Health Information Exchange (HIE) provides a more complete health record, with the aim of improving patient care using relevant data gathered from multiple Health Information Technology (HIT) systems. In support of HIE, the Health Level Seven (HL7) XML standard was developed to manage, exchange, integrate, and retrieve electronic health information. In 2011, the Fast Healthcare Interoperable Resources (FHIR) standard, based on HL7, was proposed to facilitate the development of mobile Health (mHealth) apps with HIT data sharing via a common modeling format. FHIR utilizes RESTful APIs enabled with a FHIR server for information usage and exchange in the cloud. FHIR has a security specification, but does not define actual security mechanisms for secure data exchange via service invocations. If services are the primary means of access, there must be a way to control who can invoke which service at which time. This paper proposes the use of Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) to define permissions based on role and/or the sensitivity level of services. This is accomplished by evolving RBAC and MAC to support permissions on services (as opposed to the usual object view) at a model level, applied to a setting where a mobile application is using RESTful APIs. The resulting service-based model is incorporated into the FHIR standard to control who can invoke which services of the FHIR RESTful APIs that manage sensitive healthcare data; the work is demonstrated via an mHealth application that interacts with the OpenEMR HIT system via the HAPI FHIR server.
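The service-level idea in the abstract can be sketched as a deny-by-default check that a FHIR server could run before dispatching a RESTful call. This is an added example, not code from the paper, OpenEMR or HAPI FHIR. The roles, users, sensitivity levels, the path layout relative to the FHIR base URL, and the rule that a user's clearance must dominate the service's classification are all assumptions made for illustration.

```python
from enum import IntEnum
from typing import NamedTuple

class Level(IntEnum):              # constructed sensitivity levels (assumption)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2

class Service(NamedTuple):
    method: str                    # HTTP verb of the RESTful call
    resource: str                  # FHIR resource type, e.g. "Patient"

# MAC: a classification is attached to each service, not to each record.
CLASSIFICATION = {
    Service("GET", "Patient"): Level.CONFIDENTIAL,
    Service("GET", "Observation"): Level.CONFIDENTIAL,
    Service("POST", "Observation"): Level.CONFIDENTIAL,
    Service("POST", "MedicationRequest"): Level.SECRET,
}
# RBAC: the services each (hypothetical) role may invoke.
ROLE_SERVICES = {
    "physician": set(CLASSIFICATION),
    "nurse": {Service("GET", "Patient"), Service("GET", "Observation"),
              Service("POST", "Observation")},
}
# Constructed users: (role, clearance).
USERS = {
    "alice": ("physician", Level.SECRET),
    "bob": ("nurse", Level.CONFIDENTIAL),
    "carol": ("physician", Level.CONFIDENTIAL),
}

def to_service(method: str, path: str) -> Service:
    """Map e.g. 'GET /Patient/123?_format=json' to Service('GET', 'Patient')."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return Service(method.upper(), segments[0] if segments else "")

def authorize(user: str, method: str, path: str) -> tuple[bool, str]:
    """Deny by default; allow only if both the RBAC and MAC checks pass."""
    if user not in USERS:
        return False, "unknown user"
    role, clearance = USERS[user]
    service = to_service(method, path)
    if service not in CLASSIFICATION:
        return False, "service not registered"
    if service not in ROLE_SERVICES.get(role, set()):
        return False, "RBAC: role lacks permission on service"
    if clearance < CLASSIFICATION[service]:
        return False, "MAC: clearance below service classification"
    return True, "allowed"
```

Here `carol` holds a role that permits `POST /MedicationRequest` but is still refused by the MAC check, which is the case where the two models give different answers.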