MHealthDossier Guide: Difference between revisions
JohnMoehrke (talk | contribs) Created page with "Guidance to using the Mobile access to Health Documents (MHD) profile Introduction Common Technology Patient Identification Patient ID resolution from one identifier domain to a..." |
JohnMoehrke (talk | contribs) No edit summary |
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This page is HISTORIC, and not representative of current MHD. Please go to [[Mobile access to Health Documents (MHD)]] | |||
=HL7 FHIR= | |||
The HL7 [http://hl7.org/fhir FHIR] initiative has looked at MHD profile and prototyped a FHIR version. I think this would be a great chance for IHE and HL7 to work together on this. | |||
* http://hl7.org/implement/standards/fhir/xdsentry.htm | |||
=User Authentication= | |||
There has been much discussion around user authentication and application authorization. There is a profile proposal for this coming year on this topic. The biggest problem is that the standards in the RESTful pattern are not mature. The leading contender is OAuth. OAuth 2.0 just finished standardization. | |||
SAML can be used, but one must use the SAML SSO Profile. | |||
* http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf | |||
OAuth 1.0 can be made to work. Take a look at Keith’s blog. He has implemented this and blogged the details, and put the code he wrote into the public. | |||
* http://motorcycleguy.blogspot.com/2012/10/oauth-enabling-web-application.html | |||
OAuth 2.0 is more likely to be the way to go. | |||
* RFC-6749 The OAuth 2.0 Authorization Framework http://tools.ietf.org/html/rfc6749 | |||
* RFC-6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage http://tools.ietf.org/html/rfc6750 | |||
Google has a good toolkit in this space. | |||
* https://developers.google.com/accounts/docs/OAuth2 | |||
* http://oauthssodemo.appspot.com/step/1 | |||
* http://android-developers.blogspot.com/2012/09/google-play-services-and-oauth-identity.html | |||
* http://oauth2-preso.appspot.com/ - 1 | |||
* https://developers.google.com/oauthplayground/?code=4/semICgFimm6icOwpnGyhCZ7ufpOv.kmA_Z3sG_NITuJJVnL49Cc_AhXATdAI | |||
In the USA there was a government sponsored profiling effort this summer. I think that IHE is going to pick this up and further develop it. | |||
* http://wiki.siframework.org/RHEx | |||
John's blog on the topic | |||
* http://healthcaresecprivacy.blogspot.com/2012/06/what-user-authentication-to-use.html | |||
=Possible white paper outline= | |||
Guidance to using the Mobile access to Health Documents (MHD) profile | Guidance to using the Mobile access to Health Documents (MHD) profile | ||
Introduction | *Introduction | ||
Common Technology | *Common Technology | ||
Patient Identification | **Patient Identification | ||
Patient ID resolution from one identifier domain to another (PIX) | **Patient ID resolution from one identifier domain to another (PIX) | ||
Fully specified Patient ID vs without domain identifier | **Fully specified Patient ID vs without domain identifier | ||
Pseudonym Patient ID – used to mask real patient ID (e.g. in an ATOM feed) | **Pseudonym Patient ID – used to mask real patient ID (e.g. in an ATOM feed) | ||
How to go from demographics to a patient ID | **How to go from demographics to a patient ID | ||
Scoped out | ***Scoped out | ||
Could be through: | ***Could be through: | ||
Device configuration | ****Device configuration | ||
Prior workflow – browser navigation | ****Prior workflow – browser navigation | ||
Application setup – | ****Application setup – | ||
PHR like application initial configuration could resolve the patient ID as part of the application setup | ****PHR like application initial configuration could resolve the patient ID as part of the application setup | ||
Other application | ****Other application | ||
Future profile | ****Future profile | ||
ATOM feed of workflow items to a careprovider, with the content containing a MHD URL. | *****ATOM feed of workflow items to a careprovider, with the content containing a MHD URL. | ||
Metadata JSON encoding | **Metadata JSON encoding | ||
DocumentEntry and SubmissionSet, Folders, Relationships | ***DocumentEntry and SubmissionSet, Folders, Relationships | ||
ATOM encoding | **ATOM encoding | ||
JSON body | **JSON body | ||
Date-Time conversions and interpretations | **Date-Time conversions and interpretations | ||
Use of the submission set | **Use of the submission set | ||
Encoding of arguments | **Encoding of arguments | ||
Error handling | **Error handling | ||
Service Side | *Service Side | ||
Examples in Java or pseudocode | **Examples in Java or pseudocode | ||
How to implement PIX inside the service | **How to implement PIX inside the service | ||
How to implement GET DocumentEntry given that you only get the EntryUUID and PatientID | **How to implement GET DocumentEntry given that you only get the EntryUUID and PatientID | ||
As a Proxy service grouped with XDS Document Source | **As a Proxy service grouped with XDS Document Source | ||
As a Proxy service grouped with XDS Document Consumer | **As a Proxy service grouped with XDS Document Consumer | ||
As a Proxy service grouped with XCA Initiating | **As a Proxy service grouped with XCA Initiating | ||
As a service interface to a Direct Project HISP | **As a service interface to a Direct Project HISP | ||
Including a RID Information Source (?) | **Including a RID Information Source (?) | ||
Security and Privacy Considerations | **Security and Privacy Considerations | ||
Client Side | *Client Side | ||
Examples in JavaScript | ***Examples in JavaScript | ||
Generally how to use MHD client side | **Generally how to use MHD client side | ||
Discovery of documents | ***Discovery of documents | ||
Using the ATOM feed | ***Using the ATOM feed | ||
Retrieve a Document | **Retrieve a Document | ||
Not in scope to describe how to consume the document (CDA) | ***Not in scope to describe how to consume the document (CDA) | ||
Retrieve a Display Ready (RID) | ***Retrieve a Display Ready (RID) | ||
Create of a Document | ***Create of a Document | ||
Security and Privacy Considerations | **Security and Privacy Considerations | ||
Risks of retrieving and storing local health information | ***Risks of retrieving and storing local health information | ||
Client responsibility to identity | ***Client responsibility to identity | ||
Security and Privacy | *Security and Privacy | ||
Operational issues | **Operational issues | ||
To what degree is the device itself involved in authentication. Is it a second-factor | ***To what degree is the device itself involved in authentication. Is it a second-factor | ||
To what degree is device location (GPS, WiFi identifiers) | ***To what degree is device location (GPS, WiFi identifiers) | ||
Use of OpenID | **User Authentication | ||
Use of OAuth | ***Use of OpenID | ||
Use of HTTPS | ***Use of OAuth | ||
Audit Logging | ***Use of HTTPS | ||
To use ATNA formally or not? | **Audit Logging | ||
On the Client | ***To use ATNA formally or not? | ||
Only on the Server | ***On the Client | ||
Both | ***Only on the Server | ||
Conclusion | ***Both | ||
*Conclusion | |||
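Review bot: In the Client Side block of the new revision, `***Examples in JavaScript` sits three levels deep directly under `*Client Side` with no `**` parent, while the parallel Service Side item is `**Examples in Java or pseudocode`; it should be `**Examples in JavaScript`. In the same block, `***Create of a Document` is nested under `**Retrieve a Document`, which makes document creation a sub-item of retrieval; it reads better as its own `**` item next to `**Retrieve a Document`.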
Latest revision as of 08:27, 13 October 2017
This page is HISTORIC, and not representative of current MHD. Please go to Mobile access to Health Documents (MHD)
HL7 FHIR
The HL7 FHIR initiative has looked at the MHD profile and prototyped a FHIR version. I think this would be a great chance for IHE and HL7 to work together on this.
- http://hl7.org/implement/standards/fhir/xdsentry.htm
User Authentication
There has been much discussion around user authentication and application authorization. There is a profile proposal for this coming year on this topic. The biggest problem is that the standards in the RESTful pattern are not mature. The leading contender is OAuth. OAuth 2.0 just finished standardization.
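SAML can be used, but one must use the SAML SSO Profile.
- http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
OAuth 1.0 can be made to work. Take a look at Keith’s blog. He has implemented this, blogged the details, and made the code he wrote public.
- http://motorcycleguy.blogspot.com/2012/10/oauth-enabling-web-application.html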
OAuth 2.0 is more likely to be the way to go.
- RFC-6749 The OAuth 2.0 Authorization Framework http://tools.ietf.org/html/rfc6749
- RFC-6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage http://tools.ietf.org/html/rfc6750
Google has a good toolkit in this space.
- https://developers.google.com/accounts/docs/OAuth2
- http://oauthssodemo.appspot.com/step/1
- http://android-developers.blogspot.com/2012/09/google-play-services-and-oauth-identity.html
- http://oauth2-preso.appspot.com/ - 1
- https://developers.google.com/oauthplayground/?code=4/semICgFimm6icOwpnGyhCZ7ufpOv.kmA_Z3sG_NITuJJVnL49Cc_AhXATdAI
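In the USA there was a government-sponsored profiling effort this summer. I think that IHE is going to pick this up and further develop it.
- http://wiki.siframework.org/RHEx
John's blog on the topic
- http://healthcaresecprivacy.blogspot.com/2012/06/what-user-authentication-to-use.html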
Possible white paper outline
Guidance to using the Mobile access to Health Documents (MHD) profile
- Introduction
- Common Technology
  - Patient Identification
  - Patient ID resolution from one identifier domain to another (PIX)
  - Fully specified Patient ID vs without domain identifier
  - Pseudonym Patient ID – used to mask real patient ID (e.g. in an ATOM feed)
  - How to go from demographics to a patient ID
    - Scoped out
    - Could be through:
      - Device configuration
      - Prior workflow – browser navigation
      - Application setup –
      - PHR like application initial configuration could resolve the patient ID as part of the application setup
      - Other application
      - Future profile
        - ATOM feed of workflow items to a careprovider, with the content containing a MHD URL.
  - Metadata JSON encoding
    - DocumentEntry and SubmissionSet, Folders, Relationships
  - ATOM encoding
  - JSON body
  - Date-Time conversions and interpretations
  - Use of the submission set
  - Encoding of arguments
  - Error handling
- Service Side
  - Examples in Java or pseudocode
  - How to implement PIX inside the service
  - How to implement GET DocumentEntry given that you only get the EntryUUID and PatientID
  - As a Proxy service grouped with XDS Document Source
  - As a Proxy service grouped with XDS Document Consumer
  - As a Proxy service grouped with XCA Initiating
  - As a service interface to a Direct Project HISP
  - Including a RID Information Source (?)
  - Security and Privacy Considerations
- Client Side
    - Examples in JavaScript
  - Generally how to use MHD client side
    - Discovery of documents
    - Using the ATOM feed
  - Retrieve a Document
    - Not in scope to describe how to consume the document (CDA)
    - Retrieve a Display Ready (RID)
    - Create of a Document
  - Security and Privacy Considerations
    - Risks of retrieving and storing local health information
    - Client responsibility to identity
- Security and Privacy
  - Operational issues
    - To what degree is the device itself involved in authentication. Is it a second-factor
    - To what degree is device location (GPS, WiFi identifiers)
  - User Authentication
    - Use of OpenID
    - Use of OAuth
    - Use of HTTPS
  - Audit Logging
    - To use ATNA formally or not?
    - On the Client
    - Only on the Server
    - Both
- Conclusion