Situational Awareness for Novel Epidemic Response, published by HL7 International Public Health Workgroup. This is not an authorized publication; it is the continuous build for version 0.1.0). This version is based on the current content of https://github.com/HL7/fhir-saner/ and changes regularly. See the Directory of published versions
The data access in this implementation guide is summarized metrics that are not senstive to individual patients or workers. The metrics may be percieved as sensitive to the organization publishing them. For this reason the project assesses the Security and Privacy Considerations as at most Business Sensitive, where the lower assessment of Anonymous READ Access may also apply.
Given this assessment, the main Security Considerations are focused on
Given that the use-case for this implementation guide is to support Public Health reporting, the use of the use of client context PurposeOfUse of PUBHLTH is recommended. The communication of PurposeOfUse is not defined in SMART-on-FHIR, so other methods might need to be used. IHE IUA profile provides a OAuth attribute to carry this.
The use of data returned by this API should be limited to the Public Health use-case. Re-purposing the data for other uses, such as re-identification, should be considered a violation of the API intention.
The setting of the PurposeOfUse to PUBHLTH may be addressed through policy agreements and thus not communicated in the API communications.
The maintaince of the data on the client or server is not specified in this implementation guide. Security considerations must be applied in systems design to assure that the data is appropriately protected from inappropriate use and modification. For example only authorized services and individuals should be allowed to update the metrics that would be served by the API defined here.
This section includes an enumeration of some of the risks identified for the use-cases covered and justifying the security and privacy mitigations indicated above.
In addition to the mitigations above, careful definition of regions that would be reported upon should assure that the region is large enough so as to lower the risk of re-identification. Where reporting regions are too small, aggregation into larger regions may be necessary.
Combined reports within one dataset increase the risk of re-identification through the coorelation of indirect identifiers within the dataset. Independent reports can mitigate this reverse coorelation used for re-identification.