The Standard

If you can’t think of a reason to pay attention to FAST's work, we have a couple for you! Recent requirements related to TEFCA (Trusted Exchange Framework and Common Agreement) and the latest HTI-2 proposed rule have named the FAST Security Implementation Guide (IG). This recognition underscores the importance and foundational nature of FAST's contributions to healthcare interoperability. 

On July 1st, the Recognized Coordinating Entity (RCE) released the Facilitated FHIR Implementation Standard Operating Procedure (SOP), outlining the requirements for using FHIR within the TEFCA framework. Notably, these requirements include adopting the FAST HL7 UDAP Security for Scalable Registration, Authentication, and Authorization FHIR Implementation Guide (SSRAA) by January 1, 2026. This timeline allows organizations to implement FAST Security while still using SMART or other security options in the interim. 

Specifically, the SOP states: 

Prior to January 1, 2026: 

• All FHIR Adopters MAY follow the requirements of HL7 SSRAA FHIR IG 1.0.0 STU 1 US Section 3 Registration. 

• Manual registration requests for client_id MUST be resolved within 5 business days where sufficient information has been provided. Information requirements MUST NOT exceed those in Section 3 of HL7 SSRAA FHIR IG and this SOP. 

• All FHIR adopters MUST use one of the following: 
  • HL7 SSRAA FHIR IG 1.0.0 – STU 1 US Sections 4 and 5; 
  • SMART Release 1.0.0; or 
  • Another authentication and authorization framework that adheres to the QTF requirements is based on out-of-band agreements between exchange partners. 

In May 2024, the FAST Focus webinar, "Secure Health Data Exchange," brought together experts from across the healthcare industry to delve into the intricacies of the HL7 Unified Data Access Profiles (UDAP) Security for Scalable Registration, Authentication, and Authorization Implementation Guide, commonly referred to as the FAST Security IG. This session featured insights on key components and practical implementations of the FAST Security IG. 

Introduction to the FAST Security IG 

The session began with an explanation of the role of FAST in addressing healthcare interoperability challenges. The FAST Security IG aims to create a scalable, secure framework for health data exchange across national networks like TEFCA, Carequality, and CommonWell. 

The Journey to Trustworthy Information Exchange 

A historical perspective on the FAST Security IG highlighted its roots back to 2017. The goal was to leverage existing standards like public key infrastructure (PKI), OpenID Connect, and OAuth 2.0 to ensure a scalable, secure data exchange solution. The FAST Security IG integrates these standards into a cohesive framework, emphasizing the importance of trust in health data transactions. 

Key Components of the FAST Security IG 

The core elements of the FAST Security IG include: 

• JWT-Based Authentication and Authorization: Utilizing JSON Web Tokens for secure assertions of claims from trusted third parties.
• Dynamic Client Registration: Automating client registration using digital certificates to eliminate the need for shared secrets.
• Tiered OAuth: Facilitating patient-facing workflows by directing patients to trusted identity providers for authentication.

This approach ensures that both clients and servers can be securely identified and authenticated, streamlining the registration process, and enhancing trust across the network. 

Real-World Implementations and Insights 

The panel discussion featured firsthand experiences from implementers of the FAST Security IG. The discussion emphasized the collaborative effort in refining the FAST Security IG and the importance of ongoing participation in workgroups to further enhance the specification. 

Open-source solutions to facilitate implementation were highlighted, including a .NET reference implementation and a diagnostic tool called UDAP Ed. These resources help developers visualize and test their implementations, accelerating the adoption of the FAST Security IG. 

The importance of identity assurance was underscored, advocating for a centralized, trusted entity to manage high-security registrations. The FAST Security IG's reliance on well-established standards makes it a robust and scalable solution for the healthcare industry. 

March 2024 marked a pivotal moment for the healthcare IT sector, with the FHIR at Scale Taskforce (FAST) community survey revealing critical insights into the adoption, challenges, and perspectives surrounding various FAST implementation guides (IGs). This survey, engaging various stakeholders from providers to technology vendors, sheds light on the collective journey towards seamless healthcare interoperability. Let's dive into the nuanced feedback and the path it carves for the future of healthcare IT. 

Survey Results Overview 

FAST Security IG Adoption and the Quest for Clarity   

The uptake of the HL7 FAST UDAP Security for Scalable Registration, Authentication, and Authorization Implementation Guide (FAST Security IG) is on the rise, driven by an evident market need.  A notable proportion of respondents are keen to implement the HL7 FAST Security IG, likely due to its inclusion in the TEFCA FHIR Roadmap. There were some concerns expressed about market readiness. However, respondents expressed a need for clearer guidance beyond the existing FAST Security IG, suggesting the development of a companion document to aid in implementation strategies would be helpful. 

FAST Identity IG: Overcoming Adoption Barriers   

While there seems to be adoption readiness for the Interoperable Digital Identity and Patient Matching IG, the survey highlights perceived barriers to adoption. These barriers were related to industry issues such as cross-jurisdiction consent and broader market acceptance and adoption by other industry initiatives rather than any issues with the IG itself. 

HL7 applauds the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) for its April 22, 2024 Common Agreement Version 2.0 release, which announced the requirement for health information networks participating in the Trusted Exchange Framework and Common Agreement (TEFCA) to support the HL7 Fast Healthcare Interoperability Resources (FHIR^®) standard.

The HL7 FHIR at Scale Taskforce (FAST) UDAP Security for Scalable Registration, Authentication and Authorization Implementation Guide (FAST Security IG) was designed to streamline and secure data exchange across different healthcare stakeholders. This blog post seeks to dispel common misconceptions about the complexity of implementing the FAST Security IG. 

In a recent episode of HIMSSTV, two healthcare interoperability visionaries, Deepak Sadagopan and Duncan Weatherston, took the virtual stage to share their expert insights on the critical FHIR pathway within the Trusted Exchange Framework and Common Agreement (TEFCA) model. This captivating discussion was led by the co-chairs of the HL7 FHIR at Scale Taskforce (FAST), and it shed light on the transformative potential of FHIR in shaping the future of healthcare data exchange. 

Meet the FAST Community 

Before we dive into the interview, let's take a moment to acquaint ourselves with the remarkable work being done by the FAST community. The HL7 FHIR at Scale Taskforce is a dedicated group committed to identifying scalability challenges and defining solutions to overcome the barriers to broad FHIR adoption. FAST is addressing key areas like Security for Scalable Registration, Authorization, and Authentication and Interoperable Digital Identity and Patient Matching. The FAST community’s list of projects can be found on the FAST Confluence Project Page. An upcoming project on Consent is set to kick off soon, promising exciting prospects for healthcare data sharing. To get involved, reach out to fast@hl7.org.