Security

Note: This page is an early draft and will most likely undergo significant revisions.

Logging

It is recommended to follow the logging guidelines specified by the Directorate of e-Health.

Servers may choose to store and communicate access information using FHIR resources designed for this purpose. The AuditEvent resource may be used for audit logging. The Provenance resource can provide information about the process by which a resource came to be, which is critical for maintaining data integrity.

Security labels

If a server chooses to transform resources by anonymizing or redacting elements, or otherwise modifies them so that the resource presents itself differently from the origin resource, security labels could provide metadata about this. For example, the REDACTED code is used as a flag to indicate that some part of the resource was filtered.
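
A sketch of a server-side redaction step that applies the REDACTED label described above. It is an added example, not part of this guide or of any server implementation; the `redact` helper, its dotted path syntax and the sample Patient are assumptions made for illustration.

```python
import copy

# REDACTED security label from the HL7 v3 ObservationValue code system.
REDACTED_LABEL = {
    "system": "http://terminology.hl7.org/CodeSystem/v3-ObservationValue",
    "code": "REDACTED",
    "display": "redacted",
}

# Constructed sample resource, not real patient data.
PATIENT = {
    "resourceType": "Patient",
    "id": "example",
    "meta": {"versionId": "1"},
    "identifier": [{"system": "urn:example:national-id", "value": "00000000000"}],
    "name": [{"family": "Example"}],
    "contact": [{"name": {"family": "Kin"}, "telecom": [{"value": "555-0100"}]}],
}


def _remove(node, parents, leaf):
    """Follow `parents` through dicts and lists, delete `leaf`, report any deletion."""
    if isinstance(node, list):
        # Build the full list first so every repetition is processed.
        return any([_remove(item, parents, leaf) for item in node])
    if not isinstance(node, dict):
        return False
    if parents:
        return _remove(node.get(parents[0]), parents[1:], leaf)
    return node.pop(leaf, None) is not None


def redact(resource, paths):
    """Return a redacted copy, labelled REDACTED only if something was removed."""
    # paths: hypothetical dotted syntax such as "contact.telecom", not FHIRPath.
    out = copy.deepcopy(resource)  # never alter the origin resource
    removed = False
    for path in paths:
        *parents, leaf = path.split(".")
        removed = _remove(out, parents, leaf) or removed
    if removed:
        labels = out.setdefault("meta", {}).setdefault("security", [])
        key = (REDACTED_LABEL["system"], REDACTED_LABEL["code"])
        # Do not add the label twice when the resource is redacted again.
        if key not in {(l.get("system"), l.get("code")) for l in labels}:
            labels.append(dict(REDACTED_LABEL))
    return out
```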

Directorate of e-Health

The Norwegian Directorate of e-Health publishes guidelines and standards on healthcare security. Full lists of standards and guidelines based on Normen have been published. Some documents that could be relevant are: