DH
Uploaded byDunmail Hodkinson
PPTX, PDF1,010 views

A whistlestop tour of FHIR API authentication and authorization

The document provides an overview of authentication and authorization in the context of FHIR APIs, highlighting various security methods such as OAuth, bearer tokens, and JSON Web Tokens (JWT). It explains how the FHIR standard does not include security but offers guidance on best practices and functionality, including access controls and consent resources. Additionally, it introduces concepts like compartments for resource grouping and links to relevant resources for further information.

Embed presentation

Downloaded 17 times
A whistlestop tour of FHIR API authentication and authorization Dunmail Hodkinson HL7 UK
Authentication The process of identifying an individual Authorization Giving an individual access to operations and resources
FHIR standard • Does not include security • Provides guidance and suggestions • Includes supporting functionality https://www.hl7.org/fhir/security.html#authentication https://www.hl7.org/fhir/security.html#binding
PATTERNS
None FHIR Client FHIR Server http
Basic FHIR Client FHIR Server https Authorization: Basic Security Provider
TLS-MA FHIR Client FHIR Server https X.509 certificate Security Provider
Bearer FHIR Client FHIR Server trust Security Provider https Authorization: Bearer
OAuth ‘An open protocol to allow secure authorization in a simple and standard way from web, mobile and desktop applications’ http://oauth.net/
SMART on FHIR ‘Medical apps that integrate into diverse EHRs at the point of care’ patient/*.read user/*.* patient/Observation.write http://docs.smarthealthit.org/authorization/scopes-and-launch-context/
JSON Web Token (JWT) ‘an open, industry standard RFC 7519 method for representing claims securely between two parties’ { iss: 'https://auth.example.net', sub: 'user@example.net', nbf: 1463059456166, exp: 1463064578213, iat: 1463059366160, aud: ['https://fhir.example.net'], jti: '5794b4f6-90bb-41a2-8e11-27ff4adb8880', } https://jwt.io/
JWT claims for FHIR { … fhir_scp: [ '*' ], fhir_act: [ 'read:Patient,Observation', ’$getRecord:Patient' ] } https://github.com/BlackPearSw/jwt-claims-fhir/blob/master/jwt-claims-fhir.md
SUPPORTING FUNCTIONALITY
Compartments ‘Each resource may belong to one or more logical compartments. A compartment is a logical grouping of resources which share a common property. … [They can] provide a definitional basis for applying access control to resources quickly.’ [base]/fhir/Patient/123/Condition https://www.hl7.org/fhir/compartments.html
Contract resource ‘A formal agreement between parties regarding the conduct of business, exchange of information or other matters’ https://www.hl7.org/fhir/contract.html
Consent resource ‘A record of a healthcare consumer’s privacy policy, which is in accordance with governing jurisdictional and organization privacy policies that grant or withhold consent.’ http://hl7-fhir.github.io/consent.html
Dunmail Hodkinson dunmail@blackpear.com @dunmailh

More Related Content

PPTX
Using FHIR standard interfaces to access GP records
byDunmail Hodkinson
 
PPTX
Healthcare - SMART on FHIR (HealthCare OpenSource is here!!!)
byAll Things Open
 
PPTX
Patients First Terminology Services: A Brief Introduction for Developers
byPeter Jordan
 
PDF
Pavel Smirnov. FHIR-first application development.
byHealthDev
 
PDF
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
byMikeLeszcz
 
PDF
Nick Radov, Payer/Provider - Interoperability & HL7 Da Vinci Project.
byHealthDev
 
PDF
Claude Nanjo. Modeling with FHIR. An Introduction to FHIR.
byHealthDev
 
PDF
Fhir your applications
byVictor Chai
 
Using FHIR standard interfaces to access GP records
byDunmail Hodkinson
 
Healthcare - SMART on FHIR (HealthCare OpenSource is here!!!)
byAll Things Open
 
Patients First Terminology Services: A Brief Introduction for Developers
byPeter Jordan
 
Pavel Smirnov. FHIR-first application development.
byHealthDev
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
byMikeLeszcz
 
Nick Radov, Payer/Provider - Interoperability & HL7 Da Vinci Project.
byHealthDev
 
Claude Nanjo. Modeling with FHIR. An Introduction to FHIR.
byHealthDev
 
Fhir your applications
byVictor Chai
 

What's hot

PDF
EduID Mobile App - Use-Cases, Concepts and Implementation
byChristian Glahn
 
PDF
edu-ID Mobile App for Smart Environments
byChristian Glahn
 
PDF
Aziz Boxwala, MD, Ph.D. SMART-on-FHIR specification & Sapphire demo.
byHealthDev
 
PDF
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
PDF
[WSO2 Summit Americas 2020] Towards Greater Interoperability With A Proven In...
byWSO2
 
PPTX
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
PDF
OpenID Foundation RISC WG Update - 2018-04-02
byMikeLeszcz
 
PPTX
Integrating with the ORCID API
byNobuko Miyairi
 
PDF
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 
EduID Mobile App - Use-Cases, Concepts and Implementation
byChristian Glahn
 
edu-ID Mobile App for Smart Environments
byChristian Glahn
 
Aziz Boxwala, MD, Ph.D. SMART-on-FHIR specification & Sapphire demo.
byHealthDev
 
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
[WSO2 Summit Americas 2020] Towards Greater Interoperability With A Proven In...
byWSO2
 
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
OpenID Foundation RISC WG Update - 2018-04-02
byMikeLeszcz
 
Integrating with the ORCID API
byNobuko Miyairi
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 

Viewers also liked

PPTX
FHIR Client Development with .NET
byBrian Postlethwaite
 
PPTX
Smart on FHIR
byMikael Rinnetmäki
 
PPTX
FHIR API for .Net programmers by Mirjam Baltus
byFHIR Developer Days
 
PPTX
Advanced .NET API (Ewout)
byEwout Kramer
 
PPTX
Vitalis 2016 FHIR Introduction
byEwout Kramer
 
PPTX
The Innovation Doctor Is In: How SMART on FHIR Will Evolve EHRs
byMedullan
 
PPTX
HL7 Fhir for Developers
byEwout Kramer
 
PPTX
SMART on FHIR by Scot Post van der Burg
byFurore_com
 
PPTX
FHIR Server internals - sqlonfhir
byBrian Postlethwaite
 
PPTX
Security in FHIR with OAuth by Grahame Grieve
byFHIR Developer Days
 
PPTX
Vitalis 2016 FHIR App Development
byEwout Kramer
 
FHIR Client Development with .NET
byBrian Postlethwaite
 
Smart on FHIR
byMikael Rinnetmäki
 
FHIR API for .Net programmers by Mirjam Baltus
byFHIR Developer Days
 
Advanced .NET API (Ewout)
byEwout Kramer
 
Vitalis 2016 FHIR Introduction
byEwout Kramer
 
The Innovation Doctor Is In: How SMART on FHIR Will Evolve EHRs
byMedullan
 
HL7 Fhir for Developers
byEwout Kramer
 
SMART on FHIR by Scot Post van der Burg
byFurore_com
 
FHIR Server internals - sqlonfhir
byBrian Postlethwaite
 
Security in FHIR with OAuth by Grahame Grieve
byFHIR Developer Days
 
Vitalis 2016 FHIR App Development
byEwout Kramer
 

Similar to A whistlestop tour of FHIR API authentication and authorization

PDF
APIsecure 2023 - FHIR API Security, Grahame Grieve (Health Intersections)
byapidays
 
PDF
APIsecure 2023 - All #FHIRed Up, John Moehrke
byapidays
 
PDF
Privacy on FHIR Demo at HIMSS!5
byagropper
 
PDF
HxRefactored 2015: Mark Scrimshire "BlueButton on FHIR
"
byHxRefactored
 
PDF
BlueButton on FHIR @HXRconf
byMark Scrimshire
 
PPTX
Security overview (grahame)
byDevDays
 
PPTX
Introduction to SMART on FHIR
byNishit Charania
 
PDF
BlueButton On FHIR Presentation to Attachments Work Group at HL7 Meeting Jan ...
byMark Scrimshire
 
PPTX
SMART on FHIR by Scot Post van der Burg
byFHIR Developer Days
 
PDF
Fhir basics session2_restful_apis
byKumar Satyam
 
PPTX
Discover the new face of HL7 FHIR v4 - Ideas2IT
byIdeas2IT Technologies
 
PDF
Google Cloud healthcare data platform and FHIR APIs by Kalyan Pamarthy
byHealthDev
 
PPTX
Edifecs- warming up to fhir
byEdifecs Inc
 
PPTX
2016 SEP SMART ON FHIR
byBrett Esler
 
PDF
Create FHIR-Enabled Experiences: API-First Approach for Healthcare Apps
byApigee | Google Cloud
 
PPTX
Using FHIR for Interoperability
byIatric Systems
 
PPTX
Furore devdays2017 general-introtofhir
byDevDays
 
PPTX
Digital Healthcare – Realizing Interoperability with APIs
byAkana
 
PDF
How to Architect RESTful FHIR APIs for Real‑Time Telehealth‑EHR Integration (...
bysundramvozo
 
