Security Report: “The New Healthcare Ecosystem will depend on FHIR APis, but Are They Secure?“ Alissa Knight did some invited and funded cyberSecurity research and found some good and some bad. No-one should be surprised by that conclusion. The point we should take from this research is that EHRs are doing a good job of
I have drafted a prototype Implementation Guide covering the AuditEvent profiling for generic FHIR RESTful actions. For any FHIR REST operation there is a well-defined AuditEvent specified in this implementation guide. The appropriate AuditEvent shall be recorded by Client and Server applications that claim conformance to this implementation guide. The resulting set of AuditEvents are
I was asked about Digital Signatures for FHIR documents: I am working on _____ IG that is FHIR document based and we need a means to prove authenticity. The model is relatively simple in that a document and all of its parts represent a single thing that needs to be “signed”. I have looked around
In the USA and elsewhere, there are Document Sharing based Health Information Exchanges. These exchanges have been built up over the past ten or so years. They have security models, privacy models, patient identification models, record location models, and data format models. They also have mature testing tools, events, and have been specialized for many
I am late to promoting this book, should have done it back in March when it was released. It is called a book, but is available for free download in multiple formats. IHE Profiles for Health Information Exchange By Keith Boone He is the author, but he gives credit for pulling from many sources including
I was honored to be on the In Scope podcast, and excited to be paired up with Alissa Knight. We talked about FHIR security and such. The host Mike Murry, who I worked with at GE for many years. He doesn’t get to be in the pretty picture (Not my best picture, well I don’t
My next speaking engagement is at HIMSS. This will be from the perspective of my employer By Light, as we have been the developer of the current Patient Portal at the VHA – My HealtheVet, and are the implementers of the original Blue Button. I work with the team on the transition to FHIR. I
Having completed the HL7 FHIR Security and Privacy tutorial, I have found that there are links in my presentation that might be useful to itemize in a more web friendly way. Some people can’t go to google presentation, some struggled with quickly typing them in. So here are the links from my presentation. The presentation
The FHIR standard is a data-model and interface (API) specification for access to health-care data. As such this is a domain of data that is specific to the health of subjects. This is a very big domain, but not all encompassing. When interacting with domains outside of health-care, links between the data is done via
HL7 FHIR Security & Privacy The HL7 FHIR Security & Privacy online class describes how to protect a FHIR server (through access control and authorization), how to document what permissions a user has granted (consent), how to enable appropriate access by apps and users and how to keep records about what events have been performed
