The security page shows how to establish initial security credentials (where necessary) with the an ITK3 Messaging Solution

What is ITK3 Messaging Solution Security?

ITK3 Messaging Solution Security often encapsulates authentication and encryption. However, various concepts requiring diverse expertise and approaches need to be considered especially concerning testing and quality:

  • Authentication: reliably identify end user
  • Authorisation: identified user access to correct resources/data
  • Encryption: hide information from unauthorized access
  • Signatures: ensure information integrity

Two common ways of accessing and managing ITK3 Messaging Solution security based on the need to balance access to ITK3 Messaging Solutions with the permissions to access the information contained within the ITK3 FHIR Documents and messages include:

  • Federation: reusing Credentials & Spreading Resources
  • Delegation: access and rights can be given to authorized users

Authentication and Authorisation

Authentication and authorisation are commonly used together:

  • Authentication: reliably identify end user
  • Authorisation: identified user access to correct resources/data

Authentication is most often implemented with a user-name and password. To increase the security this can be supplemented by adding

  • software certificates,
  • hardware keys and
  • external devices.

Authorisation occurs once the user is authenticated, the system decides which resources or data to allow access to.

Security and ITK3 Messaging Solutions

Security is a key consideration when establishing ITK3 Messaging Solution projects and should be considered within the design from the start of any project. The four key principles to consider are:

  • Authentication
  • Authorisation
  • Encryption
  • Signatures

For more information on the wider design decisions involved in providing safe access to information please see:

  • Safe, legal and secure guide from developer.nhs.uk provides an overview of some design decisions and considerations to consider when implementing APIs.
Tags: design