Security for Scalable Registration, Authentication, and Authorization, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 2.0.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-udap-security-ig/ and changes regularly. See the Directory of published versions
Official URL: http://hl7.org/fhir/us/udap-security/ImplementationGuide/hl7.fhir.us.udap-security | Version: 2.0.0 | |||
IG Standards status: Trial-use | Maturity Level: 4 | Computable Name: UDAPSecurity |
This IG is currently undergoing ballot reconciliation in preparation for publication of STU2.
This Security FHIR® IG has been established upon the recommendations of ONC’s FHIR at Scale Taskforce (FAST) Security Tiger Team, and has been adapted from IGs previously published by UDAP.org. The workflows defined in the Unified Data Access Profiles (UDAP™) have been used in several FHIR IGs, including the TEFCA Facilitated FHIR IG, Carequality FHIR IG, Carin BB IG, DaVinci HREX IG, and others. The objective of this IG is to harmonize workflows for both consumer-facing and B2B applications to facilitate cross-organizational and cross-network interoperability.
Additional enhancements include a formal definition for a B2B Authorization Extension Object to facilitate these transactions.
This implementation guide describes how to extend OAuth 2.0 using UDAP workflows for both consumer-facing apps that implement the authorization code flow, and business-to-business (B2B) apps that implement the client credentials flow or authorization code flow. This guide covers automating the client application registration process and increasing security using asymmetric cryptographic keys bound to digital certificates to authenticate ecosystem participants. This guide also provides a grammar for communicating metadata critical to healthcare information exchange.
The requirements described in this guide are intended to align with the proposed solutions of the ONC FHIR at Scale Taskforce’s Security Tiger Team, the security model and UDAP workflows outlined in the Carequality FHIR-Based Exchange IG, and implementation guides incorporating UDAP workflows published by the CARIN Alliance and the Da Vinci Project.
This Guide is divided into several pages which are listed at the top of each page in the menu bar.
Guidance regarding the use of this IG with the SMART App Launch Framework can be found in Section 7.5.
This section lists some additional topics to be addressed by trust communities adopting this guide:
iss
and sub
claims of signed metadata elements (see Section 2.3).iss
and sub
claims of software statements (see Section 3.1).organization_id
in Section 5.2.1.1).subject_role
in Section 5.2.1.1).purpose_of_use
in Section 5.2.1.1).consent_policy
and consent_reference
in Section 5.2.1.1).