Argonaut Steering Committee Meeting · • Use OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as primary source, supplemented by OAuth 2.0 Framework (RFC 6749), Bearer

Argonaut Steering Committee Meeting

February 9, 2015

- 1 -

Agenda

Project status review Micky Tripathi

Argonaut sponsor expansion proposal Chuck Jaffe

Scope review Micky Tripathi

FHIR Team status report Grahame Grieve

Security Team status report Dixie Baker

Implementation participation plan Micky Tripathi

Wrap-up All

- 2 -

Dec Jan Feb Mar Apr May

Project Initiation and Setup

Finalize program structure, process, contracts

FHIR Team

Team Kickoff

January FHIR Connectathon (San Antonio)

FHIR Data Query and Document Query Profiles available to HL7

community

FHIR Profiles and Implementation Guides included in informative

ballots

FHIR DSTU R2 ballot

FHIR Data Query and Document Query Profiles and Implementation

Guides finalized, packaged, and made available to market

Security Team

Team Kickoff

Complete review and update of SMART Implementation Guide

Security Implementation Guide finalized, packaged, and made

available to market

Meetings

Argonaut Committee

FHIR Team

Security Team

WorkstreamMonths

High-Level Timelines (see team sections for more detail)

- 3 -

Project Management Dashboard

Owner Task Status Comment

Complete contracts with sub-contractors Complete

Create communication plan and "one-pager" On track Review at Feb 9 meeting

Create pilot/implementation plan On track Review at Feb 9 meeting

Launch document sharing portal Late

Recruit sponsors for FHIR and Security Teams Complete

Schedule FHIR and Security Team Kickoff meeting Complete

Security Team Overall status On trackAll deliverables on track

Sponsor Review Team kicked off

FHIR Team Overall status At risk

Jan Connectathon complete

Sponsor Review Team kicked off

Status of Argonaut-relevant Resources and Profiles

DSTU 2 schedule at risk

Impact on Argonaut deliverables unclear

Project Team

- 4 -

Issue Status

Owner Issue Description Date logged Status Status comment

FHIR Team DSTU 2 schedule HL7 FHIR Management Group may slip schedule

for DSTU 2. "For Comment Draft" has received

450+ comments (unprecedented).

1/14/2015 Critical DSTU 2 does not require comment-level

resolution, but prudent to address key issues

of relevance to Argonaut. Need to monitor

this and determine impact on Argonaut

deliverables.

Security Team Alignment with HEART Working

Group (ONC initiative)

HEART focusing on applying UMA to support

RESTful APIs. Is this duplicative or in conflict

with Argonaut security work?

1/11/2015 Complete HEART (UMA) not working on same timeline or

addressing same use cases as Argonaut. Josh

Mandel will maintain liason with HEART and

align as necessary.

FHIR Team Use of copyrighted CPT code

information for FHIR

specification and IGs

CPT code is owned by AMA and protected by

copyright. Need to include some CPT

information in FHIR specification and IGs in

order to make them implementable.

12/17/2014 Complete AMA contacted by John Halamka and willing to

make CPT information available. Call with

AMA scheduled 1/16/2015. Call complete --

AMA will allow CPT representations in Imp

Guides. Grahame to work with AMA on

implementation.

FHIR Team Data element definitions Need detailed operational definitions of MU

common data set data elements

12/10/2014 Complete FHIR Team will start with DAF data element

definitions and address further issues as they

arise.

- 5 -

Communication Needs

Internal

• Argonaut Committee ↔ Working Teams

• Argonaut Committee, Working Teams ↔ Sponsor organizations

• FHIR Team ↔ Security Team

• FHIR Team ↔ Team Members, Security Team ↔ Team Members

• FHIR Team ↔ HL7 FHIR groups

External

• Argonaut Project ↔ General external stakeholders

• Argonaut Project ↔ ONC, S&I Framework

• Argonaut Project ↔ IHE, other SDO (or SDO-like)

• Argonaut Project ↔ Pilot/implementation participants

- 6 -

Current Argonaut Resources

Activity Link

HL7 Argonaut Project IG website http://hl7-fhir.github.io/argonauts.html

SMART Argonaut Project website http://docs.smartplatforms.org/argonaut/

SMART Argonaut Security documents

repository bit.ly/argo-auth-gdrive

SMART Security collaboration channel

(google groups) https://groups.google.com/forum/?utm_source=digest&utm_m

edium=email#!forum/smart-on-fhir/topics

HL7 FHIR Argonaut Implementation

collaboration channel (skype)

