Hospitals running Epic EMR need a connectivity architecture that is secure by design, audit-ready, and operationally simple. US Healthcare Company is a concrete example of a multi-hospital system completing a major Epic EHR transition, reportedly going live on Epic on after a large multi‑year implementation effort.
Graphiant was used as the secure interconnection fabric between a hospital network and Epic (cloud or on‑prem), combining:
Private, cloud-grade connectivity and centralized control via the Graphiant Portal and APIs
End‑to‑end encryption for control and data plane traffic, designed so traffic is not decrypted outside the customer premises
Segmentation and micro‑segmentation mapped to LAN segments and enforced with policy
Audit/logging integrations to centralized log platforms/SIEMs, plus configuration versioning workflows in the Portal
HIPAA-aligned controls using a shared responsibility model:
Graphiant for network security + visibility
AWS-native controls (CloudTrail, Config, immutable S3 storage) for audit evidence and retention
A key highlight for hospitals evaluating a pilot: Graphiant is available for a published price of $3,500/month.
Key Aspects
Assumptions are explicitly labeled because hospital environments vary:
$3,500/month is the Graphiant NaaS subscription cost for 1 Gbps
Epic hosted on AWS (“Epic on AWS”), or Epic hosted on‑prem / colocation / managed service
“Snapshotting” in this brief refers to the network configuration version workflows surfaced in the Graphiant Portal (“Configuration Versions”).
Reference Architecture for Epic Access Using Graphiant
A hospital-grade Epic connectivity fabric should meet five measurable outcomes:
Strong isolation between clinical workloads, corporate IT, third parties, and cloud workloads (segmentation / least privilege)
End-to-end encryption of traffic carrying ePHI in transit
Auditability: Durable, queryable logs that support HIPAA Security Rule audit controls
Resilience: Redundant network paths / failover and tested recovery procedures (including contingency planning requirements)
Operational simplicity: Centralized policy, identity integration, and minimal on‑prem management burden
Graphiant supports these via an encrypted, policy-driven WAN and cloud on‑ramp model managed from a centralized Portal (and APIs).
Graphiant Architectural Advantages
Graphiant supports API-driven management and operations, which is key to making the network fabric “automatable” in hospital environments with change-control requirements.
Graphiant supports SSO with Okta using SAML for Portal access, enabling enterprise identity governance.
Graphiant Portal supports MFA options (SMS, Authenticator).
Graphiant maps security policy zones 1:1 to LAN segments.
Graphiant Gateway Service connects on‑prem Graphiant networks to public cloud workloads using a private connection; for AWS, the Gateway Service connects to AWS Direct Connect.
For compliance-oriented path assurance and flow analytics, Graphiant Data Assurance controls and defines physical paths to meet geographic or compliance requirements and analyzes traffic data for assurance.
Step-by-step Pilot via AWS Marketplace
Subscribe to Graphiant NaaS Capacity
Follow these steps:
In AWS Marketplace, locate “Graphiant NaaS: Monthly Pay-as-You-Go.”
Select “1 Gbps Bandwidth – 700 Credits”. The published price for this line item is $3,500/month.
Register / set up your Graphiant account from the subscription workflow.
Choose Your Attachment Model
You can attach to Graphiant in two main pilot patterns:
Option A: Private cloud interconnect using Graphiant Gateway Service + AWS Direct Connect
Recommended when private connectivity already exists or is required.
Graphiant AWS Gateway Service connects an on‑prem Graphiant network to AWS via AWS Direct Connect and positions the Gateway as the preferred hybrid connectivity method.
Option B: Deploy a Graphiant Virtual Edge inside a VPC
Fastest “within AWS” attachment for a pilot.
The Graphiant Virtual Edge is available as an AMI/CloudFormation deployment and is designed to connect cloud workloads/VPCs to the Graphiant Network Service.
Most hospitals do Option B first for speed, then move to Option A for long-term private interconnect.
Option A Configuration Highlights: Gateway Service for AWS Direct Connect
Graphiant documents a detailed sequence for connecting to AWS, including:
In the Graphiant Portal, request the AWS Gateway Service and provide required fields such as speed, LAN segment, and AWS account ID; a Graphiant support engineer coordinates provisioning.
In AWS, you must have a VPC (with subnet and route table), then create:
A Transit Gateway, then a Transit Gateway Attachment to the VPC, and updated VPC routes (e.g., a default route to the TGW, if the design calls for it).
A Direct Connect Gateway, then an association between the TGW and the DXGW.
A Transit Virtual Interface, using Graphiant's BGP ASN (30656) as the peer ASN in that setup.
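The AWS-side steps above (Transit Gateway, VPC attachment and route, Direct Connect Gateway and its TGW association, and a Transit VIF peering with ASN 30656) written as a Terraform configuration; this is an added example, not Graphiant's own documentation. It assumes an already configured `aws` provider, an existing VPC, subnets and route table passed in as variables, and a Direct Connect connection ID supplied during Gateway Service provisioning; the AWS-side ASNs, VLAN and CIDR are constructed placeholders.

```hcl
variable "vpc_id"           { type = string }
variable "subnet_ids"       { type = list(string) }
variable "route_table_id"   { type = string }
variable "dx_connection_id" { type = string } # placeholder: supplied during Gateway Service provisioning
locals {
  graphiant_peer_asn = 30656          # Graphiant BGP ASN named in the procedure above
  epic_vpc_cidr      = "10.50.0.0/16" # constructed; prefix advertised toward Graphiant
}

# Step 1: Transit Gateway, attachment to the Epic VPC, and a VPC route to the TGW
resource "aws_ec2_transit_gateway" "epic" {
  description     = "Epic pilot TGW"
  amazon_side_asn = 64512 # constructed private ASN, kept distinct from the DXGW ASN
}

resource "aws_ec2_transit_gateway_vpc_attachment" "epic" {
  transit_gateway_id = aws_ec2_transit_gateway.epic.id
  vpc_id             = var.vpc_id
  subnet_ids         = var.subnet_ids
}

resource "aws_route" "to_tgw" {
  route_table_id         = var.route_table_id
  destination_cidr_block = "0.0.0.0/0" # default route to the TGW; narrow to on-prem prefixes if the design calls for it
  transit_gateway_id     = aws_ec2_transit_gateway.epic.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.epic]
}

# Step 2: Direct Connect Gateway associated with the TGW
resource "aws_dx_gateway" "epic" {
  name            = "epic-dxgw"
  amazon_side_asn = "64513" # constructed private ASN
}

resource "aws_dx_gateway_association" "epic" {
  dx_gateway_id         = aws_dx_gateway.epic.id
  associated_gateway_id = aws_ec2_transit_gateway.epic.id
  allowed_prefixes      = [local.epic_vpc_cidr]
}

# Step 3: Transit VIF on the Graphiant-facing connection, peering with Graphiant's ASN
resource "aws_dx_transit_virtual_interface" "graphiant" {
  connection_id  = var.dx_connection_id
  dx_gateway_id  = aws_dx_gateway.epic.id
  name           = "graphiant-transit-vif"
  vlan           = 100 # constructed; confirm with the Graphiant support engineer
  address_family = "ipv4"
  bgp_asn        = local.graphiant_peer_asn
}
```

Keep the VPC route scoped to the on-prem and Graphiant prefixes rather than 0.0.0.0/0 once the pilot design is settled, so only Epic-bound traffic leaves the VPC over the private path.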
Option B Configuration Highlights: Deploy Graphiant Virtual Edge (Cloud Edge) in AWS
Graphiant provides a step-by-step deployment for a Cloud Edge using AWS Marketplace + CloudFormation:
In AWS Marketplace, search “Graphiant” and select Graphiant Virtual Edge.
Choose CloudFormation template deployment (either deploy new resources or into an existing VPC).
Create the CloudFormation stack, supplying parameters such as the stack name, AllowedCidr, and AvailabilityZone.
Register the Edge: connect to the EC2 serial console, obtain the auth URL, and authorize the device in the Graphiant Portal.
Identity, Access, and Operational Setup
Configure Okta SAML SSO for Graphiant Portal access (Graphiant provides a specific Okta SAML setup procedure and endpoints).
Enable MFA policies in the Graphiant Portal for administrative access (SMS or Google Authenticator).
Define LAN segments (e.g., “Epic_Clinical”, “Epic_Interfaces”, “Corp_IT”, “Partner”) and apply security policies; Graphiant zones map 1:1 to LAN segments.
Cost Breakdown Supporting the $3,500/month Pilot Budget
The Fixed $3,500/month Line Item
AWS Marketplace publishes Graphiant monthly NaaS pricing as:
1 Gbps Bandwidth: $3,500.00 per month
Networking Credit (50 Credits): $250.00 per unit
What the $3,500/month Does and Does Not Include
Included in the $3,500/month pilot budget:
Graphiant NaaS subscription entitlement for 1 Gbps / 700 credits in North America
Explicitly not included:
AWS infrastructure costs (“Additional AWS infrastructure costs may apply”)
Security, Compliance, and Operational Capabilities
How Graphiant Supports HIPAA Security Rule Technical Safeguards
HIPAA technical safeguards include Access Control, Audit Controls, Integrity, Person/Entity Authentication, and Transmission Security.
Graphiant supports those controls as follows:
Access Control: Use Okta SAML SSO for Graphiant Portal access (federated identity), enabling unique user identities and centralized access management.
Person or Agent Authentication: SSO + MFA adds strong authentication assurance for administrative actions.
Audit Controls: Graphiant supports centralized Syslog and IPFIX export for network/audit telemetry, configuration version snapshots for change-control auditing, and Data Assurance for data pattern profiling.
Transmission Security (guard against unauthorized access to ePHI in transit): Graphiant data plane is encrypted end-to-end and not decrypted outside customer premises. Site-to-site VPN options (IPsec) exist for extending policy-based private fabric to locations/partners not directly peered.
Segmentation, Least Privilege, and “Blast Radius” Control
Graphiant security policy model ties zones to LAN segments, enabling micro-segmentation by design.
Segmented networks are an explicit, policy-controlled mechanism (not an implicit “flat network”): Graphiant drops inter-segment traffic by default unless an NGFW policy explicitly permits it.
This supports a hospital pattern:
One segment for Epic production flows
Separate segments for integration engines
Separate segments for admin/corporate
Strict policies between them
Audit Trail and Configuration “Snapshotting” Approach
Graphiant provides “Configuration Versions” workflows after configuration changes in multiple Portal flows (e.g., Syslog override and BGP filter workflows), giving an operational “snapshot” of what changed and what is being applied.
Graphiant vs. Cisco Comparison
Why Cisco Tends to Increase Operational Complexity and Cost
Cisco SD‑WAN deployment complexity drivers:
Cisco SD‑WAN architecture includes multiple distinct components: vManage, vSmart controller, vBond orchestrator, and vEdge routers, each with defined roles and integration points.
Cisco licensing for SD‑WAN is tiered and subscription-based (Cisco DNA Essentials/Advantage/Premier); Catalyst SD‑WAN functionality is a “pure subscription-based product offering,” and upon expiration you are no longer licensed to access the SD‑WAN feature set.
Graphiant Reduces Complexity
Graphiant’s advantages for hospitals with Epic:
Published subscription with transparent monthly pricing
Centralized APIs for managing a hybrid cloud fabric
End‑to‑end encryption and cloud connectivity via a dedicated Gateway Service model
Built-in telemetry patterns and Data Assurance analytics for visibility and compliance-oriented path governance
Concise Comparison Table
| Evaluation Criteria | Graphiant | Cisco SD‑WAN |
|---|---|---|
| Core Architecture Model | NaaS with centralized Portal + APIs; encrypted fabric; cloud on‑ramp via Gateway Service. | Overlay SD‑WAN with multiple key components (vManage, vSmart, vBond, vEdge). |
| “Snapshotting”/Evidence Approach | Portal configuration version workflows. | Audit can be built, but the environment includes multiple systems to monitor and maintain (controllers, licensing). |
| Published Pilot Cost | $3,500/month for 1 Gbps. | No single comparable “all-in” price; licensing is tiered and subscription-based. |
| Operational Overhead (qualitative) | Portal + simpler procurement for pilots (AWS Marketplace). | More components + licensing renewal governance. |