EHMI Logo
EHMI Landingpage EHMI Core EHMI Delivery Status EHMI Addressing Service* EHMI Endpoint Register* EHMI Governance* EHMI Security* EHMI Glossary

Specification of security regarding central EHMI services


**Disclaimer - The menu items above marked with a star are yet not specified**


Table of context


General information regarding security for components in EHMI

It is possible to report and access data via a FHIR API. Web-services/RESTful-services, that are exposed via an interface, must, like other national web-services on the health area, comply with national architecture and national standards.

This means, among other things, that in case of personally identifiable information:

A strong authentication of users must take place (equivalent to NIST level 3-4 or NSIS level “significant”).

  1. Access control must be carried out based on national standardized information (attributes).
  2. Consent/rejection and treatment relation (dansk: behandlingsrelation) must be checked against the national consent service and the national treatment relation service (dansk: behandlingsrelationservice)
  3. Information about healthcare professionals’ access to personal data must be viewable by the citizen via MinLog.

The general and specific security about this is described in: Security architecture EHMI support services v01 (opens in new window)


General security definitions for components in the message chain

Following definitions for all systems/components in EHMI apply:


Security specifications regarding EHMI Delivery Status of messages

Security in relation to delivery status is divided into these different steps:

  1. EHMI Delivery Status is collected and saved in a repository.
  2. EHMI Delivery Status is retrieved by users via displayed services.


Submission to EHMI Delivery Service repository

From the Architecture Vision, we know that security around this is necessary partly so that the users will consider the service based on the collected data to be trustworthy, and partly because personal data is collected, since unique citizen identification (most often the CPR number) is part of the collected information:


Client security for EHMI Delivery Status - Submission

EHMI components Subtask Who
EHMI Delivery Status-component Authenticity: A component, that stores EHMI Delivery Status for messages must authenticate itself when accessing the repository. Sending system (Sending system/MSH/AP)
Sending system (Sending system/MSH/AP) Authenticity management: Implementation of signing submission Sending system (Sending system/MSH/AP)
EHMI Delivery Status-component Authenticity management: Verification of signature upon receipt. EHMI Delivery Statuscomponent
Sending system (Sending system/MSH/AP) EHMI Delivery Status-component Integrity protection and confidentiality protection: Communication via secured transport protocol, e.g. TLS Sending system (Sending system/MSH/AP) EHMI Delivery Status-component
Sending system (Sending system/MSH/AP) EHMI Delivery Status-component Availability: Implementation of queue mechanism to handle that a connection may be down Sending system (Sending system/MSH/AP) EHMI Delivery Status-component


Submissions in relation to the scenarios in Specifications – security regarding message communication

In the following, both sides of the sender and receiver ecosystems are assumed to have the same setup as the sending ecosystem. In practice, Sender and Receiver ecosystems are potentially very different, and in that case the different scenarios must be combined accordingly.

Scenarios Starting/Incoming submission Final/outgoing submission
All components stand-alone – implemented on different servers
All components stand-alone – grouped together on the same server
All components stand-alone – sending system and MSH grouped together on the same server
All components stand-alone - MSH and AP grouped together on the same server


Sending system
Sending MSH
Sending AP
——————————————-
Receiving AP
Receiving MSH
Sending MSH
Sending AP
——————————————-
Receiving AP
Receiving MSH
Receiving system
     
Sending system stand-alone - MSH/AP build together - implemented on different servers
Sending system stand-alone - MSH/AP build together - all grouped on the same server


Sending system
Sending MSH/AP
——————————————-
Receiving MSH/AP
Sending MSH/AP
——————————————-
Receiving MSH/AP
Receiving system
     
Sending system/MSH build together - AP stand-alone - implemented on different servers
Sending system/MSH build together - AP stand-alone - all grouped together on the same server

Sending system/MSH
Sending AP
——————————————-
Receiving AP
Sending AP
——————————————-
Receiving AP
Receiving system/MSH
     
Sending system/MSH build together – MSH/AP build together - implemented on different servers
Sending system/MSH build together – MSH/AP build together - all grouped on the same server

Sending system/MSH
Sending AP/MSH
——————————————-
Receiving AP/MSH
Sending AP/MSH
——————————————-
Receiving AP/MSH
Receiving system/MSH
     
All components build together
Sending system/MSH/AP
Receiving system/MSH/AP


Exhibition via service

From the Architecture Vision, we know that the service, who exhibit EHMI Delivery Status on messages, must comply to the same security requirements and rules as other services in the health area, cf. the Architecture Vision’s principle PT6. Therefore, several of the same already existing security mechanisms from other services should be used:

Since the service is exhibited and performed on a platform, that may have its own and more strict security politics than the general security politics in the healthcare area, these must also be observed if necessary.


It will be based on an OAuth-secured REST-interface and SMART-on-FHIR or similar.

For the collection of EHMI Delivery Status, explicit signature between the EHMI Delivery Status “client” and “server” (with associated verification) on system credentials level (VOCES/FOCES/Niveau 3) is required, cf. section 6.3.1 in the Architecture Vision.

To search for EHMI Delivery Status, it is required to use identification on system credentials level (VOCES/FOCES/Niveau 3) between the EHMI Delivery Status “client” and “server”.

To search for EHMI Delivery Status, it is further required to use identification on user credentials level (MOCES/MitID/Niveau 4) for a citizen’s own access as well as a healthcare professional’s specific access via the citizen’s/patient’s record.

EHMI components Subtask Who
Sending system (Sending system/MSH/AP) Authenticity management: Implementation of signing submissions Sending system (Sending system/MSH/AP)
Receiving component Authenticity management: Verification of signing upon receiving. Receiving component
Sending system (Sending system/MSH/AP) Receiving component Integrity protection and confidentiality protection: Communication of message/envelope via secured transport protocol, e.g. TLS Sending system (Sending system/MSH/AP) Receiving component


Security specifications regarding EHMI Addressing Service

From the Architecture Vision it is known, that EHMI Addressing Service must comply to the same security requirements and rules as corresponding services on the healthcare area, and therefore more of the same already existing security mechanisms should be used:

Since the service is exhibited and performed on a platform, that may have its own and more strict security politics than the general security politics in the healthcare area, these must also be observed if necessary.


Decentral regarding EHMI Addressing Service

EHMI components Subtask Who
Sending system (System) Authenticity management: Implementation of signing a search (VOCES/FOCES) Sending system (System)
EHMI Addressing Service Authenticity management: Verification of signing (VOCES/FOCES) EHMI Addressing Service
Sending system (System) EHMI Addressing Service Integrity protection and confidentiality protection: Communication secured via transport protocol, e.g. TLS Sending system (System) EHMI Addressing Service
Sending system (System) EHMI Addressing Service Availability: Implementation of fixed searches, which may be locally saved to handle if a connection is down. If the service is online, one should always search online. Fixed searches should be updated outside peak hours Sending system (System) EHMI Addressing Service




About

Support or contact

MedCom is responsible for this page. If you have any questions regarding this page, please contact ehmi@medcom.dk.

If you want to report an issue regarding this page, please report it at GitHub issues for EHMI®

Version of this documentation

The version of this documentation is: Version 0.9.0 You can find the release note of the version here.



"EHMI® is the registered trademark of MedCom and is used with the permission of MedCom."