Chapter 6: Technical Anatomy of Smart Assist Communication Design
6.1 Actual Communication Sequence Diagram
The following diagram shows the communication sequence in chronological order, from when the Smart Assist PC sends unconfirmed images to the AWS cloud until it retrieves the classification results.
Each step is explained in detail in the following sections.
6.2 DNS Resolution Flow
Details of Steps 1 and 2
The first thing the Smart Assist PC does is a DNS query to resolve the destination FQDN to an IP address.
Considerations for Hospital Environments
| Checkpoint | Details |
|---|---|
| DNS Server Address | What DNS server is configured on the Smart Assist PC? |
| External Name Resolution Capability | Can the hospital's internal DNS resolve FQDNs on the internet? |
| Firewall DNS Permission | Is DNS 53/udp traffic allowed through the firewall? |
| DNS Cache | Are stale IP addresses cached? |
AWS Environment-Specific Considerations
With AWS services, the IP address for the same FQDN can change dynamically. Therefore, it is recommended to configure firewall allow rules based on FQDNs rather than IP addresses (discussed in detail in Chapter 7).
Most people do not realize how often AWS IP addresses change. In fact, ALB IP addresses can change within a matter of hours. When load increases, new IPs are added through scale-out; when load decreases, IPs are removed.
That is why "just look up the current IP address and set it in the FW" is absolutely the wrong approach. By the next morning, the IP may have changed and communication will stop.
Always configure FW allow rules using FQDNs. For firewalls that do not support FQDN-based rules, workarounds are discussed in Chapter 7.
6.3 TLS Handshake
TLS Certificate (Let's Encrypt Logo Example)
Details of Steps 3 and 4
After the TCP connection is established, the TLS handshake takes place.
Impact of SSL Inspection
If the hospital's proxy or firewall performs SSL inspection, the behavior of the TLS handshake changes.
In this case, the certificate received by the Smart Assist PC is not from AWS but rather a certificate issued by the proxy. This can be the cause of certificate errors (discussed in detail in Chapter 10).
Whether SSL inspection is in place can actually be determined instantly by looking at the certificate's issuer.
Check the issuer: line in the output of curl -v https://smartassist.example.com. Under normal conditions, you will see a public CA name like issuer: C=US, O=Amazon, CN=Amazon RSA 2048 M01.
If instead you see something like issuer: CN=Hospital-Proxy-CA or issuer: CN=FortiGate-CA, that is proof that SSL inspection is in place. Performing this check during the pre-deployment interview can prevent future trouble.
6.4 Image Data Transmission Flow
Details of Steps 5 and 6
After the TLS handshake is complete, image data is transmitted as an HTTPS request over the encrypted channel.
HTTPS Request (Illustration):
POST /api/v1/images HTTP/1.1
Host: smartassist.example.com
Content-Type: multipart/form-data
Authorization: Bearer <authentication token>
[Image binary data]
[Specimen ID]
[Auto-classification result]
[Timestamp]
Communication Characteristics
| Item | Details |
|---|---|
| HTTP Method | POST (data submission) |
| Data Size | Relatively large due to image data (several KB to several MB) |
| Authentication | API token-based authentication |
| Encryption | All data is encrypted via TLS |
Response Content
HTTPS Response (Illustration):
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "accepted",
"request_id": "abc-123-def"
}
This response is a confirmation that the data has been accepted; the classification results are not yet returned.
6.5 Classification Result Retrieval Mechanism
Details of Steps 7 and 8
After the remote technician completes the classification, the Smart Assist PC queries the cloud to retrieve the results.
HTTPS Request (Illustration):
GET /api/v1/results?since=2025-01-15T10:00:00Z HTTP/1.1
Host: smartassist.example.com
Authorization: Bearer <authentication token>
HTTPS Response (Illustration):
HTTP/1.1 200 OK
Content-Type: application/json
{
"results": [
{
"request_id": "abc-123-def",
"specimen_id": "SP-20250115-001",
"classifications": [
{ "image_id": "img-001", "category": "RBC", "confidence": 0.95 },
{ "image_id": "img-002", "category": "WBC", "confidence": 0.92 }
],
"classified_by": "technician-A",
"classified_at": "2025-01-15T10:30:00Z"
}
]
}
Polling Mechanism
The Smart Assist PC periodically queries the cloud for results. This is called polling.
6.6 What Does "Outbound Only" Mean?
Definition
"Outbound Only" means that all communication is initiated from within the hospital network to external destinations.
Communication Direction Classification
| Direction | Definition | Applicable to Smart Assist |
|---|---|---|
| Outbound | Communication initiated from hospital to external | All communication falls under this category |
| Inbound | Communication initiated from external to hospital | Not applicable |
| Response | Reply to an Outbound communication | Result retrieval |
A Response Is Not Inbound
From a firewall perspective, the critical point is that a response to an Outbound communication is not "Inbound communication."
Security Implications of Being Outbound Only
| Point | Explanation |
|---|---|
| No Port Listening | There are no ports on the hospital side listening for external connections |
| Minimized Attack Surface | There is no pathway for external parties to actively intrude into the hospital network |
| Simplified FW Rules | Can be configured with outbound allow rules only |
Hospital IT administrators frequently ask "Is Smart Assist bidirectional communication?" In this situation, answering "Yes, it's bidirectional because results come back" is the worst possible response.
