Securing a FHIR server

My company is building a clinician-facing SMART on FHIR application which is launched from an EMR context. We’ve been using SMART’s dev sandbox for our internal testing (no real patient data), but it doesn’t seem to have any real authentication or access restriction abilities built into it. We’d like to use something that we can safely expose to the internet so our salespeople, account managers, etc. can demonstrate our product away from the company network.

We’ve recently tried out Azure’s FHIR service, but it doesn’t support r2 and doesn’t include things like a patient browser. We also use the sandboxes provided by the EMR vendors, but we need something within our company’s control for this.

We’re hoping to avoid the expense of adding a custom application layer for authentication.

Are there any recommendations for either securing the SMART dev sandbox or using another tool?

Have you looked at HAPI?

Hi @boyd,

The Michigan Health Information Network (MiHIN) is 3 weeks away from publicly launching Interoperability Land™, which is a platform designed and hosted in the AWS cloud for organizational testing, development, integration and acceptance using FHIR. You may choose which version of FHIR to use as well. Each organization has access to only their own instance, and synthetic data is included.

Happy to show you the platform, or you can find out more here: