- How can the existing FHIR Provenance and Signature resources be used to verify and ensure the identity of resources created and modified in a distributed system during and after the communication sequence?
- To what extent is it possible to identify all other systems that have requested and processed this data?
- Which requirements does the preservation of resource integrity pose on security measures to be implemented?
- Which parts of the FHIR standard are required to ensure non-repudiation and integrity?
Results & Discussion
The FHIR resources Provenance and Signature were essential for the work. Functionalities offered by FHIR, as well as mechanisms for maintaining the security of a FHIR system, were analyzed.
An exemplary patient monitor was used to show how the methods and resources provided by FHIR can be used to preserve resource integrity and which conditions for the behavior of a FHIR server and its system environment need to be met.
This work shows that the communication standard offers design possibilities to achieve the previously discussed protection goals. However, the requirements and recommendations concerning electronic signatures are not yet precise enough or elective. An example is that for electronic signatures with JWT claims are defined, and their use must be specified and required in the standard.
Also, if the results of this work are not generally applicable but are limited to the specific example, it was shown which problems currently exist in implementing designed security requirements in FHIR. One example is that FHIR signatures do not currently specify which resource was signed. There are also gaps in identifying resources for signing before the server’s resources receive a logical ID and version. A partial solution for this was shown by using a signature-specific identifier generated by the client at random.
Another result of this work is that a device must communicate changes to its settings, updates, or status to ensure the database’s traceability and consistency. For this purpose, update requests need to be appropriately secured.
It remains open to which extent subsequent versions of the FHIR standard will evolve in terms of security. For this purpose, as many different scenarios and medical processes as possible in interaction with medical devices, systems, and personnel should be evaluated to make statements as specific as possible. These statements should be aligned with the FHIR principles.
Nina & Julian
Julian Suleder, Nina Matysiak. ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity. Online: https://ernw-research.de/en/whitepapers/issue-70.html.