Securing a FHIR endpoint in Node-RED

So in a comment to the previous post on using Node-RED to create Tasks from Assessments, Michael suggested that I talk about some of the security considerations that you might have. There are a few ways you could make this more secure that I can think of.

  • The simplest way would be to put the whole thing behind an API manager (such as Apigee or WSO2) and delegate security to that application. In effect you are trusting the API manager.
  • Another way is to follow the SMART / OAuth process – check that a valid access token issued by an Authorization Server (Authz) has been provided in the call, rejecting the call if not.
  • And yet another option is to perform the whole OAuth2 dance – look for a valid access token, taking on the role of the Authorization server if not – validating the user and issuing tokens.

(And there will be plenty of others I’m sure). Naturally all calls will use SSL.

Let’s look a bit further into the second option – checking for a valid access token, and simply rejecting the call if there is not one present.

What is SMART and why should you care?

This was actually a summary of SMART that was intended to wrap up a series I wrote a few months back, but I forgot to post it! So, better late than never…

SMART Webinar

And quite by coincidence, this webinar from HL7 that Josh is presenting…

SMART – Scopes and Profiles

In a previous post we looked at some of the ‘security related’ aspects of SMART. In this one we’re going to take a closer look at what the ‘scope’ is, and make a couple of comments on the use of Profiles.

Scope is an OAuth2 term that represents the range of functionality requested by (and potentially granted to) a client application by the Authorization Server. For example, an app that displays a person’s vitals might want to be able to read and create Observations.

Using SMART to talk between systems

A question I was asked was ‘Can SMART help the scenario where an EMR user wants to access data from another system for the patient they have in context?’

Take the situation where there is, say, an HIE that contains information about a patient that is useful to share in care delivery. It might have the definitive list of the patient’s medications, all known prescriptions, or their allergies, or encounters – information of value to the clinician and exposed by FHIR interfaces. In New Zealand, it could be the proposed national EHR.

SMART – Security

So in the last post we went into some details concerning a specific SMART scenario – where a web based application is launched from the EHR (technically an EHR launch, as described below). Let’s take a step back and take an overview of SMART as a whole, including some of the other ways it can be used.

Implementing SMART on FHIR in an EHR

We’ve talked about SMART and OAuth2 before, but it was a little while ago and it was in the context of what SMART is about and how it worked (with the odd bit of sample code thrown in). This post takes a slightly different perspective by looking at SMART from the perspective of an EHR (Electronic Health Record) developer tasked with implementing a SMART interface to an EHR – what are the things that they need to consider when adding SMART interfaces?

We’ll take a slightly roundabout way of doing that by starting with a brief overview and some key points about SMART, then diving into the details of the steps involved in a sample implementation. That’ll be enough for this post; then in a follow up we’ll take a closer look at the issues that our EHR developer will need to resolve. And later on, we’ll switch to the client’s perspective.

FHIR, SMART and Sidecar Applications

I was reading the SMART on FHIR support group and came across this post from Wes Rishel. I thought it was really good, and so asked him if I could duplicate it here. Not only did he agree, but he added some more stuff to it!
Thanks Wes…

SMART writing

And hot on the heels of the last post that referenced a ‘FAQ’ from the SMART on FHIR Support group is this question about using the SMART interface for writing as well as reading data.

The question:

Looking at the docs, they all show how to get data and launch apps but nothing about sending data. Is the import also FHIR or do I have to hack the database instead?