Details
- Type: Change Request
- Resolution: Persuasive with Modification
- Priority: Medium
- Specification: US Da Vinci DTR (FHIR)
- Raised in version: 1.1.0-ballot [deprecated]
- Work Group: Clinical Decision Support
- Related page: DTR Questionnaire for adaptive form
- Formal Specification
- Related section: 4.16
- Resolution vote: Bob Dieterle / Isaac Vetter : 11-0-0
- Change category: Clarification
- Change impact: Non-substantive
Description
TL;DR: With SDC Adaptive forms, the DTR App needs at least ability to write to the Payer FHIR server. Is it possible a badly behaved app can post data pretending to be real end user responses, and elicit PHI/PII out of the payer system? I am afraid of this risk. Therefore, I request a security review of the use of SDC Adaptive Forms.
---------------------------------------
In DTR, there are two connections which require authentication / security
- Between the App and the Provider/EHR FHIR server
- Between the App and the Payer FHIR server
#1 is completely taken care of using SMART on FHIR, and I am not raising any concerns there.
However, #2 is an area of concern, because "any DTR App" that the provider chooses should be allowed to function as the DTR App. The best method for authentication we have here is some form of Client Credentials, because SMART on FHIR cannot be federated/delegated.
The payer obviously does not want to expose a significant scope to the DTR app. A "generally available" FHIR Questionnaire, and a "generally available" CQL query is fine, but anything PHI/PII is not fine - because the app may be interacting in the context of one patient, but can query stuff in the context of other patients etc. Since client credentials cannot limit scope to the patient in the current context like SMART on FHIR can, we have to limit scope to no patients / patient data. So the App's credentials will only allow Read operations on the FHIR Questionnaire and the CQL query. (In fact, a payer may want to stand up a dedicated sandboxed DTR "FHIR" server, which has no PHI/PII and only the stuff that is furnished to "unsafe" DTR Apps.)
In the past, a proposal to store patient data on the payer FHIR server was introduced. I had requested security review of that, and that was aborted as a result of said security review because of the above concern.
We are again now introducing SDC Adaptive Forms, which stores (or posts and reads) data to the payer FHIR server. To me, this again brings up the same security concern. Is it possible for a malicious (or passively malicious) DTR App to obtain (or modify) information about patients other than the one in the current context? (Especially, with SDC Adaptive Forms, the payer needs a real FHIR server; a sandboxed DTR "FHIR" server that only contains Questionnaire and CQL query is no longer viable.)
With SDC Adaptive forms, the DTR App needs at least ability to write to the Payer FHIR server. Is it possible a badly behaved app can post data pretending to be real end user responses, and elicit PHI/PII out of the payer system? I am afraid of this risk.
Therefore, I request a security review of the use of SDC Adaptive Forms, in light of the previous security review that was done around the DTR App saving data to the Payer FHIR server referenced above. I checked with Lloyd, but apparently there isn't a Jira ticket or anything around the previous security review mentioned - it was discussed in HL7 calls and done as a follow-up of the discussion on the call. However, please make sure that the reviewers who do this requested security review are well familiar with the context of the previous review!
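The following is an added illustration of the scope argument in the ticket; it is not code from the DTR IG, the SDC IG, or any payer server. It is a toy SMART Backend Services (client-credentials) scope check using the SMART v1 `system/<ResourceType>.<read|write|*>` syntax. The two scope sets (`SANDBOX_SCOPES`, `ADAPTIVE_SCOPES`), the simplified request model, and the sample QuestionnaireResponse bodies are all assumptions made for the example; the exact SDC adaptive-form endpoints are not modelled.

```python
"""Added example: a toy SMART Backend Services (client-credentials) scope check.

Constructed to illustrate the ticket's argument; not code from the DTR IG or
from any payer server. Scope syntax follows SMART v1
"system/<ResourceType>.<read|write|*>". The request shape and the scope sets
below are assumptions made for the illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

SCOPE_RE = re.compile(r"^system/(?P<res>[A-Za-z]+|\*)\.(?P<perm>read|write|\*)$")


@dataclass(frozen=True)
class Request:
    method: str                  # "GET" or "POST"
    resource_type: str           # resource type in the URL, e.g. "Questionnaire"
    body: Optional[dict] = None  # FHIR resource carried by a write


def parse_scopes(scope_string: str) -> Dict[str, Set[str]]:
    """Map resource type -> granted permissions from a space-separated scope string."""
    grants: Dict[str, Set[str]] = {}
    for token in scope_string.split():
        m = SCOPE_RE.match(token)
        if not m:
            raise ValueError(f"unsupported scope: {token}")
        perms = {"read", "write"} if m["perm"] == "*" else {m["perm"]}
        grants.setdefault(m["res"], set()).update(perms)
    return grants


def is_allowed(scope_string: str, req: Request) -> bool:
    """True if the token's scopes cover this request's resource type and verb.

    Note what is NOT consulted: the patient the request concerns. A system/
    scope carries no patient context, so it cannot confine a client to the
    patient currently open in the EHR; that is the gap the ticket raises.
    """
    needed = "read" if req.method == "GET" else "write"
    grants = parse_scopes(scope_string)
    allowed = grants.get(req.resource_type, set()) | grants.get("*", set())
    return needed in allowed


def subject_of(body: Optional[dict]) -> Optional[str]:
    """Patient reference carried in a QuestionnaireResponse body, if any."""
    if not body:
        return None
    return (body.get("subject") or {}).get("reference")


# Assumed scope sets (illustration only).
# 1. The sandboxed DTR endpoint the ticket describes: read-only access to the
#    Questionnaire and the CQL Library, nothing patient-specific.
SANDBOX_SCOPES = "system/Questionnaire.read system/Library.read"
# 2. The minimum an adaptive form adds on top of that: writing responses back.
ADAPTIVE_SCOPES = SANDBOX_SCOPES + " system/QuestionnaireResponse.write"

# Constructed requests; "Patient/A" is the patient in the EHR context,
# "Patient/B" is some other patient the app has no business touching.
GET_QUESTIONNAIRE = Request("GET", "Questionnaire")
GET_PATIENT = Request("GET", "Patient")
POST_QR_A = Request("POST", "QuestionnaireResponse",
                    {"resourceType": "QuestionnaireResponse",
                     "subject": {"reference": "Patient/A"}})
POST_QR_B = Request("POST", "QuestionnaireResponse",
                    {"resourceType": "QuestionnaireResponse",
                     "subject": {"reference": "Patient/B"}})


def decisions(scope_string: str) -> Dict[str, bool]:
    """Decision table for the four constructed requests under one scope set."""
    return {
        "GET Questionnaire": is_allowed(scope_string, GET_QUESTIONNAIRE),
        "GET Patient": is_allowed(scope_string, GET_PATIENT),
        "POST QR for Patient/A": is_allowed(scope_string, POST_QR_A),
        "POST QR for Patient/B": is_allowed(scope_string, POST_QR_B),
    }


if __name__ == "__main__":
    for name, scopes in (("sandbox", SANDBOX_SCOPES), ("adaptive", ADAPTIVE_SCOPES)):
        print(name, decisions(scopes))
```

Under `SANDBOX_SCOPES` every patient-related request is refused and only the Questionnaire read succeeds, which is the posture the ticket describes for a sandboxed DTR server. Under `ADAPTIVE_SCOPES` the write for `Patient/A` and the write for `Patient/B` get the identical decision: the scope machinery sees a resource type and a verb, and `subject_of()` is the only place the patient appears. Whatever binds the write to the patient in context therefore has to come from somewhere other than the client-credentials scope, which is the question the requested security review would need to answer.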
Issue Links
- is voted on by:
  - BALLOT-32432 Negative - Christopher Schaut : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33239 Negative - Daniel Rutz : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33261 Negative - Thanos Tsiolis : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33283 Negative - Chris Courville : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33327 Negative - Daniel Zhang : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33349 Negative - Michael Clifton : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33371 Negative - David Sundaram-Stukel : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33393 Negative - Isaac Vetter : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33415 Negative - Amit Popat : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33437 Negative - Cooper Thompson : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33459 Negative - Danielle Friend : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33481 Negative - Vassil Peytchev : 2022-May-FHIR IG DTR R2 STU (Withdrawn)
  - BALLOT-33305 Negative - Peter DeVault : 2022-May-FHIR IG DTR R2 STU (Balloted)