Stream: Da Vinci CRD
Topic: whitelisting machines making FHIR calls
Sreekanth Puram (Oct 22 2021 at 03:10):
Hi @Lloyd McKenzie Is there anything in the CDSHooks specification where the entity providing CDS service can specify the list of IP addresses that may run FHIR calls against the EHR? The specification allows the caller of the CDS service to specify an FHIR server and the access token. However, there is no mention anywhere on how to figure out the IP address from which such a call would come in.
Many hospital systems put firewalls in place which filter out incoming requests based on IP addresses. If there is no standard anywhere, should we add it to the CRD IG or at least the supplemental guide on how to specify the list of IP addresses to be whitelisted by the EHR for external access?
Lloyd McKenzie (Oct 22 2021 at 03:22):
Hmm. That might be a hard requirement to meet. The only place that could be exposed is the service 'configuration' information - and an EHR might only look at that when it first "comes up" - meaning configuration information might not be looked at for weeks or months. On the other hand, some IP addresses might change every few hours. And the IP ranges requests could come from could be broad as there could be a variety of services that might each be providing different types of decision support, each with their own load balancers.
Given that the EHR FHIR API is going to be hit by all sorts of apps from all sorts of places, I don't really understand how a "whitelist" filter is going to be terribly effective. Security is managed by the EHR-provided token. If you think more is needed, I suggest you raise the issue on the #cds hooks stream.
Sreekanth Puram (Oct 22 2021 at 20:00):
I was never a fan of the whitelisting of the IPs but most of the cyber security personnel evaluating health care applications mandate the use of IP whitelisting. So this is a problem that we can't avoid.
Lloyd McKenzie (Oct 22 2021 at 22:27):
Given that EHRs are mandated to share patient data with anyone the patient wishes, it's hard for me to understand how IP whitelisting is even feasible anymore... Even if you were to whitelist an app (which you're not allowed to do), given that the app could be on a patient's phone and try to access the EHR from anywhere in the world, there's no hope of being able to whitelist IPs.
Last updated: Apr 12 2022 at 19:14 UTC