Monitoring, maintenance and reference information for Epic telehealth integrations

This topic describes some monitoring options and additional reference information for Epic telehealth integrations with Pexip Infinity.

For troubleshooting information, see Troubleshooting and call setup information for Epic telehealth integrations.

Monitoring appointments via Pexip Infinity

Active and historic appointments (conferences) can be viewed via the Pexip Infinity Administrator interface.

Each appointment is represented as a single conference within the Status pages on Pexip Infinity, and each conference typically has two participants — the provider and the patient. However, there could be additional participants if it is a group session or an additional provider is added to the call.

The appointment and participant names are constructed as described below.

Appointment and participant names

Appointment and participant names are displayed within the call itself (in the Infinity Connect roster) to all of the participants, and they are also shown within the Pexip Infinity Administrator interface status pages.

By default the appointment name (referred to as the service or conference name within Pexip Infinity) takes the form:
"Appointment for <patient name> <telehealth profile name>:<Epic unique appointment id> in <encounter department>"
but you can control this by configuring the Service name template in the Pexip Infinity telehealth profile.

Note that "in <encounter department>" is only included if the department is known. For example:

  • "Appointment for Beverley P Spinder Healthcare Org:6ea6d1427f684721abd21c1634386f7b6 in Radiology" or
  • "Appointment for Kai Oosman Picardo Healthcare Org:5ec8f1667f531781afe19c1774322f7b8"

The participants list contains:

  • The Name field of the telehealth profile for the provider e.g. "Healthcare Org".
  • The first name / middle name / last name for the patient e.g. "Beverley P Spinder".

Epic encryption keys, client secrets and OAuth2 keypairs

This section contains more information about how to complete some of the Pexip Infinity telehealth profile settings concerning encryption keys, client secrets and backend OAuth2 keypairs.

Epic encryption key

The Epic encryption key is a secret used for encrypting some of the information passed from Epic to Pexip. It should be a cryptographically strong random value. It is used in the Epic telehealth profile within Pexip Infinity and FDI records within Epic.

To generate a secret for use with Epic AES-256-CBC crypto (used with Epic version August 2019 onwards), you must generate a random 32 byte, base64 encoded key. (If you are using an older version of Epic, you can use either a 16 byte key generated using a similar method to that described below, or a simple password.)

You can generate the key using any tools that Epic may provide, or by using a Pexip command line tool as described below:

  1. Connect over ssh into the Management Node as user admin with the appropriate password.

  2. Issue the following command:

    pextelehealthkeygen 32

Example output:

value: fTW2KwlJZ6JEpRS+RlN2fruKPgggBe+Y9txLIk3QpA0=

The value output to the screen is a random 32 byte key, generated by OpenSSL, that is encoded into human-readable text using base64 encoding.

We recommend that you store this value securely (for example, using your corporate password database) in case you need to recover or reinstall your Pexip system without a suitable backup being available.
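
A check you can run before pasting a key into the telehealth profile or the Epic FDI record, shown here as an added example that is not part of Pexip's tooling. The hypothetical check_epic_key function reads a base64 value on standard input and confirms that it decodes to exactly 32 bytes (or 16 bytes for the older Epic versions mentioned above); it assumes a shell with the base64 utility.

```shell
# Added example, not a Pexip tool. check_epic_key is a hypothetical helper.
# Reads a candidate key on stdin, so the secret never appears in argv or `ps`.
# Returns 0 for a 32-byte key (AES-256-CBC, Epic August 2019 onwards),
#         2 for a 16-byte key (older Epic versions),
#         1 for anything else: bad characters, broken padding, truncated paste.
check_epic_key() {
    key=$(cat)    # command substitution drops the trailing newline of a paste
    # Reject empty input, characters outside the standard base64 alphabet
    # (spaces, quotes, URL-safe '-' and '_'), and padding that is not at the end.
    case "$key" in
        '' | *[!A-Za-z0-9+/=]* | *=[!=]* | *===*) return 1 ;;
    esac
    # Valid padded base64 is always a multiple of four characters long.
    [ $(( ${#key} % 4 )) -eq 0 ] || return 1
    # Count the decoded bytes without ever printing them.
    nbytes=$(( $(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) ))
    case "$nbytes" in
        32) return 0 ;;
        16) return 2 ;;
        *)  return 1 ;;
    esac
}

# The example output shown above (a published sample value, not a real key).
if printf '%s\n' 'fTW2KwlJZ6JEpRS+RlN2fruKPgggBe+Y9txLIk3QpA0=' | check_epic_key; then
    echo "32-byte key, suitable for AES-256-CBC"
fi
```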

Client Secrets

The Provider application Client Secret and Patient application Client Secret that must be configured in the Epic telehealth profile are generated by Epic during the signup process and passed to Pexip, who will relay them securely to the end customer. Currently, the same value is used for both the provider and patient secrets on a single Epic telehealth profile.

A production and non-production variant of each secret is generated. These should be treated as being as sensitive as passwords, and you should ensure that the production and non-production variants are noted distinguishably.

Backend OAuth2 client ID and private/public keypairs

This section explains the procedure for configuring the Email and SMS helper application settings in an Epic telehealth profile, to support patients joining via links sent by email or SMS text messages.

Your Pexip representative will share the Backend OAuth2 application Client ID with you. In common with other application secrets that make up an integration, your production and non-production Epic environments use different Client IDs.

Each client ID needs its own associated unique public/private keypair, so you need to perform the following procedure twice, generating one keypair each time:

  1. Log in to the Pexip Infinity Management Node over SSH.
  2. Run the following commands:

    cd /dev/shm
    openssl genrsa -out ./privatekey.pem 3072
    openssl req -new -x509 -key ./privatekey.pem -out ./publickey509.pem -subj '/CN=PexipBackendDirectLaunchApp'

    This generates two files: privatekey.pem and publickey509.pem.

    Make sure that the key length is at least 2048 bits (our instructions above specify 3072 bits).

  3. Copy privatekey.pem and publickey509.pem off the Management Node using an SCP (Secure Copy) client, for example WinSCP.
  4. Delete the files from the Management Node by running the following commands:

    rm ./privatekey.pem
    rm ./publickey509.pem
  5. Make a secure backup of the privatekey.pem and publickey509.pem files (you will need them if you need to reinstall your Pexip system).

    Make sure to indicate clearly if the keys are intended for your production environment or your non-production environment. You may want to rename the generated files to distinguish between the files you want to use for your production and non-production environments, and to ensure you do not overwrite the first set of files with the second set of files when you repeat this process.

    privatekey.pem is sensitive — so ensure you store it in a manner that complies with your organization's secret storage security policy (e.g. in a secure location such as your corporate password database).

  6. Repeat the process to generate a second pair of keys (one pair for your production environment and one pair for your non-production environment).

You can now complete your configuration:

  1. Configure your Pexip Infinity Epic telehealth profile for your production environment:

    1. In a text editor, open the privatekey.pem file you want to use for your production environment.
    2. Copy/paste the contents into the Backend OAuth2 private key field in the telehealth profile.
    3. Check you have also entered the production Backend OAuth2 application Client ID that Pexip shared with you, and select Save.
  2. Repeat the step above for your non-production Pexip Infinity environment, but this time using the non-production Backend OAuth2 application Client ID and the other privatekey.pem file.
  3. Send your two publickey509.pem files via email to your Pexip authorized support representative who will relay them to Epic so they can add the keys to their central system. Make sure to indicate clearly which key is for your production environment, and which is for your non-production environment.

    Only send the public keys. Do not send the private keys.
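
Before the public files are emailed, it is worth confirming three things the procedure above depends on: the file being sent holds no private key, the key is at least 2048 bits, and each certificate belongs to the private key pasted into the matching profile. The following shell function is an added example, not part of Pexip's tooling; check_pair and its return codes are hypothetical, and the demo pair is a throwaway generated in a temporary directory.

```shell
# Added example (not Pexip's tooling). check_pair PRIVATE_KEY CERT returns:
#   0  certificate is safe to send and belongs to this private key
#   1  the "public" file contains private key material
#   2  RSA key is shorter than 2048 bits, or could not be read
#   3  certificate is unreadable or was generated from a different private key
check_pair() {
    priv=$1
    cert=$2
    # Never send a file that carries a private key block of any PEM flavour.
    if grep -q 'PRIVATE KEY' "$cert"; then return 1; fi
    # Key length as reported by OpenSSL, e.g. "Private-Key: (3072 bit, 2 primes)".
    bits=$(openssl rsa -in "$priv" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 2
    # Same keypair: the public key derived from the private key must equal
    # the public key embedded in the X.509 certificate.
    from_priv=$(openssl rsa -in "$priv" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    [ "$from_priv" = "$from_cert" ] || return 3
    return 0
}

# Constructed demo: a throwaway pair made with the commands from the procedure.
tmp=$(mktemp -d)
openssl genrsa -out "$tmp/privatekey.pem" 3072 2>/dev/null
openssl req -new -x509 -key "$tmp/privatekey.pem" -out "$tmp/publickey509.pem" \
    -subj '/CN=PexipBackendDirectLaunchApp' 2>/dev/null
if check_pair "$tmp/privatekey.pem" "$tmp/publickey509.pem"; then
    # A fingerprint identifies the certificate without exposing any secret.
    openssl x509 -in "$tmp/publickey509.pem" -noout -fingerprint -sha256
fi
rm -rf "$tmp"
```

Run it once per environment and record the printed SHA-256 fingerprint next to the production or non-production label, so the two certificates cannot be confused later.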

Access and use of data shared between Epic and Pexip Infinity

Please refer to Epic's documentation ("Integration Record Setup" in their Pexip Implementation Guide), which is available from your Epic support representative, for information about the data passed from Epic to Pexip Infinity.

The Pexip Infinity deployment obtains data from Epic that is necessary to launch the appointment in Pexip Infinity. This typically includes the first, middle and last name of the patient, the username of the launching user, the department encounter name e.g. radiology, and the CSN (contact serial number — an encrypted ID that identifies an appointment). The same data is also used for providers.

Pexip Infinity writes data to Epic. In particular it informs Epic when telehealth appointment calls terminate.

Privacy and security

The Pexip Infinity self-hosted solution supports the industry standards for communication encryption for end-user devices, ensuring that all video calls and shared media content are secure and kept private even if they cross the internet. The entire deployment and all its data, including call status, diagnostic logs and call history, is completely under the ownership and control of the enterprise, even when deployed in the cloud.

Removing a Pexip/Epic integration

If you no longer require Epic telehealth integration, you must remove the specific Epic-related configuration from your Pexip Infinity deployment:

  • The Epic telehealth profile (Call control > Epic Telehealth Profile).
  • The Call Routing Rule that manages the incoming telehealth calls (Services > Call routing).
  • The telehealth integration license on your platform (Platform > Licenses).

You should also remove any optional customizations you may have applied, including:

  • Any branding or customization overrides:

    • Any themes that customized the splash screens (Services > Themes).
    • Any customized Infinity Connect web app settings (Services > Web App customization).
    • Any local policy to customize the VMR (Call control > Policy profiles).
  • Any additional Call Routing Rules that manage device pairing and/or dial out (teleconsult) from the conference (Services > Call routing).

Please talk to your Epic provider for information about how to remove your Pexip integration from the Epic system itself.