Security

Health Chain API requests often carry patient-specific information that could be exploited by malicious actors, resulting in exposure of patient data. For this reason, all production Health Chain patient access transactions must be secured appropriately and as directed by regulations, with access limited to authorized individuals, data protected in transit, and appropriate audit measures taken. The requirements below apply to production systems; this guide targets interactions with Health Chain's sandbox solution, which contains only synthetic data. While the requirements below should be adhered to in a production environment, they may not apply to the sandbox solution.

Developers of third-party applications SHOULD be aware of these security considerations associated with FHIR transactions, particularly those related to:

For the purposes of Health Chain's Implementation Guide, the security conformance requirements are as follows:

  • Systems SHALL establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements. In addition, US Federal systems SHOULD conform with the risk management and mitigation requirements defined in NIST 800 series documents. This SHOULD include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls - policies, administrative practices, and technical controls - SHOULD be defined in the Business Associate Agreement when available.
  • Systems SHALL reference a single time source to establish a common time base for security auditing, as well as clinical records, among computing systems. The selected time source SHOULD be documented in the Business Associate Agreement.
  • Systems SHALL keep audit logs of the various transactions.
  • Systems SHALL use TLS version 1.2 or higher for transmissions not taking place over a secure network connection. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.) US Federal systems SHOULD conform with FIPS PUB 140-2.
  • Systems SHALL conform to FHIR Communications Security requirements.
  • For Authentication and Authorization, Systems SHALL support the SMART App Launch Framework for client <-> server interactions.

Note: The SMART on FHIR specifications include the required OAuth RFC 7591 scopes for enabling security decisions.

  • Systems SHALL implement consent requirements per their state, local, and institutional policies. The Business Associate Agreements document the systems' mutual consent requirements.
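The SMART App Launch and audit requirements above can be illustrated on the server side by one small decision routine: parse the scopes granted to a client, decide whether a given FHIR request is permitted, and record the outcome with a UTC timestamp. The following is an added example, not Health Chain's own code or the SMART reference implementation. It assumes the scope grammar of SMART v1 (`patient/Observation.read`) and v2 (`patient/Observation.rs`), that the token's launch context carries a `patient` id, and that audit entries are plain dicts; the client id, patient ids and scope lists are constructed sample values.

```python
"""Added example (not Health Chain's code): authorize a FHIR request from
SMART scopes and append an audit entry for the decision.

Assumptions: SMART v1/v2 scope grammar; the introspected token carries
`scopes`, `client_id`, `sub` and the launch-context `patient` id.
All ids below are constructed for the example."""
import re
from datetime import datetime, timezone

# Resource scope: <context>/<ResourceType or *>.<permissions>
# v1 permissions: read | write | *      v2 permissions: any of c r u d s
SCOPE_RE = re.compile(
    r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*|[cruds]{1,5})$"
)

# v1 keywords mapped onto the v2 letters: c=create r=read u=update d=delete s=search
V1_PERMS = {"read": set("rs"), "write": set("cud"), "*": set("cruds")}


def parse_scope(scope):
    """Return (context, resource_type, permission set), or None for
    non-resource scopes such as openid, fhirUser or launch/patient."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    context, resource, perms = m.groups()
    return context, resource, V1_PERMS.get(perms, set(perms))


def authorize(granted_scopes, launch_patient, resource_type, action, resource_patient):
    """Decide whether one request (action in c/r/u/d/s on resource_type
    belonging to resource_patient) is permitted by the granted scopes.

    patient/ scopes are confined to the patient in the launch context;
    user/ and system/ scopes are not bound to a single patient."""
    for scope in granted_scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        context, res, perms = parsed
        if res not in (resource_type, "*") or action not in perms:
            continue
        if context == "patient" and resource_patient != launch_patient:
            continue  # scope is valid but for a different patient compartment
        return True
    return False


# In-memory stand-in for the audit log the requirements call for.
AUDIT_LOG = []


def audited_request(token, resource_type, action, resource_patient):
    """Apply the scope decision and record it. The timestamp is taken in UTC
    so every system logs against the same time base."""
    allowed = authorize(token["scopes"], token.get("patient"),
                        resource_type, action, resource_patient)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "client": token["client_id"],
        "subject": token.get("sub"),
        "resource": f"{resource_type} (patient {resource_patient})",
        "action": action,
        "outcome": "allow" if allowed else "deny",
    })
    return allowed


# Constructed token, as a resource server would see it after introspection.
SAMPLE_TOKEN = {
    "client_id": "example-app",
    "sub": "practitioner-1",
    "patient": "123",
    "scopes": ["openid", "launch/patient",
               "patient/Observation.read", "patient/Patient.rs"],
}

if __name__ == "__main__":
    print(audited_request(SAMPLE_TOKEN, "Observation", "r", "123"))  # allowed
    print(audited_request(SAMPLE_TOKEN, "Observation", "r", "456"))  # other patient: denied
    print(audited_request(SAMPLE_TOKEN, "Observation", "d", "123"))  # no delete permission: denied
    for entry in AUDIT_LOG:
        print(entry)
```

The point worth noting is the compartment check: a `patient/` scope is only half of the decision, and the requested resource must also belong to the patient from the launch context, otherwise a client granted `patient/Observation.read` for one patient could read another's observations. The audit entry records the denied attempts as well as the allowed ones, which is what makes the log useful for later review.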