Northern Region Eclair Orders and Results FHIR API

Security Standards

This page provides security standards for API consumers.

Introduction

This document describes, at a relatively high level, the security standards that a consumer of HA APIs must be able to comply with in order to consume those services.

This document does not cover development standards such as OWASP that would apply to internal API developers, nor does it attempt to prescribe any standards for external API consumers for the development of software.

This document does not cover commercial and contractual requirements.

Security Controls

The following security controls are built into all APIs and as such become mandatory controls that a consumer MUST adhere to:

All connections to an API will be via the HA API Gateway.

Connections to an API endpoint must be made using static IP addresses dedicated to the Consumer.

All connections to an API endpoint will be by way of an HTTPS connection, using a minimum of TLS 1.2 with the AES256-SHA256 cipher suite.

All API access must use (Azure) AD authentication with an OAuth client credentials grant.

Consuming systems must provide the mandatory x-ha-metadata header containing a JWT signed with HMAC-SHA384 (JWS algorithm HS384), using a symmetric key that HA will supply.

Additional considerations

Consuming systems must be able to audit calls to the API made by their users and systems.

In anticipation of there being a need to assist HA in investigating an incident, the following information should be included in Consumer logging mechanisms:

· Date & Time of an API request where the time is synchronized to an external time source

· Identity of the calling user

· Parameters supplied to the API call.
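The controls above (TLS 1.2 floor, bearer token from the client credentials grant, HS384-signed x-ha-metadata header) and the audit fields just listed, worked through as an added example that is not HA's code. The claim names, the header layout and the key (a constructed placeholder) are assumptions; HA's actual claim set and key distribution are not described on this page.

```python
# Added example, not HA's code. Assumed: claim names, placeholder key, header layout.
import base64, hashlib, hmac, json, ssl, time
from datetime import datetime, timezone

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _seg(obj) -> str:  # JSON with no whitespace, then base64url (JWS compact form)
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_metadata_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS for x-ha-metadata: alg HS384 is HMAC-SHA384 over header.payload."""
    signing_input = f"{_seg({'alg': 'HS384', 'typ': 'JWT'})}.{_seg(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha384).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_metadata_jwt(token: str, key: bytes, now=None) -> dict:
    """Receiver-side check: pinned alg, constant-time MAC compare, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS384":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha384).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims

def gateway_ssl_context() -> ssl.SSLContext:
    """Client context with the TLS 1.2 floor the gateway requires."""
    ctx = ssl.create_default_context()  # verifies the gateway certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_request_headers(access_token: str, metadata_jwt: str) -> dict:
    # Bearer token from the Azure AD client-credentials grant plus the HA header
    return {"Authorization": f"Bearer {access_token}", "x-ha-metadata": metadata_jwt}

def audit_record(user: str, method: str, path: str, params: dict) -> dict:
    """Consumer log entry: UTC time (host clock assumed NTP-synced), caller, parameters."""
    return {"ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "user": user, "method": method, "path": path, "params": params}
```

Each outbound call should be written to the audit log before the request is sent, so that a failed or timed-out call is still recorded.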

If you are unable to meet these controls, an exemption must be sought and signed off by the SRO and CISO.
