Views:

PatientSync Technical Overview

Table of Contents

Technical Requirements

PatientSync’s telephony infrastructure is powered by AWS Connect.  The majority of the technical requirements with regards to network configuration and workstation configuration directly correlate to the requirements for using AWS Connect.

Network Requirements

Work From Home Disclaimer:
For optimal performance, we always recommend having users work from within a business office setting with enterprise grade network circuits and PC hardware when possible. However, we recognize that providing agents with the ability to work from home has a lot of advantages, and many of our customers elect to enable this for their workforce. Please note that residential grade networks and service providers do not provide guaranteed speeds and may have inconsistencies in system performance and call quality as a result that are not within the control of PatientSync.
Recommended Network Speeds:
100+ Mbps Download / 10+ Mbps Upload
Please review the baseline network requirements for AWS Connect here:
https://docs.aws.amazon.com/connect/latest/adminguide/ccp-networking.html
Use this table below as a reference to know what inputs are required for our PatientSync instance of Connect.
AWS Network DocumentationPatientSync Instance/Region Value
rtc*.connect-telecom.{region}.amazonaws.comrtc*.connect-telecom.us-east-1.amazonaws.com
{myInstanceName}.my.connect.aws/ccp-v2path-forward-prod.my.connect.aws/ccp-v2
{myInstanceName}.my.connect.aws/apipath-forward-prod.my.connect.aws/api
*.execute-api.{region}.amazonaws.com*.execute-api.us-east-1.amazonaws.com
participant.connect.{region}.amazonaws.comparticipant.connect.us-east-1.amazonaws.com
*.transport.connect.{region}.amazonaws.com*.transport.connect.us-east-1.amazonaws.com
{Amazon S3 bucket name}.s3.{region}.amazonaws.compathforward-agent-desktop-webapp-prod.s3.us-east-1.amazonaws.com
TurnNlb-*.elb.{region}.amazonaws.comTurnNlb-*.elb.us-east-1.amazonaws.com

Workstation/Hardware/Browser Requirements

It is important to note that these requirements are the minimum for our application only. If the user is running multiple applications simultaneously that are resource intensive on the processor, network, or memory - the performance of our application can be impacted.
Workstation Requirements:
-Processor: 2GHz dual-core minimum, 2GHz+ quad-core recommended
-Memory: 4gb minimum; 8gb+ recommended
-Mobile devices are not currently supported.
Monitor Recommendations:
We recommend at least a 24’’ monitor that can be positioned in a vertical (portrait) configuration (this will reduce scrolling from within the Navigator guided workflow) with at least 1920x1080 resolution.  Any larger size or higher resolution monitors will be a bonus to the agent with regards to screen real-estate.  We do recommend agents operate with at least 2 monitors for increased productivity and less switching between EHR and our application. 
Headset Recommendations:
PatientSync is compatible with virtually any audio device that can be recognized as a microphone and speaker by your computer. If you are considering using a wireless device, please note that these could introduce more variables when troubleshooting audio issues for agents.
Supported Browsers:
*Updated to the two latest versions for all
-Google Chrome
-Microsoft Edge
-Mozilla Firefox
Browser Settings/Recommendations:
If you are able to control user’s Browser settings via Group Policy, we recommend configuring the following Site Settings for each of these sites below to prevent issues with our application features functioning properly.
 Site Settings to Allow:
·        Microphone: Allow
·        Pop-Ups and Redirects: Allow
·        Notifications: Allow
·        Sound: Allow
 URLs to apply these settings to:
·https://dwfri3y9ewuum.cloudfront.net
https://d1lzb8wunya1fn.cloudfront.net
https://login.patientsync.us
https://ccp1.patientsync.us
https://ccp2.patientsync.us
https://navigate.patientsync.us
https://voicemail.patientsync.us
https://supervisor.patientsync.us
https://app.patientsync.us
https://patientsync.app
https://path-forward-prod.awsapps.com
https://pathforward.spicecsm.com
https://greeting.patientsync.app
 Please whitelist the following email addresses:  Accessing PatientSync via Remote Sessions - Not Recommended
We do not recommend accessing PatientSync via an RDP or VDI remote environment as this can introduce issues with latency and/or audio device problems.  If you are planning to have them connected via VPN, please ensure all network setup above is completed as this can cause issues with voice traffic. If you plan to access PatientSync via a remote session, please let our team know so we can discuss this setup.

Endpoint Testing Utility

We recommend doing endpoint testing using the link below after configuring your workstations.  This tool can be used to confirm both connectivity and correct configuration of audio devices. It is a great tool to help troubleshoot end user issues when they are experiencing problems with their connection or audio.
https://tools.connect.aws/endpoint-test/?connectInstanceUrl=https://path-forward-prod.my.connect.aws&regions=us-east-1&autoRun=true
The Endpoint Test Utility performs the following checks:
  • Validates that the browser being used supports WebRTC.
  • Determines if the browser has appropriate access to media devices (microphone, speakers, etc).
  • Performs latency tests to our Connect instance.
  • Validates network connectivity across required ports for media streams.

Architectural Overview

This document provides an overview of the system architecture for PatientSync’s.  This content is intended for client technical teams to understand the background architecture for how our PatientSync platform is designed through our AWS Connect instance and to display how telephony and data flows securely through our platform and related applications.

Overall System Architecture:

Telephony Services Layer:


Amazon Connect Telephony is integrated with multiple telephony providers (carriers) with redundant dedicated network paths to three or more Availability Zones in every Region where the service is offered today.  TFNs are configured to multiple carriers for built in carrier redundancy. PatientSync is built on the US East-1 Region.  Capacity, platform resiliency, and scaling are handled as part of the managed service, allowing you to efficiently ramp from 10 to 10,000+ agents without worrying about the management or configuration of underlying platform and telephony infrastructure. Workloads are load balanced across a fleet of telephony media servers, allowing new updates and features to be delivered to you with no downtime required for maintenance or upgrades. If a particular component, data center, or an entire Availability Zone experiences failure, the affected endpoint is taken out of rotation, allowing you to continue to provide a consistent quality experience for your customers.
When a voice call is placed to an Amazon Connect instance, the telephony layer is responsible for controlling the endpoint that your customer calls into through their carrier, across the PSTN and into Amazon Connect. This layer represents the audio path established between Amazon Connect and the customer.
Voice calls
The following diagram shows how voice calls flow through Amazon Connect
  1. Users access the Amazon Connect application using a web browser. All communications are encrypted in transit using TLS.
  2. Users establish voice connectivity to Amazon Connect from their browser using WebRTC. Signaling communication is encrypted in transit using TLS. Audio is encrypted in transit using SRTP.
  3. Voice connectivity to traditional phones (PSTN) is established between Amazon Connect and AWS’s telecommunications carrier partners using private network connectivity. In cases where shared network connectivity is used, signaling communication is encrypted in transit using TLS and audio is encrypted in transit using SRTP.
  4. Call recordings are stored in our secure Amazon S3 bucket that our instance of Amazon Connect has been given permissions to access. This data is encrypted between Amazon Connect and Amazon S3 using TLS.
  5. Amazon S3 server-side encryption is used to encrypt call recordings at rest using a PatientSync-owned KMS key.
 API/Interface Services Layer
The API/interface layer includes:
  • Single Sign-On (SSO) integration user authentication/Multi-Factor Authentication (MFA)
    • We partner with Okta to allow our customers to implement these features for their agents.
  • PatientSync’s secure Client Web Portal APIs are used to communicate real time with AWS Connect instance.  This allows us to dynamically control components of the Agent CCP & customer Contact Flows.
  • Custom APIs created using the Amazon Connect Streams API may provide additional functionality and/or integrate with existing EHR/PM platforms depending on the integration level achieved with the customer.
  • Amazon Connect contact-facing web chat API & Text to Chat API.
  • Many Amazon API Gateway endpoints and corresponding AWS Lambda functions necessary to route contacts properly through Contact Flows in Amazon Connect.
  • Our PatientSync Supervisor application that allows customer supervisors to configure/manage agent settings, search for call recordings, and view real-time metrics.

Contact Flow/IVR Layer


The Contact Flow/IVR layer is the primary architectural vehicle for Amazon Connect and serves as the point of entry and first line of communication with customers reaching out to your contact center. Contact flows enable us to dynamically prompt contacts, collect and store contact attributes, and route appropriately.  We can assign a contact flow to multiple phone numbers and manage and configure it through Amazon Connect Sys Admin.
 After a customer contacts PatientSync Connect, a contact flow controls the interaction between Amazon Connect, the contact, and the agent, allowing us to Dynamically invoke AWS Lambda functions to make API calls, send real-time IVR and voice data to third-party endpoints through Amazon Kinesis.  We can also utilize several other AWS services such as Lex and Polly within the Contact Flows to improve the customer experience.

