This page is part of the HL7 Belgium FHIR Specifications (v2020May: QA Preview) based on FHIR R4. This is the current published version. For a full list of available versions, see the Directory of published versions
Security requirements for FHIR profiles
Unless otherwise stated, all interfaces implementing these profiles shall be considered as containing Protected Health Information and as such shall implement the adequate security mechanisms.
These security requirements are usually defined by the parties that will interoperate. For example, when exchanging data with the regional data vaults, systems shall comply with the security mechamisms defined and implemented for those vaults. A different example is when the exchange is between two systems inside a hospital, and in this case the security mechanisms will be defined by the hospital.
While rules can be defined locally, it is expected that any system implementing these profiles will not present a point of failure or weakness.
The technical architecture for security is not yet decided by the parties – vaults, authorities, vendor community. This is only background information and no recommendation.
IHE has some implementation guidance on authorization.
End-to-end, double encryption solution.
TLS 1.2+ with mutual authentication, represented schematically below:
|