skype:?chat&blob=TR07WpBouafQSo_1iReFC39MHHZVJW62h

NvA6KFtQLWLgqf41uy8UE2QKBZgpMWE2zQJ9GaHtGRACU4e

1-M61L-0kiKq573VaML484Nxv_sOtgo74YsuI_qYv9IH2L2kmDE

HL7 FHIR Specification homepage

(DSTU1) http://www.hl7.org/implement/standards/fhir/

HL7 FHIR DSTU2 homepage http://hl7.org/implement/standards/FHIR-Develop/

FHIR Currently Underway DSTU2

Implementation Guides http://hl7-fhir.github.io/iglist.html

http://hl7-fhir.github.io/argonauts.html




http://docs.smartplatforms.org/argonaut/

http://docs.smartplatforms.org/argonaut/

bit.ly/argo-auth-gdrive






https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!forum/smart-on-fhir/topics








http://www.hl7.org/implement/standards/fhir/



http://hl7.org/implement/standards/FHIR-Develop/





http://hl7-fhir.github.io/iglist.html





- 7 -

Agenda







Wrap-up All

- 8 -

Agenda







Wrap-up All

- 9 -

Argonaut Deliverables

FHIR Resources

required for

MU Common Data Set

DAF Profiles

Argonaut Implementation Guides

for Data and Document FHIR

Resources and Profiles

(for Informative Ballot to accompany

FHIR DSTU2 ballot)

Argonaut OAuth2 Implementation

Guide for Argonaut Use Cases

SMART on FHIR OAuth2 IG FHIR DSTU2 Resources and DAF Profiles

FHIR API Security

Starting Point

Deliverables

- 10 -

99 FHIR Resources (50 DSTU1, 49 DSTU2**) 16 Argonaut Common MU Dataset Resources in blue

Clinical Administrative Infrastructure Financial

AllergyIntolerance

CarePlan

CarePlan2**

ClinicalAssessment**

Condition (aka Problem)

Contraindication**

DiagnosticOrder

DiagnosticReport

FamilyHistory

Goal**

ImagingObjectSelection**

ImagingStudy

Immunization

ImmunizationRecommendation

Medication

MedicationAdministration

MedicationDispense

MedicationPrescription

MedicationStatement

NutritionOrder**

Observation

Procedure

Questionnaire

QuestionnaireAnswers**

ReferralRequest**

RiskAssessment**

Specimen

VisionPrescription**

Alert

Appointment Response**

Appointment**

Communication**

CommunicationRequest**

Contract**

Device

DeviceComponent**

DeviceMetric**

DeviceUseRequest**

DeviceUseStatement**

Encounter

EpisodeOfCare**

Group

HealthcareService**

Location

Order

OrderResponse

Organization

Patient

Person**

Practitioner

ProcedureRequest**

RelatedPerson

Schedule**

Slot**

Substance

Supply

Basic**

Binary**

Bundle**

Composition

ConceptMap**

Conformance

DataElement**

DocumentManifest

DocumentReference

ExtensionDefinition**

List

Media

MessageHeader

NamingSystem**

OperationDefinition**

OperationOutcome

Other

Profile

Provenance

SearchParameter**

SecurityEvent

Subscription**

ValueSet

ClaimResponse**

Coverage**

EligibilityRequest**

EligibilityResponse**

EnrollmentRequest**

EnrollmentResponse**

ExplanationOfBenefit**

InstitutionalClaim**

OralHealthClaim**

PaymentNotice**

PaymentReconciliation**

PendedRequest**

PharmacyClaim**

ProfessionalClaim**

Readjudicate**

Reversal**

StatusRequest**

StatusResponse**

SupportingDocumentation**

VisionClaim**

- 11 -

Argonaut Requirements: FHIR Resources and DAF Profiles

16 Resources required for Argonaut 5 DAF (or other?) Profiles still to be created

11 DAF Profiles still to be confirmed

- 12 -

Argonaut Current and Future Scope

authenticate user

authorization

server

FHIR

resource

server

health care organization A

hosted

application

health care organization B

• register app

• authenticate app

• authorize app

• query/retrieve

documents & data

• register app

• authorize app

• query/retrieve

documents & data

mobile

application

launch app

Current scope: “within” enterprise Future scope: cross-enterprise

authenticate user

authorization server

FHIR

resource

server

• authenticate enterprise

• authenticate federated

user identity across

enterprises

• authorize app for access

scope

• query/retrieve

documents & data

current Argonaut security scope

future Argonaut security scope

current Argonaut FHIR scope

access

access

- 13 -

Agenda







Wrap-up All

- 14 -

<<insert slides from Grahame>>

- 15 -

Agenda







Wrap-up All

- 16 -

Security Team Report Agenda

Security task objectives and scope

Timeline and milestones

Draft use cases

Overview of SMART on FHIR EHR Authorization Profiles

Risk assessment status

- 17 -

Security Task Overview

Objectives

• To identify and characterize authentication and authorization risks associated

with RESTful, FHIR-based transactions

• To enhance “SMART on FHIR” EHR Authorization Profiles as needed to

address identified risks

Roles and responsibilities

• Primary Team: Dixie Baker (task lead) and Josh Mandel, (implementation

lead)

