Presentation is loading. Please wait.

Presentation is loading. Please wait.

CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018

Published byVictoria Gaines Modified over 6 years ago

Similar presentations

Presentation on theme: "CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018"— Presentation transcript:

1 CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018
New Orleans, LA

2 Agenda Connectathon summary Argonaut security assessment summary Specification changes 1.0 release plan Post 1.0 feedback & plans

3 Connectathon Summary 42 CDS Hooks participants - a new record!!!
EHRs, CDS Service Providers, Healthcare organizations Excellent 1.0 feedback - several issues logged & changes made Excellent security implementation feedback! Lots of disparate use cases (Infobutton, opioids, genetics, etc)

4 Univ of Utah Opioid CDS Service

5 Infobutton CDS Service

6 medication-prescribe hook in Cerner

7 Argonaut Security Assessment

8 Argonaut Security Assessment
The Argonaut Project funded a 3rd party security review & assessment, ongoing since October 2017 Dixie Baker, PhD is performing the assessment and also did this for SMART on FHIR TL;DR - The majority of changes are just documentation improvements :-) TL;DR = Too Long Didn’t Read

9 Documentation Improvements
Articulate risks and potential threats so that implementers understand them and can make their own choices based upon their tolerance of risk Strengthen conformance verbiage where appropriate (MUST, SHOULD, MAY, etc) Document each request/response field with REQUIRED or OPTIONAL

10 fhirAuthorization - Add new subject parameter
"access_token" : "some-opaque-fhir-access-token", "token_type" : "Bearer", "expires_in" : 300, "scope" : "patient/Patient.read patient/Observation.read", "subject" : "the-cds-service-oauth2-client-id" } subject client_id of authorized assessor (CDS Service) for which the access token is being requested

11 JWT Signatures From implementer feedback (post Sept 2017 Connectathon) and the Argonaut security review, it is clear this is an issue we need to tackle for 1.0 Plan is to align our strategy with that of the SMART Backend Services, which also leverages signed JSON web tokens (JWT)

12 #87 - Specify JWT public key > JWT Changes
JSON Web Token (JWT): Header: add "kid": "some-opaque-identifier" Payload (no changes): { "iss": " "sub": "client_id", "aud": " "exp": , "iat": , "jti": "ee22b021-e1b ba5b-8eec6a33ac1e", }

13 #87 - Specify JWT public key > JWKs
Issuer makes JWKs available at {iss}/.well-known/jwks.json JWK endpoint conforms to RFC 7517, JSON Web Key (JWK). Example: { "keys": [ { "kty": "EC", "crv": "P-256", "kid": "some-opaque-identifier", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0" } ] }

14 #87 - Specify JWT public key > Summary
Initially intended to be addressed post 1.0, the reality is that all implementers need a solution today SMART’s use of OpenID Connect already requires JWTs and JWKs SMART Backend services leverage signed JWTs too and we want to align our strategy Adopting two existing IETF standards allows us to leverage existing OSS libraries and work JSON Web Signature (rfc7515) JSON Web Key (rfc7517)

15 Notable Specification Changes

16 #109 - Hooks define their own context
Lesson learned: Code and examples are more important than specification doc :P Context is now an object, the contents of which defined by each hook Specification Sandbox Examples Implementers Context Data Type object array

17 #119 - Move patient_id and encounter_id to context
{ "hookInstance" : "some-uuid", "fhirServer" : " "hook" : "patient-view", "user" : "Practitioner/example", "patient" : "123", "encounter" : "456", "prefetch" : { .. }, "context" : { ... }, "fhirAuthorization" : { ... } } { "hookInstance" : "some-uuid", "fhirServer" : " "hook" : "patient-view", "user" : "Practitioner/example", "patient" : "123", "encounter" : "456", "prefetch" : { .. }, "context" : { "patientId" : "123", "encounterId" : "456" }, "fhirAuthorization" : { ... } }

18 #151 - Clarity around prefetch tokens
Today: {{Patient.id}} {{User.id}} Proposed: Hooks indicate which first-level fields can be prefetch tokens Prefetch tokens have a defined naming convention {{user}} {{context.patientId}} {{context.encounterId}}

19 1.0 Release Plans

20 1.0 release in Q1 2018 1.0 Release Plans
Finalize security assessment (early February) HL7 Jan 2018 WGM feedback (‘informal ballot’ - Now!) Wrap-up remaining 1.0 milestoned issues 1.0 release in Q1 2018

21 Post 1.0 Feedback & Open Discussion

22 Post 1.0 Feedback & Open Discussion
Decisions? Additional use cases? (opioids? radiology?) Anything else? Continue to log issues on GitHub

Download ppt "CDS Hooks HL7 WGM Jan 2018 CDS Working Group Tuesday, January 30, 2018"

Similar presentations

Secure RESTful Interface Profile Phase 1 Briefing

Secure RESTful Interface Profile Phase 1 Briefing
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –

Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –
Healthcare Services Platform Sandbox. The HSPC Sandbox https://hspc.isalusconsulting.com HSPC Sandbox Architecture : Scot Post van der Burg Asthma Ally.

Healthcare Services Platform Sandbox. The HSPC Sandbox HSPC Sandbox Architecture : Scot Post van der Burg Asthma Ally.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
HIT Standards Committee HIT Standards Committee Privacy and Security Workgroup Discussion of NwHIN Power Team Recommendations August 6, 2013 1.

HIT Standards Committee HIT Standards Committee Privacy and Security Workgroup Discussion of NwHIN Power Team Recommendations August 6,
Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.

Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Data Segmentation for Privacy Agenda All-hands Workgroup Meeting May 9, 2012.

Data Segmentation for Privacy Agenda All-hands Workgroup Meeting May 9, 2012.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
TranSMART REST API. Project background tranSMART background – TranSMART is an open-source knowledge management and analysis platform for clinical and.

TranSMART REST API. Project background tranSMART background – TranSMART is an open-source knowledge management and analysis platform for clinical and.
Web Authorization Protocol (oauth) Hannes Tschofenig.

Web Authorization Protocol (oauth) Hannes Tschofenig.
Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.
Standards & Interoperability (S&I) Structured Data Capture (SDC) FHIR Profile IG SWG.

Standards & Interoperability (S&I) Structured Data Capture (SDC) FHIR Profile IG SWG.

Similar presentations

Ads by Google