Healthcare Provider Directory Access Control
Introduction
In the Australian context, a healthcare provider can be defined as an individual or organisation involved in the delivery of healthcare services.
This broad definition encompasses a range of individuals, including doctors, nurses, and other health professionals, as well as organisations like hospitals, clinics, and aged care facilities.
Individual Healthcare Providers
These are individuals who provide, have provided, or are intending to provide healthcare services. This includes registered health professionals such as medical practitioners, nurses, dentists, pharmacists, and allied health professionals.
Note: Individual healthcare providers are also referred to as healthcare practitioners.
Organisational Healthcare Providers
These are organisations that deliver healthcare services. Examples include hospitals, day procedure centres, aged care facilities, and pathology or radiology services.
Healthcare Identifiers
Healthcare Provider Identifiers (HPI-I and HPI-O) are used to uniquely identify individuals and organisations involved in the delivery of healthcare services.
Healthcare Provider Directory
A healthcare provider directory is a repository in which information about healthcare providers is stored and maintained.
FHIR Resources
There are a number of provider-related FHIR resources.
For example:
- Practitioner
- PractitionerRole
- Organization
- HealthcareService
- Location
Note: As per the FHIR specification, the spelling of FHIR resource names (like "Organization") follows the American English standard.
FHIR Operations
FHIR operations are interactions defined by the FHIR standard for manipulating healthcare data. They follow a RESTful paradigm, allowing for Create, Read, Update, Delete (CRUD) and Search actions on FHIR resources.
For example, to read Organisation information:
GET /Organization/{id}
Access Control
How do we define coarse-grained access control?
Coarse-grained access control is when access to resources is granted or denied based on broad, general criteria, often at the role (RBAC) level. However, one or more scopes or claims may also be required.
How do we define fine-grained access control?
Fine-grained access control is when access to resources is granted or denied based on multiple conditions and may combine different access control mechanisms (ABAC, RBAC, ReBAC, UBAC).
In the Australian Healthcare context, support for fine-grained access control is often required.
For example, a Practitioner must be granted the Organisation Maintenance Officer role (RBAC) and have a membership relationship with an Organisation (ReBAC) in order to maintain healthcare service information on an Organisation's behalf.
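To make the combined RBAC and ReBAC rule above concrete, here is an added example (not code from this post, nor Keycloak's own) of the decision a FHIR API gateway or resource server could make before allowing a write to a HealthcareService resource. It assumes the access token has already been validated and decoded, with realm roles in realm_access.roles, SMART scopes in scope, and a hypothetical org_memberships claim; the role name and identifiers are constructed.

```python
"""Combined RBAC + ReBAC check for maintaining FHIR HealthcareService resources.
Assumptions (not from the post): Keycloak realm roles arrive in realm_access.roles,
SMART scopes in `scope`, and a hypothetical custom claim `org_memberships` lists the
Organization ids the practitioner belongs to."""
from typing import Optional, Tuple

MAINTAINER_ROLE = "organisation-maintenance-officer"  # hypothetical role name
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def organization_of(service: Optional[dict]) -> Optional[str]:
    """Return the Organization id referenced by HealthcareService.providedBy, if any."""
    ref = ((service or {}).get("providedBy") or {}).get("reference", "")
    return ref[len("Organization/"):] if ref.startswith("Organization/") else None


def authorize(method: str, claims: dict, stored: Optional[dict],
              body: Optional[dict] = None) -> Tuple[bool, str]:
    """Decide one HealthcareService request; fails closed when the relationship is unknown."""
    scopes = set(claims.get("scope", "").split())
    roles = set(claims.get("realm_access", {}).get("roles", []))
    memberships = set(claims.get("org_memberships", []))
    if method == "GET":
        # Coarse-grained: a SMART read scope is enough to read directory data.
        ok = "user/HealthcareService.read" in scopes
        return ok, "read scope present" if ok else "missing read scope"
    if method not in WRITE_METHODS:
        return False, f"unsupported method {method}"
    # Coarse-grained (RBAC): the maintenance role is required for any write.
    if MAINTAINER_ROLE not in roles:
        return False, "missing maintenance role"
    # Fine-grained (ReBAC): every Organization the write touches must be one the
    # practitioner is a member of: the stored resource's and, on updates, the new one.
    touched = set() if method == "POST" else {organization_of(stored)}
    if body is not None:
        touched.add(organization_of(body))
    if not touched or None in touched:
        return False, "providedBy missing; relationship cannot be established"
    outsiders = touched - memberships
    if outsiders:
        return False, f"not a member of {sorted(outsiders)}"
    return True, "role and membership satisfied"


# Constructed sample token claims and resources (not real identifiers).
CLAIMS = {"scope": "user/HealthcareService.read",
          "realm_access": {"roles": [MAINTAINER_ROLE]}, "org_memberships": ["org-a"]}
SERVICE_A = {"resourceType": "HealthcareService", "providedBy": {"reference": "Organization/org-a"}}
SERVICE_B = {"resourceType": "HealthcareService", "providedBy": {"reference": "Organization/org-b"}}
```

Checking the incoming body's providedBy as well as the stored resource's prevents a maintainer from re-homing a service under an Organisation they do not belong to.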
Keycloak
Keycloak can provide coarse-grained FHIR resource access control.
Also see: Keycloak - Server Administration Guide
Keycloak can also provide fine-grained FHIR resource access control.
Also see: Keycloak - Authorization Services Guide
What's Next
In the next post, we'll take a look at Open Policy Agent, a general-purpose policy engine that you can use to enforce (access) policies in API gateways, microservices and more.
References
OAuth 2.0
- IETF: The OAuth 2.0 Authorization Framework
- IETF: The OAuth 2.0 Authorization Framework: Bearer Token Usage
- IETF: OAuth 2.0 Dynamic Client Registration Protocol
- IETF: OAuth 2.0 Token Exchange
- IETF: OAuth 2.0 for Browser-Based Applications
- Spring docs: Implementation Guidelines for Browser-Based Applications
HL7
- HL7: Implementation Guide
- HL7: FHIR NPM Packages
- AU Core: Publication (Version) History
- AU Core FHIR Implementation Guide: AU Core - 1.0.0-preview
- AU Core FHIR Implementation Guide: Testing FAQs
- Sparked AU Core Test Data: Postman collection
- HL7 AU: Australian Provider Directory Implementation Guide
SMART on FHIR
- HL7: SMART App Launch
- SMART Health IT: SMART on FHIR
SMART on FHIR - Standalone Launch
- Project Alvearie: SMART App Launch
- Project Alvearie: Keycloak extensions for FHIR
- Keycloak extensions for FHIR: Upgrade to the Quarkus-based distribution
- Keycloak discussion: Fine grained scope consent management
Keycloak
- Keycloak docs: Configuring Keycloak for production
- Keycloak docs: Configuring TLS
- Keycloak docs: Configuring trusted certificates
- Keycloak docs: Configuring the hostname
- Keycloak docs: Using a reverse proxy
- Keycloak docs: Running Keycloak in a container
- Keycloak docs: Migrating to the Quarkus distribution
- Keycloak docs: Upgrading Guide - 26.1.0
- Keycloak docs: Authorization Services Guide
Keycloak-based Development
- GitHub: Keycloak Project Example
- GitHub: Awesome Keycloak
Keycloak Support
- Google Group: Keycloak User
- Google Group: Keycloak Dev
APISIX
- APISIX docs: Deployment modes
- APISIX docs: SSL Protocol
- APISIX docs: Certificate
- APISIX docs: Plugins - OpenID Connect
HAPI FHIR
- HAPI FHIR: Website
- HAPI FHIR: Documentation
- Google Group: HAPI FHIR