How would you handle consents/permissions? #1

Closed
thomasgalliker opened this issue Feb 11, 2022 · 3 comments
Comments

@thomasgalliker

Dear Matjaz. It's a very comprehensive article you wrote, congrats! The one thing I still don't understand: How can you make sure that a patient can only request his/her own data - and does not retrieve data of other patients? Does FHIR (like HAPI or Firely) implement such security, or would it be your own *Controller classes that need to read Consent resources and evaluate if a user is allowed to read/write data?

@matjazbravc

Hi Thomas, thank you! FHIR does not offer such a security implementation out of the box. This is left to the solution architect, who must design a production FHIR system with some kind of security sub-system that administers users, user authentication, and user authorization. Read more here: FHIR Security - General Considerations
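
One way such a security sub-system can enforce "a patient sees only his/her own data", as an added example that is not code from the article, from HAPI or Firely, or from either commenter: the functions below assume the token has already been validated and yields a SMART on FHIR `patient` launch context plus `patient/...` scopes (an assumed token shape), and they enforce a hand-picked subset of the FHIR Patient compartment. The `Principal`, `authorize` and `constrain_search` names, and the sample resources, are constructed for this illustration.

```python
"""
Patient-compartment authorization for a FHIR API (added example, not from
the article or from HAPI/Firely).

Assumption: an upstream security sub-system has validated the bearer token
and produced a Principal carrying the SMART on FHIR 'patient' context and
scopes. A controller runs these checks before touching the FHIR store.
Resources are plain dicts as parsed from FHIR JSON.
"""
from dataclasses import dataclass
from typing import Optional

# Reference element that ties a resource type to a patient. Hand-picked subset
# of the FHIR Patient compartment definition (assumption: enough to illustrate).
PATIENT_COMPARTMENT = {
    "Patient": None,                 # the patient record itself: compare its id
    "Observation": "subject",
    "Condition": "subject",
    "MedicationRequest": "subject",
    "AllergyIntolerance": "patient",
}


@dataclass(frozen=True)
class Principal:
    user: str
    patient_id: Optional[str]        # SMART 'patient' context; None for non-patient apps
    scopes: frozenset


def parse_reference(ref: str):
    """'Patient/123' or 'https://fhir.example/Patient/123' -> ('Patient', '123')."""
    parts = ref.rstrip("/").split("/")
    if len(parts) < 2 or not parts[-1] or not parts[-2]:
        raise ValueError(f"malformed reference: {ref!r}")
    return parts[-2], parts[-1]


def scope_permits(scopes, resource_type: str, action: str) -> bool:
    """SMART v1 style scope check: patient/Observation.read, patient/*.read, patient/*.*"""
    for scope in scopes:
        context, _, rest = scope.partition("/")
        rtype, _, perm = rest.partition(".")
        if context != "patient" or rtype not in ("*", resource_type):
            continue
        if perm in ("*", action):
            return True
    return False


def authorize(principal: Principal, resource: dict, action: str):
    """Return (allowed, reason). Fails closed on anything missing or unexpected."""
    rtype = resource.get("resourceType")
    if rtype not in PATIENT_COMPARTMENT:
        return False, f"{rtype} is not in the patient compartment"
    if principal.patient_id is None:
        return False, "token carries no patient context"
    if not scope_permits(principal.scopes, rtype, action):
        return False, f"scope does not permit {action} on {rtype}"
    ref_field = PATIENT_COMPARTMENT[rtype]
    if ref_field is None:
        owner = resource.get("id")
    else:
        elem = resource.get(ref_field)
        ref = elem.get("reference") if isinstance(elem, dict) else None
        if not ref:
            return False, f"{rtype} has no {ref_field} reference"   # unowned data is never released
        try:
            owner_type, owner = parse_reference(ref)
        except ValueError as exc:
            return False, str(exc)
        if owner_type != "Patient":
            return False, f"{ref_field} points at {owner_type}, not Patient"
    if owner != principal.patient_id:
        return False, "resource belongs to another patient"
    return True, "ok"


def constrain_search(principal: Principal, resource_type: str, params: dict) -> dict:
    """Pin a search to the caller's own compartment, so GET /Observation cannot
    enumerate every patient's data. Raises PermissionError if the client named
    a different patient explicitly."""
    if principal.patient_id is None or resource_type not in PATIENT_COMPARTMENT:
        raise PermissionError("search outside patient compartment")
    own_ref = f"Patient/{principal.patient_id}"
    if resource_type == "Patient":
        if params.get("_id") not in (None, principal.patient_id):
            raise PermissionError("search targets another patient")
        return {**params, "_id": principal.patient_id}
    ref_field = PATIENT_COMPARTMENT[resource_type]   # also a valid search parameter name
    requested = params.get(ref_field)
    if requested not in (None, own_ref, principal.patient_id):
        raise PermissionError("search targets another patient")
    return {**params, ref_field: own_ref}


if __name__ == "__main__":
    # Constructed sample data: patient 123 reading an Observation about patient 999.
    alice = Principal("alice", "123", frozenset({"patient/*.read"}))
    other = {"resourceType": "Observation", "id": "o2", "subject": {"reference": "Patient/999"}}
    print(authorize(alice, other, "read"))          # (False, 'resource belongs to another patient')
    print(constrain_search(alice, "Observation", {"code": "8867-4"}))
```

The point of `constrain_search` is that read-by-id is only half the problem: a patient-facing client that can issue an unqualified search must have the compartment filter injected server-side, and a client-supplied filter naming someone else must be rejected rather than silently overwritten.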

@thomasgalliker

This is what I was thinking - but it's good to hear I was not completely wrong. Do you know a product (like WSO2?) which would out-of-the-box support such security implementations?

@matjazbravc

I personally have no experience with similar products, but WSO2 shows exactly what you are looking for (Patient Access API Policy, etc.).
