US Core Testing Guide - Local Development build (v3.1.1-1). See the Directory of published versions
Draft as of 2023-08-25
<Requirements xmlns="http://hl7.org/fhir">
<id value="us-core-req-security"/>
<text>
<status value="generated"/>
<div xmlns="http://www.w3.org/1999/xhtml"><p>These requirements reference <a href="http://hl7.org/fhir/us/core/STU3.1.1/security.html">http://hl7.org/fhir/us/core/STU3.1.1/security.html</a></p><p>These requirements apply to the following actors:</p><ul><li><a href="ActorDefinition-us-core-requestor.html">US Core Requestor</a></li><li><a href="ActorDefinition-us-core-responder.html">US Core Responder</a></li></ul><h2>Statements</h2><table class="grid"><tr><td><b><a href="#us-core-req-security-01">us-core-req-security-01</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-01-a">us-core-req-security-01-a</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHOULD">SHOULD</a></td><td><div><p>In addition US Federal systems <strong>SHOULD</strong> conform with the risk management and mitigation requirements defined in NIST 800 series documents. This <strong>SHOULD</strong> include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls – policies, administrative practices, and technical controls – <strong>SHOULD</strong> be defined in the Business Associate Agreement when available.</p>
</div><p>Links:</p><ul><li>Parent: <a href="Requirements-us-core-req-security.html#us-core-req-security-01">US Core 3.1.1 Requirements for US Core General Security Considerations # us-core-req-security-01-a</a></li></ul></td></tr><tr><td><b><a href="#us-core-req-security-02">us-core-req-security-02</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> reference a single time source to establish a common time base for security auditing, as well as clinical data records, among computing systems.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-02-a">us-core-req-security-02-a</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHOULD">SHOULD</a></td><td><div><p>The selected time service <strong>SHOULD</strong> be documented in the Business Associate Agreement when available.</p>
</div><p>Links:</p><ul><li>Parent: <a href="Requirements-us-core-req-security.html#us-core-req-security-02">US Core 3.1.1 Requirements for US Core General Security Considerations # us-core-req-security-02-a</a></li></ul></td></tr><tr><td><b><a href="#us-core-req-security-03">us-core-req-security-03</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> keep audit logs of the various transactions.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-04">us-core-req-security-04</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> use TLS version 1.2 or higher for all transmissions not taking place over a secure network connection. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.)</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-04-a">us-core-req-security-04-a</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHOULD">SHOULD</a></td><td><div><p>US Federal systems <strong>SHOULD</strong> conform with FIPS PUB 140-2.</p>
</div><p>Links:</p><ul><li>Parent: <a href="Requirements-us-core-req-security.html#us-core-req-security-04">US Core 3.1.1 Requirements for US Core General Security Considerations # us-core-req-security-04-a</a></li></ul></td></tr><tr><td><b><a href="#us-core-req-security-05">us-core-req-security-05</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> conform to <a href="http://hl7.org/fhir/R4/security.html#http">FHIR</a> Communications Security requirements.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-06">us-core-req-security-06</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>For Authentication and Authorization, Systems <strong>SHALL</strong> support the <a href="http://www.hl7.org/fhir/smart-app-launch/history.cfml">SMART App Launch Framework</a> for client &lt;-&gt; server interactions. NOTE: The SMART on FHIR specifications include the required OAuth 2.0 scopes for enabling security decisions.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-07">us-core-req-security-07</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHALL">SHALL</a></td><td><div><p>Systems <strong>SHALL</strong> implement consent requirements per their state, local, and institutional policies.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-07-a">us-core-req-security-07-a</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHOULD">SHOULD</a></td><td><div><p>The Business Associate Agreements <strong>SHOULD</strong> document systems mutual consent requirements.</p>
</div><p>Links:</p><ul><li>Parent: <a href="Requirements-us-core-req-security.html#us-core-req-security-07">US Core 3.1.1 Requirements for US Core General Security Considerations # us-core-req-security-07-a</a></li></ul></td></tr><tr><td><b><a href="#us-core-req-security-08">us-core-req-security-08</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-SHOULD">SHOULD</a></td><td><div><p>Systems <strong>SHOULD</strong> provide Provenance statements using the <a href="http://hl7.org/fhir/us/core/STU3.1.1/StructureDefinition-us-core-provenance.html">US Core Provenance Profile</a> resource and associated requirements.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-09">us-core-req-security-09</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-MAY">MAY</a></td><td><div><p>Systems <strong>MAY</strong> implement the <a href="http://hl7.org/fhir/R4/security.html#digital%20signatures">FHIR Digital Signatures</a> and provide feedback on its appropriateness for US Core transactions.</p>
</div></td></tr><tr><td><b><a href="#us-core-req-security-10">us-core-req-security-10</a></b></td><td><a href="http://hl7.org/fhir/R5/codesystem-conformance-expectation.html#conformance-expectation-MAY">MAY</a></td><td><div><p>Systems <strong>MAY</strong> protect the confidentiality of data at rest via encryption and associated access controls. The policies and methods used are outside the scope of this specification.</p>
</div></td></tr></table></div>
</text>
<url
value="http://hl7.org/fhir/us/core-tg/Requirements/us-core-req-security"/>
<version value="3.1.1-1"/>
<name value="USCoreReqSecurity"/>
<title
value="US Core 3.1.1 Requirements for US Core General Security Considerations"/>
<status value="draft"/>
<date value="2023-08-25"/>
<publisher value="HL7 FHIR Infrastructure WG"/>
<contact>
<name value="HL7 FHIR Infrastructure WG"/>
<telecom>
<system value="url"/>
<value value="https://hl7.org/Special/committees/fiwg"/>
</telecom>
</contact>
<contact>
<name value="Richard Ettema"/>
<telecom>
<system value="email"/>
<value value="mailto:richard.ettema@aegis.net"/>
</telecom>
</contact>
<description
value="**Patient Privacy and Security**<br/><br/>US Core transactions often use patient-specific information, which could be exploited by malicious actors resulting in the exposure of patient data. For this reason, all US Core transactions must be secured appropriately with access limited to authorized individuals, data protected in transit, and appropriate audit measures taken.<br/><br/>Implementers **SHOULD** be aware of these [security considerations](http://hl7.org/fhir/R4/security.html) associated with FHIR transactions, particularly those related to:<br/><br/>* [Communications](http://hl7.org/fhir/R4/security.html#http)<br/>* [Authentication](http://hl7.org/fhir/R4/security.html#authentication)<br/>* [Authorization/Access Control](http://hl7.org/fhir/R4/security.html#authorization/access%20control)<br/>* [Audit Logging](http://hl7.org/fhir/R4/security.html#audit%20logging)<br/>* [Digital Signatures](http://hl7.org/fhir/R4/security.html#digital%20signatures)<br/>* [Security Labels](http://hl7.org/fhir/R4/security-labels.html)<br/>* [Narrative](http://hl7.org/fhir/R4/security.html#narrative)"/>
<jurisdiction>
<coding>
<system value="urn:iso:std:iso:3166"/>
<code value="US"/>
</coding>
</jurisdiction>
<reference value="http://hl7.org/fhir/us/core/STU3.1.1/security.html"/>
<actor
value="http://hl7.org/fhir/us/core-tg/ActorDefinition/us-core-requestor"/>
<actor
value="http://hl7.org/fhir/us/core-tg/ActorDefinition/us-core-responder"/>
<statement>
<key value="us-core-req-security-01"/>
<label value="us-core-req-security-01"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements."/>
</statement>
<statement>
<key value="us-core-req-security-01-a"/>
<label value="us-core-req-security-01-a"/>
<conformance value="SHOULD"/>
<requirement
