**Disclaimer - The menu items above marked with a star are yet not specified**
General information regarding security for components in EHMI
General security definitions for components in the message chain
Security specifications regarding EHMI Delivery Status of messages
It is possible to report and access data via a FHIR API. Web-services/RESTful-services, that are exposed via an interface, must, like other national web-services on the health area, comply with national architecture and national standards.
This means, among other things, that in case of personally identifiable information:
A strong authentication of users must take place (equivalent to NIST level 3-4 or NSIS level “significant”).
The general and specific security about this is described in: Security architecture EHMI support services v01 (opens in new window)
Following definitions for all systems/components in EHMI apply:
Security in relation to delivery status is divided into these different steps:
From the Architecture Vision, we know that security around this is necessary partly so that the users will consider the service based on the collected data to be trustworthy, and partly because personal data is collected, since unique citizen identification (most often the CPR number) is part of the collected information:
EHMI components | Subtask | Who |
---|---|---|
EHMI Delivery Status-component | Authenticity: A component, that stores EHMI Delivery Status for messages must authenticate itself when accessing the repository. | Sending system (Sending system/MSH/AP) |
Sending system (Sending system/MSH/AP) | Authenticity management: Implementation of signing submission | Sending system (Sending system/MSH/AP) |
EHMI Delivery Status-component | Authenticity management: Verification of signature upon receipt. | EHMI Delivery Statuscomponent |
Sending system (Sending system/MSH/AP) EHMI Delivery Status-component | Integrity protection and confidentiality protection: Communication via secured transport protocol, e.g. TLS | Sending system (Sending system/MSH/AP) EHMI Delivery Status-component |
Sending system (Sending system/MSH/AP) EHMI Delivery Status-component | Availability: Implementation of queue mechanism to handle that a connection may be down | Sending system (Sending system/MSH/AP) EHMI Delivery Status-component |
In the following, both sides of the sender and receiver ecosystems are assumed to have the same setup as the sending ecosystem. In practice, Sender and Receiver ecosystems are potentially very different, and in that case the different scenarios must be combined accordingly.
From the Architecture Vision, we know that the service, who exhibit EHMI Delivery Status on messages, must comply to the same security requirements and rules as other services in the health area, cf. the Architecture Vision’s principle PT6. Therefore, several of the same already existing security mechanisms from other services should be used:
Since the service is exhibited and performed on a platform, that may have its own and more strict security politics than the general security politics in the healthcare area, these must also be observed if necessary.
It will be based on an OAuth-secured REST-interface and SMART-on-FHIR or similar.
For the collection of EHMI Delivery Status, explicit signature between the EHMI Delivery Status “client” and “server” (with associated verification) on system credentials level (VOCES/FOCES/Niveau 3) is required, cf. section 6.3.1 in the Architecture Vision.
To search for EHMI Delivery Status, it is required to use identification on system credentials level (VOCES/FOCES/Niveau 3) between the EHMI Delivery Status “client” and “server”.
To search for EHMI Delivery Status, it is further required to use identification on user credentials level (MOCES/MitID/Niveau 4) for a citizen’s own access as well as a healthcare professional’s specific access via the citizen’s/patient’s record.
EHMI components | Subtask | Who |
---|---|---|
Sending system (Sending system/MSH/AP) | Authenticity management: Implementation of signing submissions | Sending system (Sending system/MSH/AP) |
Receiving component | Authenticity management: Verification of signing upon receiving. | Receiving component |
Sending system (Sending system/MSH/AP) Receiving component | Integrity protection and confidentiality protection: Communication of message/envelope via secured transport protocol, e.g. TLS | Sending system (Sending system/MSH/AP) Receiving component |
From the Architecture Vision it is known, that EHMI Addressing Service must comply to the same security requirements and rules as corresponding services on the healthcare area, and therefore more of the same already existing security mechanisms should be used:
Since the service is exhibited and performed on a platform, that may have its own and more strict security politics than the general security politics in the healthcare area, these must also be observed if necessary.
EHMI components | Subtask | Who |
---|---|---|
Sending system (System) | Authenticity management: Implementation of signing a search (VOCES/FOCES) | Sending system (System) |
EHMI Addressing Service | Authenticity management: Verification of signing (VOCES/FOCES) | EHMI Addressing Service |
Sending system (System) EHMI Addressing Service | Integrity protection and confidentiality protection: Communication secured via transport protocol, e.g. TLS | Sending system (System) EHMI Addressing Service |
Sending system (System) EHMI Addressing Service | Availability: Implementation of fixed searches, which may be locally saved to handle if a connection is down. If the service is online, one should always search online. Fixed searches should be updated outside peak hours | Sending system (System) EHMI Addressing Service |