This article is intended for Information Technology Staff (network admin and desktop support) to provide guidance in preparation for a Mend Telemedicine Go-Live. Not taking the listed actions may impede performance on some devices and/or networks.
Contents:
- Introduction
- Network Preparation (ISP, WiFi, VPN)
- Email Filtering
- Endpoint Preparation (hardware and software)
- Testing Strategy
Introduction
The implementation of video telemedicine can be challenging. Many information systems and networks used in healthcare settings were not designed to support streaming video. Security controls may be in place to block access to streaming media or peer-to-peer traffic. This guide is designed to help IT staff who support providers that are implementing Mend video telemedicine.
Many healthcare organizations have change-management procedures that require a compliance or information security review prior to making changes on networks or endpoints. We recommend bringing infosec or compliance into the implementation process as early as possible. Mend’s compliance team is available to assist in communicating the changes with the compliance or infosec team.
Network Preparation
Video telemedicine requires a high-speed Internet connection. A video session can consume a constant 1.1 Mbps of upload bandwidth and 1.1 Mbps of download bandwidth per video participant. Slower connections of around 300 Kbps can work, but are not optimal. If multiple providers are using video simultaneously in one location, ensure that the network has enough bandwidth for one video upload stream per active provider and one download stream per active patient (there may be multiple patients in each video session).
Internet Service Provider
Using a computer that is hard-wired to your LAN, check the speed of your Internet service provider. Make sure that you have the upload and download bandwidth required to support the number of providers and patients who will be using video simultaneously, in addition to the usual traffic (VoIP, EHR, etc.).
Firewall
It is critical that the following allow-list entries are in place for Mend to function properly. If one of these items cannot be completed, please contact implementations@mend.com, stating your organization's name and the reason it cannot be done.
Whitelist:
Ports:
TCP Port 443 - The standard port used for TLS-encrypted web traffic (HTTPS requests). It's also used for encrypted video traffic.
UDP Port 3478 - Used to reach a specific component of the video infrastructure known as a STUN server (more information: https://en.wikipedia.org/wiki/STUN).
UDP Ports 1025-65535 - When possible, the WebRTC video protocol streams media packets on a high-numbered UDP port (UDP ports 1025 - 65535). UDP is better than TCP for streaming media. The streams are always encrypted with TLS, even when using ports other than 443.
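A practical way to confirm that the UDP 3478 rule above actually lets traffic through is to send a single STUN Binding Request from a provider workstation and check that a reply comes back. The following is an added example (not Mend's or Vonage's code) that builds the request, parses the XOR-MAPPED-ADDRESS from the reply, and includes a constructed sample reply so the parser can be exercised offline; the STUN hostname you pass to check_stun() is an assumption you substitute with the server your vendor documents.

```python
import os
import socket
import struct

STUN_MAGIC = 0x2112A442  # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """Return (message, txid) for a STUN Binding Request with no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid, txid

def parse_binding_response(data, txid):
    """Return (ip, port) from the IPv4 XOR-MAPPED-ADDRESS of a Binding Success."""
    if len(data) < 20:
        raise ValueError("STUN message shorter than the 20-byte header")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC or data[8:20] != txid:
        raise ValueError("not a reply to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError("STUN type 0x%04x is not Binding Success" % mtype)
    pos, end = 20, 20 + mlen
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute in response")

def make_sample_response(txid, ip, port):
    """Constructed Binding Success for offline testing; not a real server reply."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC
    value = b"\x00\x01" + struct.pack("!HI", port ^ (STUN_MAGIC >> 16), xaddr)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr

def check_stun(host, port=3478, timeout=3.0):
    """Send one Binding Request over UDP; a reply proves UDP/3478 egress works."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # a timeout here usually means the port is blocked
        sock.sendto(req, (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)
```

Run check_stun("<stun-host>") from the workstation under test: a socket timeout points at the firewall rule, while a parsed (ip, port) confirms the path is open and shows the public address the video service will see.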
Domains:
https://*.salesforceliveagent.com
Mend uses Vonage/Tokbox, a service provider that delivers WebRTC services worldwide.
Vonage maintains a list of IP address blocks associated with its platform components and limits exposure of its network to trusted endpoints only. Vonage also has a process in place to update the IP address blocks without disrupting service. The list covers the following components:
Media servers — In routed sessions, clients send audio and video to our media server for intelligent and efficient routing.
TURN servers — In relayed sessions, if strict network conditions prevent direct connectivity between clients, clients use these servers to relay audio and video.
API server — Clients connect to this server for session initialization and signaling.
Logging servers — Our logging server collects anonymized data about quality and possible errors.
Vonage domains:
https://*.tokbox.com
https://*.opentok.com
If your platform restricts inbound traffic by IP address range (typically via firewalls), add the IP address ranges Vonage publishes to your allow lists. Vonage's traffic may come from any IP address within the listed subnets.
SIP
Port: UDP/TCP on 5060, TLS on 5061
RTP
Port: All**
**If you cannot allow all UDP ports, you can alternatively restrict the port range to 10000:50000
WebSocket
Port: All**
**If you cannot allow all UDP ports, you can alternatively restrict the port range to 10000:50000
WiFi
If your providers will be conducting telemedicine via WiFi, test the available bandwidth from your WiFi network. Since WiFi bandwidth can vary widely based on signal strength, test bandwidth in any location around the office where providers will be working.
If your wireless access points support 5GHz and 2.4GHz on a single SSID, providers’ devices may automatically “downgrade” a 5GHz connection to 2.4GHz, causing unpredictable issues with video and audio quality (especially for mobile devices). It’s best to create a dedicated 5GHz-only network and ensure that devices used for video telemedicine have a strong connection to the 5GHz network.
If you experience problems with video quality on WiFi, plug into the LAN and test video, to isolate whether the problem is caused by the WiFi connection, or upstream in the network. Mend support is available to serve as “test patients” when troubleshooting network issues.
Some WiFi networks have additional security controls that may need to be fine-tuned in order to allow streaming video and audio for telemedicine. For example, Cisco Meraki WAPs have a setting to block peer-to-peer traffic. This block will need to be disabled to allow Mend’s streaming video and audio.
Providers Working Remotely
One benefit of telemedicine is that providers can work from remote locations. Unfortunately, remote work also brings IT challenges, because you have minimal control over the network the provider is connecting through. The following steps can minimize issues caused by remote work:
- It is preferred for the provider to connect using equipment issued and controlled by the practice. This recommendation ensures that the equipment is secure and meets the minimum requirements for Mend.
- Check the configurations of VPN clients and firewalls on the workstations to ensure that they will permit telemedicine.
- Best practice is to route only internal traffic over the VPN (such as EHR access), and route other traffic (including Mend) over the Internet. Mend’s video stream is encrypted and does not need to be routed over a VPN. VPNs typically do not have the bandwidth or latency to support real-time streaming video.
- Have each provider run an Internet speed test from their remote work location prior to seeing patients, to ensure that they have enough bandwidth for telemedicine.
- Have each provider conduct a test video session prior to seeing patients.
- If the provider is having problems, Mend support is available to help them, via the “Need Help?” link in the Mend portal.
Email Filtering and URL Defense
Use of hyperlink defense has been growing rapidly throughout the healthcare industry. URL defense products, such as Proofpoint, rewrite and scan any clicked hyperlink to verify whether the URL could be malicious. If a URL is blacklisted, the connection may not be made.
Take the following steps to modify your URL defense / Proofpoint settings so that Mend's appointment notifications and other links function as intended:
- Log in to the Proofpoint dashboard with your admin credentials.
- Under Security Settings, click the Malicious Content tab.
- Under Malicious Content, click the URL Defense tab.
- Navigate to the “Exclude URLs that contain specified domains/IP addresses” field.
- Enter the following domains, separated by line, comma or semicolon: https://portal.mendfamily.com; https://api.mendfamily.com; https://portal-stage.mendvip.com; https://api-stage.mendvip.com
Endpoint Preparation
Providers may connect with computers or mobile devices, but we have found that computers tend to support more reliable, high-quality video connections. This is especially true for group video (more than two parties in a video call).
Computers
Hardware Specs
Two-way video streaming requires more processing power than typical business applications. We recommend:
- Processor: Intel Core i5 or i7 (or equivalent)
- RAM: 8GB (minimum)
- 13” screen (minimum)
- 780p or better front facing camera
Use the Task Manager (Windows) or Activity Monitor (Mac) to verify that CPU and memory usage are below 50% during a video visit.
Many providers want to have their EHR software open during a visit, so providing an external monitor may be helpful if their laptop has a small screen.
We also recommend providing a headset with a good microphone, to minimize background noise and distractions.
Software Specs
Mend requires:
- Windows 7, 8.1, or 10
- Mac OS X
- Latest version of Google Chrome
Endpoint Protection
Test Mend from a typical provider workstation to ensure that your endpoint protection system (anti-malware, antivirus, etc.) is configured to allow video telemedicine.
Mobile Devices (tablets, phones, etc.)
Providers can connect from mobile devices, but this workflow is not officially supported by Mend, and you should be aware of the limitations:
- Many features and functions are not available for providers when accessing the portal on a mobile device.
- From a compliance and security perspective, you may not have as much control over the security of a personally owned device (BYOD).
- Many mobile devices have limited processing power, which may be reflected in limitations on video quality, especially with more than two or three participants in a video session.
- Mobile devices may be more likely to connect to a slower WiFi network or fall back to a cellular connection, resulting in poor streaming quality.
If your strategy is for providers to use mobile devices, consider providing a tablet that is known to support streaming video and 5GHz WiFi.
Testing Strategy
Thorough testing prior to go-live is essential to avoid provider and patient frustration. Conduct a test video session on the device that each provider will be using, in each location that they will be using it.
If a test reveals problems, perform the following checks:
- Run a basic speed test at https://www.speedtest.net/ and ensure that upload bandwidth, download bandwidth, and latency are sufficient (requirements are described in the Network Preparation section).
- Run a WebRTC-specific test at https://test.webrtc.org/ using Chrome or Firefox. You should get a green checkmark for every test, with the following exceptions:
  - It’s okay if some camera resolutions are not supported
  - It’s okay if IPv6 is not supported
  - It’s okay if “Reflexive connectivity” is not available
Record the results from these tests, along with the specifications of the test device, its operating system, and browser version. This information will help Mend support troubleshoot issues more quickly.