CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018

Slides:



Advertisements
Similar presentations
Secure RESTful Interface Profile Phase 1 Briefing
Advertisements

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –
Healthcare Services Platform Sandbox. The HSPC Sandbox HSPC Sandbox Architecture : Scot Post van der Burg Asthma Ally.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
HIT Standards Committee HIT Standards Committee Privacy and Security Workgroup Discussion of NwHIN Power Team Recommendations August 6,
Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Data Segmentation for Privacy Agenda All-hands Workgroup Meeting May 9, 2012.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
TranSMART REST API. Project background tranSMART background – TranSMART is an open-source knowledge management and analysis platform for clinical and.
Web Authorization Protocol (oauth) Hannes Tschofenig.
Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.
Standards & Interoperability (S&I) Structured Data Capture (SDC) FHIR Profile IG SWG.
OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.
1 Vermont Health Information Technology Plan Workgroup January 10, 2007 VERMONT INFORMATION TECHNOLOGY LEADERS.
OpenID Connect: An Overview Pat Patterson Developer Evangelist Architect
Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.
Eclipse Foundation, Inc. Eclipse Open Healthcare Framework v1.0 Interoperability Terminology HL7 v2 / v3 DICOM Archetypes Health Records Capture Storage.
Building Secure Microservices
FHIR: Progress and Future
OAuth 2.0 Improvements Losing Half a Leg.
OAuth WG Conference Call, 11th Jan. 2013
Open Platforms for Innovation
Code4health – Interoperability Developers
OAuth2 WG User Authentication for Clients
Node.js Express Web Services
Infusion Management and Auto Pump Programming
Chairs: Derek Atkins and Hannes Tschofenig
OAuth Assertion Documents
OAuth2 SCIM Client Registration & Software Statement Exchange
Agenda OAuth WG IETF 87 July, 2013.
Addressing the Beast: Single Sign-On II
Saturday, January 27 & Sunday, January 28
FHIR BULK DATA API April 2018
WEB API.
BY: SHIVI AGRAWAL ( ) CSE-(6)C
Project Plan Template (Help text appears in cursive on slides and in the notes field)
ODS API Suite APIs to Organisation Reference Data
RFC PASSporT Construction 6.2 Verifier Behavior
Dataporten Andreas Åkre Solberg
ESB Networks Market Release Meeting of the IGG, March 5th 2009
OAuth Design Team Call 11th February 2013.
Project Argonaut and FHIR
SharePoint Online Authentication Patterns
Harvard Medical School
Office 365 Development.
SMART on FHIR for managed authorised access to medical records
STIR WG IETF-102 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-06) July 18, 2018 Ray P. Singh, Martin Dolly, Subir Das, and.
Token-based Authentication
SMART on FHIR Scot Post van der Burg FHIR Developer Days November 25,
A JWT profile for OAuth2 Access Tokens
OpenID Enhanced Authentication Profile (EAP) Working Group
EMS &Trauma Registries Update
OpenID Enhanced Authentication Profile (EAP) Working Group
Rifaat Shekh-Yusef IETF105, OAuth WG, Montreal, Canada 26 July 2019
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02
STIR / SHAKEN for 911 use of SHAKEN 8/7/2019
Basic Data Provenance April 22, 2019
Payer/Provider Information Exchange Track (including Cdex)
Da Vinci Community Forum
CMS NPRM for Payer Data Exchange – to Member
OpenID Enhanced Authentication Profile (EAP) Working Group
Veterans Health Administration
Presentation transcript:

CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018 New Orleans, LA

Agenda Connectathon summary Argonaut security assessment summary Specification changes 1.0 release plan Post 1.0 feedback & plans

Connectathon Summary 42 CDS Hooks participants - a new record!!! EHRs, CDS Service Providers, Healthcare organizations Excellent 1.0 feedback - several issues logged & changes made Excellent security implementation feedback! Lots of disparate use cases (Infobutton, opioids, genetics, etc)

