Interface security

Introduction

Security is an important condition for exchanging information over the FHIR interface. ZorgDomein uses a FHIR client, which either requests information from a FHIR server of a XIS or sends documents to a XIS. For both requesting and sending, FHIR REST calls are used. Security for these calls is warranted by two means: by deploying a two-sided TLS connection in which ZorgDomein offers a client certificate for authentication purposes, and by supplying every call with an HTTP header containing a signed token.

Two-sided TLS connection

By deploying a two-sided TLS connection, all information during transport is encrypted. It also creates the possibility to set up authentication to make sure only clients with a recognized certificate gain access to the FHIR interface of a XIS. Contact us to set up such a connection and to exchange certificates.

Conform the security guidelines of the dutch National Cyber Security Center (NCSC) we only support TLS 1.2 with the following ciphers: 

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

Server Token specifications

Next to deploying a two-sided TLS connection, ZorgDomein also includes a JSON Web Token (JWT) in the HTTP headers of every REST call. The JWT is provided with a signature, with which the XIS supplier may validate if a token is actually issued by ZorgDomein. A public key is necessary for the validation. Contact us to obtain a public key.

From the payload of the token, the user that executed the call can be determined. This is achieved on the basis of a combination of organization id and user id, just like with the SSO token. With this information, the XIS can determine if a user is authorized to access the requested information.

The token is included in the HTTP headers of the REST calls that ZorgDomein directs at the FHIR interface of the XIS. To this end, Authorization : Bearer is used. An example of such an HTTP header (line breaks added for readability):

Authorization : Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
	eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
	TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Token specifications

Token-header

The header of the token contains three parts:

  • typ: JWT (static value)
  • alg: RS256 (static value)
  • kid: the key id; this id can be used to determine which public key may be used to validate the signature. The kid is exchanged at the same time as the public key.

Token-payload

Parameter Description Datatype Example value
iss Identifier of XIS issuing token String (fixed) ZorgDomein
jti Identifier of the token String 4a006a12-dc2b-470a-b031-a3682b653ba7
iat Token creation timestamp NumericDate 1496275200
org-id.system* System the organization identifier originates from String, see: Table 3 fixed value: local
org-id.value* Organization identifier value
NB: This parameter contains the value of the unique organization identifier that was exchanged during auto-activation.
String 10987654
user-id.system* System the user identifier originates from String, see: Table 2 agb
user-id.value* User identifier value String 01234567
responsible-id.system* System the user identifier of the responsible practitioner originates from String agb
responsible-id.value* User identifier for the responsible practitioner String 01234567
context.xis-transaction-id* Unique transaction identifier as issued by the XIS at the start of the transaction String 6fb34257-7e0d-41a1-b8a7-417a50de6d39

* These payload parameters are only set when the session with ZorgDomein started through SSO from a XIS. 

Example of a token

Token header

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "ZorgDomein-TIO-2017"
}

Token payload

{
  "iss": "ZorgDomein",
  "jti": "4a006a12-dc2b-470a-b031-a3682b653ba7",
  "iat": 1475482548,
	  
  "user-id.system": "agb-z",
  "user-id.value": "01029999",
  "org-id.system": "agb-z",
  "org-id.value": "05029999",
"context.xis-transaction-id": "6fb34257-7e0d-41a1-b8a7-417a50de6d39" }
  • Deze informatie is alleen beschikbaar in het Engels.
  • The information on this page applies to ZorgDomein Integrator FHIR Edition.