Cybersecurity

RESTful search using POST vs GET on #FHIR

I got a question: Can you address a specific example of the intersection of FHIR standards and OWASP guidance? The FHIR spec allows for sensitive ids such as patient identifier to be used on the query string when searching for a patient. See the following: https://try.smilecdr.com:8000/baseR4/Patient?identifier=47 However, the folks at OWASP consider this practice a vulnerability: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url Information

IHE-Connectathon around the world and back

IHE-Connectathon is scheduled for September 12-16, 2022.
IHE-USA — https://www.iheusa.org/ihe-na-connectathon — Atlanta
IHE-Europe — https://connectathon.ihe-europe.net/connectathon-2022 — Switzerland
Everywhere — virtual — anywhere around the globe or space-stations
Many FHIR based IHE Profiles (Implementation Guides) will be tested, in addition to the other popular Interoperability specifications from IHE. There will even be some testing of HL7 published

IHE Most Salient – based on specification use analytics

IHE, especially the IT-Infrastructure domain, has been publishing specifications in HTML format and Implementation Guide format on a new web site — https://profiles.ihe.net. This web site is enabled with Google Analytics, so there is some data available that indicates which parts of the IT-Infrastructure specifications are of interest, presuming they are interesting because they are used.

HL7 Security & Privacy Tutorial: July 12-14

HL7 FHIR Security & Privacy
The HL7 FHIR Security & Privacy online class describes how to protect a FHIR server (through access control and authorization), how to document what permissions a user has granted (consent), how to enable appropriate access by apps and users, and how to keep records about what events have been performed

Patient data embargo management

There are legitimate reasons for data to be embargoed for some timeframe. I am not a fan of these reasons, but as a Privacy and Security subject matter expert, I get asked how to solve these business needs. Many think this is an easy problem to solve: just slap a security tag on the data,

Explaining #FHIR Consent examples

This article includes explanations of some example scenarios and points at example Consent resources for them. These example scenarios are provided for educational use only; they are not an endorsement of these scenarios.
Notice of Privacy Policy
Some realms only require that the patient be given access to the organization's privacy policy. In these realms

IHE ITI Spring

The IHE domains of IT-Infrastructure, PCC, QRPH, and RAD had our workgroup meetings last week. Radiology met in-person at the RSNA, so they got to socialize. I don't have details for RAD, PCC, or QRPH. IT-Infrastructure met virtually all week. We did not make as much progress as we wanted to, due to the lack of

API Security conference — on #FHIR

Join me at my presentations at #APISecure2022, where I will be surrounded by far smarter people on API security. This is a virtual event, so you should certainly be able to sign up. So, there is going to be just a little bit about #FHIR: On Wednesday I will be on a panel with Alissa

Quick video on IHE Privacy and Security

IHE just published a short video by me on the IHE Privacy and Security solutions.
Links:
IHE
IT Infrastructure Whitepapers and Handbooks
Cookbook: Preparing the IHE Profile Security Section
De-Identification Handbook
Algorithm Mapping Spreadsheet
Document Sharing Metadata Handbook
Template for XDS Affinity Domain Deployment Planning
Access Control
Enabling Document Sharing Health Information Exchange Using IHE Profiles
