Data Flow: NVS → NHC API

Description

The NVS Laravel application calls the NHC Django REST API to retrieve PHI for display in VA (Virtual Assistant) management sessions.

Flow Details

| Attribute | Value |
|---|---|
| Source | NVS account — Laravel application (EC2) |
| Destination | NHC account — Django API (EC2 behind ALB) |
| Protocol | HTTPS (TLS 1.2 minimum required) |
| Authentication | API key or cross-account IAM role (to be confirmed) |
| PHI transmitted | Patient records, session data |

Security Requirements

  • TLS 1.2+ enforced on the NHC ALB listener
  • HTTP → HTTPS redirect enabled
  • API authentication uses short-lived credentials (IAM role preferred over static API key)
  • Cross-account IAM role for NVS scoped to minimum required NHC API endpoints
  • NHC ALB security group allows inbound only from NVS EC2 security group (or NAT IP)
  • CloudTrail logs all AWS API calls made against the NHC API infrastructure
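The first two requirements (TLS 1.2+ on the listener, HTTP → HTTPS redirect) can be checked from the ALB listener configuration. The following is an added example, not part of this page or the NHC project; it operates on listener dicts in the shape returned by boto3's `elbv2.describe_listeners()["Listeners"]`, infers the minimum TLS version from the AWS predefined policy name (a heuristic; unknown names are treated as non-compliant), and uses a constructed sample with placeholder ARNs.

```python
"""Audit ALB listeners for TLS 1.2 minimum and HTTP -> HTTPS redirect.

Listener dicts follow boto3 elbv2.describe_listeners()["Listeners"]."""
import re
from typing import Iterable

# AWS predefined policy names encode the minimum protocol version, e.g.
# ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS13-1-2-2021-06.
# Names with no version segment (ELBSecurityPolicy-2016-08) still accept TLS 1.0.
_MIN_VERSION = re.compile(r"-1-([0-3])-")


def policy_enforces_tls12(ssl_policy: str) -> bool:
    """True only when the policy name declares TLS 1.2 or 1.3 as its floor."""
    match = _MIN_VERSION.search(ssl_policy or "")
    return bool(match) and int(match.group(1)) >= 2


def audit_listeners(listeners: Iterable[dict]) -> list[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    https_seen = False
    for lst in listeners:
        proto, port = lst.get("Protocol"), lst.get("Port")
        if proto == "HTTPS":
            https_seen = True
            policy = lst.get("SslPolicy", "")
            if not policy_enforces_tls12(policy):
                findings.append(f"port {port}: SslPolicy {policy!r} allows TLS < 1.2")
        elif proto == "HTTP":
            actions = lst.get("DefaultActions", [])
            # The only acceptable default action on port 80 is a redirect to HTTPS.
            redirect = (len(actions) == 1 and actions[0].get("Type") == "redirect"
                        and actions[0].get("RedirectConfig", {}).get("Protocol") == "HTTPS")
            if not redirect:
                findings.append(f"port {port}: HTTP listener does not redirect to HTTPS")
    if not https_seen:
        findings.append("no HTTPS listener configured")
    return findings


# Constructed sample (placeholder ARN): port 80 forwards instead of redirecting,
# and port 443 uses the 2016 default policy, which still accepts TLS 1.0.
_TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER/0"
SAMPLE_LISTENERS = [
    {"Protocol": "HTTP", "Port": 80, "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}]},
    {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}]},
]

if __name__ == "__main__":
    # Live use: boto3.client("elbv2").describe_listeners(LoadBalancerArn=...)["Listeners"]
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print("FINDING:", finding)
```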

Risks

| Risk | Mitigation |
|---|---|
| PHI transmitted over HTTP | Enforce HTTPS redirect on ALB |
| Static API key compromised | Rotate to IAM role-based auth |
| NHC API exposed to internet | Restrict ALB SG to NVS source IPs |

Open Items

  • Confirm current authentication method (API key vs IAM)
  • Confirm TLS enforcement status on NHC ALB
  • Document specific API endpoints that return PHI