• Security SME Team: Objectively review and contribute expertise to help

assure quality, applicability, implementability, and adoption

- 18 -

Security Task Scope

Authentication and authorization for RESTful, FHIR based transactions

• Does not include identity management (e.g., identity proofing, credentials

management)

• Does not include identity federation between organizations

OAuth 2.0 Implementation Guidance (including OpenID Connect)

• Focus on enhancing “SMART on FHIR” implementation guidance, informed

by other existing OAuth 2.0 implementation guidance

- 19 -

Milestones and Timeline

Milestone Deliverable Target Date

Security Implementation Guide Team

Kickoff – agree on scope, requirements,

milestones, deliverables, & timeline

Updated PPT slides Week of Dec 15, 2014

Define Use Cases Use Case Document Week of Jan 26, 2015

Identify authentication and authorization

risks associated with use case(s)

Identified risks Week of Feb 2, 2015

Complete review of SMART and other

applicable implementation guidance

Assessment w.r.t.

identified risks

Week of Feb 23, 2015

Recommend and field test changes

(iterative)

Recommendations Mar-Apr, 2015

Complete review and update of SMART

implementation guidance

Final updates Early Apr, 2015

- 20 -

Use Case Considerations

These specifications will introduce a new architectural pattern (REST), a new style for

accessing data and services (FHIR), and new, more flexible and open, methods for

authorizing access to health information (OAuth 2.0)

For a healthcare organization, “newness” represents risk

Therefore, we defined use cases that are simple, yet functional, and that address both

real security risks and trust risks associated with potential discomfort with these new

ways of doing things, as both of these can impede vendor and provider adoption

Once these methods and technologies are safely implemented, greater functionality

will follow

- 21 -

Draft Use Cases

1. Patient uses provider-approved, hosted web application to access health

data

• Client type: Deployment-specific "client_id" with pre-registered "redirect_uri”

and with "client_secret”)

2. Patient uses provider-approved mobile app to access health data

• Client type: Deployment-independent "client_id" with pre-registered

"redirect_uri" and without "client_secret”

3. Clinician uses provider-approved, hosted web application to access health

data

4. Clinician uses provider-approved mobile app to access health data

- 22 -

Broad Definitions

“EHR System” – any system that holds and controls individually identifiable health data

“Provider approved” – named application that has been approved and registered by

the data holder

“Web application” – hosted on trusted server and capable of protecting a secret used

to authenticate its own identity

“Mobile app” – incapable of providing assured protection of secrets

- 23 -

Overview of SMART on FHIR EHR Authorization Profiles (1 of 2)

Two OAuth 2.0 profiles:

• Confidential clients – apps that have server-side business logic and are capable of

protecting a secret for use in authenticating the app’s identity (e.g., hosted apps)

http://docs.smartplatforms.org/authorization/confidential/

• Public clients – apps that run entirely on the end-user’s device and that are unable

to protect a secret usable for authenticating the app’s identity (e.g., mobile apps)

http://docs.smartplatforms.org/authorization/public/

Implementation guidance for Scopes and Launch Context for both profiles are given in

a separate document

• http://docs.smartplatforms.org/authorization/scopes-and-launch-context/

http://docs.smartplatforms.org/authorization/confidential/

http://docs.smartplatforms.org/authorization/public/

http://docs.smartplatforms.org/authorization/scopes-and-launch-context/








- 24 -

Overview of SMART on FHIR EHR Authorization Profiles (2 of 2)

Intended audience is app developers (not server implementers)

All of the OAuth 2.0 actors (authorization server, resource server, OpenID provider)

are encompassed in a single “EHR” actor

Apps may be launched from within an EHR/Portal or standalone – the former get

context from the EHR

Guidance for requesting OpenID profile is given in Scopes and Launch Context

document; defers to the OpenID specification profile for details regarding ID Token

validation

- 25 -

Risk Assessment

Approach

• Use OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as

primary source, supplemented by OAuth 2.0 Framework (RFC 6749), Bearer

Tokens (RFC 6750), and OpenID Connect Core specifications

• Assess applicability to Argonaut use cases

• Assess SMART on FHIR specifications approaches for countering identified

risks

• Recommend and coordinate changes as warranted

Current status

• Preliminary assessment complete

• Discussions underway

- 26 -

Agenda







Wrap-up All

- 27 -

Argonaut Pilot/Implementation Plan

Key aims of the Argonaut Project are to facilitate rapid adoption of FHIR APIs through:

