Achieving RBAC on RESTful APIs for Mobile Apps Using FHIR

Abstract

Health Information Exchange (HIE) provides a morecomplete health record of an individual that improves patientcare with relevant data gathered from multiple healthinformation technology (HIT) systems. In support of HIE, theHealth Level Seven (HL7) XML standard was developed tomanage, exchange, integrate, and retrieve electronic healthinformation. In 2011, HL7 began drafting a next-generationstandard, Fast Healthcare Interoperable Resources (FHIR), tofacilitate the development and interaction of mobile health(mHealth) apps, HIT data sharing, and common format forinformation modeling. FHIR is based on RESTful APIs andsupported by a FHIR server infrastructure that facilitates theexchange in a cloud computing setting. FHIR while possessing asecurity specification, has yet to define and identify actualsecurity mechanisms for secure data exchange via RESTful APIcalls. In this paper, we incorporate role-based access control(RBAC) into FHIR to support the ability to control access ofwho can call which services of FHIR RESTful APIs that managesensitive healthcare data. The work is demonstrated utilizing amHealth application that communicates with the OpenEMRelectronic health record via the HAPI FHIR server.