The correct answer is: "Communication is always initiated in the Outbound direction from the hospital to the cloud. The return of results is an HTTPS response, which passes through automatically via the firewall's stateful inspection. No Inbound allow rules are required."
Whether you can provide this explanation or not makes a significant difference in gaining the trust of hospital IT administrators. In the case study in Chapter 12 (Section 12.3), we present a real example where giving the wrong answer to this question caused a 3-month stall.
6.7 Why There Is No Direct External Intrusion
Technical Basis
This section organizes the technical grounds for asserting that there is no direct intrusion from the outside (internet) into the hospital network in Smart Assist's communication design.
Basis 1: No Inbound Ports Are Open
Since no firewall rule exists to allow new connections from outside to the hospital network, external connections are physically blocked.
Basis 2: Behind NAT
The hospital PCs are located behind NAT, and there is no way to directly reach private IP addresses from the outside.
Basis 3: No Listening Services
The Smart Assist PC does not run any services that listen for connections from outside (such as web servers or SSH servers). Even if an attacker could pass through the firewall, there would be no process to accept the connection.
Basis 4: Communication Protection via TLS
TLS prevents eavesdropping, tampering, and impersonation on the communication path. Interception of communication via man-in-the-middle (MITM) attacks is also difficult.
Summary: Explanation for Hospital IT Administrators
"There Is No External Intrusion into the Hospital Network"
Technical Basis:
- No FW rules allow Inbound communication
- Behind NAT, making direct access from outside impossible
- No listening services on the hospital PC
- TLS prevents attacks on the communication path
Result retrieval is an HTTPS response to Outbound communication,
not a new Inbound connection from the outside.
6.8 How to Read the Documentation: Network Explanatory Materials
Overview of the Document
"SmartAssist Network Explanatory Materials" is a technical document that illustrates the system architecture and network connection methods for the Smart Assist cloud using diagrams. It is used by hospital IT departments when evaluating firewall settings and connection methods.
Corresponding File:
UHW-PRJ2024040-L-2025-007a_SmartAssist Network Explanatory Materials
Components of the Smart Assist Cloud
The Network Explanatory Materials show the overall picture of the AWS services that comprise the Smart Assist cloud. Field engineers need to understand the role of each service.
| AWS Service | Role | What the Engineer Should Be Able to Explain |
|---|---|---|
| Route 53 | DNS | Resolves the Smart Assist domain name |
| Certificate Manager | TLS Certificate Management | Automatically manages certificates used for HTTPS communication |
| WAF | Web Application Firewall | Filters malicious requests |
| ALB | Application Load Balancer | Distributes traffic across multiple servers (see Chapter 8) |
| Cognito | User Authentication/Authorization | Authenticates operators and controls access |
| Lambda | Serverless Functions | Execution platform for application logic |
| EC2 | Virtual Servers | Servers for maintenance purposes |
| S3 | Object Storage | Stores image data and result files |
| Aurora (PostgreSQL) | Database | Manages user attributes and measurement status |
| SSM / Secrets Manager | Parameter/Secret Management | Secure management of connection and authentication credentials |
Security and Audit Services
The following AWS security services are enabled in the Smart Assist cloud.
| Service | Role |
|---|---|
| CloudWatch | Log monitoring and alarm notification |
| CloudTrail | Recording of all API operations (audit trail) |
| GuardDuty | Threat detection (IDS/IPS functionality) |
| Config | Management of resource configuration change history |
| Security Hub | Centralized security posture management |
| Shield | Protection against DDoS attacks |
| Detective | Security data analysis and visualization |
| Inspector | Automated vulnerability detection |
| IAM Access Analyzer | Access permission anomaly detection |
Three Connection Options
The Network Explanatory Materials present three options for connecting from the hospital to the Smart Assist cloud.
| Option | Method | Hospital-Side Requirements | Characteristics |
|---|---|---|---|
| Option 1 | Direct Outbound Connection | Allow Outbound HTTPS in FW | Simplest approach. Requires FQDN-based allow rules |
| Option 2 | AWS Client VPN | VPN client installation | Encrypted communication via VPN. Requires dedicated application |
| Option 3 | Via Proxy | Use of existing proxy server | Compliant with hospital proxy policies. However, Smart Assist may not support proxy in some cases |
Important: With any option, no static inbound configuration is required. The communication direction is always Outbound from the hospital side to the cloud.
Physical Connection Configuration
The connection configuration between AUTION EYE and PC/LIS is also documented in the materials.
| Connection | Method | Notes |
|---|---|---|
| AI-4510 -> PC | SED_PORT (via USB) | Wired connection |
| PC -> Hospital LIS | HOST_PORT (via LAN) | LIS connection through Smart Assist |
| PC -> Smart Assist Cloud | HTTPS (443) | Outbound from hospital LAN |
In the next chapter, we will learn about the firewall design to enable this communication and how to submit requests to hospital IT administrators.