Posts

Showing posts from November, 2016

Is IUA (OAuth) useful in Service-to-Service http REST (#FHIR)?

My last article was regarding whether XUA (SAML) was useful in a Service-to-Service SOAP exchange. The same question came to me regarding FHIR and http REST. It was not as well described, as it came in a phone call. But essentially the situation is very similar. There are two trading partners that have an agreement (Trust Framework) that one will be asking questions using FHIR http REST interfaces of the other party.

Using Mutual-Authenticated TLS

The initial solution they were thinking of was to simply use Mutually-Authenticated TLS in place of the normal (Server Authenticated) https. This is easy to specify, and is consistent with IHE-ATNA. This solves authentication of the server to the client, and authentication of the client to the server. This solves the encryption and data integrity (authenticity) problem. Thus keeping EVERYONE else on the internet out of the conversation. The negative of this is that one must manage Certificates. One issued to the Client, One issued to the Server. T...

Is XUA useful in service-to-service?

I got an email question asking if the use of XUA is proper for situations of service-to-service communication.

"I am not sure how far XUA really got in the IHE world, but we have an HIE in XYZ [sic] that seems to want to implement it on every IHE transaction, even those without a document consumer. Our role with them is strictly at a system level as a document provider and of course we are using Mutual Authentication. Reading the XUA spec it seems that IHE was gunning for consent authorization of a document consumer and those transactions, though it never actually came out and said "just" those transactions. So my questions: Does the IHE have a stance on this? Are all transactions (XDS and PIX PDQ) to use SAML? Or is the spirit of the law about consent and document consumption calls?"

How much is XUA used... very hard to know. But the concept of XUA is simply that a requesting party identify the requesting agent using SAML. Where that agent is usually a human in an interactiv...

Starting to blog again

Sorry to my audience for not getting much from my blog lately. The transition to working life again has been distracting me. I am very sick of forms. I realize that I benefit from the forms being online, using a browser from the comfort of my home. I can only imagine that a few years ago all of this training and these forms would have been in-person and on paper.

Some blog topics:
- IHE (ITI and possibly others) Plans for next year...
- Finish out my Privacy Consent topic with a detailed breakdown of the abstract (done) into IHE-BPPC, IHE-APPC, HL7-CDA-Consent, HL7-FHIR-Consent, Kantara-Consent-Receipt, and OAuth and UMA
- IHE role in a FHIR world
- Adding sensitive data to a Health Information Exchange
- Something useful about Blockchain...
- Something assertive about OAuth and FHIR

I often write an article based on some random question I got via email, so please ask me random questions. You can try to use my blog "Ask Me A Question".

Starting my new chapter

I start my new job today. No office to go to; home is my office. I now work for a consulting organization, "By Light Professional IT Services, Inc", that has a 4-year contract supporting and enhancing the Health Information Exchange capability of the VA healthcare (VHA) to the rest of healthcare. I am a Standards Architect, doing the same thing I did for GE: standards creation and use. Working for the government I have had a few dozen forms to fill out; get fingerprinted; then hours of training. I will still be blogging about the standards developments, and implementation guidance on implementing those standards. I likely will be covering Privacy and Security less, heading more into transports and content.