FHIR OperationOutcome to handle Consent - hl7-fhir

Refer to FHIR R4 and potentially R5.
We have the following scenario:
Our client invokes our FHIR server, which returns a Bundle of the requested resources.
Optionally, we can return an OperationOutcome in the Bundle in case of any issue.
Some resources may be unauthorized or partially hidden because of a consent rule.
The issues are:
There is no element inside issue that allows specifying issues for specific returned resources rather than an element expression (resource reference).
No element allows referring to a hint (i.e., the Consent ID) that blocks a specific resource and probably allows unlocking it.
Question: Is there any alternative response that enables the requested requirement?
If you ask why the client would like to know that level of detail, there are several alternatives:
The client is indeed another system that may complete the consent acceptance workflow or notify another module about the authorization requirement in an automated way.
The client is a UI with the capability to lead the user to a resource authorization or authorization request page.
The client may have a "break the glass" capability for certain Consent types.

If a resource was completely suppressed, there'd be no path for the OperationOutcome to point to. All that can be done is display a generic warning indicating "Your search results may have been filtered to exclude certain results. If you wish to access all records, please follow 'break the glass process X'". If a resource was only redacted to show less than full information, that would be conveyed by the meta.security tag on the impacted issue, though you could also include a generic warning along the lines of "Some of the returned resources have been redacted for security/consent reasons. If you need to see the complete content, please follow break-the-glass process X".
There is no standard break-the-glass process, so there is no standard set of elements conveyed in the OperationOutcome that allow more computably defining the interface for invoking it. However, you could define extensions for your particular implementation space if that was useful.
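The shape the answer describes, as an added example (not code from the answerer or from HL7): a searchset Bundle whose OperationOutcome carries a generic "suppressed" warning, a returned resource tagged REDACTED in meta.security, and, for the consent hint the question asks for, an implementation-specific extension. The `suppressed` IssueType, the `v3-ObservationValue` REDACTED tag and `search.mode = outcome` are standard FHIR R4; the extension URL `http://example.org/fhir/StructureDefinition/consent-hint`, the resource ids and the Consent reference are assumptions for illustration only.

```javascript
// Added example, not part of the original answer or the FHIR specification.
// Server side: build a searchset Bundle where one Observation was redacted
// and an OperationOutcome warns that other results may have been suppressed.
// Client side: read back what was hidden and which Consent (if hinted) applies.

const REDACTED_TAG = {
  system: 'http://terminology.hl7.org/CodeSystem/v3-ObservationValue',
  code: 'REDACTED',
};

// Hypothetical, implementation-specific extension (not a standard FHIR extension).
const CONSENT_HINT_EXT = 'http://example.org/fhir/StructureDefinition/consent-hint';

function buildConsentFilteredBundle() {
  const observation = {
    resourceType: 'Observation',
    id: 'obs-1',                       // assumed id
    meta: { security: [REDACTED_TAG] }, // tells the client this copy is incomplete
    status: 'final',
    code: { text: 'Lab panel' },
    // value[x] deliberately omitted: redacted by a consent rule
  };
  const outcome = {
    resourceType: 'OperationOutcome',
    id: 'outcome-1',
    issue: [{
      severity: 'warning',
      code: 'suppressed', // standard IssueType for consent/privacy filtering
      details: {
        text: 'Your search results may have been filtered to exclude certain results. ' +
              'If you wish to access all records, please follow break-the-glass process X.',
      },
      // Hypothetical hint: which Consent blocked the content, so a client can act on it.
      extension: [{ url: CONSENT_HINT_EXT, valueReference: { reference: 'Consent/consent-42' } }],
    }],
  };
  return {
    resourceType: 'Bundle',
    type: 'searchset',
    total: 1,
    entry: [
      { fullUrl: 'http://example.org/fhir/Observation/obs-1', resource: observation, search: { mode: 'match' } },
      { fullUrl: 'http://example.org/fhir/OperationOutcome/outcome-1', resource: outcome, search: { mode: 'outcome' } },
    ],
  };
}

// Client side: summarise what was filtered or redacted and collect consent hints.
function inspectBundle(bundle) {
  const result = { filtered: false, redacted: [], consentHints: [] };
  for (const entry of bundle.entry || []) {
    const r = entry.resource;
    if (!r) continue;
    if (r.resourceType === 'OperationOutcome') {
      for (const issue of r.issue || []) {
        if (issue.code === 'suppressed') result.filtered = true;
        for (const ext of issue.extension || []) {
          if (ext.url === CONSENT_HINT_EXT && ext.valueReference) {
            result.consentHints.push(ext.valueReference.reference);
          }
        }
      }
      continue;
    }
    const tags = (r.meta && r.meta.security) || [];
    if (tags.some(t => t.system === REDACTED_TAG.system && t.code === REDACTED_TAG.code)) {
      result.redacted.push(`${r.resourceType}/${r.id}`);
    }
  }
  return result;
}

module.exports = { buildConsentFilteredBundle, inspectBundle, CONSENT_HINT_EXT };
```

A fully suppressed resource leaves no entry at all, which is why the only machine-readable signal for it is the `suppressed` issue; the extension is what makes the consent hint computable, and a client that does not know the extension URL simply ignores it.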

Related

Is there an FHIR Extension to indicate a Practitioner or Patient Resource has been validated against a registry

When I construct a Patient or Provider resource from incoming data I query a registry to confirm the incoming data is correct.
What I'd like to do is put a field in the resource to notify the receiving system that the data is either correct or is out of sync with the registry. I could create my own extension; however, I am wondering if such an extension currently exists or will soon exist?
I've reviewed the HL7 FHIR site and cannot find reference to an extension like this.
The VerificationResult resource is intended for that purpose, as if you're interested in verification information it's typically more than just a simple boolean - at least when the data is being shared outside a tight context where the verifying entity, verification mechanism, etc. might be able to be implicit.

Articulate storyline 360 launch xapi course with adlnet/xAPIWrapper

One of my clients sent me an xAPI course which was created using Articulate Storyline 360 and published as Tin Can API for LMS. I am able to launch the course using the method mentioned in the link below:
Incorporating a Tin Can LRS into an LMS
So using the above method the launch URL looks like:
http://my.lms.com/TCActivityProvider/story.html
?endpoint=http://my.lms.com/lrs/endpoint/
&auth=Basic OjFjMGY4NTYxNzUwOGI4YWY0NjFkNzU5MWUxMzE1ZGQ1
&actor={"name": ["First Last"], "mbox": ["mailto:firstlast#mycompany.com"]}
&activity_id=61XkSYC1ht2_course_id
&registration=760e3480-ba55-4991-94b0-01820dbd23a2
Using the above URL, which has the endpoint and credential information, the course gets launched successfully and sends xAPI statements to the LRS automatically.
But I don't want to send the parameters like auth, actor or endpoint in the URL for security reasons.
I googled for an alternative method and found the adlnet/xapi-launch and adlnet/xAPIWrapper library.
I explored the above two libraries but am confused about how they can be integrated into the LMS.
Does Articulate Storyline 360 support adlnet/xAPIWrapper?
The adlnet/xAPIWrapper is just a library that makes it easier to communicate with the LRS and requires you to determine how the endpoint and authentication credentials will be passed to the library. In other words it isn't necessarily intended to be used via LMS launch (it will work there, but doesn't have special handling for it). The xapi-launch specification you found as far as I know (at this time) has effectively zero adoption.
The other alternative would be to use cmi5 which is another specification that includes the concepts of packaging, import and launch for content that communicates via xAPI. It uses a different credential handshake process that is similar to both the launch guidelines you linked and the xapi-launch method. It uses query string parameters for the endpoint, but the LRS credentials are accessed via a separate, single use request. It has better adoption (though still early at this time), has been peer reviewed, is under the ADL umbrella, and is on more of a standards path. See https://xapi.com/cmi5/ for more about cmi5. I don't believe Articulate has yet implemented cmi5 in their products (at this time) as they are waiting for more indication for market desire, you should contact them about your interest in it if you feel it is a suitable option.

How to analyze large amount of URI logs

I have about 1 million URI logs of user activity on my network. I want to know how many of those 1 million are for Facebook, how many are for Twitter, and so on.
It's easy to link URIs like cdn.xyz.twitter.com , platform.twitter.com to Twitter
However, the problem I'm facing is that I'm not able to link more than 40% of the URLs captured to real websites. A URL like xys.1234.com can be something in Facebook, for example, but there isn't a link between that URL and the facebook.com domain, so it will just be listed as a stand-alone website, which is wrong (or not what I want).
Also, API calls also won't be easily linked to their domains, because some websites may be using Amazon Web Services and that's what is being logged.
And Many of the URIs are generated from ad services, I want to know where this ad is generated from ( on what website or mobile application did the user click on the ad? ).
Snapshots of URIs so you would understand the whole picture.
https://imgur.com/a/2Ocqi
https://imgur.com/a/bmhNv
So you're trying to match up outgoing requests? How do you expect to know that a user who accessed xyz.1234.com did it through Facebook rather than independently by typing the URL into the address bar? Or by clicking a link from some other page? Your log doesn't contain information that tells you which URLs are linked from which page. Without another source of information, you can't be sure.
You could examine the requests for multiple users and infer relationships. That is, if you notice that all (or a majority of) requests to xyz.1234.com occur after a Facebook request, you can infer that the request occurred as a result of a click on a Facebook page. Doing so will require some interesting pattern matching. How well it works will depend on how much data you have to work with, how well you write the pattern matching, and how much time you're willing to let the algorithm run.
There's no simple answer, though. If you don't have data that explicitly says, "this request was made by clicking on a link from Twitter," then you have to either get another source of information or you have to write code that will infer that information.
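The inference the answer sketches, as an added example (not the answerer's code): known hosts are mapped to a site by registrable-domain suffix; every other host is attributed to whichever known site the same user hit within a short window beforehand, and a host is only assigned an owner when a majority of its requests follow the same site. The log format (`timestamp user host path`), the sample lines, the 30 second window and the 60% threshold are all constructed assumptions.

```javascript
// Added example, not from the original answer. Attributes unknown hosts to
// known sites by "what did this user request just before", then counts per site.

// Known suffixes (constructed, extend as needed).
const KNOWN_SITES = {
  'facebook.com': 'Facebook', 'fbcdn.net': 'Facebook',
  'twitter.com': 'Twitter', 'twimg.com': 'Twitter',
};

// Match a host against known suffixes, longest-to-shortest, never the bare TLD.
function siteForHost(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i).join('.');
    if (KNOWN_SITES[suffix]) return KNOWN_SITES[suffix];
  }
  return null;
}

// Assumed log format: "<ISO timestamp> <user> <host> <path>".
function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, user, host, path] = line.trim().split(/\s+/);
    return { t: Date.parse(ts), user, host, path };
  });
}

// For each unknown host, count which known site the user visited within
// windowMs before it; assign an owner when one site has >= minShare of hits.
function inferHostOwners(records, windowMs = 30000, minShare = 0.6) {
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r);
  }
  const follows = new Map(); // host -> Map(site -> count)
  const totals = new Map();  // host -> total requests
  for (const recs of byUser.values()) {
    recs.sort((a, b) => a.t - b.t);
    let lastSite = null, lastT = -Infinity;
    for (const r of recs) {
      const site = siteForHost(r.host);
      if (site) { lastSite = site; lastT = r.t; continue; }
      totals.set(r.host, (totals.get(r.host) || 0) + 1);
      if (lastSite && r.t - lastT <= windowMs) {
        if (!follows.has(r.host)) follows.set(r.host, new Map());
        const m = follows.get(r.host);
        m.set(lastSite, (m.get(lastSite) || 0) + 1);
      }
    }
  }
  const owners = {};
  for (const [host, total] of totals) {
    const m = follows.get(host);
    if (!m) continue;
    for (const [site, n] of m) if (n / total >= minShare) owners[host] = site;
  }
  return owners;
}

function countBySite(records, owners) {
  const counts = {};
  for (const r of records) {
    const site = siteForHost(r.host) || owners[r.host] || 'unattributed';
    counts[site] = (counts[site] || 0) + 1;
  }
  return counts;
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = `
2024-03-01T10:00:00Z alice www.facebook.com /
2024-03-01T10:00:02Z alice xyz.1234.com /api/feed
2024-03-01T10:00:05Z alice static.xx.fbcdn.net /img.png
2024-03-01T10:00:09Z alice xyz.1234.com /api/feed
2024-03-01T10:30:00Z alice ad.tracker.example /pixel
2024-03-01T11:00:00Z bob www.facebook.com /
2024-03-01T11:00:01Z bob xyz.1234.com /api/feed
2024-03-01T11:05:00Z bob platform.twitter.com /widgets.js
2024-03-01T11:05:03Z bob xyz.1234.com /api/feed
2024-03-01T11:05:04Z bob api.cdn-something.net /v1
`;

function analyse(logText) {
  const records = parseLog(logText);
  const owners = inferHostOwners(records);
  return { owners, counts: countBySite(records, owners) };
}

module.exports = { siteForHost, parseLog, inferHostOwners, countBySite, analyse, SAMPLE_LOG };
```

On the sample, `xyz.1234.com` follows Facebook in three of its four hits and is attributed to Facebook, a CDN host seen once right after a Twitter request goes to Twitter, and the ad pixel half an hour after anything known stays unattributed. That last case is the honest outcome the answer warns about: sequence alone cannot say where an ad was clicked, only a referrer or a proxy that sees page content can.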

Is there a CSRF protection implemented in Boomla?

I want to implement a tool (a website that can edit a user's own websites) that receives uploads from the browser and stores them in a website specified in the request. However, I want to protect the user from other sites creating requests to my endpoint and doing dirty things with the user's data.
The industry standard for this is to include a randomized token in every rendering of the page, submit it together with the input data, and check the validity of the token on the server side before processing the submitted request.
Is there an automated mechanism for this in the Boomla framework, or is something like this planned?
Implemented, no. Planned, yes.
Currently (v0.9.1), I believe Boomla does check the Referer header, but it stops there. In the meantime, maybe you could implement a cryptographic solution yourself?
How pressing is the issue for you?
Consider that currently, side effects are not possible (e.g. sending data), thus data leaks are not possible, and it won't cause data loss, since we have built-in version control. (We are going to expose a casual version control mechanism that works automatically, without committing, so you'll be backed up even without committing.) Thus, in effect, your users are safe.
Please disagree if you think otherwise.

Google Analytics event tracking dependent on source of visit

I am looking to test different traffic patterns within Google Analytics (Direct traffic abnormally high). I was curious if anyone knows how to create an event that fires when source = wildcard. To make this event more difficult, this would be set up within Google Tag Manager using Universal Analytics.
I see the 6 event tags but none of them sounds like it would meet my need?
Thanks
Google Tag Manager is not a tracking tool and knows nothing about the traffic source, so no preconfigured macro could be used in a rule to fire tags depending on source.
If you use "classic" asynchronous analytics you can set up a macro that reads the _utmz cookie and checks in a rule if it contains a source string ("direct", "cpc" etc.).
However Universal Analytics determines the traffic source on the server and does not store it clientside, so with UA this would not work.
A few traffic sources are easily recognizable on the respective landing page:
If no referrer is present it's a direct visit/bookmark
if there are campaign (utm) parameters in the url you can use those
if there is a gclid parameter in the url you know it is google/cpc
if the referrer is a google domain with a country tld and the parameter "q" is present (will be empty with encrypted search but should still be there) it's an organic google search
if the referrer is a bing domain with the parameter q present it's an organic bing search (and similar for other search engines)
However this will only work on landing pages. You need to write your own cookie to store the source for subsequent pages.
You can refine this approach to give rather similar results to Google Analytics but it will never match perfectly.
One of the most common reasons for abnormally high direct traffic is that no campaign parameters are present in paid traffic, either because you forgot to enable autotagging in your AdWords campaigns or because you have redirects that strip out campaign parameters (so paid traffic is lumped together with direct). The above approach would not help you to discover this, so I suggest you check this manually first before you do anything else.
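The landing-page rules the answer lists, as an added example (not the answerer's code, not GTM or Google Analytics code): a pure function that classifies a visit from the landing URL and the referrer, plus the cookie the answer says you have to write yourself so later pages can read the source back. Campaign parameters are checked before the referrer, as Analytics does; the cookie name `_my_src`, its lifetime and the sample URLs are assumptions. It runs unchanged in a browser with `location.href` and `document.referrer` as inputs.

```javascript
// Added example, not from the original answer. Classifies the traffic source of a
// landing page from (landing URL, referrer) and persists it in a first-party cookie.

function classifySource(landingUrl, referrer) {
  const u = new URL(landingUrl);
  const q = u.searchParams;
  // Campaign parameters win over the referrer.
  if (q.get('utm_source')) {
    return { source: q.get('utm_source'), medium: q.get('utm_medium') || '(not set)', via: 'utm' };
  }
  if (q.get('gclid')) return { source: 'google', medium: 'cpc', via: 'gclid' };
  if (!referrer) return { source: '(direct)', medium: '(none)', via: 'no referrer' };
  let ref;
  try { ref = new URL(referrer); } catch (e) {
    return { source: '(direct)', medium: '(none)', via: 'unparseable referrer' };
  }
  const host = ref.hostname.toLowerCase();
  // google.<tld> or google.co.<cc> with a "q" parameter (may be empty under encrypted search).
  if (/(^|\.)google\.[a-z.]+$/.test(host) && ref.searchParams.has('q')) {
    return { source: 'google', medium: 'organic', via: 'referrer' };
  }
  if (/(^|\.)bing\.com$/.test(host) && ref.searchParams.has('q')) {
    return { source: 'bing', medium: 'organic', via: 'referrer' };
  }
  // Same-site referrer means this is not a landing page: keep the stored source.
  if (host === u.hostname.toLowerCase()) return null;
  return { source: host, medium: 'referral', via: 'referrer' };
}

// Cookie name and six-month lifetime are assumptions.
const COOKIE_NAME = '_my_src';

function sourceCookie(attribution, maxAgeSec = 6 * 30 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(attribution));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAgeSec}; Path=/; SameSite=Lax; Secure`;
}

function readSourceCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE_NAME) {
      try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch (e) { return null; }
    }
  }
  return null;
}

// On every page: classify if this is a landing page, otherwise keep the stored source.
function resolveSource(landingUrl, referrer, cookieHeader) {
  const fresh = classifySource(landingUrl, referrer);
  if (fresh) return { attribution: fresh, setCookie: sourceCookie(fresh) };
  const stored = readSourceCookie(cookieHeader);
  return { attribution: stored, setCookie: null };
}

module.exports = { classifySource, sourceCookie, readSourceCookie, resolveSource };
```

The value can then be pushed to the data layer and used in a GTM trigger, which is the only way to get "source = X" into a tag condition when Universal Analytics computes the source server-side.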
