Thursday, April 13, 2017

FHIR Security model is enterprise centric

NO! This is a false understanding. FHIR has no security model. And this is a good thing.

FHIR is designed first and most important as a data model with a few expected interaction models (REST, Messaging, Document). There is expectation that many security models exist, and application of those security models does not impact the most important priority of getting the data model correct. This is especially exercised with REST, but is not limited to REST. REST is just used as a most likely first interaction model, and one that is understood to drive for a good transport agnostic data model.

There are many workgroups working on specifications for how to apply OAuth to FHIR REST, but these are not fundamental to FHIR, they are alternatives. There are various variations of OAuth as well, those that might be more Patient centric, those that might be more enterprise centric, and those that might be cross-enterprise centric. There are work on OAuth scopes. There are others that are working on pure mutual-authenticated-TLS for organization to organization. There are others looking toward SOAP. There are others applying security to the packaging so that it can travel by many transports with end-to-end security. Others are looking to smart-contracts in blockchain. Others just focused on enabling Privacy. Others tagging data so that rules can be applied. All enabled by the very fact that FHIR is not bound to one security model. This is an important fact.

I am sorry that it seem to FHIR is bound to an enterprise OAuth security model. I suspect this impression comes from the most visible project -- SMART-on-FHIR... which is enterprise centric. SMART-on-FHIR is a fantastic project, very important, and the one that really has the necessary engagement to 'make it real'. That said, these other projects are also doing good work. Not all projects have, or could have, the marketing power that SMART has... 

FHIR has many security models, while having none