Security

Regulatory

The information owner of the system is responsible for ensuring that the information produced is disclosed only to consumers approved by the information owner. Compliance with local regulations must be evaluated when developing applications using the Cambio Open Services APIs.

Information security

Communication between the client and the COS service is encrypted with TLS v1.2. The COS service uses a certificate signed by a public CA for this purpose.

Authentication

COS supports the OAuth 2.0 client credentials flow. Each COS client receives a static client ID and a secret, which are used to obtain an access token. A new access token must be requested when the current token expires.

Authorization

Each integration needs to be configured in the COS Authentication service with the relevant access scopes, based on the APIs that will be accessed. COS supports SMART on FHIR (v1.1.0) notation when defining access scopes.

All APIs using the patient header require the partner-api-client scope.
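
One way a client can hold the access token, renew it at expiry, and confirm that the configured scopes were actually granted. This is an added example, not Cambio's code: the token URL is a placeholder, sending the credentials in an HTTP Basic header is an assumption, and `TokenCache` and the injected `post` transport are hypothetical names.

```python
import base64
import time
from urllib.parse import urlencode

# Placeholder: the page does not give the COS token endpoint.
TOKEN_URL = "https://cos.example.invalid/oauth2/token"


class TokenCache:
    """Caches a client-credentials access token and renews it at expiry."""

    def __init__(self, client_id, client_secret, scopes, post,
                 clock=time.monotonic, skew=30):
        # Assumption: credentials go in an HTTP Basic header (RFC 6749, 2.3.1).
        pair = f"{client_id}:{client_secret}".encode()
        self._basic = base64.b64encode(pair).decode()
        self._scopes = list(scopes)
        self._post = post      # hypothetical transport: (url, headers, body) -> dict
        self._clock = clock
        self._skew = skew      # renew this many seconds before the stated expiry
        self._token = None
        self._expires_at = 0.0

    def get(self):
        """Return a valid access token, requesting a new one when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            self._renew()
        return self._token

    def _renew(self):
        headers = {"Authorization": f"Basic {self._basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "client_credentials",
                          "scope": " ".join(self._scopes)})
        reply = self._post(TOKEN_URL, headers, body)
        if "access_token" not in reply:
            # Report only the OAuth error code; never log headers or the secret.
            raise RuntimeError(f"token request failed: {reply.get('error', 'unknown')}")
        # A reply without "scope" means the requested scopes were granted as asked.
        granted = reply["scope"].split() if "scope" in reply else self._scopes
        missing = sorted(set(self._scopes) - set(granted))
        if missing:
            raise PermissionError(f"scopes not granted: {missing}")
        self._token = reply["access_token"]
        # A missing expires_in is treated as 0, so the next get() renews again.
        lifetime = int(reply.get("expires_in", 0))
        self._expires_at = self._clock() + max(0, lifetime - self._skew)
```

Pass the real HTTPS call in as `post`, and load the client secret from a secret store rather than from source code.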