FHIR Chat · Security constraints · FHIRcast

Stream: FHIRcast

Topic: Security constraints


Brian Postlethwaite (Apr 17 2019 at 03:48):

Would the FHIRcast hub be expected to understand security constraints and only inform subscribers if they had access to the data in context?
A similar question applies to a SMART on FHIR app launch. Would that be expected to know if the app has access rights to the patient in context?

John Moehrke (Apr 17 2019 at 17:00):

Best case, yes. What gets exposed if it doesn't? Sorry, I don't know the notification content. If it is just a poke, then it leaks very little.

Isaac Vetter (Apr 17 2019 at 17:01):

Hey @Brian Postlethwaite - yes for FHIRcast. Note that the spec tries to call this out in the definition of the context element:

An array of named FHIR objects corresponding to the user's context after the given event has occurred. Common FHIR resources are: Patient, Encounter, ImagingStudy and List. The Hub MUST only return FHIR resources that are authorized to be accessed with the existing OAuth2 access_token.

https://fhircast.hl7.org/specification/May2019Ballot/

Isaac Vetter (Apr 17 2019 at 17:02):

@John Moehrke, it's not just a poke/tickler. There can be PHI in the notification.

John Moehrke (Apr 17 2019 at 17:12):

I was afraid of that... too bad

John Moehrke (Apr 17 2019 at 17:13):

So then you have a "security consideration"... that is, you could minimally identify this as a consideration that a developer should think about. This is why we recommend a "security considerations" section in specifications.

Isaac Vetter (Apr 17 2019 at 17:18):

@John Moehrke - you were the reason that I wrote exactly this:

The notification message which describes the workflow event is a simple json wrapper around one or more FHIR resources. These FHIR resources can contain PHI.

https://fhircast.hl7.org/security-considerations/

John Moehrke (Apr 17 2019 at 17:29):

well, then.... we do good work.

John Moehrke (Apr 17 2019 at 17:31):

The additional consideration that Brian brings up is that the hub 'could' suppress a notification if it has access control decisions that indicate the recipient would not have authorization to view the data in the notification.

Isaac Vetter (Apr 17 2019 at 17:57):

(John - yes, see above)

Isaac Vetter (Apr 17 2019 at 18:00):

<retracted>


Last updated: Apr 12 2022 at 19:14 UTC