This page is part of the National Healthcare Directory Attestation (v1.0.0-ballot: STU 1 Ballot 1) based on FHIR R4. For a full list of available versions, see the Directory of published versions
Security
The following are the security considerations that implementers should follow:
- All implementers of FHIR servers and clients should pay attention to FHIR Security considerations.
- In addition to the FHIR Security considerations, the VhDir requests need to contain specific information about National Healthcare Directory client identity and organization information.
- Providing this information using FHIR Search APIs is very cumbersome and is not necessary. This kind of information can be collected by the VhDir Authorization Server during application registration, which avoids repeating the information on each request.
- These mechanisms are outlined in detail in the SMART Backend Services Authorization Guide.
The following are security conformance requirements for VhDir actors:
- National Healthcare Directory actors SHALL use the SMART Backend Services Authorization Guide to collect the necessary requestor information appropriate for making the VhDir data request.
- National Healthcare Directory actors SHALL reference a single time source to establish a common time base for security auditing across the system.
- National Healthcare Directory actors SHALL use the AuditEvent resource to capture audit logs of the various transactions. VhDir actors SHOULD capture as many AuditEvent resource data elements as appropriate based on requirements of FHIR Audit Logging and local policies.
- National Healthcare Directory transactions SHALL use TLS version 1.2 or higher to secure the transmission channel unless the transmission is taking place over a more secure network. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.) US Federal systems implementing VhDir actors SHOULD conform with FIPS PUB 140-2.
- National Healthcare Directory actors SHALL conform to FHIR Communications requirements.
- National Healthcare Directory actors SHOULD retain Provenance information using the FHIR Provenance resource.
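The following is an added worked example, not code from the implementation guide, showing how a VhDir server could meet three of the conformance requirements above in one place: record each directory search as a FHIR R4 AuditEvent whose requesting agent is the SMART Backend Services client identity, stamp it with a zone-qualified time from the shared time source, check the event carries the elements R4 requires, and build a TLS context that refuses anything below TLS 1.2. The client id, IP address, query and server name in `SAMPLE_REQUEST` and `SAMPLE_RECORDED` are constructed placeholders; the code systems and codes are the standard R4 ones for AuditEvent.

```python
"""Added example (not from the VhDir IG): AuditEvent capture for a VhDir
search plus a TLS 1.2+ context. Sample values are constructed."""
import base64
import ssl
from datetime import datetime, timezone

# Constructed sample: a search made by a client that authenticated via
# SMART Backend Services. The client_id is a hypothetical placeholder.
SAMPLE_REQUEST = {
    "client_id": "example-vhdir-client",      # placeholder, not a real client
    "client_ip": "203.0.113.10",              # documentation range (RFC 5737)
    "query": "Practitioner?name=Smith",
    "outcome_http_status": 200,
}
# Constructed timestamp standing in for a reading from the common time source.
SAMPLE_RECORDED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def build_audit_event(req, recorded_at, observer_name="VhDir FHIR server"):
    """Return a FHIR R4 AuditEvent (as a JSON-ready dict) for a RESTful search.

    recorded_at must be timezone-aware so every actor's audit records share
    one time base; a naive datetime is rejected rather than silently logged.
    """
    if recorded_at.tzinfo is None:
        raise ValueError("recorded time must be zone-qualified (shared time source)")
    status = req["outcome_http_status"]
    if 200 <= status < 300:
        outcome = "0"   # Success
    elif 400 <= status < 500:
        outcome = "4"   # Minor failure (e.g. not found, not authorized)
    else:
        outcome = "8"   # Serious failure
    return {
        "resourceType": "AuditEvent",
        "type": {
            "system": "http://terminology.hl7.org/CodeSystem/audit-event-type",
            "code": "rest",
            "display": "RESTful Operation",
        },
        "subtype": [{
            "system": "http://hl7.org/fhir/restful-interaction",
            "code": "search",
            "display": "search",
        }],
        "action": "E",  # Execute: a read-only interaction, no data changed
        "recorded": recorded_at.isoformat(timespec="milliseconds"),
        "outcome": outcome,
        "agent": [{
            # The SMART client identity collected at registration, carried
            # as the requesting agent instead of being repeated in the search.
            "who": {"identifier": {"value": req["client_id"]}},
            "requestor": True,
            "network": {"address": req["client_ip"], "type": "2"},  # 2 = IP
        }],
        "source": {"observer": {"display": observer_name}},
        # AuditEvent.entity.query is base64Binary in R4.
        "entity": [{
            "query": base64.b64encode(req["query"].encode("utf-8")).decode("ascii"),
            "description": "FHIR search parameters",
        }],
    }


def check_audit_event(ae):
    """Return a list of problems against the R4 required elements
    (type 1..1, recorded 1..1, agent 1..*, agent.requestor 1..1,
    source.observer 1..1). An empty list means the event passes."""
    problems = []
    if ae.get("resourceType") != "AuditEvent":
        problems.append("resourceType must be AuditEvent")
    if not ae.get("type", {}).get("code"):
        problems.append("type.code is required")
    recorded = ae.get("recorded")
    if not recorded:
        problems.append("recorded is required")
    elif datetime.fromisoformat(recorded).tzinfo is None:
        problems.append("recorded must carry a timezone")
    agents = ae.get("agent") or []
    if not agents:
        problems.append("at least one agent is required")
    for i, agent in enumerate(agents):
        if not isinstance(agent.get("requestor"), bool):
            problems.append(f"agent[{i}].requestor is required")
    if not ae.get("source", {}).get("observer"):
        problems.append("source.observer is required")
    return problems


def make_tls_context():
    """Client-side TLS context that refuses any protocol below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sample_event():
    """Convenience: the AuditEvent for the constructed sample request."""
    return build_audit_event(SAMPLE_REQUEST, SAMPLE_RECORDED)


if __name__ == "__main__":
    import json
    ev = sample_event()
    print(json.dumps(ev, indent=2))
    print("problems:", check_audit_event(ev))
```

`check_audit_event` covers only the cardinality rules from the base R4 profile; a server would add local-policy elements (purpose of use, entity.what references to the returned resources) per the guide's FHIR Audit Logging reference, and feed the event to the same store every actor writes to so the shared time base is actually useful for cross-system review.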
The following are security conformance requirements for the overall program/system: