CMS2021-07 ONC FAST Security

Short Description

This track tests scalable ecosystem trust models used by FAST, Carequality, CARIN, and others. Focus is on security and privacy, including client app registration, authentication and authorization for cross-organization query, endpoint validation, and simple federated identity through reusable credentials.

Long Description

• Generate discussion about how to recognize certain classes of users, clients, or servers, reducing friction in ecosystem use of FHIR and working to develop best practices
• Build on successes of previous work in Montreal at this track, in Atlanta, and at the May and September 2020 and January and May 2021 virtual connectathons.

Type

Test a FHIR-associated specification

Submitting Work Group/Project/Accelerator/Affiliate/Implementer Group  

Security Workgroup

FHIR at Scale Taskforce (FAST): Identity Tiger Team
FHIR at Scale Taskforce (FAST): Security Tiger Team

Track Lead(s)

Julie Maas

Related Tracks

FHIR Version

This track is not FHIR version specific.

Specification(s) this track uses

Security for Scalable Registration, Authentication, and Authorization v0.9.0

UDAP Implementation Guide for Registration and Authorization of Business-to-Business Health Apps

UDAP Implementation Guide for Registration and Authorization of Consumer Facing Health Apps

• UDAP Dynamic Client Registration (DCR) - for clients that use authorization code or client credentials grants
• UDAP JWT-Based Client Authentication
• UDAP Tiered OAuth for relying on another OAuth server
• UDAP Server Metadata for endpoint validation

Related Implementation Guides:

• Carequality FHIR Implementation Guide
• CARIN Consumer Directed Payer Data Exchange (CARIN IG for Blue Button®) - Registration Authentication and Authorization
• Da Vinci Health Record Exchange (HRex)
• ONC FAST Identity Tiger Team Proposed Solutions and related PSS
• ONC FAST Security Tiger Team Proposed Solutions and related PSS

Artifacts of focus

Expected participants

Arcweb Technologies
By Light
eHealth Exchange
EMR Direct
Evernorth
GigaTech
Humana
HHS/ONC
Interoperability Institute
IPRO
iShare Medical
Lush Group
MiHIN
OneRecord
POCP
Semanticbits
SSA
The Sequoia Project
TrialSpark
UPMC Health Plan
ZeOmega

Zulip stream

FAST Security Stream

FAST Identity Stream

NOTE: These are both new streams for this connectathon & related IG work, that we'll use moving forward.

Track Details

System roles: 

UDAP-enabled client, UDAP-enabled server, UDAP-enabled identity provider ←This public "UDAP Implementers" Google sheet is continuously available and contains a tab for UDAP adoption "Beyond Sandbox Use" too; please add your own information there to encourage cross-testing!

UDAP-enabled clients are capable of trusted dynamic registration and JWT-based authentication and optionally Tiered OAuth and Server Metadata

UDAP-enabled servers are capable of trusted dynamic registration and JWT-based authentication and optionally Tiered OAuth and Server Metadata

UDAP-enabled identity providers are capable of the IdP side of Tiered OAuth, including other client and server components as above

Scenarios

1. Trusted Dynamic Registration & JWT-Based Authentication (Consumer Facing)

This scenario tests the ONC FHIR at Scale Taskforce (FAST) Security solution for user-facing apps

Precondition: Client has user-level credentials for FHIR server and client's UDAP certificate is trusted

Action: Client app registers, authenticates user, and requests FHIR data

Success Criteria:  Client app successfully registers, authenticates user, and obtains FHIR data. Client should validate server metadata per UDAP Server Metadata profile.

Bonus point: Client and server use Tiered OAuth to authenticate user with trusted OpenID account from a third party instead of credential provisioning native to FHIR server

Bonus point: Include (on server side) and validate (within clients) signed endpoints

Bonus point: Multi Factor Authentication

2. Trusted Dynamic Registration & JWT-Based Authentication (B2B)

This scenario tests the ONC FHIR at Scale Taskforce (FAST) Security solution for business-to-business apps

Precondition: Client's UDAP certificate is trusted

Action: Client app registers, authenticates, and requests FHIR data

Success Criteria:  Client app successfully registers, authenticates, and obtains FHIR data leveraging a trusted certificate. Client should validate server metadata per UDAP Server Metadata profile.

Bonus point: Client and server use Tiered OAuth to authenticate user 

Bonus point: Authenticated Client performs a $match request and server responds to the request  

Bonus point: Include the Carequality FHIR IG Authorization Extension Object in your requests (clients) and process these objects (servers) 

Bonus point: Include (on server side) and validate (within clients) signed endpoints

Bonus point: Multi Factor Authentication

3. Authentication using third party Identity Provider (IdP) via OpenID Connect (OIDC)

This scenario tests additional elements specific to ONC FAST Identity solution #3, Networked Identity Management

Action:

• Client app initiates UDAP Tiered OAuth connection to OAuth server's authorization endpoint, identifying user's preferred OIDC IdP
• OAuth server redirects user to IdP authorization endpoint (server acts as client of IdP)
• User authenticates and authorizes access to identity information
• OAuth server exchanges authorization code from IdP for token and id_token, optionally retrieves additional info from IdP's userinfo endpoint
• OAuth server determines authority of user based on available identity information or pre-registration of the ID
• Authenticated user authorizes client app to access FHIR resources
• Client exchanges authorization code from OAuth server for token, and access FHIR resources

Preconditions:

OAuth server (securing FHIR resources) and client app support UDAP Tiered OAuth

Client is registered with OAuth server for authorization_code flow

OAuth server (data holder) is registered with IdP for authorization_code flow

Success Criteria:

Client app can access FHIR resources

Bonus points:

OAuth server registers dynamically with IdP using UDAP DCR

Client app registers dynamically with OAuth server using UDAP DCR

Multi Factor Authentication

4. Validation of FHIR endpoint managing organization in multi-tenant environment

This scenario tests additional aspects of the ONC FAST Security and Identity solutions

Action:

Client app validates trust with server endpoint before proceeding to OAuth sign in page per UDAP Server Metadata profile.

Server validates trust with client app 

Flow continues, using information from previous step (happy path: user authenticates and authorizes client app to access FHIR resources)/TBD

Precondition:

FHIR endpoint certificate advertisement, demonstrating control of key

Success Criteria:

Client app can access FHIR resources (happy path)

Bonus point: Include and validate signed endpoints

5. Patient matching using OpenID Connect account 

This scenario tests additional aspects of the ONC FAST Security solution and is also related to ONC FAST Identity solution #3

For example, could store as identifier with:
Identifier.type = http://www.udap.org/fhir/CodeSystem/identifier-authenticator | oidc-sub
Identifier.system = Issuer Identifier URI
Identifier.value = Subject Identifier assigned by Issuer

e.g.

{
"resourceType":"Patient",
...
"identifier": [
  {
    "type": {
      "coding": [
        {
          "system":"http://www.udap.org/fhir/CodeSystem/authentication-identifier",
          "code":"oidc-sub",
          "display":"OIDC Subject Identifier"
        }
      ]
    },
    "system":"https://as.healthtogo.me",
    "value":"1234567"
   },
   ...
 ],
 ...
}

Action:

Search on OpenID subject identifier

e.g. GET [base]/Patient?identifier=https://as.example.com/issuer1|1234567

Precondition:

The data holder confirmed the binding of an OIDC subject identifier to the person named in a Patient (or equivalently to a Practitioner, Person, or RelatedPerson) resource using a suitable registration process before adding the identifier.

Success Criteria:

Client app can access FHIR resources for the correct patient linked to the OIDC subject identifier.

Bonus point:

Use OpenID Connect user profile information to match on patient

6. Vaccine credential trust validation and patient matching

Signed vaccination encounter data including associated demographics can be trust validated and its demographic elements used in matching per UDAP Client Certifications & Endorsements. Today, attributes available for matching in this workflow are: name, DOB, identity assurance level (the latter informs what confidence is in the attributes per this SHC valueset).

The VCI standard includes identity assurance level as a required meta security tag on an immunization.

This workflow is a starting point for discussion of higher assurance matching events involving more required attributes or an interoperable identifier, stronger identity assurance and opportunity to involve the subject (patient) for consent and/or notification. Key questions for further discussion as the IG is written include:

-Minimum required demographics for various use cases
-Digital Identity requirements for building interoperable identifiers
-Best practices for representing verified attributes and identifiers in FHIR, recognizing that verification events occur at a point in time and may exist among self-asserted or otherwise non-validated data in health records
-Best practices for managing identity (to include verified attributes and identifiers) in the broader context of a Patient and how that relates to encounter-level identity

Security and Privacy Considerations:

This track focuses on security and privacy. OAuth (client credentials, authorization code, and dynamic client registration), OpenID Connect, UDAP profiles, and PKI are all in scope.