The Canadian Clinical Drug Data Set April 2025 release is now available for access and implementation on the Terminology Server and Terminology Gateway. Learn More >

Important Update: We are pleased to announce significant enhancements to our FHIR Terminology Server, offering more seamless and standards-based access to terminology content for healthcare data exchange. Discover the new features and upcoming changes to our Terminology Gateway. Learn More >

Share this page:

Share
Share
Print Email
  1. Forum
  3. Working Groups
  5. FHIR® Implementations
  7. Recent FHIR Security and Privacy Webinar

file Recent FHIR Security and Privacy Webinar

  • Posts: 169
4 years 8 months ago #6170 by Joel Francis
Recent FHIR Security and Privacy Webinar was created by Joel Francis
Hi All,

I wanted to share my leanings from the recent HL7 FHIR Security and Privacy Webinar.

Speak John Moehrke
Architect: Healthcare Informatics Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
IHE Co-Chair IT Infrastructure Planning & Technical Committee
HL7 Co-Chair Security WG, FHIR FMG, FHIR facilitator, and
FHIR Foundation founding member
HITRUST Certified CSF Practitioner

What topics were covered?

• Working understanding of privacy and security mechanics
• Introductory knowledge and use of FHIR security mechanics
• A clear understanding of the FHIR consent, provenance and AuditEvent resource


A few things stood out for me:

Provenance resource not intended to be used by Security, Operations or Auditors but by the people who view and use the data. The AuditEvent is what is used to monitor and capture all events (not just data creation)

The Consent resource can not only capture positive consent but also dissent (negative)
1. Consent resource just points at scanned paper
2. Consent resource points at Questionnaire Response
3. Consent with encoded context
4. Consent with depth .provisions (PERMIT vs DENY)
5. Consent using external rules encoding (XACML)

What technologies and frameworks are used for authentication and authorization

Authentication:
Mutual-Authenticated-TLS
API Key
SAML SSO Profile
OAuth 2.0
Cascading OAuth
Open-ID Connect
User Managed Access (UMA)

Authorization:
SMART-on-FHIR
SMART for Bulk Data Access
IHE Internet User Authorization (IUA)
SAML encapsulated
HEART (a healthcare variant of UMA)

What is the general stack and FHIR Resources that are used?

Is transport secure? https
Who is the user? OpenID Connect
What App/Device? OAuth client_id & scopes
What may the user/role do? Access Control rules
What the Patient authorized? Consent Resource
Where does this data come? Provenance Resource
What just happened? AuditEvent


I just wanted to share and encourage you all to attend the webinar if it is hosted again to get a broader understanding of how security mechanics work in FHIR

Thanks,

Joel Francis

Please Log in or Create an account to join the conversation.

  1. Forum
  3. Working Groups
  5. FHIR® Implementations
  7. Recent FHIR Security and Privacy Webinar

InfoCentral logo

Improving the quality of patient care through the effective sharing of clinical information among health care organizations, clinicians and their patients.

Contact Us