RBAC FHIR Extension to Define and Enforce

Security Policies on FHIR Resources

Mohammed Baihan, Ph.D. Student

Steven A. Demurjian, Professor Computer Science & Engineering Department

Thomas Agresta, MD, Professor & Director Medical Informatics Family Medicine Department

The University of Connecticut

mohammed.baihan@uconn.edu, steven.demurjian@uconn.edu, agresta@uchc.edu

http://www.engr.uconn.edu/~steve/UConnUCHCFHIR.pdf

1

Motivation

• Unauthorized access to a larger set of patients data in

multiple systems:

– FHIR provides unrestricted access to its Resources and API

• Users (e.g. patients) need to control access to their data:

– patients may grant/revoke a physician access to specific part of

their medical record

• Apps developers need an easy way to add security:

– most developers focus only on the app functionalities

2

Background

• Connecticut Concussion Tracker (CT2) mHealth App

– New State Law (HB6722) to track concussion of kids between ages

7 to 19 in public schools

– iOS and Andriod Versions

– MySQL Database and RESTful API

– Screens for: Student Demo, Cause, Symptoms, Follow-up, Return

• Collaboration Between Departments of:

– Physiology and Neurobiology

– Computer Science & Engineering

– Schools of Nursing and Medicine

3

CT2 (iOS Version)

4

CT2 (iOS Version)

5

Multi-Focal Approach

• Incorporate RBAC into CT2 to Control by User/Role

– Accessible Screens

– Read/Enter/Edit Content on Screen-by-Screen Basis

– Control which RESTful Services are Called

• Integrate CT2 with OpenEMR for a Central Secure

Repository

• Investigate Alternative Blueprints for Integration via FHIR

• Design and Develop an RBAC Interceptor for HAPI FHIR

for CT2 integrated with OpenEMR

• End Result: A user/role is Restricted to only the needed

data (FHIR resources) at API level (FHIR CRUD APIs)

6

Specific Steps

• Map CT2 Database Content to OpenEMR via FHIR

• Explain the RBAC Interceptor in HAPI FHIR

• Extend the Mapping with RBAC Interceptor

• Sample RBAC Policy for CT2

• Illustrate HAPI FHIR RBAC Interceptor (AuthInterceptor)

• Code Level Demonstration:

– AuthInterceptor usage:

• JSON format for policy

• Extending AuthInterceptor

– Policy enforcement example

• Allowed Access

• Denied Access 7

Map CT2 DB Content to OpenEMR via FHIR

8

Role-based Access Control Interceptor

• Extends HAPI FHIR reference library with Access Control on the CRUD APIs of FHIR Resources.

• Specifically, the InterceptorAdapter Class of HAPI FHIR is extended with a new interceptor class (AuthInterceptor) to support: – Definition of policy: assign roles to users, and authorize FHIR

resources (with CRUD) to roles

– Specific JSON format for policy

– Dynamic policy enforcement: restrict a user to access specific set of FHIR resources (with CRUD) based on the user’s role

Contact mohammed.baihan@uconn.edu for AuthInterceptor Code

9

HAPI FHIR InterceptorAdapter

10

HAPI FHIR AuthInterceptor

11

12

HAPI FHIR AuthInterceptor

Sample RBAC Policy for CT2

• Four different roles:

– Athletic Trainer, Coach, Nurse, Parent

13

How to use AuthInterceptor

14

• A developer needs to:

– Design simple API that retrieves RBAC policy

– Extend the AuthInterceptor class and provide a link to

the RBAC policy API

JSON format for policy

15

Extending AuthInterceptor

16

Allowed Access

17

Denied Access

18

Relevant Work Published

• Rivera Sánchez, Y., K. Demurjian, S., and Baihan, M. “Achieving

RBAC on RESTful APIs for Mobile Apps using FHIR,” accepted, to

appear in http://www.mobile-cloud.net/, April 2017.

• Baihan, M., K. Rivera Sánchez, Y., Shao, X., Gilman, C., Demurjian,

S., and Agresta, T., “A Blueprint for Designing and Developing an

mHealth Application for Diverse Stakeholders Utilizing Fast Healthcare

Interoperability Resources”, accepted, to appear in Contemporary

Applications of Mobile Computing in Healthcare Settings, R. Rajkumar

(ed.), IGI Global. http://www.igi-global.com/publish/call-for-papers/call-

details/2287

• Baihan, M., and Demurjian, S., “A Framework for Secure and

Interoperable Cloud Computing,” accepted, to appear in Springer

Research Advances in Cloud Computing, under second review, S.

Chaudhary (ed.), http://www.cloudbus.org/racc/ .

19

Current Ongoing BMI Research

Current Ph.D. Doctoral Students:

• Framework for Secure and Interoperable Cloud

Computing – Mohammed Baihan

• Role-Based Access Control (RBAC) for Mobile

Computing – Yaira Rivera Sanchez

• Adaptive Trust Negotiation for Time-Critical Access to

Healthcare Data – Eugene Sanzi

• Spatio-Situation-Based Access Control Model for

Dynamic Permissions – Xian Shao

• Architectural Alternatives for HIE using FHIR – Timo

Ziminski

20

Questions & Answers

Thanks!

21