<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:PMingLiU;
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">John,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Thanks for the feedback. I can certainly make comments on the FHIR ballot. A few reactions to your comments:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Based on my reading of FHIR, chained searches are separate from includes and reverse includes, however they both provide ways to leak data.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">I realize that in designing the scopes, we will not be able to specify for a Resource Server all of the steps it must go through to authorize access to a set of information. However, as
an implementer, it seems like it would be good to find guidance along with the scopes, however they are ultimately designed, about what I need to worry about. Whether they are part of the FHIR spec and pointed to by a HEART spec, or just in HEART doesn’t really
matter to me.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Search, for obvious reasons, has many places where information can leak. It would be great to see an enumeration of things to consider.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Does this group want to say anything about FHIR operations?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Are Bundle, List, Group and Composition resources that receive additional guidance?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">~Andy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">John Moehrke <johnmoehrke@gmail.com><br>
<b>Date: </b>Thursday, September 1, 2016 at 3:16 PM<br>
<b>To: </b>"Gregorowicz, Andrew J." <andrewg@mitre.org><br>
<b>Cc: </b>"openid-specs-heart@lists.openid.net" <openid-specs-heart@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-heart] How should a FHIR Server (RS) handle some interactions with with the HEART OAuth 2.0 scopes<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Hi Andy, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am co-chair of the HL7 security wg, and member of the FHIR core team.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">See the Security page on the FHIR specification for some guidance on Authorization<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <a href="http://hl7-fhir.github.io/security.html#binding">http://hl7-fhir.github.io/security.html#binding</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am noticing that the following guidance is not as clear as it could be. It is mentioned under chained search at<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <a href="http://hl7-fhir.github.io/security.html#http">http://hl7-fhir.github.io/security.html#http</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> this would be a good CP on the FHIR ballot.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">These search parameters are examples of why the OAuth token is a decision, that the Resource Server must enforce that decision. It is up to the Resource Server to determine if the search results are within the scope. If they are not all
within the scope, then there are two different things to do. Neither of these can we define is the right solution, the right solution will be based on policy. That is a local policy will tell you which of these behaviors.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. Filter out the results that are not authorized. Returning the results that are authorized.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. Reject the request as being not authorized. Returning no results<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Within the first option, there is additional policy determination on if you do this silently, with notice, or with specific notice. Silently means that the requester can't tell by the response that they didn't get full details. Notice would
be an indication in the response that some results were suppressed because of policy, but no specifics are given as to what or why the suppression happened. This is indicated using the OperationOutcome.issue.code of 'forbidden'<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Note that a degenerate state is use of (1) where no results are returned...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">John Moehrke<br>
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security<br>
CyberPrivacy – Enabling authorized communications while respecting Privacy<span style="font-family:PMingLiU"><br>
</span>M +1 920-564-2067<br>
<a href="mailto:JohnMoehrke@gmail.com" target="_blank">JohnMoehrke@gmail.com</a><br>
<a href="https://www.linkedin.com/in/johnmoehrke" target="_blank">https://www.linkedin.com/in/johnmoehrke</a><br>
<a href="https://healthcaresecprivacy.blogspot.com" target="_blank">https://healthcaresecprivacy.blogspot.com</a><br>
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Sep 1, 2016 at 11:04 AM, Gregorowicz, Andrew J. <<a href="mailto:andrewg@mitre.org" target="_blank">andrewg@mitre.org</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Hello HEART,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">I work on maintaining a FHIR server (<a href="https://github.com/intervention-engine/fhir" target="_blank">https://github.com/intervention-engine/fhir</a>).
As part of my work, I have been implementing code that allow the server to conduct HEART profile compliant OAuth 2.0 authorized interactions as well as authenticate users using HEART profiled OpenID Connect.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Looking through the archives, it appears that there is some discussion on the FHIR OAuth 2.0 scopes. I wanted to share some implementation experience
and questions that may help the discussion going forward.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">How should the scopes interact with FHIR Search, specifically with _include and _revinclude (<a href="http://www.hl7.org/implement/standards/fhir/search.html#revinclude" target="_blank">http://www.hl7.org/implement/standards/fhir/search.html#revinclude</a>)?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Right now, we have implemented simplistic logic, where if a request is made to the server for search on a given resource, say Condition, that search
will be performed if the application generating the request has been given the user/Condition.read or user/Condition.* scope. What should happen if the search request attempts to _include Encounters for the Conditions and the requesting application has not
been granted the appropriate Encounter scopes? Should the server reject the request? Should it perform the search but not perform the _include?
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Either case of rejecting the request increases implementation complexity on the FHIR Server side.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Also, I saw some discussion in the archive on bulk. I think it makes sense to address this. I could imagine a patient wanting to load a consult note
into their FHIR Server. It may be represented as a FHIR Bundle that contains individual Conditions, MedicationOrders, Observations, etc. Right now, it is unclear to me what the FHIR Server should do with the HEART scopes if someone were to initiate a batch
transaction.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">~Andy</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt">PS – We have developed a set of go language tools for implementing HEART profiled OpenID Connect relying parties as well as HEART profiled OAuth 2.0
resource servers here: <a href="https://github.com/mitre/heart" target="_blank">
https://github.com/mitre/heart</a>. Feedback is welcome.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>