# FHIR AuthZ Meetup: SMART, TEFCA, & Beyond
[@JoshCMandel](https://twitter.com/JoshCMandel)
#### Outline
* Granular scopes in SMARTv2
* Focused sharing with SMART Health Links
* Patient rights vis-a-vis B2B sharing in TEFCA
---
## Granular Scope Capabilities
### FHIR Resource Scope Syntax
- `[level]/[Resource].[cruds]?param=value&param=value`
- Example: `patient/Observation.rs?category=vital-signs`
---
### Bucketing permissions by level
- `patient/` Allow access to specific data about a single patient
- `user/` Allow access to all data that the authorizing user can access
- `system/` Allow access to all data that the client is authorized to access
---
#### Examples
- `patient/Observation.rs?category=vital-signs` - Read and search all vitals for a patient
  - Allows an app to view a patient's vital signs, lab results, etc.
- `user/Immunization.rs` - Read and search all immunizations that the user can access
  - Allows a parent to coordinate a family's immunizations
- `system/Observation.c` - Create observations from a backend service
  - Allows B2B integration that can submit new observations
  - Allows an app to record new vital signs, lab results, etc. for a patient
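As an added example (not code from the talk), a small Python checker for the scope syntax above: it parses `[level]/[Resource].[cruds]?param=value` strings, rejects malformed interaction strings, and evaluates a request against the granted scopes, so that a `category=vital-signs` scope admits a vital-signs Observation but refuses a laboratory one. Representing the touched resource as a map of search-parameter values, and checking `patient/` scopes against a `patient` search parameter, are simplifying assumptions of this example.

```python
"""Parse SMARTv2 resource scopes and check a request against them (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Grammar from the slide: [level]/[Resource].[cruds]?param=value&param=value
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.([cruds]+)(?:\?(.+))?$")


@dataclass(frozen=True)
class Scope:
    level: str
    resource: str            # e.g. "Observation", or "*" for any type
    interactions: frozenset  # subset of {"c", "r", "u", "d", "s"}
    filters: tuple           # ((param, (alt1, alt2, ...)), ...): AND across entries, OR within


def parse_scope(text: str) -> Scope:
    m = SCOPE_RE.match(text)
    if not m:
        raise ValueError(f"not a SMARTv2 resource scope: {text!r}")
    level, resource, perms, query = m.groups()
    # v2 requires the interaction letters in canonical "cruds" order, each at most once
    if "".join(p for p in "cruds" if p in perms) != perms:
        raise ValueError(f"bad interaction string {perms!r} in {text!r}")
    filters = []
    for param, values in parse_qs(query or "").items():
        for v in values:
            # Repeated parameters AND together; a comma-separated value is an OR (FHIR search rules)
            filters.append((param, tuple(v.split(","))))
    return Scope(level, resource, frozenset(perms), tuple(filters))


def permits(scope: Scope, ctx_patient: str, resource: str, interaction: str, record: dict) -> bool:
    """record maps FHIR search-parameter names to the set of values the resource would match."""
    if interaction not in scope.interactions or scope.resource not in ("*", resource):
        return False
    # patient/ scopes are confined to the patient in the launch context; user/ and system/
    # are left to the server's own access control, which this toy model does not include
    if scope.level == "patient" and ctx_patient not in record.get("patient", set()):
        return False
    # every search filter in the scope must match the record, e.g. category=vital-signs
    return all(set(alts) & record.get(param, set()) for param, alts in scope.filters)


def authorize(granted: list, ctx_patient: str, resource: str, interaction: str, record: dict) -> bool:
    """A request is allowed when any one of the token's granted scopes permits it."""
    return any(permits(s, ctx_patient, resource, interaction, record) for s in granted)
```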
### Challenges with Custom Operations
- No standardized scopes for custom operations like...
  - `/Patient/$export`
  - `/Patient/:id/$purge`
  - `/Patient/$update-name`
- Difficult to standardize a scope for operations given
  - Attachment point types (`/`, `/:type`, `/:type/:instance`)
  - Attachment point instances (any? any visible?)
  - Input parameter restrictions?
#### Suggestions
TL;DR Define custom scopes for now. Start with your operation URL for transparency, e.g. `https://myo.example.org/OperationDefinition/locate-patient`
Looking ahead, SMART might focus on standardizing data element-level permissions (example syntax only):
* Read `Patient.name`
  - `patient/Patient.r{{name}}`
* Write `Patient.address` or `Patient.photo`
  - `patient/Patient.u{{address | photo}}`
---
## End-User Authorization with SMART Health Links
- Simple way for patients to share data directly with apps/individuals
- Example: Sharing glucose measurements via a SMART Health Link
  - Patient generates [a link](https://joshuamandel.com/cgm/#shlink:/eyJ1cmwiOiJodHRwczovL2pvc2h1YW1hbmRlbC5jb20vY2dtL3NobC8xMjBkYXlfYWdwX2J1bmRsZV91bmd1ZXNzYWJsZV9zaGxfaWQwMDAwMDAwIiwiZmxhZyI6IkxVIiwia2V5IjoiYWdwX29ic191bmd1ZXNzYWJsZV9yYW5kb21fa2V5MDAwMDAwMDAwMDAwMCIsImxhYmVsIjoiSm9zaCdzIENHTSBEYXRhIn0) that provides access to their glucose data
  - Can share this link with a coach, family member, or trusted app
  - Recipient can view/download the patient's glucose measurements
- Straightforward way to grant targeted data access without complex policies
---
## TEFCA and Network-Based Exchange
- Organizational-level authorization decisions with broad impact
- Example: All TEFCA participants support "treatment" PoU
  - Participants can query *everywhere* for treatment
  - But what if the query seems unrelated to treatment?
- Recent issues in the tech news, perceived misuse
  - Highlights grey areas & need for transparency
- Transparency **for individuals**
  - 3 Principles: https://www.jmir.org/2022/11/e41750/
    - See my own data
    - Know when/why my data are queried
    - Opt out of sharing