eHealth Platform Federal infsec Profiles
1.1.0 - STU1
eHealth Platform Federal infsec Profiles, published by eHealth Platform. This guide is not an authorized publication; it is the continuous build for version 1.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/hl7-be/infsec/ and changes regularly. See the Directory of published versions
Pseudonymisation is the activity of replacing meaningful data with a synonym that hides the original data, but when needed this synonym can be replaced by the original data. The aim is to hide data from readers that do not need it, due to legal (GDPR) or other reasons, but still allow the links between different data elements for those who need it. Additional encryption techniques may be used to restrict the access to the information to those who need it.
Detailed explanation about the pseudonymisation techniques used in this solution can be found here.
This solution only applies for short texts, i.e. text that fall within the length of the EC key. The solution for longer texts will be described in a subsequent document.
format: direct | encrypted (optional) default is direct |
Example of a json containing a pseudonym, before the application of the base64 encoding:
{
"x": "AUHWy0LqOxFe6T5dL6x97ygKzukuS+Q6jvqGwxaahWR7XNGh/tdUKNj82Ozhl/gOsoqrGtlUAI/XbZqKKmdZ5zuH",
"y": "AbFTfZ8vaitgHSmOQr7DTMjdgHXVe9J+BJqtBurDxeICNJA4ho/+scwVKIiWgjA1v0Xx2pb8fGPH8Kp0tjWyEYh1",
"transitInfo": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwia2lkIjoiNzQ5YjhlZjUtZjQwMS00NDc2LWIyNDMtYzFiZjIxY2MzZWE4IiwiYXVkIjoiaHR0cHM6Ly9hcGktaW50cmMuZWhlYWx0aC5mZ292LmJlL3BzZXVkby92MS9kb21haW5zL2RvbWFpbmFfdjEifQ..thFZVzwXff8HuxBY.fI8p0EdY1HNuzBP7Vb8AYldoCb1dgkLc5HunHkfTmkJc4H1dzgQ8LBbnBaIPmWFI2DgoPCpFNGqW8ucMYF4dC12l-IGDZv30SGv4RI4qppq_uiR8ik1N_psJSEptDIWsruBicXnNwYy22CHvaIy8-HGq2z6wlrNVgmZEsXqusCEeTIB0Udik.arPBjcRK8geT6aSElM7D0g"
}
The resulting value will put in the original field.
If you want to use the pseudonym for searching, you take the resulting value, and you prefix it with:
urn:be:fgov:ehealth:pseudo:v1:
or
urn:be:fgov:ehealth:pseudo:v2:
depending on the type of pseudonymization you are using. Beware that you can only use the long text solution (urn:be:fgov:pseudo-encrypted:) in searches if the body of the query request contains a FHIR resource that can handle the pseudonymized key.
The resulting value will look like this:
urn:be:fgov:ehealth:pseudo:v1:eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwia2lkIjoiMjAyMi0xMi...
As clients and servers may have different capabilities with regard to the support of pseudonymisation representations, both clients and servers can express their capabilities and conduct negotiations regarding the pseudonymisation representations to be used.
The client will be able to express his preferences by using the Accept-Be-Pseudo HTTP header. This header SHALL contain a comma separated list of the prefix values as described above.
Accept-Be-Pseudo: urn:be:fgov:ehealth:pseudo:v1, urn:be:fgov:ehealth:pseudo:v2, urn:be:fgov:pseudo-encrypted:v1
This header has been designed according to the guidelines in RFC 6648
If the header is not present in the request, the server will default to the lowest version supported as indicated in the capabilities statement (see further).
The server will indicate the version of pseudonymisation used using the Content-Be-Pseudo header.
Content-Be-Pseudo: urn:be:fgov:ehealth:pseudo:v2, urn:be:fgov:pseudo-encrypted:v1
This header is only an suggestion, and the indications in the FHIR resource itself always take precedence over the value in the header. If the header is missing, and there is no conclusive evidence (taking into account the described defaults), the value defaults to the lowest supported version in the capabilities statement.
The server has the opportunity to indicate its preferred use of pseudonymisation in the capabilities statement, as one or more rest.security.service
codeable concepts from CodeSystem be-cs-pseudonymization-version. The client is supposed, as in good fhir practice, to request the capabilities statement of the server, to check the type of pseudonymisation that is expected. If no explicit pseudonymisation representation is present, the client can try to use his own preference, but must be prepared to accept a refusal in the form of a 422 Error Code. In general, sending pseudonymised content to a server that is not capable of handling it, will provoke undefined behaviour with regard to the pseudonymisation definition.
During the pseudonymisation content negotiation, the client and server should choose the highest version that is supported by both client and server. Versions will be ordered by using the ordering rules of positive integers.
These two requirements lead to the following consequences:
To conclude, it is clear that systems that do not have the absolute need for computable integrity and semantic integrity, can adopt other rules. However, these other choices will never imply that they will be allowed to store their resources/documents in a vault, without complying with the rules above.
If new extensions are added to a profile, and searches are executed against the new extension, the resource will be regarded as such, so instances which do not contain the extra information will not be returned, unless explicitly requested in the query. This means that stored resources will not be modified to contain default values.
Upon the storage of a resource in the vault, a means will be made available check the computational integrity of the resource.
Following sources were used in the draughting of these rules:
Discussion on chat.fhir.org about how to define the integrity of a message and the use of meta.profile: https://chat.fhir.org/#narrow/stream/179247-Security-and-Privacy/topic/Progress.20on.20digital.20signatures.20and.20integrity
Discussion on chat.fhir.org about how to manage different versions of profiles: https://chat.fhir.org/#narrow/stream/179166-implementers/topic/Capturing.20multiple.20business.20versions.20supported
Discussion on chat.fhir.org about the meaning of versionless profile references: https://chat.fhir.org/#narrow/stream/179166-implementers/topic/Profile.20versions.20in.20a.20resource
Definition of the Canonical datatype, used to indicate the profile and its version: https://www.hl7.org/fhir/r4/datatypes.html#canonical
Description of the use of Canonicals: https://www.hl7.org/fhir/r4/references.html#canonical
Description of versioning in the R4 standard: https://www.hl7.org/fhir/R4/versioning.html