This page is part of the FHIR Specification (v0.06: DSTU 1 Ballot 2). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4 R3 R2

Community Input (wiki)

FHIR Security 2.10

Fast Healthcare Interoperability Resources (FHIR) is not a security profile, nor does it define any security related functionality. However FHIR does define exchange protocols and content models that need to be used with various security protocols defined elsewhere. This section gathers all information about security in one section. A summary:

TLS - all exchange of production data should be secured using TLS/SSL (i.e. https)
Authentication - OAuth is recommended. However authentication is done, there needs to be mapping between security protocol identification and device, person and organisation resources. This is discussed below
Access Control - FHIR does not (presently) address any aspect of access control
Audit - FHIR defines a provenance resource and a security event resource suitable for tracking the history and status of resources
Digital Signatures - FHIR includes several specifically reserved locations for digital signatures. See below for further information
Attachments - FHIR allows for attachments. These have their own concerns. See below for discussion

Time critical concerns regarding security flaws in the FHIR specification should be addressed to the FHIR email list for prompt consideration. Alternatively, issues can be raised through the community input mechanism.

Mapping between resources and security systems 2.10.1

Correctly identifying people, devices, locations and organisations is one of the foundations that any security system is built on. Most uses of security protocols, whether authentication, access control, digital signatures etc rely on the correct mapping between the relevant resources and the underlying systems. Note that this isn't necessary: there is nothing in FHIR that requires or relies on any security being in place, or any particular implementation. But real world usage will generally require this.

Todo.. outline general considerations

Digital Signatures 2.10.2

This is an old version of FHIR retained for archive purposes. Do not use for anything else
Implementers are welcome to experiment with the content defined here, but should note that the contents are subject to change without prior notice.
© HL7.org 2011 - 2012. FHIR v0.06 generated on Tue, Dec 4, 2012 00:04+1100. License