FHIR Chat · Trusting EHR Server · cds hooks

Stream: cds hooks

Topic: Trusting EHR Server


Manny Ramirez (Dec 04 2017 at 15:00):

Hi,
I am looking for some guidance on how to figure out who the EHR (or hospital/clinic location) that is calling my CDS Service is. I see the JWT that is being sent on each request, and I am able to decode it, but what piece(s) of data should I look at to determine the identity of the EHR system? I was thinking that it may be the “iss” value that I need to focus on, but two different docs say two slightly different things. At https://cds-hooks.github.io/docs-hl7-ballot/#trusting-ehrs I see that the iss value should be “The base URL of the EHR’s FHIR server. This must be the same URL as the fhirServer field in a CDS Service request.” And at http://cds-hooks.org/specification/1.0/#trusting-ehrs I see that iss should be “The URL of the issuer of this JWT.” So which one is it, or are they the same thing just worded differently? How can I be sure that the issuer and the EHR are the same server?

Thank you

Kevin Shekleton (Dec 04 2017 at 18:10):

Hi @Manny Ramirez. Don't look at https://cds-hooks.github.io/docs-hl7-ballot -- that is an old version of the spec that was used for an informal HL7 ballot back in September 2017. The latest spec is at http://cds-hooks.org/specification/1.0 (which you found). The differences you found are the changes we made based upon implementer feedback at the September 2017 Connectathon.

When determining who/how to trust the EHR, you should work with the EHR vendor and learn:
1. The iss value they will be sending in the JWT
2. The location of their public key (we will be standardizing this in #87)


Last updated: Apr 12 2022 at 19:14 UTC