Basics

Delivery to a cloud storage provider object storage can be configured as needed which will enabled documents (PDFs or FHIR bundles) to be pushed to a cloud storage location of your choosing.
After following this guide, provide Connective Health with all details from the finish S3 or finish Azure sections

File Delivery Location Template

Customers are able to decide the location within their cloud storage where the files are delivered to using a configurable template which Connective Health maintains on their behalf. A reasonable default for the template would be incoming_files/[yyyy]/[MM]/[dd]/[correlationId]_[mrn]_[patientLastName]_[documentType].[ext] See the below table for all the dynamic variables which are available in the template. Work with your account manager to decide what this configuration should be.

Available Dynamic Values

PropertyDescription
patientFirstNamePatient first name
patientLastNamePatient last name
mrnPatient MRN
clinicNameClinic name
providerNpiProvider NPI
providerFirstNameProvider first name
providerLastNameProvider last name
correlationIdConnective Health Correlation ID
yyyyFour-digit year
MMTwo-digit month
ddTwo-digit day
documentTypeDocument type. Required to be part of the configured location
extFile extension. Required to be part of the configured location

AWS S3

Customer Setup

We connect to AWS S3 using a federated web identity authz model. This allows for security without the need to exchange static secrets.
  1. Create (or identify) an S3 bucket which should be used for Connective Health to push documents to
    1. Our recommendation is to create a new bucket for this specific purpose to prevent accidental data leakage or other unexpected problems
  2. Create a new Role under the IAM section of your AWS Console
  3. When building the role, choose Custom trust policy and edit the JSON of the policy
    1. Set the policy to the below JSON, Connective Health will provide you with the appropriate Google Account sub value based on the environment (staging or production)
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Federated": "accounts.google.com"
			},
			"Action": "sts:AssumeRoleWithWebIdentity",
			"Condition": {
				"StringEquals": {
					"accounts.google.com:sub": [
						"value depends on environment"
					]
				}
			}
		}
	]
}
AWS New Role Screen
  1. Choose Next
  2. Continue with the wizard, skipping the adding of permissions, we will do that later
  3. The name can be anything you want, for example ch-assume-role-policy
  4. After creating the role, click on it
  5. Click the Add permissions dropdown and choose Create inline policy
  6. Select JSON
    1. The permissions should provide these permissions (at least):
      • s3:PutObject
      • s3:GetObject
      • s3:ListBucket
      • s3:GetBucketLocation
  7. Make sure to populate the resources array with the S3 bucket and objects
  8. Here is a complete example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::ch-test-protected-storage",
                "arn:aws:s3:::ch-test-protected-storage/*"
            ]
        }
    ]
}

Connective Health S3 Setup

When you are finished with your configuration, please notify Connective Health of the following information:
  1. Your chosen file delivery location template, which will dictate the exact path Connective Health writes files to within your S3 bucket
  2. The name of your S3 bucket — we will need a staging/test bucket as well as a production bucket
  3. The role’s ARN value. This can be found on the role page, under the summary section

Azure Blob Storage

Customer Setup

We connect to Azure Blob Storage using a federated identity credential model. This allows for security without the need to exchange static secrets.
  1. Create an App registration in Azure Active Directory
    1. This is needed to get a client ID
    2. Under the app registration, create a new federated credential
    3. Connective Health will provide you with the appropriate Google Account subject identifier value based on the environment (staging or production)
Azure Federated Credential Setup
  1. Create a Storage account in Azure
    1. Our recommendation is to create a new storage account for this specific purpose to prevent accidental data leakage or other unexpected problems
    2. Under this storage account, add the app registration from the previous step with the proper access role
    3. You can choose either a standard role like “Storage Blob Data Contributor” or create a custom role based on your security requirements
  2. Create a Storage container under the storage account
    1. This container will be used to store the documents that Connective Health pushes to your Azure Blob Storage

Connective Health Azure Setup

When you are finished with your configuration, please notify Connective Health of the following information:
  1. Your chosen file delivery location template, which will dictate the exact path Connective Health writes files to within your Azure storage container
  2. The app registration Application (client) ID
  3. The app registration Directory (tenant) ID
  4. The storage account’s blob service endpoint URL
  5. The storage account’s container name