Introduction to SMART on FHIR

hellonisit 110 views 33 slides Jun 23, 2024

About This Presentation

SMART on FHIR provides a standard, universal API for accessing EHI. The end-goal is to ensure that patients are able to access their EHI from the app and the device of their choosing as they move from provider to provider or payer to payer throughout their care journey.


Slide Content

Introduction to SMART on FHIR
By Nishit Charania (https://www.linkedin.com/in/nishit-charania) and Tuhin Das Gupta (https://www.linkedin.com/in/tuhin-das-gupta-14a11b32/)

Genesis

Evolution of SMART

About: HL7, FHIR fundamentals
HL7 (Health Level Seven): founded in 1987; an ANSI-accredited Standards Development Organization. HL7's mission is to develop standards and a framework for global health data interoperability. The name refers to its focus on the application layer, which is "layer 7" in the OSI model.

About: HL7, FHIR fundamentals
What is ?
https://api.sit.com/Patient/00012345
https://api.sit.com/fhir/QuestionnaireResponse?identifier=uuid:g1|&questionnaire=Questionnaire/2

A little history of authentication: HTTP Basic Authentication
Pros: easy to implement; suits small systems.
Cons: only username/password; hard to integrate; no distinction between users and machines.

About OAuth
What is OAuth? An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

OAuth 2.0: terminology
Resource Owner (RO): the person or the application that holds the data to be shared.
Resource Server (RS): the application that holds the protected resources.
Authorization Server (AS): the application that verifies the identity of the users.
Client: the application that makes requests to the RS on behalf of the RO.

OAuth 2.0: protocol flow
The slides walk through one exchange between the four parties (Resource Owner, Client, Resource Server, Authorization Server), one message per slide:
1. Resource Owner to Client: "I want to see a list of Photos."
2. Client to Resource Server: "Hey, backend, could you please give me a list of Photos?"
3. Resource Server to Client: "Sorry, this is a protected resource. You will need to present me an access token."
4. Client to Authorization Server: "Hi Authorization, can I get an access token please? Backend is asking."
5. Authorization Server to Client: "Sure thing sir. I just need to ask a few details of the user first."
6. Authorization Server to Resource Owner: "Hi, could you please provide me your credentials? I need to verify your identity."
7. Resource Owner to Authorization Server: "No problem at all. I am [email protected] and my password is *****."
8. Authorization Server to Client: "The user is who they claim to be. Here is your access token: ser345ggs2sf34t.2343ysfaaerwetr78wgr.seer34"
9. Client to Resource Server: "Hi Backend, this is my token: ser345ggs2sf34t.2343ysfaaerwetr78wgr.seer34"
10. Resource Server to Authorization Server: "Hi, can you please validate access token ser345ggs2sf34t.2343ysfaaerwetr78wgr.seer34?"
11. Authorization Server to Resource Server: "Of course. It is a valid token."
12. Resource Server to Client: "Everything is alright. This is the list of photos."
13. Client to Resource Owner: "Here you have the list of photos."
OAuth 2.0 is a delegation protocol: the Client has no idea about the credentials of the User. Only the Authorization Server ever sees them; the Client handles tokens, and the Resource Server checks those tokens with the Authorization Server before releasing anything.

OAuth 2.0: grant types
authorization-code: The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. (For more see https://oauth.net/2/grant-types/authorization-code/)
PKCE: PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks. (For more see https://oauth.net/2/pkce/)
client-credentials: The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. (For more see https://oauth.net/2/grant-types/client-credentials/)
device-code: The Device Code grant type is used by browserless or input-constrained devices in the device flow to exchange a previously obtained device code for an access token. (For more see https://oauth.net/2/grant-types/device-code/)
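The protocol-flow slides and the authorization-code/PKCE grant above can be modelled in a few dozen lines. The following is an added example written for this page, not code from the presentation or from the SMART project: an in-memory Authorization Server, Resource Server and Client exchanging the same "list of photos" as the slide dialogue, using the authorization-code grant with PKCE (S256). The class names, the "photos.read" scope string, the user alice@example.com and the photo names are all constructed for the illustration. It shows the two properties the slides stress, namely that the Client never handles the user's password, and that the Resource Server releases data only after the Authorization Server vouches for the token, plus the checks PKCE adds: a code bound to the wrong verifier, a replayed code, a bad password and a missing token are all refused.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE and JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, the RFC minimum
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    """Hypothetical AS: verifies the resource owner, issues codes, then tokens."""

    def __init__(self, users):
        self._users = users      # username -> password; constructed sample data
        self._codes = {}         # code -> (username, code_challenge, scope)
        self._tokens = {}        # access token -> (username, scope)

    def authorize(self, username, password, code_challenge, scope):
        # The resource owner authenticates here, never at the client.
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (username, code_challenge, scope)
        return code

    def token(self, code, code_verifier):
        # The code is single-use: it is consumed even if PKCE then fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        username, challenge, scope = entry
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        token = b64url(secrets.token_bytes(24))
        self._tokens[token] = (username, scope)
        return token

    def introspect(self, token):
        """(username, scope) for a live token, None otherwise."""
        return self._tokens.get(token)


class ResourceServer:
    """Hypothetical RS: holds the photos, trusts only tokens the AS vouches for."""

    def __init__(self, auth_server, photos):
        self._as, self._photos = auth_server, photos

    def list_photos(self, token):
        info = self._as.introspect(token)
        if info is None or "photos.read" not in info[1].split():
            raise PermissionError("access token missing, invalid or out of scope")
        return self._photos.get(info[0], [])


class Client:
    """The app: it handles codes and tokens but never sees the user's password."""

    def __init__(self, auth_server, resource_server):
        self._as, self._rs = auth_server, resource_server
        self.verifier = None

    def start_login(self, scope="photos.read"):
        self.verifier, challenge = make_pkce_pair()
        return challenge, scope          # goes into the authorization request

    def finish_login(self, code):
        return self._as.token(code, self.verifier)


def _denied(fn, *args):
    """True when the call is refused with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


USER, PASSWORD = "alice@example.com", "correct horse"   # constructed sample user


def run_flow():
    """Happy path: the photo list the client finally hands to the user."""
    auth = AuthorizationServer({USER: PASSWORD})
    rs = ResourceServer(auth, {USER: ["beach.jpg", "dog.png"]})
    client = Client(auth, rs)
    challenge, scope = client.start_login()
    code = auth.authorize(USER, PASSWORD, challenge, scope)   # user <-> AS only
    token = client.finish_login(code)
    return rs.list_photos(token)


def rejection_checks():
    """Failure modes the flow must refuse; every value should be True."""
    auth = AuthorizationServer({USER: PASSWORD})
    rs = ResourceServer(auth, {USER: ["beach.jpg"]})
    client = Client(auth, rs)
    challenge, scope = client.start_login()
    code = auth.authorize(USER, PASSWORD, challenge, scope)
    return {
        "bad_password": _denied(auth.authorize, USER, "wrong", challenge, scope),
        "wrong_verifier": _denied(auth.token, code, "not-the-verifier"),
        "replayed_code": _denied(auth.token, code, client.verifier),
        "no_token": _denied(rs.list_photos, "not-a-token"),
    }
```

`run_flow()` returns the two constructed photo names; `rejection_checks()` returns a dict whose values are all True. Note that in `token()` the code is popped before the PKCE comparison, so a failed exchange also burns the code, which is why the replay check succeeds even though the second attempt presents the correct verifier.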

Substitutable Medical Apps and Reusable Technologies (SMART)
To allow apps that run across heterogeneous security environments, SMART on FHIR specifies how apps obtain authorization tokens, but allows servers to apply any necessary policies to determine a user's permissions. Every representational state transfer (REST) API call includes an authorization token obtained and transmitted via OAuth 2. The scope of access tokens is kept narrow so that, for instance, an app working with a single patient record requests a limited-scope access token that is only valid for querying that patient's data.

SMART Apps: core focus
Healthcare Apps connect to Clinical Systems (e.g., EHR, Patient Portal, Data Warehouse); SMART covers the pieces in between: UX Integration, Authorization, Single Sign-On and FHIR APIs.

OAuth-based Standalone App Launch (App and EHR)
1. App to EHR: Authorization request (scopes). EHR to App: Response (yes/no; scopes).
2. App to EHR: Token request. EHR to App: Response (access token, id token, context).
3. App to EHR: FHIR API request (with access token). EHR to App: FHIR Resources. App: Display Data.

OAuth-based EHR App Launch (App and EHR)
0. EHR to App: Launch request (server URL, launch id).
1. App to EHR: Authorization request (scopes). EHR to App: Response (yes/no; scopes).
2. App to EHR: Token request. EHR to App: Response (access token, id token, context).
3. App to EHR: FHIR API request (with access token). EHR to App: FHIR Resources. App: Display Data.

SMART Authorization scopes, v1 examples
Scopes convey what access an app needs. A scope is built from three parts, Access Type / FHIR Resource . Permission, for example patient/Immunization.read.
Examples: patient/Patient.read, patient/Observation.read, patient/*.read, patient/MedicationOrder.write, user/*.read

SMART Authorization scopes, v2
Goal: Read and search for all observations about a patient. Scope: patient/Observation.rs
Goal: Read demographics about a patient. Scope: patient/Patient.r. Note the difference in capitalization between "patient" the permission type and "Patient" the resource.
Goal: Add new blood pressure readings for a patient. Scope: patient/Observation.c. Note that the permission is broader than the goal: with this scope, an app can add not only blood pressures, but other observations as well. Note also that write access does not imply read access.
Goal: Read all available data about a patient. Scope: patient/*.cruds. See notes on wildcard scopes below.
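The v1 and v2 scope slides above describe a small grammar, and the notes on them (capitalization, write not implying read, wildcards) are exactly the cases a token-checking component has to get right. The code below is an added example written for this page, not part of the presentation or of any SMART library: a parser for scope strings of the form context/Resource.permissions, optionally with a granular ?param=value suffix, and a `permits` check that decides whether a set of granted scopes covers one requested action. The v1-to-v2 mapping it uses (read to rs, write to cud, * to cruds) and the rule that a granular query must match the request's parameters are this example's assumptions; the function names and the sample scopes are constructed. It goes slightly beyond the slides by also handling the user/ and system/ contexts and v1 strings.

```python
import re

# Grammar assumed by this example:  <context>/<Resource|*>.<permissions>[?query]
# v1 permissions are read | write | * ; v2 permissions are an ordered subset of "cruds".
SCOPE_RE = re.compile(
    r"^(?P<ctx>patient|user|system)/(?P<res>[A-Z][A-Za-z]*|\*)"
    r"\.(?P<perm>read|write|\*|c?r?u?d?s?)(?:\?(?P<query>[^ ]+))?$"
)
# Approximate v1 -> v2 mapping (assumption used by this example).
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


def parse_scope(scope):
    """Split one scope into its parts; raise ValueError on malformed input."""
    m = SCOPE_RE.match(scope)
    if not m or not m["perm"]:
        # Covers a lowercase resource ("patient/patient.r"), an empty or
        # out-of-order permission string, or an unknown context.
        raise ValueError(f"malformed scope: {scope!r}")
    perm = V1_TO_V2.get(m["perm"], m["perm"])
    query = {}
    if m["query"]:
        for pair in m["query"].split("&"):
            key, _, value = pair.partition("=")
            query[key] = value
    return {"context": m["ctx"], "resource": m["res"],
            "permissions": set(perm), "query": query}


def is_valid_scope(scope):
    """True when the string parses under the grammar above."""
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def permits(granted, context, resource, action, params=None):
    """True if some granted scope allows `action` (one of c/r/u/d/s) on the
    resource in the given context. `params` are the request's query
    parameters, compared against any granular constraint in the scope."""
    params = params or {}
    for scope in granted:
        p = parse_scope(scope)
        if p["context"] != context or p["resource"] not in ("*", resource):
            continue
        if action not in p["permissions"]:     # write does not imply read
            continue
        # A granular scope (e.g. ?category=vital-signs) only covers requests
        # that carry the same constraint.
        if all(params.get(k) == v for k, v in p["query"].items()):
            return True
    return False


def minimal_scope(context, resource, actions):
    """Build the narrowest v2 scope granting exactly `actions`, e.g. {"c"}."""
    perm = "".join(ch for ch in "cruds" if ch in actions)
    if not perm or context not in ("patient", "user", "system"):
        raise ValueError("nothing to grant")
    return f"{context}/{resource}.{perm}"


# Constructed sample: the scopes from the v2 slide, each checked against
# the goal it was meant for and against one neighbouring action it is not.
SLIDE_CASES = [
    (["patient/Observation.rs"], "Observation", "r", True),
    (["patient/Observation.rs"], "Observation", "c", False),
    (["patient/Observation.c"], "Observation", "c", True),
    (["patient/Observation.c"], "Observation", "r", False),
    (["patient/*.cruds"], "MedicationRequest", "d", True),
]


def check_slide_cases():
    """Return True when every slide case behaves as its notes describe."""
    return all(permits(g, "patient", res, act) == want
               for g, res, act, want in SLIDE_CASES)
```

Two details worth noticing: the regex requires an uppercase first letter for the resource, so the slide's capitalization warning becomes a parse error rather than a silent mismatch; and `permits` keeps patient/, user/ and system/ separate, so a user/*.read token does not satisfy a check phrased in the patient context. Whether that separation is right for a given server depends on its policy, which is exactly what the SMART slide above says servers remain free to decide.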

Public App gallery
The SMART App Gallery offers a single place to find and learn about SMART and FHIR apps. It is vendor and license neutral, not restricted to a single EHR platform, hosts commercial and open source apps, and charges nothing to list or browse apps.

Public App gallery: https://apps.smarthealthit.org

Thank You