This page is part of the FHIR Specification (v1.0.0: DSTU 2 Ballot 3). The current version which supersedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions.
D.28 General Security Considerations
DAF transactions often make use of patient-specific information which could be exploited by malicious actors resulting in exposure of patient data. For this reason, all DAF transactions must be secured appropriately with access to limited authorized individuals, data protected in transit, and appropriate audit measures taken.
Implementers should be aware of the security considerations associated with FHIR transactions, particularly those related to:
For the purposes of DAF, security conformance rules are as follows:
- Systems SHALL establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements. In addition, US Federal systems SHOULD conform with the risk management and mitigation requirements defined in NIST 800 series documents. This SHOULD include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls – policies, administrative practices, and technical controls – SHALL be defined in the Business Associate Agreements.
- Systems SHALL reference a single time source to establish a common time base for security auditing, as well as clinical data records, among computing systems. The selected time service SHALL be documented in the Business Associate Agreements.
- Systems SHALL use either IHE's ATNA standard for audit logging or an equivalent using the AuditEvent resource.
- Systems SHALL use TLS version 1.0 or higher for all transmissions not taking place over a secure network connection. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.) US Federal systems SHOULD conform with FIPS PUB 140-2.
- Systems MAY protect the confidentiality of data at rest via encryption and associated access controls. The policies and methods used are outside the scope of this specification.
- Systems SHALL use OAuth or an equivalent mechanism to provide necessary authentication (user or system-level). The existing IHE IUA profile specifies how to use OAuth tokens when accessing RESTful resources. Note: OAuth standards and profiles are still in flux and as such this requirement will be replaced in future with newer releases of IHE IUA or equivalent profiles. Authentication or authorization failures SHALL produce a negative response to the DAF Requestor and SHALL be recorded in the local system's audit logs.
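The two rules above (audit logging with an AuditEvent resource, and OAuth failures that both return a negative response and land in the audit log) are illustrated by the following example. It is added here and is not code from the FHIR specification or from any DAF implementation: the token store, user ids, scopes, the `daf-responder.example` source identifier and the choice of outcome code `8` for authentication failures are all constructed assumptions standing in for a real OAuth authorization server and audit store. The resource shapes follow the DSTU 2 AuditEvent and OperationOutcome structures.

```python
import hmac
from datetime import datetime, timezone

# Constructed stand-in for the OAuth authorization server's view of issued tokens.
# A real responder would validate the token with the authorization server (e.g. via
# token introspection); the user ids and scopes here are made-up sample data.
ISSUED_TOKENS = {
    "tok-clinician-1": {"user_id": "dr.alice", "scopes": {"patient/*.read"}, "active": True},
    "tok-expired-9": {"user_id": "dr.bob", "scopes": {"patient/*.read"}, "active": False},
}

# Stand-in for the local system's audit log, holding AuditEvent resources.
AUDIT_LOG = []


def operation_outcome(issue_code, diagnostics):
    """Negative response in FHIR form: an OperationOutcome carrying one error issue.
    issue_code is a value from the FHIR issue-type value set ('login', 'expired', 'forbidden')."""
    return {
        "resourceType": "OperationOutcome",
        "issue": [{"severity": "error", "code": issue_code, "diagnostics": diagnostics}],
    }


def record_audit_event(user_id, outcome, description, target_ref):
    """Append a DSTU 2-shaped AuditEvent to the local audit log and return it.
    outcome uses the AuditEvent outcome codes: '0' success, '8' serious failure (assumed
    choice for authentication/authorization failures)."""
    event = {
        "resourceType": "AuditEvent",
        "event": {
            "type": {"system": "http://hl7.org/fhir/audit-event-type", "code": "rest"},
            "subtype": [{"system": "http://hl7.org/fhir/restful-interaction", "code": "read"}],
            "action": "R",
            "dateTime": datetime.now(timezone.utc).isoformat(),
            "outcome": outcome,
            "outcomeDesc": description,
        },
        # Unauthenticated attempts are still attributed to a requestor entry so the
        # failure is visible in the log.
        "participant": [{"userId": {"value": user_id or "unauthenticated"}, "requestor": True}],
        "source": {"identifier": {"value": "daf-responder.example"}},  # assumed site identifier
        "object": [{"reference": {"reference": target_ref}}],
    }
    AUDIT_LOG.append(event)
    return event


def lookup_token(presented):
    """Match the presented bearer token against issued tokens in constant time."""
    for token, info in ISSUED_TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return info
    return None


def handle_read(headers, target_ref, required_scope="patient/*.read"):
    """Authorize a DAF read of target_ref. Returns (http_status, body).
    Every authentication or authorization failure produces a negative response
    (OperationOutcome) AND an AuditEvent entry, as the conformance rule requires."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        record_audit_event(None, "8", "no bearer token presented", target_ref)
        return 401, operation_outcome("login", "Authentication required")
    info = lookup_token(token)
    if info is None:
        record_audit_event(None, "8", "unknown bearer token", target_ref)
        return 401, operation_outcome("login", "Invalid token")
    if not info["active"]:
        record_audit_event(info["user_id"], "8", "expired or revoked token", target_ref)
        return 401, operation_outcome("expired", "Token expired")
    if required_scope not in info["scopes"]:
        record_audit_event(info["user_id"], "8", "insufficient scope", target_ref)
        return 403, operation_outcome("forbidden", "Insufficient scope")
    # Success is audited too, so the log is a complete record of access.
    record_audit_event(info["user_id"], "0", "authorized read", target_ref)
    return 200, {"resourceType": "Patient", "id": target_ref.split("/")[-1]}  # constructed sample


if __name__ == "__main__":
    status, body = handle_read({"Authorization": "Bearer tok-expired-9"}, "Patient/123")
    print(status, body["issue"][0]["code"], AUDIT_LOG[-1]["event"]["outcomeDesc"])
```

The diagnostics in the negative response stay generic while the audit record carries the specific reason; the requestor learns only that it must re-authenticate or lacks scope, and the detail needed for investigation lives in the local log.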
- Systems SHALL implement coordinated consent requirements per their state, local, and institutional policies. The Business Associate Agreements SHALL document the systems' mutual consent requirements. DAF actors SHALL ensure that any necessary consent records exist and are reviewed prior to each exchange of patient-identifiable healthcare information. This verification should be logged in the same manner as other transactions, as discussed above under General Security Considerations.