SMART on FHIR® (Substitutable Medical Applications and Reusable Technologies on Fast Healthcare Interoperability Resources) has an important role in securing a "FHIR ecosystem" and supporting safe access to the data that enables an open healthcare ecosystem. What else is required?
FHIR is the next-generation HL7® standard for healthcare data integration. It focuses on decreasing interoperability costs and unlocking technical innovation in healthcare, and it does this by supporting an ecosystem of information providers and consumers via open APIs. But as with any API, and particularly one that exposes personal health information (PHI), security issues need consideration.
In a recent whitepaper, we discussed the role of SMART on FHIR in establishing a layer of security around FHIR applications and in identifying users and applications to the sources of information they access. SMART describes how to use OAuth2 in a healthcare setting and defines a number of server "roles" that are needed to do so.
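As an added illustration (not code from the whitepaper or from the SMART specification), here is how a FHIR resource server could enforce the clinical scopes that a SMART OAuth2 token carries, including the restriction of `patient/` scopes to the launch patient's compartment. The scope syntax is SMART App Launch v1; the helper names and the simplified mapping of HTTP methods to read/write permissions are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# SMART App Launch v1 clinical scope syntax: <context>/<ResourceType>.<permission>,
# e.g. "patient/Observation.read", "user/*.write", "system/Patient.*"
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")
READ_METHODS = {"GET"}                              # read and search interactions
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # create, update, delete

@dataclass(frozen=True)
class ClinicalScope:
    context: str     # patient | user | system
    resource: str    # FHIR resource type, or "*" for all types
    permission: str  # read | write | *

def parse_scopes(scope_string: str) -> List[ClinicalScope]:
    """Parse the token's space-separated scope claim. Non-clinical scopes
    (openid, fhirUser, launch/patient, offline_access) grant no data access."""
    scopes = []
    for item in scope_string.split():
        m = SCOPE_RE.match(item)
        if m:
            scopes.append(ClinicalScope(*m.groups()))
    return scopes

def is_authorized(scope_string: str, token_patient: Optional[str],
                  method: str, resource_type: str,
                  resource_patient: Optional[str]) -> bool:
    """Decide whether one FHIR request is permitted by the token's scopes.
    token_patient: the 'patient' launch context issued with the token.
    resource_patient: patient whose compartment holds the resource (None if none)."""
    if method in READ_METHODS:
        needed = "read"
    elif method in WRITE_METHODS:
        needed = "write"
    else:
        return False  # unknown interaction: deny by default
    for s in parse_scopes(scope_string):
        if s.resource not in ("*", resource_type):
            continue
        if s.permission not in ("*", needed):
            continue
        # patient/ scopes are confined to the launch patient's compartment
        if s.context == "patient" and (
                token_patient is None or resource_patient != token_patient):
            continue
        return True
    return False
```

The check is deny-by-default: a token scoped to one patient cannot read another patient's Observations, and a read-only scope never permits a write.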
But security is only part of the story—there are other server roles that can play an important part in a FHIR-based ecosystem, and this post describes some of them. The following diagram illustrates these roles: