SlideShare a Scribd company logo

Security overview (grahame)

Download as PPTX, PDF
D
DevDays

FHIR provides standards for security including authentication, authorization, access control, digital signatures, audit trails, and security labels. Authentication verifies a user's identity, while authorization determines what resources a user can access. Access control engines enforce authorization and other rules. Digital signatures can be applied to resources and bundles to ensure integrity. Audit trails and provenance track access. Security labels make access restrictions like confidentiality explicit. Ongoing work continues on authorization models and how to apply signatures to RESTful resources.

Education
1 of 23
Downloaded 28 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
FHIR® is the registered trademark of HL7 and is used with the permission of HL7. The Flame Design mark is the registered trademark of HL7 and is used with the permission of HL7. Amsterdam, 15-17 November | @fhir_furore | #fhirdevdays17 | www.fhirdevdays.com Overview over security in FHIR & Security Labels Grahame Grieve, Health Intersections
Security Problem Space • Basic Web Security • Authentication / Authorization / Access Control • Digital Signatures • Audit Trail / Provenance tracking • Security Labels • An insecure system is an unsafe system
Basic Web Security • Use a time synchronization protocol • Use SSL / TLS (almost always) • Keep your security libraries up to date • Use CORS correctly (hard) • No Buffer overflows, XSS, etc • Narrative Handling • Recommended: https://www.troyhunt.com/
Content Issues • Base Content Rules: • No DTD references • No Active Content in XHTML • XML: Ignore Processing Instructions • XHTML: • White list external references • Don’t leak headers processing external references (images, css, etc) • Check media types of attachments
AuthZ • Authentication: Who is the user? (and their agent?) • Authorization: What does the user allow in this context? • Access Control: Is this request allowed, given • The data in the request • The user’s rights • The user’s authorization • The rules on the underlying data
Access Control Engine
OAuth • Delegating Authorization • Implicit: Delegating Authentication • openID Connect: Make this explicit • Two layer OAuth (demonstration) • Smart App Launch (http://hl7.org/fhir/smart-app-launch) • A profile on OAuth + openID Connect • Should always use this wherever possible for interoperability
Two Layer OAuth • Must be possible to map from identity on health records server to Identity server information (this can be established lots of ways) • Best identity server is a national identity server OAuth Client Server (AS/RS) Resources User Application Health Records Server What healthcare records should this application get access to Health Records Server Identity Server Identification information about the patient
OAuth • Delegating Authorization • Implicit: Delegating Authentication • openID Connect: Make this explicit • Two layer OAuth (demonstration) • Smart App Launch (http://hl7.org/fhir/smart-app-launch) • A profile on OAuth + openID Connect • Should always use this wherever possible for interoperability
Smart App Launch • Confidential Client (can keep a secret) – server / secure enclave • Public Client • Backend services • Not much supported, and not part of STU standard
Smart App Launch Scopes • [class]/[type].[mode] • Class = patient | user | system • Type = * or a FHIR resource type • Mode = * | read | write • Examples: patient/*.read user/*.* system/Communication.write • Also: openid profile launch offline_access online_access
Smart App Launch
Alternative Approach • Instead of Smart Scopes, scopes are URIs that identify Consent resource • Application identifies the consent resource it wants to work under • User chooses which consent resource to proceed under • Server replies with the consent resource that the user chose • Makes decisions obscure to the interface, but… • Possibly going to be tested in January connectathon
Access Control • The Smart OAuth scopes interact with access control • Access Control Engine engine: • What scopes can a user allow? • What operations/data does a user have rights for? • What scopes has the user allowed in this context? • What other Consents are applicable in this context? (+ jurisdictional rules) • FHIR does not standardise the access control layer • Should we? • SCIM for user management – what’s the mapping between users and roles?
AuditEvent and Provenance AuditEvent • Record of an event • Login/logout • RESTful API transaction • Higher level event (RWE) • Typically Create (no update/delete) • Consider signing the audit trail (blockchain?) • Provenance • Information about source of data • Applies to a set of resources • W5: Who What When Where Why • This information is denormalised into resources variably • Can provide it in an HTTP header • Can populate the AuditEvent
Digital Signatures • Formal Support: • Signature Data type • Provenance.signature • Bundle.signature
Signature Data Type
Using the Signature Data Type • Provenance • Detached Signature • Provenance.target : Reference(Any) 1..* • Provenance.signature: a signature across all the resources • Canonicalization across multiple resources not specified • Bundle • Enveloped Signature • Bundle.signature signs content • http://hl7.org/fhir/xml.html#digsig and http://hl7.org/fhir/json.html#canonical
Challenges with digital signatures • Signatures on static content (“documents”) are well understood • Signatures on a RESTful interface are not • Changing contents on interface engines • Signing packages of resources that can be re-identified
Security Labels • Some resources need special handling • VIP patients • Confidential records • Restricted use data (i.e. released for research, not for treatment) • Sometimes this is implicit in context, or the content of the resource • Mostly useful to make this explicit on the resource (denormalization)
Using Labels • Text to add to slide • Indent item • Another item
Core Labels • Purpose of Use • Treatment, research, legal, claims… etc • Confidentiality Codes • Unrestricted  normal  restricted  very restricted • Delete after use / No Reuse • All applications are required to know what these labels mean and observe/obey them if relevant • There are 500+ total labels, and growing….
Summary • Security is hard • Requires clear thinking • Ongoing development around Authorization and Consent • Questions…

More Related Content

PPTX
fhir-documents
DevDays
 
PPTX
Devdays 2017 implementation guide authoring - ardon toonstra
DevDays
 
PPTX
Fhir foundation (grahame)
DevDays
 
PPTX
Building bridges devdays 2017- powerpoint template
DevDays
 
PPTX
Furore devdays2017 tdd-2-advanced
DevDays
 
PPTX
Advanced .net api (ewout)
DevDays
 
PPTX
Furore devdays2017 general-introtofhir
DevDays
 
PPTX
Fhir tooling (grahame)
DevDays
 
fhir-documents
DevDays
 
Devdays 2017 implementation guide authoring - ardon toonstra
DevDays
 
Fhir foundation (grahame)
DevDays
 
Building bridges devdays 2017- powerpoint template
DevDays
 
Furore devdays2017 tdd-2-advanced
DevDays
 
Advanced .net api (ewout)
DevDays
 
Furore devdays2017 general-introtofhir
DevDays
 
Fhir tooling (grahame)
DevDays
 

What's hot (20)

PPTX
Dev days 2017 advanced directories (brian postlethwaite)
DevDays
 
PPTX
Furore devdays 2017 - workflow
DevDays
 
PPTX
Furore devdays 2017-sdc (lloyd)
DevDays
 
PPTX
final Keynote (grahame)
DevDays
 
PPTX
Furore devdays 2017- profiling academy - profiling guidelines v1
DevDays
 
PDF
Integrating with the epic platform fhir dev days 17
DevDays
 
PPTX
Furore devdays 2017- rdf2(solbrig)
DevDays
 
PPTX
Whats new (grahame)
DevDays
 
PPTX
Profiling with clin fhir
DevDays
 
PPTX
Furore devdays2017 tdd-1-intro
DevDays
 
PPTX
2017 11-ccda-on-fhir
DevDays
 
PPTX
Dev days 2017 questionnaires (brian postlethwaite)
DevDays
 
PPTX
20171116 rene spronk_profiling_governance
DevDays
 
PPTX
Furore devdays 2017- continua implementing fhir
DevDays
 
PPTX
Discover the new face of HL7 FHIR v4 - Ideas2IT
Ideas2IT Technologies
 
PPTX
Building a Scenario using clinFHIR
DevDays
 
PPTX
Furore devdays 2017 - implementation guides (lloyd)
DevDays
 
PPTX
Fhir dev days 2017 fhir profiling - overview and introduction v07
DevDays
 
PPTX
Fhir dev days_basic_fhir_terminology_services
DevDays
 
PPTX
Transforming other content (grahame)
DevDays
 
Dev days 2017 advanced directories (brian postlethwaite)
DevDays
 
Furore devdays 2017 - workflow
DevDays
 
Furore devdays 2017-sdc (lloyd)
DevDays
 
final Keynote (grahame)
DevDays
 
Furore devdays 2017- profiling academy - profiling guidelines v1
DevDays
 
Integrating with the epic platform fhir dev days 17
DevDays
 
Furore devdays 2017- rdf2(solbrig)
DevDays
 
Whats new (grahame)
DevDays
 
Profiling with clin fhir
DevDays
 
Furore devdays2017 tdd-1-intro
DevDays
 
2017 11-ccda-on-fhir
DevDays
 
Dev days 2017 questionnaires (brian postlethwaite)
DevDays
 
20171116 rene spronk_profiling_governance
DevDays
 
Furore devdays 2017- continua implementing fhir
DevDays
 
Discover the new face of HL7 FHIR v4 - Ideas2IT
Ideas2IT Technologies
 
Building a Scenario using clinFHIR
DevDays
 
Furore devdays 2017 - implementation guides (lloyd)
DevDays
 
Fhir dev days 2017 fhir profiling - overview and introduction v07
DevDays
 
Fhir dev days_basic_fhir_terminology_services
DevDays
 
Transforming other content (grahame)
DevDays
 
Ad

Similar to Security overview (grahame) (20)

PDF
APIsecure 2023 - FHIR API Security, Grahame Grieve (Health Intersections)
apidays
 
