Securing a FHIR server

My company is building a clinician-facing SMART on FHIR application which is launched from an EMR context. We’ve been using SMART’s dev sandbox (https://github.com/smart-on-fhir/smart-dev-sandbox) for our internal testing (no real patient data), but it doesn’t seem to have any real authentication or access restriction abilities built into it. We’d like to use something that we can safely expose to the internet so our sales people, account managers, etc. can demonstrate our product away from the company network.

We’ve recently tried out Azure’s FHIR service, but it doesn’t support r2 and doesn’t include things like a patient browser. We also use the sandboxes provided by the EMR vendors, but we need something within our company’s control for this.

We’re hoping to avoid the expense of adding a custom application layer for authentication.

Are there any recommendations for either securing the SMART dev sandbox or using another tool?

Have you looked at HAPI?