This page is part of the Medicolegal Death Investigation (MDI) (v2.0.0-ballot2: STU 2 Ballot 3) based on FHIR (HL7® FHIR® Standard) R4. The current version which supersedes this version is 1.1.0. For a full list of available versions, see the Directory of published versions
This page describes the recommendations for a minimum level of security when implementing the MDI IG. The FHIR Security web page defines more data exchange protocols and content models. MDI CMS should refer to that if a higher level of security is required for interoperability. At minimum, two areas need protection in the data exchange:
In most modern systems, digital data are exchanged using web services. FHIR recommends a web service called RESTful Application Programming Interface (REST API) where REST stands for REpresentational State Transfer. REST API uses Transport Layer Security (TLS) for secure transportation. More accurately, TLS 1.2 or higher needs to be used. This is also known as HTTPS. All data exchanges in MDI FHIR IG must be done in HTTPS.
The OAuth 2.0 Authorization Framework (OAuth2), defined in RFC 6749, is a standard authorization protocol that can be used in order to limit data access for specified and controlled permissions. Developers should become familiar with the RFC 6749 document for the technical details on OAuth2. The following are good additional references for OAuth2:
SMART on FHIR is a recommended security solution for FHIR. It uses OAuth2 for the security protocol. The SMART on FHIR is targeting to clinical data access for providers, patients, and clinical systems such as EHR. While SMART on FHIR can also be applied to MDI FHIR systems, this document does not recommend the SMART on FHIR as a minimum-security solution due to its granularity and complexity of access definitions on resources and users. Thus, this document discusses the general OAuth2 as a minimum level of security. However, if a system needs to be maintained at a similar level of security as clinical systems, SMART on FHIR is a recommended protocol. Details on the SMART on FHIR can be found in the SMART App Launch FHIR IG.
SMART on FHIR uses OAuth2 for security in accessing clinical data for providers, patients, and clinical systems such as EHRs. While SMART on FHIR can be applied to MDI CMS, the granularity and complexity of access definitions on resource sets and user sets are above a minimum security recommendation. However, if an MDI CMS needs to be maintained at a level of security similar to clinical systems, SMART on FHIR is a recommended protocol. Details on the SMART on FHIR can be found in http://www.hl7.org/fhir/smart-app-launch/.
OAuth2 has components with different roles that the MDI CMS can play. Each system will play a different role based on the dataflow in which it operates. The following table shows the OAuth2 roles, and the role MDI CMS should play in the MDI-EDRS and Toxicology-MDI dataflows.
MDI Roles & Responsibilities
Role | Responsibility | MDI CMS-EDRS | Tox-MDI CMS |
---|---|---|---|
Authorization Server | Server that authenticates the resource owner and issues access tokens to the client application. The authorization server can be the same as the authentication server or can be a separate server. | EDRS | MDI CMS |
Client | Application that wants to access the resource on behalf of the resource owner. The client can be a web application, a mobile application, or a desktop application. | MDI CMS | LIMS |
Resource Owner | User who owns the resource (such as a photo or a document) that a client application wants to access. The resource owner grants permission to the client application to access the resource. | MDI CMS users, EDRS users | LIMS users |
Resource Server (Provider) | Server that hosts the resource that the client application wants to access. The resource server verifies the access token and grants access to the resource if the token is valid. | EDRS | MDI CMS |
Please note that toxicology-MDI CMS dataflow incorporates the use of the FHIR message operation including the use of REST API for transportation. Thus, OAuth2 can also be used to secure the toxicology-MDI CMS data exchange. However, FHIR messaging uses the CREATE (HTTP POST) method due to the nature of messaging’s push operation, in which data are originally owned by the LIMS and pushed to the MDI CMS. However, in the REST API operation, the LIMS is a client, and MDI CMS plays a resource provider role, which owns the data after the operation is completed.
This MDI IG recommends two OAuth2 authorization methods based on the client types:
An example of human user cases would be when a certifier needs to access death data in an EDRS for search, update, or certification. We may allow only users in a certain role to change the data. In this case, the user needs to get authenticated and authorized with scope parameter that will define the scope of access. The figure 1 depicts the flow of authorization process for human users.
A human user may be a certifier who needs to access death data in an EDRS for search, update, or certification. The EDRS can allow only users in a certain role to change the data. In this case, the user is authenticated and authorized with scope parameters that define access. The human user authorization flow for human users follows this process:
Figure: OAuth2 Flow for Human Users
API User authorization is for client systems (or client applications) that need access without human intervention. A system is pre-authorized during registration. Since no human provides the credential information, the grant type should be set to clientcredentials, and the credentials should be set as defined by authorization server. The setting can be clientid and clientsecret, or the credential can be created with JSON Web Token (JWT), depending on authorization server configuration. The authorization flow for API Users follows this process:
Figure: OAuth2 Flow for API Users