SMART on FHIR

The Veradigm FHIR API supports SMART on FHIR application development. For more information on SMART application development, go to HL7’s SMART App Launch page. Authentication Standalone launch (outside the context of an EHR) Configure a SMART launch in Veradigm EHR SMART on FHIR Backend Services (System Callers) Keys JWKS endpoint Veradigm processes the certificate updates Authentication flow

Authentication

There are three methods of authentication for FHIR applications. The first two methods are used by human users:

• User/provider: Authenticates with Veradigm EHR application credentials
• Patient: Authenticates with patient portal (such as FollowMyHealth or AHC) credentials

In the third method, a computer system or third-party application calls the FHIR API. For example:

• An insurance company might connect to the FHIR endpoint to query the next week of appointments for patients to perform prior authorization tasks.
• The EHR might call the FHIR API to create data to send to another system in the FHIR format.
• Requests for bulk data are initiated, monitored, and then eventually transferred.

Standalone launch (outside the context of an EHR)

The Veradigm FHIR API follows the standalone launch process recommended by HL7 described here. When a SMART application is launched in standalone mode, the application user selects a healthcare organization, and then enters the EHR credentials (for provider applications) or portal credentials (for patient applications).

The standalone launch for a provider application may require the user to select a patient when the patient is not included in the token response.

Note: A patient must have already registered with the patient portal to launch a FHIR application.

The application developer needs information about the client (healthcare organization) to successfully test the standalone launch. They can obtain that information directly from the client, or they can go to the Veradigm Endpoint Directory to obtain the client’s FHIR endpoint URLs. Before the developer tests the application against a client’s endpoint, they should communicate their intention to the client.

The application developer can get the Capability Statement from the metadata URL or get the well-known SMART configuration information from the Veradigm FHIR API.

EHR launch (from within the EHR UI)

*The following sections apply to Veradigm Connect Integrator tiers or above.

The Veradigm FHIR API follows the EHR launch process recommended by HL7 described here. When the SMART application is launched from the EHR, the application provides two parameters:

• iss: FHIR endpoint URL.
• launch: Temporary launch authorization code provided by the EHR.

SMART application testing using an EHR launch in a Veradigm sandbox requires credentials. Use these credentials to connect to the appropriate Veradigm sandbox, and then sign into the EHR with the appropriate provider username and password.

• To request credentials, complete this form.
• To view FHIR endpoint information, go to the FHIR Sandboxes page on the Veradigm Connect portal.

Configure a SMART launch in Veradigm EHR

Configuring a SMART application launch in Veradigm EHR is performed by the client. Patient ID context can be passed in the launch.

Note: If a vendor is testing a SMART app in the Veradigm sandbox, they cannot configure the launch button. Submit a support ticket on the Veradigm Connect portal. Set Request Type to Sandbox, and include the button label name and launch URL.

1. Log into Veradigm EHR with credentials associated with a user who has read/write access in the Administration module.
2. Go to Administration Module > Site Settings > SMART on FHIR Apps.
3. Press Insert on your keyboard or click the green plus sign to display Smart App.
4. Enter the name, description, and launch URL of the SMART app.
5. Verify that Enabled is selected.
6. Click OK.

SMART on FHIR Backend Services (System Callers)

In the case of system applications, there are no user credentials on which to authenticate, and thus a form of cryptography is required.

A JSON Web Token (JWT) is used for authenticating a system application in the Veradigm FHIR API. In these types of authentication systems, there are two constraints on which the systems are trying to match:

• Establish the identity of the caller
• Ensure the highest level of security possible

Keys

In cryptography, there is a concept of public and private key infrastructure.

• The private key is owned by the application developer and never shared. An option is to have only one private key to ensure it is easy to manage and not mistakenly exposed.
• The public key is shared and used for verification with the different FHIR API implementations (such as the Veradigm FHIR API). The traditional method of creating a public key is to contact a certificate authority, and the authority signs the public key. The vendor then has a .CER file.

With that in mind, a piece of information is signed by a private key, and then verified by the public key.

When an application wants to access the FHIR API, it generates a JSON Web Token (JWT). This is referred to as the JWT Client Assertion (also known as a “system token”). This system token includes an expiration time, generally two to 20 minutes, and can only be used once.

JWKS endpoint

HL7 FHIR architects have implemented a mechanism to avoid expiring certificates. (This is different from an expiring system token.) For SMART on FHIR applications, the application developer specifies an endpoint at the time they register their application. That endpoint is where the public key can be retrieved.

It is expected that a SMART on FHIR application developer can stand up a JWKS endpoint for their public key. That way, the application developer can recycle the keys when necessary, without having to contact all the FHIR API vendors they communicate with.

Veradigm processes the certificate updates

As part of the Veradigm FHIR API implementation infrastructure, a nightly job is run “downtown” that cycles through all registered FHIR system applications. It downloads the JWKS information and updates the OAuth clients. If information has changed, then the normal mechanism of distributing OAuth information, including OAuth secrets, kicks in. That information is then downloaded to the client systems.

Authentication flow

The system application’s client credentials (client ID and client secret) establish the authentication flow. However, unlike user/provider and patient applications, the authentication workflow for system applications includes communication with only the FHIR API token endpoint, not the authentication and token endpoints.

The JWT is created programmatically, based on the information supplied by the application. For a code sample used to generate a token, go here.

Call the token endpoint with the following in the body of the POST:

• client_assertion: the system token generated above
• client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
• grant_type: client credentials
• scope

If the verification passes, then an access token is granted, and the SMART on FHIR parameters are exchanged (if requested).

If you are testing the authentication in Postman, you can manually copy the access token and paste it into Authorization tab > Current Token section > Token. Enter the URL for the request, and then click Send.