ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity

With this blog post I am pleased to announce the publication of a new ERNW White Paper about the HL7 FHIR communication standard.

Digital networking is already widespread in many areas of life. More and more medical devices are also being networked in the healthcare industry. This growth makes the development and use of new medical communication standards necessary since existing solutions can only meet the changing requirements with great effort. The HL7 FHIR standard is an example of such a medical communication standard. FHIR is said to have increased the interoperability between different medical contexts,e.g., administration, billing, and clinical care, to enable data exchange of various systems. The FHIR standard addresses the security risks associated with strongly networked communication from a large number of systems across the trust and organizational boundaries only indirectly because FHIR does not define mandatory security controls or requirements.

In this paper, we analyze the security controls of the HL7 FHIR communication standard that is concerned with non-repudiation and accountability of resource modifications and the integrity of exchanged resources. To do this, existing FHIR resource types are examined with a focus on answering the following questions:

The FHIR resources Provenance and Signature were essential for the work. Functionalities offered by FHIR, as well as mechanisms for maintaining the security of a FHIR system, were analyzed.

An exemplary patient monitor was used to show how the methods and resources provided by FHIR can be used to preserve resource integrity and which conditions for the behavior of a FHIR server and its system environment need to be met.

This work shows that the communication standard offers design possibilities to achieve the previously discussed protection goals. However, the requirements and recommendations concerning electronic signatures are not yet precise enough or elective. An example is that for electronic signatures with JWT claims are defined, and their use must be specified and required in the standard.

Also, if the results of this work are not generally applicable but are limited to the specific example, it was shown which problems currently exist in implementing designed security requirements in FHIR. One example is that FHIR signatures do not currently specify which resource was signed. There are also gaps in ​​identifying resources for signing before the server’s resources receive a logical ID and version. A partial solution for this was shown by using a signature-specific identifier generated by the client at random.

Another result of this work is that a device must communicate changes to its settings, updates, or status to ensure the database’s traceability and consistency. For this purpose, update requests need to be appropriately secured.

It remains open to which extent subsequent versions of the FHIR standard will evolve in terms of security. For this purpose, as many different scenarios and medical processes as possible in interaction with medical devices, systems, and personnel should be evaluated to make statements as specific as possible. These statements should be aligned with the FHIR principles.