Stream: implementers
Topic: Message-level Security
Peter Bernhardt (Nov 12 2019 at 17:15):
I'm curious if any production implementations utilize message-level encryption. TIA
John Moehrke (Nov 13 2019 at 02:34):
Depends on what you call a message, and what you are using for storage/transport.
For example, in the USA there is the "Direct Project" that uses e-mail transport and S/MIME end-to-end encryption of any 'message', which usually are, but are not limited to, documents.
John Moehrke (Nov 13 2019 at 02:35):
In IHE there is a profile for general purpose end-to-end encryption -- DEN profile
John Moehrke (Nov 13 2019 at 02:36):
Most of the time these have a huge administrative burden ... so often are scrapped half-implemented with preference for normal TLS and thus normal web http encryption between client and server (session, point-to-point).
Peter Bernhardt (Nov 21 2019 at 17:52):
Thanks @John Moehrke, I was specifically interested in FHIR implementations that encrypt the message payload itself. I suspect the answer is no and that transport-level encryption is sufficient. Speaking only for my org, we also encrypt data at rest, but assume this is SOP industry-wide.
John Moehrke (Nov 21 2019 at 17:54):
Encryption of data-at-rest would be an operational requirement that is outside the scope of HL7 to define. We do point at good security frameworks that would encourage that kind of stuff.
Peter Bernhardt (Nov 21 2019 at 17:57):
Understood.
Last updated: Apr 12 2022 at 19:14 UTC