This page is part of the FHIR Specification (v1.8.0: STU 3 Draft). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4 R3
Work Group FHIR Infrastructure Security | Ballot Status: n/a |
The Security and Privacy Module describes how to protect a FHIR server (through access control and authorization), how to document what permissions a user has granted (consent), and how to keep records about what events have been performed (audit logging and provenance). FHIR does not mandate a single technical approach to security and privacy; rather, the specification provides a set of building blocks that can be applied to create secure, private systems.
The Security and Privacy module includes the following materials:
Security in FHIR includes the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies. FHIR includes implementation guidance to ensure that:
Privacy in FHIR includes the set of considerations required to ensure that individual data are treated according to an individual's preferences. FHIR includes implementation guidance to ensure that:
Use case: A FHIR server should ensure that API access is allowed for authorized requests, and denied for unauthorized requests.
Approach: Authorization details can vary according to local policy, and according to the access scenario (e.g. sharing data among institution-internal subsystems vs. sharing data with trusted partners vs. sharing data with third-party user-facing apps). In general, FHIR enables a separation of concerns between the FHIR REST API and standards-based authorization protocols like OAuth. For the use case of user-facing third-party app authorization, we recommend the OAuth-based SMART protocol (ref) as an externally-reviewed authorization mechanism with a real-world deployment base — but we note that community efforts are underway to explore a variety of approaches to authorization. For details, see Security: Binding.
Use case: "A FHIR server should keep a complete, tamper-proof log of all API access and other security- and privacy-relevant events".
Approach: Approach: FHIR provides an AuditEvent resource suitable for use by FHIR clients and servers to record when a security or privacy relevant event has occurred. This form of audit logging records as much detail as reasonable at the time the event happened. For details, see Security: Audit + add reference to ATNA for conseptual background (GG).
In the STU3 release, FHIR includes building blocks and principles for creating secure, privacy-oriented health IT systems; FHIR does not mandate a single technical approach to security and privacy.
In future releases, we are anticipate including: