Validated Healthcare Directory, published by HL7 International / Patient Administration. This guide is not an authorized publication; it is the continuous build for version 1.0.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/VhDir/ and changes regularly. See the Directory of published versions
Security
The following are the VhDir security considerations that implementers should follow:
- All implementers of FHIR servers and clients should pay attention to FHIR Security considerations.
- In addition to the FHIR Security considerations, the VhDir requests need to contain specific information about VhDir client identity and organization information.
- Providing this information using FHIR Search APIs is very cumbersome and is not necessary. This kind of information can instead be collected by the VhDir Authorization Server during application registration, which avoids repeating the information on each request.
- These mechanisms are outlined in detail in the SMART Backend Services Authorization Guide.
The following are security conformance requirements for VhDir actors:
- VhDir actors SHALL use the SMART Backend Services Authorization Guide to collect the necessary requestor information appropriate for making the VhDir data request.
- VhDir actors SHALL reference a single time source to establish a common time base for security auditing across the system.
- VhDir actors SHALL use the AuditEvent resource to capture audit logs of the various transactions. VhDir actors SHOULD capture as many AuditEvent resource data elements as appropriate based on requirements of FHIR Audit Logging and local policies.
- VhDir transactions SHALL use TLS version 1.2 or higher to secure the transmission channel unless the transmission is taking place over a more secure network. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.) US Federal systems implementing VhDir actors SHOULD conform with FIPS PUB 140-2.
- VhDir actors SHALL conform to FHIR Communications requirements.
- VhDir actors SHOULD retain Provenance information using the FHIR Provenance resource.
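As an added example (not code from the VhDir guide or the HL7 project), the following Python sketch shows one way a VhDir server could implement two of the requirements above: refusing a channel below TLS 1.2, and recording each request as a FHIR R4 AuditEvent whose requestor agent carries the client identity obtained through SMART Backend Services registration and whose timestamp comes from the common time base. The request-context keys and every value in `SAMPLE_CTX` are constructed assumptions, not real endpoints or clients.

```python
import base64
import datetime as dt
from typing import Any

MIN_TLS = (1, 2)  # VhDir: TLS version 1.2 or higher on the transmission channel

def tls_version_ok(version: str) -> bool:
    """True for 'TLSv1.2', 'TLSv1.3', ...; False for older or unparsable strings."""
    try:
        major, minor = version.removeprefix("TLSv").split(".")
        return (int(major), int(minor)) >= MIN_TLS
    except (ValueError, AttributeError):
        return False

def build_audit_event(ctx: dict[str, Any], outcome: str) -> dict[str, Any]:
    """Render a FHIR R4 AuditEvent for one RESTful VhDir interaction.

    ctx keys are assumptions for this example: client_id/client_org (from the SMART
    Backend Services registration), client_ip, server_url, interaction, query, and
    recorded (a timezone-aware datetime from the single time source the guide requires)."""
    if ctx["recorded"].tzinfo is None:
        raise ValueError("recorded must be an aware datetime from the common time base")
    return {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
        "subtype": [{"system": "http://hl7.org/fhir/restful-interaction", "code": ctx["interaction"]}],
        "action": "E",  # Execute: a search/query interaction
        "recorded": ctx["recorded"].isoformat(),
        "outcome": outcome,  # "0" success, "4" minor, "8" serious, "12" major failure
        "agent": [{
            "who": {"identifier": {"value": ctx["client_id"]}, "display": ctx["client_org"]},
            "requestor": True,
            "network": {"address": ctx["client_ip"], "type": "2"},  # type 2 = IP address
        }],
        "source": {"observer": {"display": ctx["server_url"]}},
        "entity": [{
            "type": {"system": "http://hl7.org/fhir/resource-types", "code": "Practitioner"},
            "query": base64.b64encode(ctx["query"].encode()).decode(),  # base64Binary in FHIR
        }],
    }

SAMPLE_CTX = {  # constructed request context for illustration only
    "client_id": "example-vhdir-client", "client_org": "Example Directory Consumer",
    "client_ip": "192.0.2.10", "server_url": "https://vhdir.example.org/fhir",
    "interaction": "search-type", "query": "Practitioner?name=Smith&_count=20",
    "recorded": dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc),
}
```

A production server would take the TLS version from the terminating connection and the client identity from the validated access token rather than from a dict.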
The following are security conformance requirements for the overall program/system: