Secure APIs with Security tags
Security Tags in FHIR APIs with OpenID Connect
[https://build.fhir.org/security.html]
[https://orionhealth.com/nz/white-papers/how-to-maximize-security-by-adding-smarts-to-your-fhir-apis/]
[https://cloud.google.com/healthcare-api/docs/concepts/fhir]
OpenID Connect
- Authorization Code Grant Flow
- JWT Tokens
- Access Token
- ID Token format for security tags claims
- Send both?
Security Tags
- FHIR resources can be tagged with security labels specifying access restrictions and permissions.
- These tags define who can access the resource and what actions they can perform (e.g., read, write, delete).
- OpenID Connect can leverage these tags to enforce access control decisions based on the user's identity and permissions.
- OpenID Connect ensures user authenticity.
- Security tags/labels fine-tune access based on resource sensitivity, enabling precise control over data access and preventing unauthorised users from viewing or modifying sensitive information.
- Where do we define the tags in the Standard?
Patients can have control over who can access their health records by setting appropriate permissions through security tags. E.g.
- A patient accesses a healthcare application through OpenID Connect and authenticates with their provider.
- The application requests access to a specific FHIR resource containing sensitive medical data.
- The resource is tagged with a security label requiring specific permissions for access.
- OpenID Connect retrieves the patient's permissions and verifies if they match the resource's access requirements.
- If authorised, the application retrieves the requested information from the FHIR resource.
Benefits for Different Stakeholders:
- Patients: Increased control over their health data and who can access it.
- Healthcare Providers: Improved data security and compliance with privacy regulations.
- Application Developers: Streamlined access control and enhanced data security for their applications.
Implement logging and monitoring to track access to sensitive resources.
Define custom claims that map to the security tags
Utilize the FHIR Extension mechanism to embed the relevant security tags within existing OpenID Connect claims.
[https://docs.smarthealthit.org]
- patient/*.*: Read and write access to all patient data.
- patient/*.read: Read-only access to patient data.
- encounter/*.*: Read and write access to all encounter data.
- observation/*.read: Read-only access to observation data.
ID Token example:
{
  "sub": "user123",
  "aud": "app456",
  "iss": "https://fhir.example.com",
  "exp": 1670860800,
  "iat": 1670857200,
  "fhirUser": "https://fhir.example.com/Patient/user123",
  "profile": "https://fhir.example.com/Patient/user123",
  "security": {
    "confidentiality": "Low",
    "integrity": "High"
  }
}
Access Token example:
{
  "sub": "user123",
  "aud": "app456",
  "iss": "https://fhir.example.com",
  "exp": 1670860800,
  "iat": 1670857200,
  "scopes": [
    "patient/*.*",
    "encounter/*.read",
    "observation/*.read"
  ],
  "launch": {
    "patient": "patient123",
    "encounter": "encounter456"
  }
}
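As an added example (not code from these notes or from SMART on FHIR), the decision a resource server can make from a decoded token shaped like the ones above: the SMART scopes gate the resource type and action, the launch patient confines access to that patient's compartment, and the token's security.confidentiality claim is read as a clearance that is compared against the resource's meta.security v3 Confidentiality label. Treating that claim as a clearance, the sample token and the observation() builder are assumptions.

```python
import re

# HL7 v3 Confidentiality codes used in FHIR meta.security, least to most sensitive.
CONF_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
CONF_LEVELS = ["unrestricted", "low", "moderate", "normal", "restricted", "very restricted"]
CONF_CODES = dict(zip("ULMNRV", CONF_LEVELS))  # code -> display name

# SMART scope grammar: <context>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Za-z]+)\.(\*|read|write)$")

def scope_allows(scopes, resource_type, action):
    """True if any granted SMART scope covers this resource type and action."""
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if m and m.group(2) in ("*", resource_type) and m.group(3) in ("*", action):
            return True
    return False

def resource_sensitivity(resource):
    """Highest confidentiality rank among the resource's labels; unlabelled counts as normal."""
    ranks = [CONF_LEVELS.index(CONF_CODES[lbl["code"]])
             for lbl in resource.get("meta", {}).get("security", [])
             if lbl.get("system") == CONF_SYSTEM and lbl.get("code") in CONF_CODES]
    return max(ranks, default=CONF_LEVELS.index("normal"))

def authorize(token, resource, action):
    """Decide (allowed, reason) for a decoded token, a FHIR resource and 'read'/'write'."""
    rtype = resource["resourceType"]
    if not scope_allows(token.get("scopes", []), rtype, action):
        return False, "no scope grants %s.%s" % (rtype, action)
    # A launch patient confines access to that patient's compartment.
    launch = token.get("launch", {}).get("patient")
    owner = "Patient/" + resource.get("id", "") if rtype == "Patient" else resource.get("subject", {}).get("reference", "")
    if launch and owner != "Patient/" + launch:
        return False, "resource is outside the launch patient's compartment"
    # Assumed claim semantics: security.confidentiality is the user's clearance; fail closed if absent.
    clearance = token.get("security", {}).get("confidentiality", "").lower()
    if clearance not in CONF_LEVELS:
        return False, "token carries no usable confidentiality clearance"
    if CONF_LEVELS.index(clearance) < resource_sensitivity(resource):
        return False, "resource security label exceeds token clearance"
    return True, "allowed"

# Constructed sample inputs modelled on the tokens above (not real data).
TOKEN = {"scopes": ["patient/*.read"], "launch": {"patient": "patient123"},
         "security": {"confidentiality": "Low"}}

def observation(conf_code, patient="patient123"):
    """Build a constructed Observation labelled with one v3 Confidentiality code."""
    return {"resourceType": "Observation", "subject": {"reference": "Patient/" + patient},
            "meta": {"security": [{"system": CONF_SYSTEM, "code": conf_code}]}}
```

With this token, a low-confidentiality Observation for patient123 is readable, a write is refused by scope, a restricted-labelled Observation is refused by clearance, and another patient's Observation is refused by compartment.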