Post on 16-Feb-2017
FHIR + OAuth2
Kevin Mayfield
Information Governance
(Why FHIR)
Confidentiality
Data Protection 1998 Data Protection Principles
Processed fairly and lawfully Processed for specified purposes Adequate, relevant and not excessive Accurate and kept up-to-date Not kept for longer than necessary Processed in accordance with the rights of
data subjects Protected by appropriate security (practical
and organisational) Not transferred outside the EEA without
adequate protection
Patient Choices
Consent/Dissent to share Sealing Sealing and Locking Consent/Dissent to store
Information Security (INFOSEC)
Confidentiality Information must be secured against
unauthorised modification Integrity
Information must be safeguarded against unauthorised modification
Availability Information must be accessible to
authorised users at times when they require it.
Current Situation
Extract, Transform and Load
Trust Integration Engine
FHIR Mission
Resource API
DocumentRepository
TIE / API RouterLaboratory Information System
PAS / EPR
NHS England (Spine, CP-IS,FGM, etc)
GP and Community Record
OAuth 2FHIR
Trusted Applications
Resource Owner Password Credentials Grant
Enterprise Integration everywhere
TIE (API Router)
EDMSPAS
Dictation
Vital Signs
PASWeb
Patient Identity Feed (HL7v2)
Provide Documents (HL7 FHIR)
Provide Documents (HL7 FHIR)
Retrieve Document (HL7 FHIR)
Retrieve Document (HL7 FHIR)Patient Demographic
Query (SQL)
Patient Demographic Query (HL7 FHIR) Document Registry
Query (HL7 FHIR)
Resource Owner Password Credentials Grant
ClientApp
Auth Server
Resource Server
Access Token Request
Access Token Response
GET Patient – Resource Request
Protected Response
Oauth2
Resource
Web Server Applications
Authorisation Code Grant
Document Sharing (Local)
Cross Enterprise Document Registry
(XDS +FHIR)
GP Document Repository
Social Services
Dcoument Repository
Acute Document
Repositories
Mental Health Doc Repository
GP Document Repository
GP Document Repository
Consent/Dissent to shareSealingSealing and LockingConsent/Dissent to store
Patient Consent
ConsultantNurseGPSocial Worker
Health worker Role
Community, Acute, Sexual Health, Child Services, Social Service, GP, Mental, etc
Service
Authorisation Code Grant Flow
ClientApp
Auth Server
Resource Server
Access Token Request
Access Token Response
‘GET CarePlan’ – Resource Request
Protected Response
Oauth2
Resource
User (or Patient
Consent)
Authorisation Request
Redirect for authorisation
Login and consent
Authorisation Code
Patient Consent
Stack
Any QuestionsMayfield.g.kev@gmail.com
+44 (0) 771 888 1774Skype: kevingmayfield
Twitter: KevinGMayfieldwww.mayfield-is.co.uk