Security Model > Privacy and Security Considerations
The following security items must be considered when integrating with the IAR Visual App:
When a new patient is put in context in the Client Application, the IAR Visual App is relaunched. At this point, any existing user- and patient-related data (from the previous patient and user context) is removed from the IAR Visual App, including the OAuth access and refresh tokens.
When the browser window hosting the IAR Visual App is closed, all existing access tokens are removed and invalidated. The same access token can be reused in a different context.
The Authentication and Authorization JWT contains the exp data field (the expiration date/time). As best practice, this should be set to a very short time period so that the token cannot be used for an extended period of time.
In addition, the Client Application and IAR servers should have their system clocks synchronized for correct handling of this field.
The OAuth access token that the IAR Visual App uses to retrieve data from IAR also contains an exp field. It is set up for a longer period of time, allowing the end user to keep interacting with the IAR Visual App. If the user still communicates with the IAR Visual App after the access token has expired, the appropriate message will be returned. The user must have the ability to re-launch the IAR Visual App with new JWT tokens.
The IAR Data API supports Cross-Origin Resource Sharing (CORS). The domain name of the Client Application should be configured in IAR to allow the cross-origin HTTP requests coming from the Client Application.
The IAR Visual App adheres to the same IAR consent model as the clinical portal.
End-user access to IAR data via the Visual App is audited. The following client application user attributes are captured: