FHIR Proxies
Last month I gave a talk at FHIR DevDays in Amsterdam on the need to build a FHIR proxy.
Every company I work with who use a commercial FHIR server end up building a version of a proxy layer. They may call it something different, but at some point in the project they have a requirement to intercept requests before they reach the FHIR server or to intercept responses before they reach the consumer. This is where the proxy comes in.
My talk was well received on the day, with a lot of feedback and “nodding of heads” that suggest this is far more common than many realize. It’s not something you expect to have to do at the outset of a large FHIR project, but it’s invariably where you end up.
Here are examples of what you can do inside a proxy layer:
- Apply custom business validation
- Make changes to the request body before it reaches the server
- Extend FHIR via custom operations
- Manage multi-tenancy
- Cache queries
- Implement attribute based access control
- Anonymize data before it reaches the consumer
- Trigger custom events and notifications
Microsoft maintain an open source project they call the “Azure Health Data Services Toolkit.” One key component of this project implements a proxy layer just like the one I’ve described. You build each individual feature yourself inside input and output channels.
This project is many years old and is continuously updated by Microsoft — a clear indication to me that they see this as almost a requirement when using their FHIR servers on real-world projects. I’ve been on support and exploratory calls with Microsoft engineers where they recommend using the toolkit as a fix or approach to many architectural issues and problems.
The Microsoft project: https://github.com/microsoft/azure-health-data-services-toolkit
FHIR Data Anonymization
Staying with Microsoft, another open source project they maintain that I’ve used with more than one client is their “FHIR and DICOM data anonymization” project. I confess not to have used the DICOM part of this project but have introduced variations of the FHIR anonymizer in more than one project.
It’s a highly configurable C# project that relies on FHIRpath expressions and a rules engine to remove or anonymize specific elements of resources or specific attributes in a host of different ways.
I’ve encountered the need for anonymizing FHIR data where an individual consumer is not allowed access to PII data. An example might be a dashboard that displays aggregated metrics over time. An app like this would normally not need access to Patient resources or identifiers, but often would need to ingest Observation and other resource types.
Incorporating this open source project into an output channel in the proxy layer I mentioned earlier makes it possible to anonymize FHIR data “on the fly” — after the query response leaves the FHIR server and before it reaches the consumer.
The FHIR Anonymization project: https://github.com/microsoft/Tools-for-Health-Data-Anonymization
“The Business of FHIR” Podcast
In case you haven’t noticed, there’s a lot of AI generated content popping up on LinkedIn and similar social websites lately. My feeling is that we’ll soon reach a situation where text content can no longer be trusted to come from the source at all.
With this in mind I’m kicking off a new podcast where I talk about FHIR topics from a business perspective. The spoken word and corresponding YouTube videos where I show my face may offer some reassurance that I am who I say I am and that I’m saying it myself.
These are short episodes of 5-10 minutes where I go a little deeper than I normally do on my website and on LinkedIn.
In episode 1 I ask “Should you use FHIR at all?”. Not at all controversial!
In episode 2 I walk through the different types of FHIR implementations and the servers that support them.
You’ll find podcast links on this page: https://podcast.darrendevitt.com/
And a YouTube playlist here: https://www.youtube.com/playlist?list=PLs4w8kiwmI5l-J1FOdt5egYdgbBmTmIHu
---