CLI 3.2.0 Release

  • Josh Ault
  • 2016-07-20

The launch of Stratum 2.1.0 brings a big update to the Stratum CLI. New features like Multi-Factor Authentication (MFA) support, release management, and deployment rollbacks give you more control and enhanced security to keep your data safe. Here’s a quick look at the newest additions to the CLI in version 3.2.0.

NGINX Site Values

A commonly requested feature has now made it into the Stratum CLI: customizable NGINX configs. In 3.2.0, the sites create command allows you to specify NGINX timeouts...

Read more

Minimize Production Down-Time due to Failed Application Deployment

  • Nate Radtke
  • 2016-07-20
  • Co-author - Raj Sundaramurthy

Stratum 2.1 now supports rolling back to a stable prior version of your application

The most recent set of Stratum updates includes a powerful feature we are thrilled to make broadly available to all customers. Compliant rollback capabilities are now accessible to developers who might need to roll back to a previously stable version of their application. We are delighted to offer this advancement in automation while still maintaining the compliance automation you’ve come to rely upon with Stratum...

Read more

Stratum 2.1.0 Release Notes

  • Rajashekar Sundaramurthy
  • 2016-07-17

Catalyze is pleased to announce the General Availability of Version 2.1.0 of Stratum, the industry leading HIPAA Compliant Platform As A Service. This release will be available to all Stratum customers on July 17th, 2016.

This release contains major updates focused on enhanced security, improved ability to manage application deployment failures and enable organizations to utilize Stratum effectively across multiple deployment models and varying configuration management tools/processes.


Read more

Hardening SSH

  • Brandon Maxwell
  • 2016-04-18

A critical step of securing any infrastructure includes verifying your configurations for any unnecessary or insecure defaults. One of my recent tasks after joining the team was to review configurations for any modifications to improve security, one of those being the SSH configuration. I’ve included some of my thoughts and areas you may want to focus on when reviewing your own SSH setup. Remember that securing SSH is only part of the process to achieve defense in depth of your infrastructure...

Read more

Stratum 2.0.4 Release Notes

  • Ryan Rich
  • 2016-03-29

On Thursday March 31st 2016, Catalyze will be releasing our latest updates to Stratum. We’ve made some excellent improvements this time around, and we’re excited to share them with you.

The following bugs have been fixed in 2.0.4:

  • Stratum was missing the ability to resend an activation email, we’ve since fixed that.
  • UTC time was being improperly converted to local time. All times are now displaying correctly.
  • Database backups were intermittently failing with larger sizes. Now any size database...

Read more

Stratum Lifetime Metrics

  • Kyle Grieger
  • 2016-03-21
  • Co-Authors - Thomas Malcolm

Docker Container Metrics. So Easy an Intern Can Do it?

Our recently released product, Stratum, is built on top of Docker. Each job is essentially a Docker container that is performing a task of sorts. As an infrastructure company, it is essential to monitor these containers in order to determine if a user’s environment is stable or possibly experiencing complications. It is also important for users to have access to their environment’s performance metrics in order for them to get the most out...

Read more

Patching Recently Exposed Git Vulnerabilities

  • Brandon Maxwell
  • 2016-03-18


Two vulnerabilities (CVE-2016-2315 and CVE-2016-2324), which feature a heap corruption and buffer overflow, were announced this week, affecting all Git client/server versions before version 2.7.4. Both vulnerabilities have the potential to allow a remote authenticated attacker to perform remote code execution or Denial of Service (DoS) by pushing or cloning a repository with a large filename or large number of nested trees.

Technical Details

The vulnerabilities, identified by Laël Cellier...

Read more

Designing Stratum

  • Ryan Rich
  • 2016-03-14

Introduction to Stratum

On February 25th 2016 Catalyze officially launched Stratum, our Platform as a Service offering, completely rebuilt from the ground up (more on that here). We’ve spent the last 8 months redesigning the dashboard user interface, rebuilding the CLI, and drastically improving our backend performance. This post is dedicated to outlining the changes made to the dashboard, why we made those changes, and illustrating the process we used along the way.

Stratum Product

Major Changes


Read more

Stratum 2.0.0 Launch - Release Notes

  • Ryan Rich
  • 2016-02-23
  • Co-Authors - Josh Ault

Announcing Stratum (2.0.0)

Starting Thursday evening, February 25th 2016 shortly after 10pm, the Catalyze Platform as a Service (PaaS) will be recognized as Stratum, the compliance layer powering healthcare’s transformation.

We’ve made some drastic improvements to the CLI, Dashboard, and performance of Stratum. A large focus for us was abstracting certain patterns away from the dashboard in favor of the CLI. Below is a list of all changes coming in version 2.0.0.


  • A completely revamped...

Read more

How We Onboard Engineers At Catalyze

  • Nathan Sweet
  • 2016-02-23

I’ve been working at Catalyze for a little over a month now, and in that time I cannot believe how much I have learned. I must give credit to how we onboard engineers, because it is quite ingenious.

We onboard engineers by having them answer support tickets from our customers. When I first interviewed with Catalyze, and onboarding was explained to me, I didn’t have any objections. However, I doubted that it would be better than simply digging through source code and sitting one-on-one with my...

Read more

Deploying Linux Virtual Machines With Encrypted Volumes In Azure Using ARM Templates

  • Heath Skarlupka
  • 2015-11-25

Vince and I were at the Microsoft ARM Templating Hackathon last week to begin the process of integrating the Catalyze Platform as a Service into the Microsoft Azure Marketplace. An Azure Resource Manager (ARM) template is a JSON file that provides the schematic for a set of resources that get built in the Azure Cloud. These templates provide the building blocks for creating products in the Microsoft Azure Marketplace.

Disk Encryption in Azure

Encrypting data at rest is a key component in the...

Read more

Catalyze PaaS Release Notes

  • Adam Leko
  • 2015-11-25
  • Co-Authors - Mohan Balachandran

Release Notes

At Catalyze, we are continually working to improve our PaaS offering. We are ultimately here to serve our customers, and our customers are a significant source of suggestions that help make our product better. Rather than setting a rigid pre-defined roadmap of functionality that we strictly adhere to, we instead take as much feedback as possible and try to work it into our product release schedules.

Earlier last week we scheduled a maintenance window to address some necessary VPN...

Read more

Bulk historical data processing with Mirth

  • Rick Wattras
  • 2015-11-06

A common workflow for many of our customers involves analyzing large amounts of patient information, which sometimes requires retrieving a trove of backlogged historical data from the EMR. In this post I will go over how we configure Mirth Connect to handle getting all of that data out of the EMR and into our customers’ systems through the HTTPS Sender efficiently, reliably, and quickly.

Mirth Connect

Here at Catalyze we manage HL7 integrations with the open-source interface engine software...

Read more

Local Web Development With NGINX on OSX El Capitan

  • Anthony Pleshek
  • 2015-10-22


I upgraded to El Capitan the other night, and everything was great until I started in on development the next morning. Much to my chagrin, my local Apache setup had somehow gotten mangled during the upgrade. Instead of looking into how to fix my Apache setup, I decided it would be more advantageous for me to switch over to using NGINX. We (Catalyze) have switched over to using NGINX instead of Apache for our web properties, and it just made sense to switch over my local setup to match.

Read more

New Catalyze CLI features - DB Import-Export, Secure Console, Environment Metrics

  • Nate Radtke
  • 2015-09-23
  • Co-Authors - Josh Ault

The Catalyze Platform as a Service (PaaS) continues to evolve as we get feedback from our customers on the kinds of capabilities they’d like to see. Additionally, as we receive and resolve support tickets, we try to extract common workflows and try to automate them as well. The following are three of the features that we are making publicly available. These are all available under the github repo of the CLI. Please do provide us with feedback and please file any issues you might run into there...

Read more

Building a Secure, Multi-Tenant Docker-based Platform as a Service - Part 2 - Implementation

  • Mohan Balachandran
  • 2015-09-18
  • Co-Authors - Adam Leko

Based on all the requirements described earlier, we arrived at the following architecture and design approach.

IaaS Provider Neutrality

We started off on Rackspace but it was always our intention to also provide our services on AWS, Azure, and other cloud providers. We now run on both Rackspace and AWS with support for Azure coming shortly. We also managed to get two full external HIPAA audits done and achieved HITRUST certification.

