FHIR Security Model
Healthcare data requires robust security measures. FHIR provides several layers of security:
| Layer | Description |
|---|---|
| Authentication | Verify identity |
| Authorization | Control access |
| Audit Logging | Track who accessed what |
| Encryption | Protect data in transit and at rest |
| Consent | Manage patient permissions |
Key Security Resources
| Resource | Purpose |
|---|---|
| Provenance | Track resource origin and history |
| AuditEvent | Record security-relevant events |
| Consent | Manage patient consent directives |
| CapabilityStatement | Declare system capabilities |
Security Headers
All API requests must include:
Authorization: Bearer <token>
Content-Type: application/fhir+json
Common Security Standards
- SMART on FHIR - OAuth 2.0 based authentication
- HIPAA - US health privacy regulation
- GDPR - European data protection
- HL7 FHIR Consent - FHIR consent management
Threat Model
- Unauthorized access - Prevented by authentication
- Data breaches - Prevented by encryption
- Audit failures - Prevented by logging
- Consent violations - Prevented by consent checks