This page is part of the FHIR Specification (v0.4.0: DSTU 2 Draft). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions

2.14.4.2 General Security Considerations

Some of the SDC transactions make use of patient-specific information. Even those that merely retrieve empty forms could be abused by malicious actors to corrupt the form - resulting in the potential subsequent exposure of patient data. For this reason, all SDC transactions must be appropriately secured with access limited to authorized individuals, data protected while in transit and appropriate audit measure taken.

Implementers should be aware of the security considerations associated with FHIR transactions, particularly those related to:

• Communications
• Authentication
• Authorization/Access Control
• Audit Logging
• Digital Signatures

For the purposes of SDC, security conformance rules are as follows:

• Systems SHALL use TLS version 1.0 or higher with bi-directional certificate validation for all transmissions not taking place over a secure network connection.
  (Using TLS even within a secured network environment is still encouraged to provide defense in depth.)
• Systems SHALL use OAuth or an equivalent mechanism to provide necessary authentication (user or system-level)
• Systems SHALL use either IHE's ATNA standard for audit logging or an equivalent using the SecurityEvent resource
• Where workflow requires digital signatures on forms or on answer submissions, implementers SHALL make use of the Provenance resource to record such signatures.

2.14.4.2 Consent

The SDC workflow envisions the sharing of patient-identifiable healthcare information from SDC Form Filler systems to SDC Form Manager. It also envisions transmitting completed forms from SDC Form Filler to SDC Form Receiver systems. Where such exchanges take place across organizational or other custodial boundaries, patient consent may be required. Furthermore, use of C-CDA data for completing questionnaires for purposes unrelated to the initial population of the C-CDA may also require patient consent. It is the responsibility of the client systems to ensure that any necessary consent records exist and are reviewed prior to each exchange of patient-identifiable healthcare information. This verification should be logged in the same manner as other transactions, as discussed above under General Security Considerations.