Given the various requirements imposed by the IaaS provider...

Read more

Moving from Python to Go for our CLI

  • Josh Ault
  • 2015-09-15

We’ve recently noticed the number of support requests we receive from Windows-based users has been on the rise. These requests range anywhere from importing data into a database to redeploying a code service. With our current Python-based CLI these are self-service tasks. We distribute a PyPI version of this package that allows easy installation, but if you’ve ever tried to use Python on Windows (and sometimes Linux or Mac OSX!), you probably know that installing packages with more than a few...

Read more

Building a Secure, Multi-Tenant Docker-based Platform as a Service - Part 1 - Design Considerations

  • Mohan Balachandran
  • 2015-09-04
  • Co-Authors - Adam Leko, Nate Radtke, Vince Kenney

Detailed explanations are just apologies in long form.

- Adam Leko

This article is intended to provide a top down introduction to the design of the Catalyze Platform as a Service (PaaS). It will additionally delve into the design of the components needed to make our vision a reality and what that means for you as a customer. This will include the design choices, trade-offs, and a quick view into the next generation of these components. Or in the more succinct words of the author of...

Read more

HIPAAGRAM - A Single Custom Class

  • Josh Ault
  • 2015-09-01

Published to the App Store

HIPAAGRAM has gone through a huge redesign and we’re really happy with how it turned out. We not only put time and effort into the design and UI, but we graduated HIPAAGRAM from an internal hackathon project to a published application on the iOS App Store. You can download HIPAAGRAM for iPhone and iPad here.

I’m missing the big picture

HIPAAGRAM is completely open sourced, but sometimes an open sourced project can be daunting and a bit challenging to comprehend. We...

Read more

Mirth Connect Apache HTTPClient, Rhino and Multi-part forms

  • Mark Olschesky
  • 2015-03-18

I was setting up our alerter to send email through our mailgun account. I encountered a problem that I needed to handle for the first time using Mirth Connect: sending a multi-part message using Mirth Connect.

While this would be simpler to do with the HTTPS plugin provided by Mirth, it doesn’t seem like you’re given a great programmatic way to do it even with the Mirth utils within the JavaScript Writer. While you can get around needing the HTTPS plugin using methods from, if you...

Read more

VPNs, Security and Healthcare Integration

  • Mark Olschesky
  • 2014-12-22

If you’re used to a world of OAuth handshakes, Pub/Sub and HTTPS for authorization and enabling data transfer, you’ll find yourself somewhat disoriented with healthcare data integration. While outdated, it has worked up to this point and helped healthcare organizations keep the “bad guys” out while letting the business associates in. We’ll talk about what’s common and how we help our customers set up secure, redundant integration with clients.

Let’s talk about networking


The OSI 7 Layer Model...

Read more

Configuration Management (Part 2) - Commanding your minions with Salt

  • Mike Ortiz
  • 2014-11-03

So you’re a DevOps engineer or, should I say, master of all things infrastructure related in your kingdom. You have many minions at your beck and call. Some may bring your mail, others may serve as the interface to your kingdom from the outside world. Still others might store the data for your secret proven cheese recipe.

With all of those minions running around, it can be like herding cats. Some running from village to village doing as they please, and others needing a lot of hand-holding just...

Read more

Configuration Management (Part 1) - Catalyze Docker PaaS

  • Mike Ortiz
  • 2014-09-22

The need for configuration and system management is well known. Since shortly after the dawn of time, when the first caveman got his second mainframe, managing configuration across multiple hosts has been a daunting task.

In the era of cloud computing, with ever more complex applications and infrastructure, this task is considerably more involved than it was for our caveman ancestor. Many hosts need to be provisioned with all of their associated configurations. Those hosts then need to be managed...

Read more

Advanced Querying for Custom Classes

  • Alex Foran
  • 2014-09-16

We mentioned new querying abilities for custom classes in the 8/28/14 Release Notes, but it’s a topic that deserves expansion and examples. The ability to perform custom, multiple-field queries on your entries is immensely powerful.

The docs for this are in our resources, but an example might be a better explanation.