PPTX
Introduction to Web Application Security Principles
Dr. P. Mohana Priya
 
PPTX
Cm2 secure code_training_1day_data_protection
dcervigni
 
ODP
Building open source identity infrastructures
Francesco Chicchiriccò
 
PPTX
Introduction to SMART on FHIR
Nishit Charania
 
PDF
Securing .NET Core, ASP.NET Core applications
NETUserGroupBern
 
PDF
Vault 101
Hazzim Anaya
 
PPTX
Spa Secure Coding Guide
Geoffrey Vandiest
 
PPTX
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Caserta
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
PDF
OWASP Top 10 Web Vulnerabilities from DCC 04/14
Chris Holwerda
 
PPTX
Lesson 6 web based attacks
Frank Victory
 
PPTX
Public Digital Identity as a Service
PT Datacomm Diangraha
 
PDF
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
PPTX
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Sean Whalen
 
PDF
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
PPTX
Ledingkart Meetup #3: Security Basics for Developers
Mukesh Singh
 
PPTX
OpenId Connect Protocol
Michael Furman
 
PPT
UserCentric Identity based Service Invocation
guestd5dde6
 
PDF
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 
APIsecure 2023 - FHIR API Security, Grahame Grieve (Health Intersections)
apidays
 
Introduction to Web Application Security Principles
Dr. P. Mohana Priya
 
Cm2 secure code_training_1day_data_protection
dcervigni
 
Building open source identity infrastructures
Francesco Chicchiriccò
 
Introduction to SMART on FHIR
Nishit Charania
 
Securing .NET Core, ASP.NET Core applications
NETUserGroupBern
 
Vault 101
Hazzim Anaya
 
Spa Secure Coding Guide
Geoffrey Vandiest
 
Big Data Warehousing Meetup: Securing the Hadoop Ecosystem by Cloudera
Caserta
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
OWASP Top 10 Web Vulnerabilities from DCC 04/14
Chris Holwerda
 
Lesson 6 web based attacks
Frank Victory
 
Public Digital Identity as a Service
PT Datacomm Diangraha
 
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Sean Whalen
 
Shifting security left simplifying security for k8s open shift environments
LibbySchulze
 
Ledingkart Meetup #3: Security Basics for Developers
Mukesh Singh
 
OpenId Connect Protocol
Michael Furman
 
UserCentric Identity based Service Invocation
guestd5dde6
 
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 
Ad

More from DevDays (14)

PPTX
Consent dev days
DevDays
 
PPTX
Mohannad hussain dicom and imaging tools
DevDays
 
PPTX
Mohannad hussain community track - siim dataset & dico mweb proxy
DevDays
 
PPTX
Validation in net and java (ewout james)
DevDays
 
PPTX
Structure definition 101 (ewout)
DevDays
 
PPTX
Quality improvement dev days-2017
DevDays
 
PPTX
Furore devdays 2017- rdf1(solbrig)
DevDays
 
PPTX
Furore devdays 2017- oai
DevDays
 
PPTX
Connectathon opening 2017
DevDays
 
PPTX
20171127 rene spronk_messaging_the_unloved_paradigm
DevDays
 
PPTX
Vonk fhir facade (christiaan)
DevDays
 
PPTX
Opening student track
DevDays
 
PPTX
Fhir dev days_advanced_fhir_terminology_services
DevDays
 
PPTX
Distributing cds dev days-2017
DevDays
 
Consent dev days
DevDays
 
Mohannad hussain dicom and imaging tools
DevDays
 
Mohannad hussain community track - siim dataset & dico mweb proxy
DevDays
 
Validation in net and java (ewout james)
DevDays
 
Structure definition 101 (ewout)
DevDays
 
Quality improvement dev days-2017
DevDays
 
Furore devdays 2017- rdf1(solbrig)
DevDays
 
Furore devdays 2017- oai
DevDays
 
Connectathon opening 2017
DevDays
 
20171127 rene spronk_messaging_the_unloved_paradigm
DevDays
 
Vonk fhir facade (christiaan)
DevDays
 
Opening student track
DevDays
 
Fhir dev days_advanced_fhir_terminology_services
DevDays
 
Distributing cds dev days-2017
DevDays
 

Recently uploaded (20)

PDF
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
RMMM.pdf make it easy to upload and study
sajedul2
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Pre independence Education in Inndia.pdf
goofy5603
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Institutional Correction lecture only . . .
limvtheghins
 
Basic Mud Logging Guide for educational purpose
wdandworks
 

Security overview (grahame)

