Jumpstart_Health_data_with_FHIR_on_Azure.pdf

FHIR (Fast Healthcare Interoperability Resources) is quickly becoming the standard for RESTful healthcare interoperability.

Many healthcare organizations, technology service providers and architects/developers are investing time in FHIR.

When we Google the term FHIR we get a ton of information, and it can be overwhelming. As healthcare IT professionals we need to understand the FHIR model and its API conventions, be able to spin up a FHIR server and, in particular, be able to answer the question "how does FHIR fit with our cloud strategy" now that everything is heading towards the cloud.

Thankfully, Microsoft and the Azure teams are not standing idle. They are making a lot of resources available and providing the building blocks needed to get started quickly.

David Vaccaro

October 16, 2019
Transcript

  1. Who Am I

     Background keywords from the slide: web, console, desktop and device development; assembly, C/C++, VB, VB .NET, C#, ASP .NET; database, middle tier, UI and control systems.
  2. Why Today's Demo

     • Challenges with healthcare data exchange are not new
     • Cloud strategy has changed the enterprise integration landscape
     • Hybrid integration is a reality (for many organizations)
     • Organizations are also rethinking the usage of costly middleware

     FHIR on Azure simply made sense for me
  3. Options That Stood Out

     Option 1 – Azure API for FHIR (Preview) by Microsoft
     • Securely manage Protected Health Information (PHI)
     • Provides Role-Based Access Control (RBAC)
     • Available within the Azure portal
     • It's a managed Platform-as-a-Service (PaaS) solution
     • A black box with reliance on Cosmos DB and Azure AD

     Option 2 – Open Source FHIR Server by Microsoft
     • Securely manage Protected Health Information (PHI)
     • Provides Role-Based Access Control (RBAC)
     • Available in GitHub
     • Built with logical separation (Hosting, API, Logic, Persistence)
     • Allows developers more control

     Note: we can deploy options 1 and 2 using the Azure Portal, Bash and PowerShell
  4. Basic Settings

     • Subscription – Select a subscription
     • Resource Group – Create new or select existing; Azure follows this convention to organize resources
     • Account name – Select a name for the resource (keep it consistent with the API name)
     • Location – Pick the desired deployment location
     • FHIR Version – Pick between R4 and STU3
  5. Advanced Settings

     • Authority – Tenant-specific URI for Azure AD (the issuer whose tokens the API will trust)
     • Audience – Target resource (the FHIR API) the access token is intended for; tokens issued for any other resource are rejected
     • Allowed Object IDs – Object IDs that are allowed to access this Azure API for FHIR
       o Can be a user or a service principal in Azure AD
       o It's my id for the demo
     • SMART on FHIR proxy – Check if the API will be consumed by a SMART on FHIR application
       o Serves as an adapter between the SMART on FHIR convention and Azure AD
     • Cosmos DB throughput (RU/s) – Throughput used to calculate the Cosmos DB cost
  6. Traditional Approach in Securing an API

     Diagram: a system account, internal apps and external apps call the API directly with a user ID/password, a token or certificates; the API itself handles authentication and authorization.
  7. Modern Approach in Securing an API

     Diagram: internal and external apps first obtain a token from Identity & Access Management, then call the API with the token plus the requested resources. The API is decoupled from Identity & Access Management.
  8. Securing the FHIR API on Azure

     Actors in the diagram: Azure AD, the FHIR API and the client applications (steps 1 to 6).

     1. Azure AD serves as the gatekeeper for the FHIR API
        • The API is registered as a resource application
        • Define fine-grained permissions if needed
     2. The client applications also need to be registered with the identity provider
        • They receive a Client ID, security keys, etc.
     3. The client application authenticates to Azure AD
        • It presents its details (Client ID, security key and the FHIR API resource it wants) to Azure AD
        • It receives an access token
     4. The client application invokes the FHIR API with the access token, sent as a bearer token in the Authorization header. The Client ID and security key are presented only to Azure AD in step 3, never to the API.
     5. The API validates the token against Azure AD: signature against the tenant's published signing keys, issuer, audience (the API itself), expiry, and the caller against the Allowed Object IDs
     6. The API returns results or errors
  9. Types of Application

     Traditional Web App
     • The user logs into the application
     • The user's requests are handled by the server
     • So the server needs to get authorization on behalf of the user before calling the API
     • Considered a confidential client, since the server can keep critical authorization info (such as a client secret) secret

     Desktop App, Mobile App, SPA or SMART on FHIR app
     • The user may not log in to a server-side component
     • The app itself needs to get authorization on behalf of the user before calling the API
     • Considered a public client, since it can't keep critical authorization info secret

     Agent (or daemon)
     • No users
     • The app needs to get authorization in its own right before calling the API
       o Typically uses a system account (a service principal)
     • Sometimes referred to as a service client

     Diagram: Web App, Desktop App, SPA, Agent and Mobile App are the clients; the FHIR API is referred to as the resource application
  10. Cross-Origin Resource Sharing (CORS)

     Origin            A list of domains allowed to make cross-origin requests to the FHIR API.
                       An asterisk (*) allows calls from any domain.
     Headers           A list of headers that the origin request will contain. To allow all
                       headers, enter an asterisk (*).
     Methods           PUT, GET, POST, DELETE
     Max Age           The value in seconds to cache preflight request results for
                       Access-Control-Allow-Headers and Access-Control-Allow-Methods.
     Allow Credential  CORS requests normally don't include cookies, to prevent cross-site
                       request forgery (CSRF) attacks. If you select this setting, the request
                       can be made to include credentials, such as cookies. You can't configure
                       this setting if you already set Origins to an asterisk (*).

     Can be used to apply more restriction on the API
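     The CORS settings above, as an added Python example (not the deck's or the service's code): a hypothetical `CorsPolicy` holding the five settings from the slide, enforcing the rule that Allow Credentials cannot be combined with a wildcard origin, and a `preflight` function that answers a browser's OPTIONS request the way the API would. The permissive and locked-down policies and the origins used are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsPolicy:
    """The five CORS settings from slide 10 (hypothetical class for the demo)."""
    origins: List[str]
    headers: List[str] = field(default_factory=lambda: ["*"])
    methods: List[str] = field(default_factory=lambda: ["GET", "POST", "PUT", "DELETE"])
    max_age: int = 1440          # seconds the browser may cache the preflight result
    allow_credentials: bool = False

    def __post_init__(self):
        if self.allow_credentials and "*" in self.origins:
            # Slide 10: not configurable together. Browsers also refuse '*' with
            # credentials, because any site could then send the user's cookies to the API.
            raise ValueError("Allow Credentials cannot be enabled when Origins is '*'")
        self.methods = [m.upper() for m in self.methods]


def preflight(policy: CorsPolicy, origin: str, method: str,
              request_headers: List[str]) -> Optional[Dict[str, str]]:
    """Answer an OPTIONS preflight: the response headers the API would send,
    or None when the cross-origin call is not allowed by the policy."""
    if "*" in policy.origins:
        allowed_origin = "*"        # any site may call: acceptable for public test data only
    elif origin in policy.origins:
        allowed_origin = origin     # echo the listed origin, never an unchecked Origin header
    else:
        return None
    if method.upper() not in policy.methods:
        return None
    if "*" not in policy.headers:
        allowed = {h.lower() for h in policy.headers}
        if any(h.lower() not in allowed for h in request_headers):
            return None
    response = {
        "Access-Control-Allow-Origin": allowed_origin,
        "Access-Control-Allow-Methods": ", ".join(policy.methods),
        "Access-Control-Allow-Headers": ", ".join(policy.headers),
        "Access-Control-Max-Age": str(policy.max_age),
    }
    if policy.allow_credentials:
        response["Access-Control-Allow-Credentials"] = "true"
        response["Vary"] = "Origin"  # the answer now depends on the Origin header
    return response


# Constructed policies: the permissive default many demos start with, and a locked-down
# one for a SMART on FHIR dashboard hosted at a single known origin.
PERMISSIVE = CorsPolicy(origins=["*"])
LOCKED_DOWN = CorsPolicy(
    origins=["https://dashboard.example"],
    # Explicit list: with credentials, browsers treat '*' in Allow-Headers literally.
    headers=["Authorization", "Content-Type"],
    methods=["GET", "POST"],
    allow_credentials=True,
)

if __name__ == "__main__":
    print(preflight(PERMISSIVE, "https://anything.example", "DELETE", ["Authorization"]))
    print(preflight(LOCKED_DOWN, "https://anything.example", "GET", []))
    print(preflight(LOCKED_DOWN, "https://dashboard.example", "GET", ["Authorization"]))
```

     With the permissive policy every origin, including an attacker's page, gets an allow answer; the locked-down policy refuses unknown origins, unlisted methods and unlisted headers, and only then adds the credentials header.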
  11. Get Access Token in Postman

     Token Name             Meaningful name
     Grant Type             Authorization Code
     Callback URL           https://www.getpostman.com/oauth2/callback
     Auth URL               https://login.microsoftonline.com/{TENANT-ID}/oauth2/authorize?resource=<audience>
                            (<audience>: the API URI)
     Access Token URL       https://login.microsoftonline.com/{TENANT-ID}/oauth2/token
     Client ID              Client "Application ID" defined in Azure AD
     Client Secret          Secret client key defined in Azure AD
     Scope                  NA
     State                  NA
     Client Authentication  Send client credentials in body
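     The token exchange from slides 8 and 11 and the Allowed Object IDs check from slide 5, as an added Python example (not the deck's or Microsoft's code). It builds the client-credentials request a daemon client (slide 9) posts to the v1 token endpoint, where the audience is passed as `resource` exactly as in the Postman Auth URL, and then runs the checks the FHIR API applies to the returned token: signature, issuer, audience, expiry and caller object ID. Azure AD signs tokens with RS256 and publishes its keys at the tenant's jwks_uri; to run offline this demo substitutes an HS256 shared key (`DEMO_KEY`), and the tenant ID, client ID, object IDs, audience URI and expected issuer string are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: in practice these are the Authority, Audience and
# Allowed Object IDs configured on the Azure API for FHIR (slide 5).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
AUDIENCE = "https://demo-fhir.azurehealthcareapis.com"
# v1 tokens carry the issuer in this form; a real server reads it from the
# Authority's metadata document rather than hard-coding it (demo assumption).
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
ALLOWED_OBJECT_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}
DEMO_KEY = b"constructed-shared-secret-for-demo-only"  # stand-in for the IdP signing key


def token_request(client_id, client_secret, resource=AUDIENCE):
    """Endpoint and body a daemon client POSTs to Azure AD (slide 8, step 3).
    The client secret goes only here, never to the FHIR API itself."""
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # v1 endpoint: audience requested as 'resource' (slide 11)
    }
    return url, body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=DEMO_KEY):
    """Stand-in for Azure AD issuing the access token (HS256 here; Azure AD uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token, key=DEMO_KEY, now=None):
    """Checks the resource application runs before serving a request (slide 8, step 5).
    Raises ValueError with the reason; returns the claims when every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    if claims.get("aud") != AUDIENCE:  # a token minted for another resource is refused
        raise ValueError(f"token not intended for this API (aud={claims.get('aud')!r})")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("oid") not in ALLOWED_OBJECT_IDS:  # slide 5 'Allowed Object IDs'
        raise ValueError(f"caller {claims.get('oid')!r} is not an allowed object ID")
    return claims


def call_fhir_api(token, path="/Patient", now=None):
    """Steps 4 to 6 of slide 8: the client sends only 'Authorization: Bearer <token>'."""
    headers = {"Authorization": f"Bearer {token}"}
    scheme, _, presented = headers["Authorization"].partition(" ")
    if scheme != "Bearer" or not presented:
        return 401, "missing bearer token"
    try:
        claims = validate_token(presented, now=now)
    except ValueError as err:
        return 401, str(err)
    return 200, f"{path} served for oid {claims['oid']}"


def demo_claims(**overrides):
    """Claims Azure AD would put in a token for the allowed service principal (constructed)."""
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "oid": "aaaaaaaa-0000-0000-0000-000000000001",
        "appid": "bbbbbbbb-0000-0000-0000-000000000002",
        "exp": int(time.time()) + 3600,
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    print(token_request("bbbbbbbb-0000-0000-0000-000000000002", "<secret>"))
    print(call_fhir_api(mint_token(demo_claims())))
    print(call_fhir_api(mint_token(demo_claims(aud="https://other-api.example"))))
```

     The audience check is what makes the Audience setting on slide 5 matter: a token legitimately issued to the same client for a different API, or a token for this API minted by another tenant, is refused before any FHIR resource is touched. Use https://jwt.ms (listed in the resources) to inspect the `aud`, `iss` and `oid` claims of a real token when troubleshooting a 401.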
  12. How the Samples Are Deployed

     Diagram of the sample deployment: FHIR Dashboard, SMART on FHIR app, FHIR Server, a Function (bulk load) fed from Blob Storage, and Data Factory. A second view shows how I customized the samples and incorporated my Desktop Importer App.
  13. FHIR Server Comparison

     Columns: Azure API for FHIR | Open Source FHIR Server

     General Architecture      PaaS | .NET Core implementation of the FHIR standard with logical separation
     Deployment Options        Azure Portal, PowerShell scripts, Bash | Azure Portal, PowerShell scripts, Bash
     Database                  Cosmos DB | Cosmos DB, Azure SQL
     IAM                       Microsoft Identity Platform | Microsoft Identity Platform
     Other Azure Resources     NA | Application Insights, Key Vault, App Service & App Service Plan
     Audit Logs                Available (not visible yet) | Available (not visible yet)
     Access to Source Code     No | Yes
     Customization/Extension   Only Cosmos DB throughput | All layers
     Samples                   Extensive | Extensive
     Deployment Scripts        Extensive | Extensive
  14. Use Case 1 (Somewhat Standalone App)

     Diagram: Integration Layer, FHIR Server, Analytics. Azure API for FHIR (Option 1) is a good candidate.
  15. Use Case 2 (Clinical Trial Landscape)

     Diagram: Integration Layer, FHIR Server, CTMS, Analytics, Labs, EDC. Open Source FHIR Server (Option 2) is a good candidate.
  16. Resources

     Details on Azure API for FHIR (both options)   https://docs.microsoft.com/en-us/azure/healthcare-apis/
     Open Source FHIR Server Git repo              https://github.com/Microsoft/fhir-server
     FHIR Server samples                           https://github.com/Microsoft/fhir-server-samples
     Synthea (patient data generator)              https://github.com/synthetichealth/synthea
     Microsoft Identity Platform                   https://docs.microsoft.com/en-us/azure/active-directory/develop/
     Translate token (good for troubleshooting)    https://jwt.ms
     Enterprise Integration Patterns               https://www.enterpriseintegrationpatterns.com/