Current Build
Work Group FHIR Infrastructure & Security Ballot Status: Informative

The Security and Privacy Module describes how to protect a FHIR server (through access control and authorization), how to document what permissions a user has granted (consent), and how to keep records about what events have been performed (audit logging and provenance). FHIR does not mandate a single technical approach to security and privacy; rather, the specification provides a set of building blocks that can be applied to create secure, private systems.

The Security and Privacy module includes the following materials:

Resources Datatypes Implementation Guidance and Principles

FHIR is focused on the data access methods and encoding leveraging existing Security solutions. Security in FHIR needs to focus on the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies. Implementation should leverage existing security standards and implementations to ensure that:

  • All communications can be encrypted to prevent unauthorized access.
  • No information leaks when errors occur
  • No active script content can be injected into narrative resources
  • Full audit trails can be constructed and used to detect anomalous access patterns

For general security considerations and principles, see Security. Please leverage mature Security Frameworks cover device security, cloud security, big-data security, service-to-service security, etc. See NIST Mobile Device Security and OWASP Mobile Secuity . These security frameworks include prioritized lists of most important concerns.

Privacy in FHIR includes the set of considerations required to ensure that individual data are treated according to an individual's Privacy Principles. FHIR includes implementation guidance to ensure that:

  • Individual preferences can be communicated through standards-based protocols (e.g., OAuth, User-Managed Access) or using an explicit FHIR representation (Consent)
  • Resources can be tagged to indicate the sensitivity or confidentiality of the data they represent (Security Labels)
  • Data access records and audit logs can be shared with individuals, e.g. for accounting of disclosures (Audit Event)

Use case: A FHIR server should ensure that API access is allowed for authorized requests, and denied for unauthorized requests.

Approach: Authorization details can vary according to local policy, and according to the access scenario (e.g. sharing data among institution-internal subsystems vs. sharing data with trusted partners vs. sharing data with third-party user-facing apps). In general, FHIR enables a separation of concerns between the FHIR REST API and standards-based authorization protocols like OAuth. For the use case of user-facing third-party app authorization, we recommend the OAuth-based SMART protocol see Security: Authentication as an externally-reviewed authorization mechanism with a real-world deployment base — but we note that community efforts are underway to explore a variety of approaches to authorization. For further details, see Security: Authorization and Access Control.

Use case: "Access to protected Resources are enabled though user Role-Based, Context-Based, and/or Attribute-Based Access Control."

Approach: Users should be identified and should have their Functional and/or Structural role declared when these roles are related to the functionality the user is interacting with. Roles should be conveyed using standard codes from Security Role Vocabulary.

A purpose of use should be asserted for each requested action on a Resource. Purpose of use should be conveyed using standard codes from Purpose of Use Vocabulary.

When using OAuth, the requested action on a Resource for specified one or more purpose of use and the role of the user are managed by the OAuth authorization service (AS), and may be communicated in the security token where jwt tokens are used. For details, see Security: HCS vocabulary.

Use case: "A FHIR server should keep a complete, tamper-proof log of all API access and other security- and privacy-relevant events".

Approach: FHIR provides an AuditEvent resource suitable for use by FHIR clients and servers to record when a security or privacy relevant event has occurred. This form of audit logging records as much detail as reasonable at the time the event happened. The FHIR AuditEvent is aligned and cross-referenced with IHE Audit Trail and Node Authentication (ATNA) Profile. For details, see Security: Audit.

Use case: "Documentation of a Patient's Privacy Consent Directive - rules for Collection, Use, and Disclosure of their health data."

Approach: FHIR provides a Consent resource suitable for use by FHIR clients and servers to record current Privacy Consent state. The meaning of a consent or the absence of the consent is a local policy concern. The Privacy Consent may be a pointer to privacy rules documented elsewhere, such as a policy identifier or identifier in XACML. The Privacy Consent has the ability to point at a scanned image of an ink-on-paper signing ceremony, and supports digital signatures through use of Provenance. The Privacy Consent has the ability to include some simple FHIR centric base and exception rules.

All uses of FHIR Resources would be security/privacy relevant and thus should be recorded in an AuditEvent. Those access qualifying as a Disclosure should additionally be recorded as a Disclosure, see Disclosure Audit Event Example.

For Privacy Consent guidance and examples, see Consent Resource.

Use case: "All FHIR Resources should be capable of having the Provenance fully described."

Approach: FHIR provides the Provenance resource suitable for use by FHIR clients and servers to record the full provenance details: who, what, where, when, and why. A Provenance resource can record details for Create, Update, and Delete; or any other activity. Generally Read operations would be recorded using AuditEvent. Many Resources include these elements within, this is done when that provenance element is critical to the use of that Resource. This is overlap is expected and cross-referenced on the W5 report. For details, see Provenance Resource.

Use case: "For any given query, need Provenance records also."

Approach: Given that a system is using Provenance records. When one needs the Provenance records in addition to the results of a query on other records (e.g. Query on MedicatioRequest), then one uses reverse include to request that all Provenance records also be returned. That is add ?_revinclude=Provenance:target. For details, see _revinclude.

Use case: "Digital Signature is needed to prove authenticity, integrity, and non-repudiation."

Approach: FHIR Resources are often parts of Medical Record, or are communicated as part of formal Medical Documentation. As such there is a need to cryptographically bind a signature so that the receiving or consuming actor can verify authenticity, integrity, and non-repudiation. This functionality is provided through the signature element in Provenance Resource. Where the signature can be any local policy agreed to signature including Digital Signature methods and Electronic Signature. For details, see Security: Digital Signatures.

Digital Signatures bind cryptographically the exact contents, so that any changes will make the Digital Signature invalid. When a Resource is created, or updated the server is expected to update relevant elements that it manages (id, lastupdated, etc). These changes, although expected of normal RESTful create/update operations, will break any Digital Signature that has been calculated prior. One solution is to create the Digital Signature after the REST create operation completes, one must first confirm that the resulting created/updated Resource is as expected, then the Digital Signature is formed.

A variation of this happens in Messaging, Documents, and other interaction models. For details, see Ramifications of storage/retrieval variations

De-Identifiction is inclusive of pseudonymization and anonymization; which are the Process of reducing privacy risk by eliminating and modifying data elements to meet a targeted use-case.

Use-Case: "Requesting Client should have access to De-Identifed data only."

Trigger: Based on an Access Control decision that results in a PERMIT with an Obligation to De-Identify, the Results delivered to the Requesting Client would be de-identified.

Consideration: This assumes the system knows the type and intencity of the de-identificaiton algorithm. Where de-identification is best viewed as a Process, not an algorithm. A Process that reduces Privacy risk while enabling a targeted and authorized use-case.

Discussion: With the Observation Resource, one would remove the subject element as it is a Direct Identifier. However there are many other Reference elements that can easily be used to navigate back to the Subject; e.g., Observation.context value of Encounter or EpisodeOfCare; or Observation.performer.

Some identifiers in Observation Resource:

  • Direct Identifiers: .identifier, .subject, . performer, .text, .specimen, .device, .related, .text, .comment
  • Indirect Identifiers: ..issued, .component

Emphasis: The .specimen is a direct identifier of a particular specimen; and would be an indirect identifier of a particular person. There is a ramification of having the specimen identifier. One solution is to create pseudo specimen resources that will standin for the original specimen resource. This psudo specimen management is supplied by a trusted-third-party that maintains a database of pseudo-identifiers with authorized reversability.

Further Standards: Health: ISO Pseudonymization , NIST IR 8053 - De-Identification of Personal Information , IHE De-Identificaiton Handbook , DICOM (Part 15, Chapter E)

In the STU3 release, FHIR includes building blocks and principles for creating secure, privacy-oriented health IT systems; FHIR does not mandate a single technical approach to security and privacy.

In future releases, we are anticipate including guidance on:

  • incorporate the SMART on FHIR authorization specification, for user-authorized apps,
  • methods for organization-to-organization authorization,
  • more details about how to use digital Signatures for data integrity and non-repudiation, including an approach that supports some level of manipulation of resources (e.g. separating the entries in a bundle, or conversion between XML and JSON during processing),
  • more detailed Consent management, including support for specific consent use cases.