  • 1. FHIR® is the registered trademark of HL7 and is used with the permission of HL7. The Flame Design mark is the registered trademark of HL7 and is used with the permission of HL7. Amsterdam, 15-17 November | @fhir_furore | #fhirdevdays17 | www.fhirdevdays.com Overview over security in FHIR & Security Labels Grahame Grieve, Health Intersections
  • 2. Security Problem Space • Basic Web Security • Authentication / Authorization / Access Control • Digital Signatures • Audit Trail / Provenance tracking • Security Labels • An insecure system is an unsafe system
  • 3. Basic Web Security • Use a time synchronization protocol • Use SSL / TLS (almost always) • Keep your security libraries up to date • Use CORS correctly (hard) • No Buffer overflows, XSS, etc • Narrative Handling • Recommended: https://www.troyhunt.com/
  • 4. Content Issues • Base Content Rules: • No DTD references • No Active Content in XHTML • XML: Ignore Processing Instructions • XHTML: • White list external references • Don’t leak headers processing external references (images, css, etc) • Check media types of attachments
  • 5. AuthZ • Authentication: Who is the user? (and their agent?) • Authorization: What does the user allow in this context? • Access Control: Is this request allowed, given • The data in the request • The user’s rights • The user’s authorization • The rules on the underlying data
  • 7. OAuth • Delegating Authorization • Implicit: Delegating Authentication • openID Connect: Make this explicit • Two layer OAuth (demonstration) • Smart App Launch (http://hl7.org/fhir/smart-app-launch) • A profile on OAuth + openID Connect • Should always use this wherever possible for interoperability
  • 8. Two Layer OAuth • Must be possible to map from identity on health records server to Identity server information (this can be established lots of ways) • Best identity server is a national identity server OAuth Client Server (AS/RS) Resources User Application Health Records Server What healthcare records should this application get access to Health Records Server Identity Server Identification information about the patient
  • 9. OAuth • Delegating Authorization • Implicit: Delegating Authentication • openID Connect: Make this explicit • Two layer OAuth (demonstration) • Smart App Launch (http://hl7.org/fhir/smart-app-launch) • A profile on OAuth + openID Connect • Should always use this wherever possible for interoperability
  • 10. Smart App Launch • Confidential Client (can keep a secret) – server / secure enclave • Public Client • Backend services • Not much supported, and not part of STU standard
  • 11. Smart App Launch Scopes • [class]/[type].[mode] • Class = patient | user | system • Type = * or a FHIR resource type • Mode = * | read | write • Examples: patient/*.read user/*.* system/Communication.write • Also: openid profile launch offline_access online_access
  • 13. Alternative Approach • Instead of Smart Scopes, scopes are URIs that identify Consent resource • Application identifies the consent resource it wants to work under • User chooses which consent resource to proceed under • Server replies with the consent resource that the user chose • Makes decisions obscure to the interface, but… • Possibly going to be tested in January connectathon
  • 14. Access Control • The Smart OAuth scopes interact with access control • Access Control Engine engine: • What scopes can a user allow? • What operations/data does a user have rights for? • What scopes has the user allowed in this context? • What other Consents are applicable in this context? (+ jurisdictional rules) • FHIR does not standardise the access control layer • Should we? • SCIM for user management – what’s the mapping between users and roles?
  • 15. AuditEvent and Provenance AuditEvent • Record of an event • Login/logout • RESTful API transaction • Higher level event (RWE) • Typically Create (no update/delete) • Consider signing the audit trail (blockchain?) • Provenance • Information about source of data • Applies to a set of resources • W5: Who What When Where Why • This information is denormalised into resources variably • Can provide it in an HTTP header • Can populate the AuditEvent
  • 16. Digital Signatures • Formal Support: • Signature Data type • Provenance.signature • Bundle.signature
  • 18. Using the Signature Data Type • Provenance • Detached Signature • Provenance.target : Reference(Any) 1..* • Provenance.signature: a signature across all the resources • Canonicalization across multiple resources not specified • Bundle • Enveloped Signature • Bundle.signature signs content • http://hl7.org/fhir/xml.html#digsig and http://hl7.org/fhir/json.html#canonical
  • 19. Challenges with digital signatures • Signatures on static content (“documents”) are well understood • Signatures on a RESTful interface are not • Changing contents on interface engines • Signing packages of resources that can be re-identified
  • 20. Security Labels • Some resources need special handling • VIP patients • Confidential records • Restricted use data (i.e. released for research, not for treatment) • Sometimes this is implicit in context, or the content of the resource • Mostly useful to make this explicit on the resource (denormalization)
  • 21. Using Labels • Text to add to slide • Indent item • Another item
  • 22. Core Labels • Purpose of Use • Treatment, research, legal, claims… etc • Confidentiality Codes • Unrestricted  normal  restricted  very restricted • Delete after use / No Reuse • All applications are required to know what these labels mean and observe/obey them if relevant • There are 500+ total labels, and growing….
  • 23. Summary • Security is hard • Requires clear thinking • Ongoing development around Authorization and Consent • Questions…