Agent CCP

The agent CCP layer is delivered via the client web-browser.  Access to the CCP is controlled via the aforementioned API layer.  This layer is responsible for providing the agent all call controls and delivering the call audio via the agent’s workstation web browser.  The customer’s network environment & firewalls can have significant impact on call quality and performance of the agent CCP.  We recommend reviewing in detail the PatientSync Network Requirements documentation above, and customers can also use the Amazon Connect Network Setup Guide to provide additional information to deploy PatientSync Connect in their environment.

Metrics and reporting


The metrics and reporting layer includes the components responsible for delivering, consuming, monitoring, alerting, or processing real-time and historical metrics for your agents, contacts, and contact center. This includes all native and third-party components responsible for facilitating the processing, transmission, storage, retrieval, and visualization of real-time or historical contact center metrics, activity audit, and monitoring data.
Contact Trace Records (CTRs) for every customer interaction are securely transmitted and encrypted at rest on a secure Amazon S3 bucket.  These CTRs contain all of the attributes of a call that we can report on. 
Our Amazon Redshift db stores the data referenced by our QuickSight reporting dashboards that are published for customers to view historic data and trends related to their call center.
All calls are recorded by default and stored at minimum for up to 7 years in a secure Amazon S3 bucket.  The recordings can be accessed via our client facing Supervisor or Admin web-app (user login required & integrated with SSO/MFA capabilities).

Data Retention and Policies

Does PatientSync store customer data?
Yes, PatientSync stores customer data. This includes a variety of data types and information that are critical to the services we provide. Below is a detailed overview of the nature of the data stored, how and where it is stored, our retention policies, and our procedures for handling data post-completion and/or termination of a contract.
 What type of data is stored?
  • Interaction Data:
 This encompasses data related to phone calls, chats, SMS, and tasks. It can include recordings and transcripts of conversations between the contactor and the agent (provided the customer opts for this service) and collected data from interactions with callers within our guided workflow application.
  • Electronic Health Records (EHR) Data:
 Any EHR data transmitted to or received by PatientSync is also stored. This data is critical for providing seamless healthcare services and support.
 Where and How is the Data Stored?
All the data mentioned above is stored in our data warehouse. This centralized storage system ensures data security, integrity, and accessibility for operational needs. The data warehouse is designed to handle large volumes of data efficiently, ensuring that we can access and manage customer information as needed effectively.
 Retention Period:
  • PatientSync does not have a data cleansing or deletion policy based on the age of the data. We store all data indefinitely, ensuring that we have a comprehensive record of customer interactions and health records as needed.
  • Backup data is retained for a period of 5 years. This policy ensures that we have access to historical data for a significant duration, aiding in analysis, compliance, and service improvement.
 Post-Completion/Termination of Contract:
Upon contract termination, PatientSync will abide by any agreed upon treatment of client data.  Additionally, customers are provided the option to receive exports of their data.
We provide:
  • Regular exports of contact data during the tenure of the contract.
  • A comprehensive export of all stored data at the termination of the contract, including both Interaction data and EHR data.
 This policy ensures that customers retain control and access to their data even after their relationship with PatientSync concludes.

Security and Compliance

HIPAA Compliance

Our software is specifically designed for Healthcare, so data security is paramount.  Access to PatientSync applications requires user authentication through our Okta identity portal.  We are able to granularly control user access to each of the applications and many of the features within those applications.  For example, we can allow or disallow access to call recordings by user profile, etc.  All data is securely transmitted and encrypted at rest on our secure Amazon S3 and/or Redshift databases.

PCI Compliance

Our call recording software has the capability to scrub any PCI data from call recordings and is obfuscated from any logs or transcriptions.  If there is a use case for collecting PCI information via DTMF using a secure IVR solution, we use envelope encryption with AWS SDK to protect both the raw data and the data keys used to encrypt them.  The system is not pre-configured out of the box with PCI compliance enabled, and does require additional add-on services to enable this. Please reach out to a member of our support team if you are interested in enabling this on your instance.

e911 Calling

It is recommended to instruct staff to inform callers to hang up and dial 911. Our system does not have e911 calling turned on by default because e911 is designed to pass through the agent’s location to the 911 system (not the caller/patient). This would only be helpful in the event that the agent was having an emergency situation. We recommend informing callers to hang up and dial 911 themselves so that their location will be provided to the emergency services. If the agent themselves is having an emergency, we recommend that they use their personal device to contact 911 so that their physical location will pass through to 911. If your organization requires that your agents be able to use PatientSync Connect to dial out to 911, please reach out to our support team.