FHIR Chat · User - password · implementers

Stream: implementers

Topic: User - password


Emiliano Fernandez (Feb 12 2021 at 15:26):

Hi all.
Is there a resource in which I can send confidential data like user/password?
Thanks!

David Pyke (Feb 12 2021 at 15:31):

Can you explain a little more about your use case?

Emiliano Fernandez (Feb 12 2021 at 15:39):

It's a smart app that receives a certificate from the EHR, and the medic has to sign it. To sign it, he must put his user and password.

Emiliano Fernandez (Feb 12 2021 at 15:40):

The user and password are located in the EHR database

David Pyke (Feb 12 2021 at 15:59):

As FHIR doesn't have encryption in the resources, sending the userid/password in a FHIR resource would be a problem, unless you encrypt it prior to placing it in the resource. However, there are no specific resources for this kind of information. You would need to create an extension on one of the standard resources to hold it.

John Moehrke (Feb 12 2021 at 17:02):

FHIR is a REST data model for healthcare information. It is intended to be used within a general IT security model. The most common is OAuth based, for which there is an Implementation Guide from HL7 in smart-on-fhir. Please see the Security and Privacy pages in the FHIR core specification for more guidance http://hl7.org/fhir/secpriv-module.html

Cooper Thompson (Feb 12 2021 at 17:03):

Most EHRs will probably be very unwilling to accept a password for a user via FHIR. Just because you implement an option for sending a password over the wire, I wouldn't expect most EHRs would (or should) accept it. I'd suggest looking at other options for communicating a signature rather than sending clear-text passwords.

Josh Mandel (Feb 12 2021 at 18:36):

Would suggest taking a look at https://hl7.org/fhir/smart-app-launch/ if you need to connect a user to an EHR system from within a 3rd party app

Colin E. (Feb 16 2021 at 19:50):

As a general point, not specifically FHIR-related, moving user names and passwords around in a software stack not specifically designed (and tested) for security purposes (identity and authentication) is highly undesirable, and unlikely to get past any serious security audit. Supporting the point made by @Cooper Thompson, I would suggest looking at other options designed for the purpose.

Grahame Grieve (Feb 24 2021 at 03:34):

SCIM - http://www.simplecloud.info/


Last updated: Apr 12 2022 at 19:14 UTC