Cybersecurity

I got a Question:  Can you address a specific example of the intersection of FHIR standards and OWASP guidance?  The FHIR spec allows for sensitive ids such as patient identifier to be used on the query string when searching for a patient.  See the following:https://try.smilecdr.com:8000/baseR4/Patient?identifier=47However, the folks at OWASP consider this practice a vulnerability:https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url Information

This article summarizes a concept that came from my blog reader. This is actually published in a personal Implementation Guide at — https://johnmoehrke.github.io/RelatedPersonConsent/ . This concept has not been proposed as a formal work item, but I think it would fit nicely in IHE Basic Patient Privacy Consents for Mobile that I have proposed (more on that

IHE-Connectathon is scheduled for September 12-16, 2022. IHE-USA — https://www.iheusa.org/ihe-na-connectathon — Atlanta IHE-Europe — https://connectathon.ihe-europe.net/connectathon-2022 — Switzerland Everywhere — virtual — anywhere around the globe or space-stations Many FHIR based IHE – Profiles (Implementation Guides) will be tested, in addition to the other popular Interoperability specifications from IHE. There will even be some testing of HL7 published

IHE, especially the IT-Infrastructure domain, has been publishing specifications in HTML format and Implementation Guide format on a new web site — https://profiles.ihe.net.   This web site is enabled with Google Analytics. Thus there is some data available that indicates which parts of the IT-Infrastructure specifications are of interest. Presuming they are interesting because they are used.

HL7 FHIR Security & Privacy The HL7 FHIR Security & Privacy online class describes how to protect a FHIR server (through access control and authorization), how to document what permissions a user has granted (consent), how to enable appropriate access by apps and users and how to keep records about what events have been performed

This article includes explanation of some example scenarios and points at example Consent resources for them. These example scenarios are provided for educational use only, they are not an endorsement of these scenarios. Notice of Privacy Policy Some realms only require that the patient be given access to the organizations privacy policy. In these realms

The IHE domains of IT-Infrastructure, PCC, QRPH, and RAD had our workgroup meetings last week. Radiology met in-person at the RSNA, so got to socialize. I don’t have details for RAD, PCC, or QRPH. IT-Infrastructure met virtually all week. We did not make as much progress as we wanted to, due to  the lack of