value="In addition US Federal systems **SHOULD** conform with the risk management and mitigation requirements defined in NIST 800 series documents. This **SHOULD** include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls – policies, administrative practices, and technical controls – **SHOULD** be defined in the Business Associate Agreement when available."/>
<parent value="#us-core-req-security-01"/>
</statement>
<statement>
<key value="us-core-req-security-02"/>
<label value="us-core-req-security-02"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** reference a single time source to establish a common time base for security auditing, as well as clinical data records, among computing systems."/>
</statement>
<statement>
<key value="us-core-req-security-02-a"/>
<label value="us-core-req-security-02-a"/>
<conformance value="SHOULD"/>
<requirement
value="The selected time service **SHOULD** be documented in the Business Associate Agreement when available."/>
<parent value="#us-core-req-security-02"/>
</statement>
<statement>
<key value="us-core-req-security-03"/>
<label value="us-core-req-security-03"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** keep audit logs of the various transactions."/>
</statement>
<statement>
<key value="us-core-req-security-04"/>
<label value="us-core-req-security-04"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** use TLS version 1.2 or higher for all transmissions not taking place over a secure network connection. (Using TLS even within a secured network environment is still encouraged to provide defense in depth.)"/>
</statement>
<statement>
<key value="us-core-req-security-04-a"/>
<label value="us-core-req-security-04-a"/>
<conformance value="SHOULD"/>
<requirement
value="US Federal systems **SHOULD** conform with FIPS PUB 140-2."/>
<parent value="#us-core-req-security-04"/>
</statement>
<statement>
<key value="us-core-req-security-05"/>
<label value="us-core-req-security-05"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** conform to [FHIR](http://hl7.org/fhir/R4/security.html#http) Communications Security requirements."/>
</statement>
<statement>
<key value="us-core-req-security-06"/>
<label value="us-core-req-security-06"/>
<conformance value="SHALL"/>
<requirement
value="For Authentication and Authorization, Systems **SHALL** support the [SMART App Launch Framework](http://www.hl7.org/fhir/smart-app-launch/history.cfml) for client &lt;-&gt; server interactions. NOTE: The SMART on FHIR specifications include the required OAuth 2.0 scopes for enabling security decisions."/>
</statement>
<statement>
<key value="us-core-req-security-07"/>
<label value="us-core-req-security-07"/>
<conformance value="SHALL"/>
<requirement
value="Systems **SHALL** implement consent requirements per their state, local, and institutional policies."/>
</statement>
<statement>
<key value="us-core-req-security-07-a"/>
<label value="us-core-req-security-07-a"/>
<conformance value="SHOULD"/>
<requirement
value="The Business Associate Agreements **SHOULD** document systems mutual consent requirements."/>
<parent value="#us-core-req-security-07"/>
</statement>
<statement>
<key value="us-core-req-security-08"/>
<label value="us-core-req-security-08"/>
<conformance value="SHOULD"/>
<requirement
value="Systems **SHOULD** provide Provenance statements using the [US Core Provenance Profile](http://hl7.org/fhir/us/core/STU3.1.1/StructureDefinition-us-core-provenance.html) resource and associated requirements."/>
</statement>
<statement>
<key value="us-core-req-security-09"/>
<label value="us-core-req-security-09"/>
<conformance value="MAY"/>
<requirement
value="Systems **MAY** implement the [FHIR Digital Signatures](http://hl7.org/fhir/R4/security.html#digital%20signatures) and provide feedback on its appropriateness for US Core transactions."/>
</statement>
<statement>
<key value="us-core-req-security-10"/>
<label value="us-core-req-security-10"/>
<conformance value="MAY"/>
<requirement
value="Systems **MAY** protect the confidentiality of data at rest via encryption and associated access controls. The policies and methods used are outside the scope of this specification."/>
</statement>
</Requirements>
IG © 2023+ HL7 FHIR Infrastructure WG. Package hl7.fhir.us.core-tg#3.1.1-1 based on FHIR 4.0.1. Generated 2023-09-06