Univ of Utah Opioid CDS Service

Infobutton CDS Service

medication-prescribe hook in Cerner

Argonaut Security Assessment

Argonaut Security Assessment The Argonaut Project funded a 3rd party security review & assessment, ongoing since October 2017 Dixie Baker, PhD is performing the assessment and also did this for SMART on FHIR TL;DR - The majority of changes are just documentation improvements :-) TL;DR = Too Long Didn’t Read

Documentation Improvements Articulate risks and potential threats so that implementers understand them and can make their own choices based upon their tolerance of risk Strengthen conformance verbiage where appropriate (MUST, SHOULD, MAY, etc) Document each request/response field with REQUIRED or OPTIONAL

fhirAuthorization - Add new subject parameter "access_token" : "some-opaque-fhir-access-token", "token_type" : "Bearer", "expires_in" : 300, "scope" : "patient/Patient.read patient/Observation.read", "subject" : "the-cds-service-oauth2-client-id" } subject client_id of authorized assessor (CDS Service) for which the access token is being requested

JWT Signatures From implementer feedback (post Sept 2017 Connectathon) and the Argonaut security review, it is clear this is an issue we need to tackle for 1.0 Plan is to align our strategy with that of the SMART Backend Services, which also leverages signed JSON web tokens (JWT)

#87 - Specify JWT public key > JWT Changes JSON Web Token (JWT): Header: add "kid": "some-opaque-identifier" Payload (no changes): { "iss": "https://fhir-ehr.example.com/", "sub": "client_id", "aud": "https://cds.example.org/cds-services/some-service", "exp": 1422568860, "iat": 1311280970, "jti": "ee22b021-e1b7-4611-ba5b-8eec6a33ac1e", }

#87 - Specify JWT public key > JWKs Issuer makes JWKs available at {iss}/.well-known/jwks.json JWK endpoint conforms to RFC 7517, JSON Web Key (JWK). Example: { "keys": [ { "kty": "EC", "crv": "P-256", "kid": "some-opaque-identifier", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0" } ] }

#87 - Specify JWT public key > Summary Initially intended to be addressed post 1.0, the reality is that all implementers need a solution today SMART’s use of OpenID Connect already requires JWTs and JWKs SMART Backend services leverage signed JWTs too and we want to align our strategy Adopting two existing IETF standards allows us to leverage existing OSS libraries and work JSON Web Signature (rfc7515) JSON Web Key (rfc7517)

Notable Specification Changes

#109 - Hooks define their own context Lesson learned: Code and examples are more important than specification doc :P Context is now an object, the contents of which defined by each hook Specification Sandbox Examples Implementers Context Data Type object array

#119 - Move patient_id and encounter_id to context { "hookInstance" : "some-uuid", "fhirServer" : "https://fhir.example.org", "hook" : "patient-view", "user" : "Practitioner/example", "patient" : "123", "encounter" : "456", "prefetch" : { .. }, "context" : { ... }, "fhirAuthorization" : { ... } } { "hookInstance" : "some-uuid", "fhirServer" : "https://fhir.example.org", "hook" : "patient-view", "user" : "Practitioner/example", "patient" : "123", "encounter" : "456", "prefetch" : { .. }, "context" : { "patientId" : "123", "encounterId" : "456" }, "fhirAuthorization" : { ... } }

#151 - Clarity around prefetch tokens Today: {{Patient.id}} {{User.id}} Proposed: Hooks indicate which first-level fields can be prefetch tokens Prefetch tokens have a defined naming convention {{user}} {{context.patientId}} {{context.encounterId}}

1.0 Release Plans

1.0 release in Q1 2018 1.0 Release Plans Finalize security assessment (early February) HL7 Jan 2018 WGM feedback (‘informal ballot’ - Now!) Wrap-up remaining 1.0 milestoned issues 1.0 release in Q1 2018

Post 1.0 Feedback & Open Discussion

Post 1.0 Feedback & Open Discussion Decisions? Additional use cases? (opioids? radiology?) Anything else? Continue to log issues on GitHub

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.