Search

Security

Introduction

Security is an important condition for exchanging information over the FHIR interface. ZorgDomein uses a FHIR client, which either requests information from a FHIR server of a XIS or sends documents to a XIS. For both requesting and sending, FHIR REST calls are used. Security for these calls is warranted by two means:

  • On network level by deploying a two-sided TLS connection in which ZorgDomein offers a client certificate for authentication purposes
  • On application level by supplying every call with an HTTP header containing a signed token.

Network level security: mutual TLS

Deploying a mutual TLS connection ensures that:

  1. All information is encrypted during transport. 
  2. ZorgDomein can authenticate the XIS by the server certificate that the XIS will present to ZorgDomein during the handshake. 
  3. The XIS can authenticate ZorgDomein by the client certificate that ZorgDomein will present to the XIS during the handshake. Please note that the XIS must actively request and validate this client certificate during handshake to setup a mutually authenticated connection!

Contact us to set up such a connection and to exchange certificates.

Conform the security guidelines of the dutch National Cyber Security Center (NCSC) we only support TLS 1.2 with the following ciphers: 

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305

Application level security: JSON Web Tokens

Next to deploying a two-sided TLS connection, ZorgDomein also includes a JSON Web Token (JWT) in the HTTP headers of every REST call. The JWT is provided with a signature, with which the XIS supplier should validate if a token is actually issued by ZorgDomein. A public key is necessary for the validation. Contact us to obtain a public key.

If ZorgDomein interacts with a FHIR endpoint after a user has logged in to ZorgDomein through SSO, ZorgDomein will provide user and organization details of the acting user in the token. This way, all user and context details that were provided in the SSO token are fed back to the XIS for each FHIR request. With this information, the XIS can determine if a user is authorized to access the requested information.

The token is included in the HTTP headers of the REST calls that ZorgDomein directs at the FHIR interface of the XIS. To this end, Authorization : Bearer is used. An example of such an HTTP header (line breaks added for readability):

Authorization : Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
	eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
	TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Token specifications

Token-header

The header of the token contains three parts:

  • typ: JWT (static value)
  • alg: RS256 (static value)
  • kid: the key id; this id can be used to determine which public key may be used to validate the signature. The kid is exchanged at the same time as the public key.

Token-payload

Parameter Description Datatype Example value
iss Identifier of XIS issuing token String (fixed) ZorgDomein
jti Identifier of the token String 4a006a12-dc2b-470a-b031-a3682b653ba7
iat Token creation timestamp NumericDate 1496275200
exp Token expiration timestamp NumericDate 1496275200 
org-id.system* System the organization identifier originates from String fixed value: local
org-id.value* Organization identifier value
NB: This parameter contains the value of the unique organization identifier that was exchanged during auto-activation.
String 10987654
user-id.system* System the user identifier originates from String agb
user-id.value* User identifier value String 01234567
responsible-id.system* System the user identifier of the responsible practitioner originates from String agb
responsible-id.value* User identifier for the responsible practitioner String 01234567
context.xis-transaction-id* Unique transaction identifier as issued by the XIS at the start of the transaction String 6fb34257-7e0d-41a1-b8a7-417a50de6d39

* These payload parameters are only set when the session with ZorgDomein started through SSO from a XIS. 

Token example

Token header

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "ZorgDomein-TIO-2017"
}

Token payload

{
  "iss": "ZorgDomein",
  "jti": "4a006a12-dc2b-470a-b031-a3682b653ba7",
  "iat": 1475482548,
	  
  "user-id.system": "agb-z",
  "user-id.value": "01029999",
  "org-id.system": "agb-z",
  "org-id.value": "05029999",
"context.xis-transaction-id": "6fb34257-7e0d-41a1-b8a7-417a50de6d39" }