PDF
Fast Healthcare Interoperability Resources is a draft standard descr.pdf
byanuradhaartjwellery
 
APIsecure 2023 - FHIR API Security, Grahame Grieve (Health Intersections)
byapidays
 
APIsecure 2023 - All #FHIRed Up, John Moehrke
byapidays
 
Privacy on FHIR Demo at HIMSS!5
byagropper
 
HxRefactored 2015: Mark Scrimshire "BlueButton on FHIR
"
byHxRefactored
 
BlueButton on FHIR @HXRconf
byMark Scrimshire
 
Security overview (grahame)
byDevDays
 
Introduction to SMART on FHIR
byNishit Charania
 
BlueButton On FHIR Presentation to Attachments Work Group at HL7 Meeting Jan ...
byMark Scrimshire
 
SMART on FHIR by Scot Post van der Burg
byFHIR Developer Days
 
Fhir basics session2_restful_apis
byKumar Satyam
 
Discover the new face of HL7 FHIR v4 - Ideas2IT
byIdeas2IT Technologies
 
Google Cloud healthcare data platform and FHIR APIs by Kalyan Pamarthy
byHealthDev
 
Edifecs- warming up to fhir
byEdifecs Inc
 
2016 SEP SMART ON FHIR
byBrett Esler
 
Create FHIR-Enabled Experiences: API-First Approach for Healthcare Apps
byApigee | Google Cloud
 
Using FHIR for Interoperability
byIatric Systems
 
Furore devdays2017 general-introtofhir
byDevDays
 
Digital Healthcare – Realizing Interoperability with APIs
byAkana
 
How to Architect RESTful FHIR APIs for Real‑Time Telehealth‑EHR Integration (...
bysundramvozo
 
Fast Healthcare Interoperability Resources is a draft standard descr.pdf
byanuradhaartjwellery
 

Recently uploaded

PDF
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
PPTX
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
PPTX
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PPTX
AI-Powered Clinic Management Software for Trichology Clinics in India Enhanci...
byEasy Clinic
 
PPTX
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PDF
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PPTX
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PPTX
Microsoft Power Platform Power BI Presentation.pptx
bymazenamerican
 
PDF
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
AI-Powered Clinic Management Software for Trichology Clinics in India Enhanci...
byEasy Clinic
 
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
Microsoft Power Platform Power BI Presentation.pptx
bymazenamerican
 
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 

A whistlestop tour of FHIR API authentication and authorization

Editor's Notes

  • #4 FHIR being adopted. Need to consider how we properly secure APIs. Terminology: Authentication vs Authorisation FHIR v2 https://www.hl7.org/fhir/security.html#authentication Authentication: Custom TLS-MA OAuth2 Authorisation: None Custom OAuth2 + OpenID Connect OAuth2 + OpenID (SMART tokens) jwt.io jwt claims for FHIR Apps - complex pattern Underlying support Compartments Contract resource Consent resource
  • #6 Authentication – none Authorisation – none Not recommended in production
  • #7 Example of a custom scheme Authentication: Server trusts client if the credentials (username:password) presented are accepted by the security provider Authorisation: Server allows client to access resources based on custom information provided by the security provider Quick and easy to implement. Can leverage existing authentication infrastructure e.g. LDAP
  • #8 Authentication: Server trusts clients who present valid X.509 certificate Authorisation: Server MAY access Good for B2B Client certificate management at scale can be hard
  • #9 Authentication: Server trusts clients that present a valid token from a trusted security provider Authorisation: Server allows client to access resources based on a claims within the token Good for individual level access OAuth2 - authentication
  • #10 De facto standard for bearer token 2 versions – OAuth, OAuth2 – FHIR recommends OAuth2
  • #11 Designed to allow apps to integrate to an EHR. Oauth2 authentication & access scopes Predates FHIR, so not a clear mapping between scopes and requests. Need custom code to differentiate operations e.g. is $bar a read operation or a write operation?
  • #12  Recommended by GDS Can be used in conjunction with OAuth2 Can be extended by adding additional
  • #13 Authentication: Server trusts clients that present a valid token from a trusted security provider Authorisation: Server allows client to access resources based on a claims within the token Good for individual level access OAuth2 - authentication
  • #15 Resource – not used directly for authentication and authorisation – may be used by an authorisation provider Could be used to record DSA Difficult to model individual patient consent
  • #16 Resource – not used directly for authentication and authorisation – may be used by an authorisation provider Could be used to record DSA Difficult to model individual patient consent
  • #17 Resource – not used directly for authentication and authorisation – may be used by an authorisation provider Could be used to represent individual patient consents