I sent something similar to this to the HL7 Security workgroup today:
This strikes me as an interesting use case for SMART or
similar OAuth2 based authentication.
The use case is thus:
Through an API, a user wants to include certain kind of
information into the record. A given example might be an uncoded
medication. The provider organization wants to ensure that any uncoded
medications have a SEPARATE provider authorization before entry, specific to
the API call that attempted the request. For example, in a system that I
am familiar with, if using the EHR client, when an uncoded medication is
attempted to be entered, the provider is requested to verify their intent (via
a button click). In another case, to “sign” a document, it requires them
to re-enter their password information.
An authorization protocol that might work with a server and 3rd party applications wishing to adhere to these rules would be one in
which:
API call which failed due to these sorts of rules would generate a user override
authorization request token and pass it back to the caller in an extension to
the OperationOutcome resource. Such a token may also need to be
communicated in an out-of-band manner to an authorization endpoint (but could
also just be a signed JWT). The code associated with the OperationOutcome might indicate that additional user authorization is required.
The application would call the authorization server with this token to request user authorization to complete the API request via a web-based UI that used redirection much in the same way that SMART on FHIR does today. It might also include its current user's access token, although that seems unnecessary since the token supplied by the application would seem to be enough validation of the user.
The authorization server would interact with
the user to request their authorization to complete the request. On
receipt of the user authorization (either by clicking yes, or
reauthenticating, or whatever), it would provide an override token to the calling application. Such token could then be
passed in to a repeat of the API call. The API call would find the same
problem, but having been given the override token, would be able to accept the
request.
Such a protocol might also include in the given override request token a signal
with regard to the degree of user reauthentication/authorization necessary. For example,
many systems that have a physician “sign” a document, require the physician to
reauthenticate to the application, whereas other override responses are simply
a button click (e.g., uncoded medication).
An application that is aware of these special cases might
also want to have a way to short circuit the API failure part of the request
loop, and preemptively obtain provider authorization.
Your thoughts? Is this a reasonable thing to consider?
Keith