An Example

Let’s consider an application that tracks how long people run for and the distance they ran. The fields for that custom class (which I’ll call run_log) are:

  • duration

Read more

How to design a HIPAA Compliant Healthcare API, Part 3

  • Travis Good, MD
  • 2014-07-11

This is the third post in our series on building a HIPAA compliant healthcare API. The first and second post focused on technology, design of the API and data models respectively. This post delves into HIPAA compliance more broadly than technology, and highlights some of the key areas where Catalyze is different from other infrastructure and HIPAA compliant API vendors.

HIPAA is about a lot more than technology. There are organizational and administrative requirements that are a part of HIPAA...

Read more

How to design a HIPAA compliant healthcare API, part 2

  • Mark Olschesky
  • 2014-07-09

In part 1 we discussed why we structured our backend as it’s built. Now in part two we’ll discuss how to get started with building out your apps.

Step 1: Develop your application’s data models

Now that you know a bit more about the data structures that comprise standard Catalyze data models, decide which models you will need to use. Not sure where to start? Let me ask you some questions to help you hone in on what you need.

Who are your users?

While Catalyze only has one “User” model, it should...

Read more

Mobile Backend as a Service Stack

  • Ben Uphoff, PhD
  • 2014-06-30

Welcome to our engineering blog. We intend for this section to cover in-depth technical content that is of interest to developers and ops folks. For a first post we are covering our Mobile Backend as a Service’s stack. Future posts will drill down into the specifics of some of the more interesting pieces.


Our REST API is written in Java using the Dropwizard framework. Dropwizard bundles - among other things - strong gradle support, Jersey, Jackson for JSON processing and a bunch of...

Read more

The journey to a Docker based Platform as a Service - Part 1

  • Mohan Balachandran
  • 2014-06-16

The idea came to us around October of last year. What if we could provide a platform such that we ourselves had no access to our customers data? The more we thought about it, the more sense it made. One of the primary business reasons was that such an approach would limit any additional liability that we would incur. This wouldn’t obviate the need for a BAA of course. From an overall security and privacy perspective, such an approach would almost guarantee that the core encryption requirements...

Read more

How to design a HIPAA Compliant Healthcare API - Part 1

  • Mohan Balachandran
  • 2014-06-12

When we set out to build Catalyze, the one thing that kept cropping up as we talked to potential users, a lot of whom were coming from outside healthcare, was a lack of knowledge about all the complexities of healthcare data and standards. I wrote about this a while back trying to summarize all the key standards and code sets that are most relevant for a healthcare developer. What I had also mentioned in that post was that v2 of the Catalyze HIPAA compliant API, what we sometimes refer to as

Read more

Addressing the Heartbleed Vulnerability the Catalyze Way

  • Ben Uphoff, PhD
  • 2014-04-09

On April 7th, OpenSSL informed the industry of a vulnerability known as the ‘Heartbleed bug’ (CVE-2014-0160). This vulnerability can be remotely exploited to leak encrypted information and secrets from any application using OpenSSL, allowing an attacker to potentially steal usernames, passwords, and private keys. This also inherently compromises any private key (including those used for SSL certificates), allowing an attacker to view any information encrypted via that key. As of Wednesday at 02...

Read more

Intro to Secure APIs

  • Travis Good, MD
  • 2013-11-27

Over the weekend I had the privilege of attending a YCombinator conference in San Francisco covering best practices for web security. A number of topics were discussed including securing APIs, incident responses and responsible disclosure, proper backup techniques, how to handle customer secrets, and when to pay for pen testing. Over the next few blog posts I’ll outline these topics in detail. We’ll start off with securing APIs.

One of the most important things to remember about security is that...

Read more

The need for a backend as a service in healthcare

  • Mohan Balachandran
  • 2013-06-25

This is the lead-in to a series of posts explaining why backend as a service is needed for healthcare. Follow us on twitter or subscribe to our mailing list to keep reading. We’ve already published the first in the series, which is linked below. You can follow the corresponding link below to read further.

In this series, we will cover the following topics:

  1. What is backend as a service (BaaS) and what does it mean in a healthcare context?

  2. Data, security and access - needs, wants and regulations

Read more