I am working on _____ IG that is FHIR document based and we need a means to prove authenticity. The model is relatively simple in that a document and all of its parts represent a single thing that needs to be “signed”.
I have looked around for examples of this in IGs and in example documents and I have not found anything. I see a lot of references to CDA documents and signatures, but not much in the way of FHIR documents. Can you point me in the right direction? Are there example FHIR IGs and documents out there? Where should I start?
Documents are good
There is already a specification for this from IHE, Document Digital Signature (DSG), and it is what the FHIR core specification recommends. https://profiles.ihe.net/ITI/TF/Volume1/ch-37.html

The model is two documents: the content document and a detached signature document. Each has its own DocumentReference that points at the bytes (my preference is to hold the bytes in a Binary resource referenced from .content.attachment.url, but base64 data embedded in .content.attachment.data is an alternative).

The two DocumentReference resources are then explicitly related. The signature DocumentReference carries a .relatesTo entry whose .relatesTo.target points at the DocumentReference of the content and whose .relatesTo.code is 'signs'. A verifier follows that link to find which bytes the signature covers.
Some more context on this https://healthcaresecprivacy.blogspot.com/2017/04/ihe-document-digital-signature-dsg.html
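The following is an added example, not code from the DSG profile or from this blog, showing the two-DocumentReference pattern above: the content bytes live in a Binary, a second Binary holds a detached signature over exactly those bytes, and the signature DocumentReference points back with relatesTo.code "signs". DSG itself specifies an XML-DSig based signature block; the raw Ed25519 signature used here is a stand-in so the example runs with the Go standard library alone, and the in-memory Store, the resource structs and the sample Bundle are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Minimal subsets of the FHIR R4 Binary and DocumentReference resources (example only).
type Binary struct {
	ResourceType, ID, ContentType string
	Data                          string // base64 of the bytes
}
type Attachment struct {
	ContentType string
	URL         string // e.g. "Binary/doc1"; the FHIR-preferred place for the bytes
	Data        string // base64 inline alternative to URL
}
type Content struct{ Attachment Attachment }
type Reference struct{ Reference string }
type RelatesTo struct {
	Code   string // replaces | transforms | signs | appends
	Target Reference
}
type DocumentReference struct {
	ResourceType, ID, Status string
	Content                  []Content
	RelatesTo                []RelatesTo
}

// Store stands in for a FHIR server: resources keyed by "ResourceType/id" (assumption).
type Store struct {
	Binaries map[string]*Binary
	DocRefs  map[string]*DocumentReference
}

func NewStore() *Store {
	return &Store{Binaries: map[string]*Binary{}, DocRefs: map[string]*DocumentReference{}}
}

// AddDocument stores bytes as a Binary plus a DocumentReference whose attachment.url points at it.
func (s *Store) AddDocument(id, contentType string, data []byte) *DocumentReference {
	s.Binaries["Binary/"+id] = &Binary{ResourceType: "Binary", ID: id, ContentType: contentType,
		Data: base64.StdEncoding.EncodeToString(data)}
	dr := &DocumentReference{ResourceType: "DocumentReference", ID: id, Status: "current",
		Content: []Content{{Attachment{ContentType: contentType, URL: "Binary/" + id}}}}
	s.DocRefs["DocumentReference/"+id] = dr
	return dr
}

// bytesOf resolves the bytes a DocumentReference describes: inline data, else the referenced Binary.
func (s *Store) bytesOf(dr *DocumentReference) ([]byte, error) {
	if len(dr.Content) != 1 {
		return nil, errors.New("expected exactly one content entry")
	}
	att := dr.Content[0].Attachment
	if att.Data != "" {
		return base64.StdEncoding.DecodeString(att.Data)
	}
	bin, ok := s.Binaries[att.URL]
	if !ok {
		return nil, fmt.Errorf("unresolved attachment url %q", att.URL)
	}
	return base64.StdEncoding.DecodeString(bin.Data)
}

// SignDocument creates the detached signature document: a Binary holding the Ed25519
// signature over the content bytes, and a DocumentReference that "signs" the content.
func (s *Store) SignDocument(content *DocumentReference, priv ed25519.PrivateKey) (*DocumentReference, error) {
	data, err := s.bytesOf(content)
	if err != nil {
		return nil, err
	}
	sig := s.AddDocument(content.ID+"-sig", "application/octet-stream", ed25519.Sign(priv, data))
	sig.RelatesTo = []RelatesTo{{Code: "signs", Target: Reference{"DocumentReference/" + content.ID}}}
	return sig, nil
}

// VerifySignature follows relatesTo(code=signs) to the content and checks the signature over its bytes.
func (s *Store) VerifySignature(sig *DocumentReference, pub ed25519.PublicKey) error {
	var target string
	for _, r := range sig.RelatesTo {
		if r.Code == "signs" {
			target = r.Target.Reference
		}
	}
	if target == "" {
		return errors.New("no relatesTo with code 'signs'")
	}
	content, ok := s.DocRefs[target]
	if !ok {
		return fmt.Errorf("unresolved relatesTo target %q", target)
	}
	data, err := s.bytesOf(content)
	if err != nil {
		return err
	}
	sigBytes, err := s.bytesOf(sig)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sigBytes) {
		return errors.New("signature does not verify over the content bytes")
	}
	return nil
}

// Demo signs a constructed FHIR document Bundle, verifies it, then tampers with the stored
// bytes and confirms the detached signature no longer verifies.
func Demo() (verified, tamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	s := NewStore()
	doc := []byte(`{"resourceType":"Bundle","type":"document","entry":[{"resource":{"resourceType":"Composition","title":"Example"}}]}`) // constructed sample
	content := s.AddDocument("doc1", "application/fhir+json", doc)
	sig, err := s.SignDocument(content, priv)
	if err != nil {
		return false, false, err
	}
	verified = s.VerifySignature(sig, pub) == nil
	s.Binaries["Binary/doc1"].Data = base64.StdEncoding.EncodeToString(append(doc, ' ')) // tamper
	tamperRejected = s.VerifySignature(sig, pub) != nil
	return verified, tamperRejected, nil
}

func main() {
	v, t, err := Demo()
	fmt.Println("original verifies:", v, "tampered rejected:", t, "err:", err)
}
```

The point the structure makes: the verifier never trusts the signature document on its own, it resolves the relatesTo link, fetches the bytes the content DocumentReference actually describes, and verifies over those bytes, so any change to the stored Binary (even a single appended byte) breaks the signature.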
Note the concept of having everything needed (the document) in one blob to be signed is very similar to what the COVID-19 credential does, but they strip things down to the bare minimum in order to fit in a reasonable QR code. They use a JSON Web Signature (JWS) that encapsulates the content rather than a detached signature. So it is logically similar to the above, but practically it looks very different. (Updated to be more correct)
My other articles on Digital Signatures