• Narrowly focused initial use cases: Simple low-risk use cases that offer low barrier to

entry, and an opportunity for organizations to get comfortable with new ways of doing

things

• Specification and Implementation Guides: Rapid development of focused

implementation guides for RESTful FHIR APIs and OAuth 2.0 security

• Market feedback: Market testing, pilot implementations and feedback, ideally while

specification is still unstable

• Market diffusion: Engagement of broad array of market participants (vendors and

providers)

Argonaut Implementation Community will be mechanism for engaging external participants in

Argonaut development activities

• Make available emerging specification and documentation artifacts for vendor and

provider participants

• Participation in collaborative community for Q&A, information sharing, and results

dissemination

• Regular communications and updates

• Pilot implementations

- 28 -

Key Implementation Goals and Principles

Participation

• Agree to write and deploy working code

• Participate at the level most appropriate to your organization’s interest and capacity

• Share learnings with others through Argonaut channels

• Communicate results through Argonaut channels

• Abide by HL7 rules for IP and anti-competitive practices

Scope

• Implement, test and pilot both FHIR API(s) and security

• Minimally test Argonaut-specific specs/IGs and use cases

Argonaut specs/IGs

• FHIR document-level API: IHE Mobile Access to Health Documents (MHD) to access static CCDA and

other IHE X* documents

• FHIR data-level API: Query for MU common data set (DAF definitions)

• Security: SMART on FHIR OAuth 2.0 implementation guides for implementing mobile and hosted apps

Argonaut use cases

• Patient uses provider-approved, hosted web application to access health data

• Patient uses provider-approved mobile app to access health data

• Clinician uses provider-approved, hosted web application to access health data

• Clinician uses provider-approved mobile app to access health data

- 29 -

Three Argonaut Implementation Tiers

Pilot

Implementations

Synchronous

Testing and

Connectathons

Asynchronous

Testing

• Recruit vendors for pilot

implementations of Argonaut use

cases

• Demonstrate production pilots at

industry forums – HIMSS?

• Collaboration through organized

channel

Incre

asin

g p

roje

ct m

an

ag

em

en

t

• Organized in-person or remote

connectathons

• Active testing among partners

• Self-service testing against public

and private servers

- 30 -

Scope of Argonaut Pilots

• Intra-organization: pilot with existing mobile

or hosted apps

• Multi-organization: multiple organizations

pilot with common mobile or hosted app

• Inter-organization: Cross-enterprise not in

current Argonaut security use cases so would

be more difficult to execute and support

- 31 -

Pilot Implementations

Most engaged and valuable testing activity

Leverage sponsor organizations (vendors and providers)

Best opportunity to provide timely “implementation focused review” of FHIR and

security specifications and implementation guides

Create focused implementation teams based on pilot participation and

implementation patterns

- 32 -

Synchronous and Asynchronous Testing

Synchronous testing and connectathon(s)

• In-person or remote orchestrated connectathon(s)

• HL-7 style – organized tracks covering range of use cases or technical areas

• Leverage HL-7 community/activities where possible

• Collaboration through organized channel

• Bilateral testing or multi-party parallel testing

Asynchronous testing

• Periodic community calls (perhaps meetings)

• Collaboration through organized channel

• Make available specifically-identified Argonaut specs and documentation

- Public servers – already available to HL7 FHIR community, need to specifically

identify Argonaut artifacts

- Private servers – same as public servers but with additional access to de-

identified clinical data; available only to authorized Argonaut implementation

partners

• Recruit implementation partners and provide light program structure to motivate and

sustain engagement

- 33 -

Next Steps

Finalize approach to Argonaut Implementation Program (today)

Communicate with interested parties

• Identify implementation preferences

Organize Pilot Implementation Team(s) for sponsor organizations agreeing to

pilot production

Finalize project and technical infrastructure (public/private servers) for

synchronous and asynchronous testing

• Establish FHIR and Security “release schedules” for testing artifacts

Launch Argonaut Implementation Program

- 34 -

Agenda







Wrap-up All

- 35 -

Calendar

Argonaut Committee

• Mar 17 (3-5pm ET)

• Apr 21 (3-5pm ET)

• May 19 (3-5pm ET)

FHIR Team

• Kickoff meeting completed: Jan 27, 2015

• Future meetings:

- Feb 26 (3-5pm ET)

- Mar 24 (3-5pm ET)

- Apr 28 (3-5pm ET)

- May 26 (3-5pm ET)

Security Team

• Kickoff meeting completed: Jan 28, 2015

• Future meetings:

- Feb 25 (1-3pm ET)

- Mar 25 (1-3pm ET)

- Apr 29 (1-3pm ET)

- May 27 (1-3pm ET)