This page is part of the FHIR Specification (v4.0.1: R4 - Mixed Normative and STU (v1.0.2: DSTU ) in it's permanent home (it will always be available at this URL). 2). The current version which supercedes this version is 5.0.0 . For a full list of available versions, see the Directory of published versions . Page versions: R5 R4B R4

Valueset-research-study-phase.xml

D.24 General Security Considerations Vocabulary Work Group

DAF transactions often make use of patient-specific information which could be exploited by malicious actors resulting in exposure of patient data. For this reason, all DAF transactions must be secured appropriately with access to limited authorized individuals, data protected in transit, and appropriate audit measures taken.

Implementers should be aware of the security considerations associated with FHIR transactions, particularly those related to:

• Maturity Level : N/A Communications
• Standards Status : Informative Authentication
• Authorization/Access Control
• Raw XML ( canonical form Audit Logging + also see XML Format Specification
• Digital Signatures ) Definition for Value SetResearchStudyPhase <?xml version="1.0" encoding="UTF-8"?> Codes for the stage in the progression of a therapy from initial experimental use in humans in clinical trials to post-market evaluation. Include all codes defined in Codes for the stage in the progression of a therapy from initial experimental use in humans in clinical trials to post-market evaluation. </ ValueSet
• Security Labels >
• Narrative

Usage note: every effort has been made For the purposes of DAF, security conformance requirements are as follows:

• Systems SHALL establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements. In addition US Federal systems SHOULD conform with the risk management and mitigation requirements defined in NIST 800 series documents. This SHOULD include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls – policies, administrative practices, and technical controls – SHALL be defined in the Business Associate Agreements.
• Systems SHALL reference a single time source to establish a common time base for security auditing, as well as clinical data records, among computing systems. The selected time service SHOULD be documented in the Business Associate Agreements.
• Systems SHALL use the AuditEvent resource to capture audit logs of the various transactions. Systems SHOULD capture as many AuditEvent resource data elements as appropriate based on local policies. The following events SHOULD trigger an audit event:
• Every successful and unsuccessful Resource Request (GET, READ, vREAD etc.)and corresponding Response.
• Every Authentication and Authorization request
• Security decisions related to consent, digital signatures, data release and security labelling of returned resources

• Systems SHALL use TLS version 1.0 or higher for all transmissions not taking place over a secure network connection.
  (Using TLS even within a secured network environment is still encouraged to provide defense in depth.) US Federal systems SHOULD conform with FIPS PUB 140-2.
• Systems SHALL conform to FHIR Communications requirements.
• For Authentication and Authorization, Systems SHALL use the Smart On FHIR OAuth2 profiles. NOTE: The Smart On FHIR specifications include the required OAuth2 scopes for enabling security decisions.
• Systems SHOULD implement requirements from FHIR Security Labels to provide information on the type and sensitivity of data.
• Systems SHALL implement consent requirements per their state, local, and institutional policies. The Business Associate Agreements SHOULD document systems mutual consent requirements. DAF actors SHALL ensure that the examples are correct any necessary consent records exist and useful, but they are not reviewed prior to each exchange of patient-identifiable healthcare information. This verification should be logged in the same manner as other transactions, as discussed above under General Security Considerations .
• Systems SHOULD track the provenance meta data of a normative part resource using FHIR Provenance resource and associated requirements.
• Systems SHOULD implement the FHIR Digital Signatures and provide feedback on it's appropriateness for DAF transactions.
• Systems MAY protect the confidentiality of data at rest via encryption and associated access controls. The policies and methods used are outside the scope of this specification.