Deploying Patient Journey Intelligence on Azure
Patient Journey Intelligence deploys entirely within your Azure subscription, ensuring healthcare data remains in your environment under your complete control.
Architecture Overview
┌──────────────────────────────────────────────────────────────────┐
│ Azure Subscription                                               │
│                                                                  │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ Virtual Network (VNet)                                       │ │
│ │                                                              │ │
│ │ ┌────────────────┐   ┌────────────────┐   ┌────────────────┐ │ │
│ │ │  Application   │   │    Private     │   │    Private     │ │ │
│ │ │    Gateway     │   │    Subnets     │   │   Endpoints    │ │ │
│ │ └───────┬────────┘   └───────┬────────┘   └───────┬────────┘ │ │
│ │         │                    │                    │          │ │
│ │         ▼                    ▼                    ▼          │ │
│ │ ┌──────────────────────────────────────────────────────────┐ │ │
│ │ │ AKS Cluster (Azure Kubernetes Service)                   │ │ │
│ │ │                                                          │ │ │
│ │ │ ┌──────────────┐    ┌──────────────┐    ┌──────────────┐ │ │ │
│ │ │ │    Web UI    │    │  API Server  │    │ NLP Pipeline │ │ │ │
│ │ │ └──────────────┘    └──────────────┘    └──────────────┘ │ │ │
│ │ │                                                          │ │ │
│ │ │ ┌──────────────┐    ┌──────────────┐    ┌──────────────┐ │ │ │
│ │ │ │  Ingestion   │    │ De-ID Engine │    │ Terminology  │ │ │ │
│ │ │ │   Workers    │    │              │    │    Server    │ │ │ │
│ │ │ └──────────────┘    └──────────────┘    └──────────────┘ │ │ │
│ │ └──────────────────────────────────────────────────────────┘ │ │
│ │                                                              │ │
│ └──────────────────────────────────────────────────────────────┘ │
│                                                                  │
│ ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐ │
│ │Azure Database for│  │    Azure Blob    │  │   Azure Cache    │ │
│ │    PostgreSQL    │  │     Storage      │  │    for Redis     │ │
│ │                  │  │                  │  │                  │ │
│ │ - OMOP CDM       │  │ - Raw Files      │  │ - Sessions       │ │
│ │ - Metadata       │  │ - Documents      │  │ - Cache          │ │
│ │ - Audit Logs     │  │ - DICOM          │  │                  │ │
│ └──────────────────┘  └──────────────────┘  └──────────────────┘ │
│                                                                  │
│ ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐ │
│ │ Azure Key Vault  │  │  Azure Monitor/  │  │   Azure Backup   │ │
│ │                  │  │  Log Analytics   │  │                  │ │
│ │ - Secrets        │  │ - Logs           │  │ - DB Backups     │ │
│ │ - Certificates   │  │ - Metrics        │  │ - Snapshots      │ │
│ └──────────────────┘  └──────────────────┘  └──────────────────┘ │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘
Key Azure Services
Compute
- Azure Kubernetes Service (AKS): Container orchestration
- Virtual Machine Scale Sets: Auto-scaling worker nodes
- VM Series: Standard_D8s_v3 or higher for application workloads
Data Storage
- Azure Database for PostgreSQL (Flexible Server): OMOP CDM database
- Azure Blob Storage: Raw files, documents, and archives
- Azure Cache for Redis: Session management and caching
Networking & Security
- Virtual Network (VNet): Network isolation
- Network Security Groups (NSG): Traffic filtering
- Azure Private Link: Secure service connectivity
- Application Gateway: Load balancing and WAF
- Azure Key Vault: Secrets and certificate management
Monitoring & Operations
- Azure Monitor: Centralized logging and metrics
- Log Analytics: Query and analyze operational data
- Azure Backup: Automated backup and recovery
- Microsoft Defender for Cloud (formerly Azure Security Center): Security posture management
Deployment Options
Fully Managed
John Snow Labs operates infrastructure within your Azure subscription. You retain data ownership and control.
Self-Managed
You operate infrastructure using provided ARM templates or Terraform. John Snow Labs provides support and updates.
Hybrid
Shared responsibility with John Snow Labs managing core services and you controlling network/security.
Prerequisites
Azure Subscription Requirements
- Owner role, or Contributor together with User Access Administrator (Contributor alone cannot create the role assignments that Managed Identities and Key Vault RBAC need)
- Sufficient quotas for:
- vCPUs (minimum 64 cores)
- Public IP addresses
- Storage accounts
- Load balancers
Networking Requirements
- Dedicated VNet with /16 CIDR block
- Minimum 3 subnets (application, data, management)
- Network connectivity to on-premises systems (ExpressRoute or VPN)
Compliance
- Azure Policy for governance
- Microsoft Defender for Cloud enabled
- HIPAA/HITRUST compliance requirements configured
Installation Process
1. Infrastructure Provisioning (Week 1-2)
Deploy using Azure Resource Manager or Terraform:
# Using Terraform
terraform init
terraform plan -var-file="azure-production.tfvars" -out=azure-production.tfplan
# Apply the saved plan that was reviewed, not a freshly computed one
terraform apply azure-production.tfplan
Creates:
- Resource Group
- VNet and subnets
- AKS cluster
- PostgreSQL Flexible Server
- Storage accounts
- Key Vault
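As an added illustration of what step 1 provisions, the following Terraform is written for this page and is not one of the vendor's provided templates. It assumes the azurerm provider 3.x, a `pji-prod` naming prefix, the `eastus2` region and a `10.50.0.0/16` address space; all of these are placeholders. It lays out the VNet, the application and data subnets, and a least-privilege NSG on the data subnet, which is where hand-built deployments most often end up too permissive.

```hcl
# Added example for this page, not the vendor's template. Names, CIDRs and the
# region are assumptions; written for the azurerm provider 3.x.
provider "azurerm" {
  features {}
}

locals {
  prefix   = "pji-prod"     # assumed naming prefix
  location = "eastus2"      # assumed region
  app_cidr = "10.50.0.0/20" # AKS nodes and pods (Azure CNI assigns pod IPs here)
}

resource "azurerm_resource_group" "rg" {
  name     = "${local.prefix}-rg"
  location = local.location
}

# Dedicated /16 VNet. The management subnet is omitted for brevity and would
# be a further /24 in the same address space.
resource "azurerm_virtual_network" "vnet" {
  name                = "${local.prefix}-vnet"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.50.0.0/16"]
}

resource "azurerm_subnet" "app" {
  name                 = "snet-application"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [local.app_cidr]
}

# Data subnet delegated to PostgreSQL Flexible Server: the server is given a
# private IP in this subnet and has no public endpoint.
resource "azurerm_subnet" "data" {
  name                 = "snet-data"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.50.16.0/24"]
  delegation {
    name = "postgres"
    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

# Least-privilege NSG. Azure's default AllowVnetInBound rule would let any
# address in the VNet reach the database port, so an explicit deny sits below
# the single allow for TCP/5432 from the application subnet. The platform's
# health probes (AzureLoadBalancer tag) must stay allowed or the deny breaks them.
resource "azurerm_network_security_group" "data" {
  name                = "${local.prefix}-nsg-data"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  security_rule {
    name                       = "allow-postgres-from-app"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = local.app_cidr
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "allow-azure-lb-probes"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "data" {
  subnet_id                 = azurerm_subnet.data.id
  network_security_group_id = azurerm_network_security_group.data.id
}
```

The AKS cluster, PostgreSQL server, storage and Key Vault are layered on top of this network; the rule to carry over is the explicit `deny-all-inbound`, because without it the default VNet-to-VNet allow applies and anything that lands in the application or management subnet can open a connection to the database port.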
2. Application Deployment (Week 3-4)
Deploy using Helm:
# Namespace names must be lowercase DNS labels; spaces are not allowed
helm install patient-journey jsl/patient-journey-intelligence \
  --namespace patient-journey \
  --create-namespace \
  --values azure-values.yaml
3. Data Integration (Week 5-6)
Configure data sources and ingestion pipelines.
4. Validation & Go-Live (Week 7-8)
Testing, security audit, and production cutover.
Resource Sizing
Small (< 100K patients)
| Component | Specification | Est. Cost/Month |
|---|---|---|
| AKS Nodes | 3 x Standard_D4s_v3 | $500 |
| PostgreSQL | Flexible Server, General Purpose, 4 vCores (e.g. Standard_D4s_v3) | $350 |
| Blob Storage | 500 GB | $10 |
| Redis Cache | Standard C1 | $75 |
| Total (all services) | | ~$2,000 |
Medium (100K - 1M patients)
| Component | Specification | Est. Cost/Month |
|---|---|---|
| AKS Nodes | 6 x Standard_D8s_v3 | $2,000 |
| PostgreSQL | Flexible Server, General Purpose, 8 vCores (e.g. Standard_D8s_v3) | $700 |
| Blob Storage | 5 TB | $100 |
| Redis Cache | Standard C3 | $300 |
| Total (all services) | | ~$9,000 |
Large (> 1M patients)
| Component | Specification | Est. Cost/Month |
|---|---|---|
| AKS Nodes | 12 x Standard_D16s_v3 | $8,000 |
| PostgreSQL | Flexible Server, General Purpose, 16 vCores (e.g. Standard_D16s_v3) with read replicas | $2,000 |
| Blob Storage | 50 TB | $1,000 |
| Redis Cache | Premium P2 | $1,000 |
| Total (all services) | | ~$25,000 |
High Availability
- Multi-zone AKS node pools
- PostgreSQL zone-redundant deployment
- Geo-redundant storage (GRS) for Blob Storage
- Azure Traffic Manager for cross-region failover
- RTO < 1 hour, RPO < 15 minutes
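The PostgreSQL side of this, as an added example that is not one of the vendor's templates: a Flexible Server that is VNet-integrated, zone-redundant and backed up geo-redundantly, with Microsoft Entra ID as the only authentication method. It takes the resource group, region, VNet id and the subnet delegated to `Microsoft.DBforPostgreSQL/flexibleServers` as input variables; the server name, SKU, PostgreSQL version and the `pji-dba-admins` administrator group are assumptions. The multi-zone AKS node pool and GRS storage items are covered by the examples in the Security section.

```hcl
# Added example for this page, not the vendor's template. Subnet and VNet come
# from the network stage as inputs; names, SKU and version are assumptions.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "vnet_id"             { type = string } # VNet that holds the data subnet
variable "delegated_subnet_id" { type = string } # subnet delegated to flexibleServers
variable "dba_group_object_id" { type = string } # Entra group that administers the server

data "azurerm_client_config" "current" {}

# Private DNS zone the server registers its name in; the VNet link is what
# makes that name resolvable from the AKS subnet.
resource "azurerm_private_dns_zone" "pg" {
  name                = "pji-prod.private.postgres.database.azure.com"
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "pg" {
  name                  = "pg-vnet-link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.pg.name
  virtual_network_id    = var.vnet_id
}

# OMOP CDM server. VNet integration removes the public endpoint. The
# synchronous standby in a second zone is what meets the RTO/RPO targets for
# a zone outage; geo-redundant backups cover loss of the whole region, with a
# larger recovery point than the standby, so treat them as the DR tier.
resource "azurerm_postgresql_flexible_server" "omop" {
  name                         = "pji-prod-pg"
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = "15"
  sku_name                     = "GP_Standard_D4s_v3" # General Purpose, 4 vCores
  storage_mb                   = 262144
  zone                         = "1"
  delegated_subnet_id          = var.delegated_subnet_id
  private_dns_zone_id          = azurerm_private_dns_zone.pg.id
  backup_retention_days        = 35
  geo_redundant_backup_enabled = true

  high_availability {
    mode                      = "ZoneRedundant"
    standby_availability_zone = "2"
  }

  # Entra ID only: no local password accounts to leak or brute-force.
  authentication {
    active_directory_auth_enabled = true
    password_auth_enabled         = false
    tenant_id                     = data.azurerm_client_config.current.tenant_id
  }

  depends_on = [azurerm_private_dns_zone_virtual_network_link.pg]
}

# Administer through a group rather than a named user, so rotation of people
# does not touch the server configuration.
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "dba" {
  server_name         = azurerm_postgresql_flexible_server.omop.name
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = var.dba_group_object_id
  principal_name      = "pji-dba-admins" # assumed Entra group display name
  principal_type      = "Group"
}
```

Test the failover, not just the configuration: a forced failover on the standby (available from the portal or `az postgres flexible-server restart --failover Forced`) should keep the application connected through the private DNS name, which is the behaviour the RTO target actually depends on.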
Security
Network Security
- Private endpoints for all Azure services
- NSGs with least-privilege rules
- No public internet access for compute
Encryption
- Encryption at rest for PostgreSQL Flexible Server (the PostgreSQL equivalent of TDE; service-managed keys by default, customer-managed keys optional)
- Storage Service Encryption (SSE) for Blob Storage
- Customer-managed encryption keys (CMK) held in Azure Key Vault, with soft delete and purge protection so a deleted key can still be recovered
- TLS 1.2+ for all communications
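How the encryption items above fit together, as an added Terraform example that is not one of the vendor's templates: a storage account for raw files whose service-side encryption uses a customer-managed RSA-HSM key in Key Vault, unwrapped through a user-assigned identity that holds only the encryption-user role, with a TLS 1.2 floor and shared keys disabled. It assumes an existing Key Vault in RBAC mode with purge protection (passed in as `var.key_vault_id`); the identity, key and the globally unique account name `pjiprodraw01` are placeholders.

```hcl
# Added example for this page, not the vendor's template. Assumes a Key Vault
# with RBAC authorization and purge protection already exists; names are
# placeholders. azurerm provider 3.x.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "key_vault_id"        { type = string } # RBAC-enabled, purge protected

data "azurerm_client_config" "current" {}

# Identity the storage service uses to wrap/unwrap its data-encryption key.
resource "azurerm_user_assigned_identity" "blob_cmk" {
  name                = "pji-prod-blob-cmk"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Crypto Service Encryption User = get/wrapKey/unwrapKey only; the identity
# cannot read secrets or manage the key. The principal running Terraform
# needs Crypto Officer to create the key in the first place.
resource "azurerm_role_assignment" "blob_cmk_user" {
  scope                = var.key_vault_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.blob_cmk.principal_id
}

resource "azurerm_role_assignment" "terraform_crypto_officer" {
  scope                = var.key_vault_id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "blob" {
  name         = "blob-cmk"
  key_vault_id = var.key_vault_id
  key_type     = "RSA-HSM" # Premium vault; HSM-protected key
  key_size     = 3072
  key_opts     = ["wrapKey", "unwrapKey"]
  depends_on   = [azurerm_role_assignment.terraform_crypto_officer]
}

# Raw files, documents and DICOM. Public network access off (reached through
# a private endpoint), TLS 1.2 floor, no account keys, GRS for regional DR.
resource "azurerm_storage_account" "raw" {
  name                            = "pjiprodraw01" # globally unique; assumed
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  shared_access_key_enabled       = false # Entra RBAC only, no shared keys
  public_network_access_enabled   = false

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.blob_cmk.id]
  }

  # Versionless key id so rotated key versions are picked up automatically.
  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.blob.versionless_id
    user_assigned_identity_id = azurerm_user_assigned_identity.blob_cmk.id
  }

  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
  }

  depends_on = [azurerm_role_assignment.blob_cmk_user]
}
```

Purge protection on the vault is not optional here: if the key is deleted and purged, every blob in the account becomes unreadable. Role assignments can take a minute to propagate, so a first `apply` that fails on the key or the account with a 403 usually succeeds on retry. If Terraform will also manage containers in this account, set `storage_use_azuread = true` in the provider block, since shared keys are disabled.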
Access Control
- Microsoft Entra ID (formerly Azure AD) integration
- Managed Identities for service authentication
- RBAC with least privilege
- MFA required for admin access
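An added Terraform example, not one of the vendor's templates, of the network and access-control items as they apply to the cluster: a private AKS cluster with local accounts disabled and Microsoft Entra ID RBAC, a Key Vault in RBAC mode closed to the public network, and a workload identity for the API server pods that is trusted through a federated credential rather than a client secret. It takes the resource group, region, application subnet id and the Entra admin group ids as variables; the cluster, vault and identity names and the `patient-journey`/`api-server` namespace and service account are assumptions.

```hcl
# Added example for this page, not the vendor's template. Subnet comes from the
# network stage; names and the node SKU are assumptions. azurerm provider 3.x.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "app_subnet_id"       { type = string }
variable "aks_admin_group_ids" { type = list(string) } # Entra groups with cluster-admin

data "azurerm_client_config" "current" {}

# Private cluster: the API server is reachable only through a private endpoint
# in the VNet. Local accounts are off, so the only way in is an Entra identity
# holding an Azure RBAC role on the cluster.
resource "azurerm_kubernetes_cluster" "aks" {
  name                      = "pji-prod-aks"
  resource_group_name       = var.resource_group_name
  location                  = var.location
  dns_prefix                = "pji-prod"
  private_cluster_enabled   = true
  local_account_disabled    = true
  oidc_issuer_enabled       = true
  workload_identity_enabled = true

  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = var.aks_admin_group_ids
  }

  default_node_pool {
    name           = "system"
    vm_size        = "Standard_D8s_v3"
    node_count     = 3
    zones          = ["1", "2", "3"] # multi-zone, as the HA section requires
    vnet_subnet_id = var.app_subnet_id
  }

  identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin = "azure"
    network_policy = "azure" # NetworkPolicy enforcement between pods
  }

  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
}

# Vault in RBAC mode (no access policies), purge protection on, and closed to
# the public network: it is reached through a private endpoint.
resource "azurerm_key_vault" "kv" {
  name                          = "pji-prod-kv"
  resource_group_name           = var.resource_group_name
  location                      = var.location
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "premium"
  enable_rbac_authorization     = true
  purge_protection_enabled      = true
  soft_delete_retention_days    = 90
  public_network_access_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# Per-workload identity for the API server pods. The federated credential
# trusts the cluster's OIDC issuer for exactly one service account, so no
# client secret exists anywhere and no other pod can borrow the identity.
resource "azurerm_user_assigned_identity" "api" {
  name                = "pji-prod-api"
  resource_group_name = var.resource_group_name
  location            = var.location
}

resource "azurerm_federated_identity_credential" "api" {
  name                = "aks-api-server"
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.api.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
  subject             = "system:serviceaccount:patient-journey:api-server"
}

# Read-only on secrets, scoped to this one vault; nothing on keys or certs.
resource "azurerm_role_assignment" "api_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.api.principal_id
}
```

On the Kubernetes side the `api-server` service account needs the `azure.workload.identity/client-id` annotation set to the identity's client id, and the pod the `azure.workload.identity/use: "true"` label; without both, the token exchange never happens and the pod has no Azure credential at all, which is the safe failure. If the application subnet lives in a different resource group from the cluster, grant the cluster identity Network Contributor on that subnet (a user-assigned cluster identity lets you do this before the cluster exists).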
Compliance
- Azure Policy enforcement
- Microsoft Purview Compliance Manager for HIPAA/HITRUST assessments
- Microsoft Purview (formerly Azure Purview) for data governance
- Regular security assessments
Monitoring
Metrics
- AKS cluster health
- PostgreSQL performance
- Application response times
- Ingestion throughput
Alerting
- Service degradation
- Resource exhaustion
- Security events
- Failed backups
Logging
- Centralized to Log Analytics
- 90-day retention in the workspace (archive audit and security logs to Storage where your retention policy requires longer)
- Query with Kusto (KQL)
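An added Terraform example (not one of the vendor's templates) of the logging and alerting items: a Log Analytics workspace with the 90-day retention, a diagnostic setting that ships Key Vault audit events into it, and a scheduled KQL alert that fires when the vault refuses a caller repeatedly, which is the "security events" alert most worth having in a deployment where all secrets live in Key Vault. It takes the resource group, region, vault id and an action group id as variables; the names and the threshold of five refusals in 15 minutes are assumptions.

```hcl
# Added example for this page, not the vendor's template. Takes the vault id
# and an action group id as inputs; names and thresholds are assumptions.
provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "key_vault_id"        { type = string }
variable "action_group_id"     { type = string } # who gets paged

# Workspace with the 90-day retention the page specifies.
resource "azurerm_log_analytics_workspace" "ops" {
  name                = "pji-prod-law"
  resource_group_name = var.resource_group_name
  location            = var.location
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Route Key Vault audit events to the workspace. Without this setting, failed
# or forbidden secret reads are never recorded anywhere you can query.
resource "azurerm_monitor_diagnostic_setting" "kv_audit" {
  name                       = "kv-audit-to-law"
  target_resource_id         = var.key_vault_id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ops.id

  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }
}

# Security event alert: a caller refused by the vault more than a handful of
# times in 15 minutes is either misconfigured or probing for access.
resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_refused" {
  name                 = "kv-refused-access"
  resource_group_name  = var.resource_group_name
  location             = var.location
  scopes               = [azurerm_log_analytics_workspace.ops.id]
  severity             = 1
  evaluation_frequency = "PT5M"
  window_duration      = "PT15M"

  criteria {
    # Rows only exist for callers over the threshold, so any row fires.
    query = <<-KQL
      AzureDiagnostics
      | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
      | where ResultType != "Success"
      | summarize Refusals = count() by CallerIPAddress, OperationName, ResultType
      | where Refusals > 5
    KQL
    time_aggregation_method = "Count"
    operator                = "GreaterThan"
    threshold               = 0
  }

  action {
    action_groups = [var.action_group_id]
  }
}
```

The query reads the AzureDiagnostics table because that is where Key Vault logs land by default; if the diagnostic setting is switched to resource-specific mode, point it at the AZKVAuditLogs table instead. A correctly wired deployment produces zero rows for this query in steady state, so every alert is worth a look rather than something to tune down.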
Cost Optimization
- Azure Reserved Instances (1 or 3-year terms)
- Blob Storage lifecycle management
- AKS auto-scaling
- Azure Hybrid Benefit (if applicable)
- Spot instances for batch workloads
Azure Integration Features
Azure AD Integration
Single sign-on for users via Microsoft Entra ID (formerly Azure Active Directory).
Azure Data Factory
Optional integration for complex ETL workflows.
Azure Synapse Analytics
Connect OMOP CDM for advanced analytics.
Power BI
Direct integration for reporting and dashboards.
Next Steps
- Schedule architecture review with John Snow Labs
- Prepare Azure subscription and networking
- Define deployment timeline
- Optional: Pilot deployment