Authentication
FHIR’s servers are used to ensure that only people with the proper credentials are accessing this information. FHIR gives different levels of permissions based on case use and risk management, and their systems are designed to protect information as much as possible.
Servers can authenticate an entire system or an individual through OpenID Connect, which verifies the identity of users and forms an extra layer of security on OAuth (the recommended tool to authenticate a user or system).
Authorisation and access control
The correct identification of people, devices and locations is the foundation of any security system.
FHIR uses Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). With RBAC, permissions are grouped into roles and if a user’s role has the proper permission, they can gain access to the specific object required.
With ABAC, a user’s access request is based on the attributes and conditions of access control policies for a specific object. Those attributes may include security tags, environment conditions and other user and object characteristics.
Access control in healthcare is often complex. The client’s user identity, user role and level of assurance is one factor, the patient’s consent and relationship to the user must be considered, the sensitivity, confidentiality and type of data requested is important and the context of the transaction (system identity, purpose of use, transport security) are all important criteria for approving or denying access.
How people search for information is also important when it comes to keeping information secure with HL7 FHIR. Chained search, security labels, resources such as Bundle and Composition, and batch and transaction processing are some ways information can be gathered that HL7 FHIR needs to consider when ensuring that appropriate individuals and systems are given access.
If an approach has been denied, HL7 FHIR lets that person know by one of four ways: 401 ‘unauthorized’, 403 ‘forbidden’ or 404 ‘not found’ pages will show up, or zero results will be shown on data requested.