Katya Samardina

SMART on FHIR® Supports Safe Access to Healthcare Data

September 13, 2016

Patient Generated Health Data

If a burglar enters your home, or there is a fire, your most valued and loved possessions can be lost.

The result: you are left feeling personally invaded, or without somewhere to live.

So, to protect ourselves and our homes, we add security such as deadbolts and fire alarms. This added security helps to deter burglars, reduce risk, and ensure our safety.

In healthcare, we face similar security challenges. We need to ensure we are aware of potential risks and do everything we can to protect our very valuable personal health information. Security measures such as SMART should also be applied to standards in healthcare data integration. SMART (Substitutable Medical Applications and Reusable Technologies) adds a layer of security in front of FHIR® interfaces to support safe access to data held within an EHR or any other repository.

FHIR®, or Fast Healthcare Interoperability Resources, is one of the next-generation HL7® standards in healthcare data integration. It focuses on decreasing interoperability costs and unlocking technical innovation in healthcare by supporting an open ecosystem of information providers and consumers via open APIs. But with any API, and particularly one that exposes personal health information (PHI), security issues need consideration. So SMART adds a layer of security to reduce the risk of a patient’s medical record being “burgled,” or the information being lost in a “house fire.”

SMART is not yet as well-known as FHIR®, but healthcare organizations and national bodies, through projects such as Argonaut, are taking an active interest in its development. SMART leverages the existing standards OAuth2 for authentication and authorization, OpenID Connect for user identity, and standardizes the process of negotiating access to information and operations between app and server. It also describes a process by which an EHR application can launch an external app, preserving context (patient and user) and providing safe access to the data within the EHR or, indeed, any other repository of healthcare data.
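As an added example, not code from this post or from any SMART implementation, the three app-side steps of the EHR launch just described in Python: building the authorization request (carrying the launch context and the `aud` of the FHIR server), checking the redirect back, and reading the granted scopes and patient context out of the token response. The server URLs, client_id, redirect URI and the sample token response are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example (not from the post).
FHIR_BASE = "https://ehr.example.org/fhir"              # the `iss` the EHR hands the app
AUTHORIZE_ENDPOINT = "https://ehr.example.org/auth/authorize"
CLIENT_ID = "example-sidecar-app"
REDIRECT_URI = "https://app.example.org/callback"
SCOPES = ["launch", "openid", "fhirUser", "patient/Observation.read"]


def build_authorize_url(iss, launch, state, scopes=SCOPES):
    """Step 1: send the user to the EHR's authorization endpoint.
    `launch` is the opaque value the EHR passed at launch; `aud` repeats the FHIR
    base URL so a token issued for one server is not accepted by another."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "launch": launch,
              "scope": " ".join(scopes), "state": state, "aud": iss}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url, expected_state):
    """Step 2: the EHR redirects back with `code` and `state`.
    A `state` that does not match the one we generated is rejected, which stops a
    forged redirect from binding someone else's code to this session."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        raise ValueError(f"authorization refused: {q['error'][0]}")
    return q["code"][0]


def read_token_response(resp, requested=SCOPES):
    """Step 3: after exchanging the code, read the token response.
    Returns the launch context and the scopes the server actually granted, which
    may be fewer than requested; the app must work with what it was given."""
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a Bearer token")
    granted = set(resp.get("scope", "").split())
    return {
        "access_token": resp["access_token"],
        "patient": resp.get("patient"),     # context preserved from the EHR
        "granted": granted,
        "denied": set(requested) - granted,
    }
```

The `state` value must be a fresh, unguessable string per session (for example `secrets.token_urlsafe(16)`), stored server-side and compared in `parse_callback`.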

By utilizing these commonly used standards, FHIR® and SMART work together to provide secure and safe access to data held within an EHR, or any data repository, through a well-known API managed by the custodian of the clinical data. The growing support for SMART from large healthcare organizations, vendors, providers, and national bodies will promote free-flowing healthcare information, which in turn can lead to different “specialist” applications. These applications, each focused on some aspect of healthcare delivery, can access data from different data sources, creating numerous “sidecar” applications and truly enabling the open healthcare ecosystem.


®Health Level Seven, HL7, FHIR and the FHIR [FLAME DESIGN] are registered trademarks of Health Level Seven International, registered with the United States Patent and Trademark Office. The use of these trademarks does not reflect HL7’s endorsement.
