System Based Authorization | Individual User Access to Cerner

[Aditya Waghmare]

Hi Team,

Need some clarification regarding the authorization on behalf of any system/hospital registered with Cerner to access sandbox API using REST APIs.

Are the majority of hospitals which have partnered with Cerner use any Authorization framework like OAuth or rely on any REST API’s for authorization.

My use case also revolves around practitioners accessing Cerner FHIR using System access, so how do practitioners authenticate themselves with Cerner to access/update EMR data. Is it done using OpenID ?

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

Hello,

Cerner’s implementation of the HL7® FHIR® Standard is protected using the SMART® on FHIR® authorization framework. SMART® on FHIR® defines a profile of the OAuth 2 framework for obtaining authorization to act on behalf of users; it is highly recommended that developers review and understand the OAuth 2 framework prior to implementing their authorization workflow

Why would you want to use System Access for a Provider Application? if you use a System App on behalf of Provider, the App would need to know the identity of the provider and provide authentication mechanism.

To use idtoken, the App needs to be a provider Application, embedded within Cerner or Standalone. 

http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-system

http://fhir.cerner.com/authorization/#requesting-authorization-on-behalf-of-a-user

Thanks,

Fenil

[Aditya Waghmare]

Hi Fenil / Team,

Thanks for the response. To design the right architecture for authorization flow of our application, we are trying to understand the Cerner structure. 

Can you confirm if our understanding about below points is proper:

1) One Instance of Cerner can have multiple EMRs hosted on it. For example: as in table below, Instance “Cerner 1” can have 3 EMRs hosted on it, with EMR 1 and 2 belonging to Hospital 1 and EMR 3 belonging to Hospital 2.  Is this understanding correct?

2) If I register a System app at code.cerner.com, the client ID and Client Secret is generated. Does this give me access to the data across EMRs hosted on that Cerner instance? For example: in the above case, let's say I created a System App at Cerner 1, and a clientID was generated for me. Using this clientID, can I access data from EMR 1, EMR 2 and EMR 3?

3) One provider can work across multiple hospitals. But he/she would have separate login credentials for each EMR. For example: Let's say Dr. John Smith works at Hospital 1 and 2 above. So will he have different credentials for EMR 1, EMR 2 and EMR 3?

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

There is 1 Cerner System which has multiple Health Systems/Hospitals/EMR. Each of the Health System can further have multiple locations. The key differentiation here would be a unique identifier called TenantId ,from FHIR perspective, which differs for each health Systems as well as each domain within the Health System. Within each domain,  patient ID would be unique. TenantID+PatientID would form a unique identifier and hence data cannot be cross-referenced from one hospital to another.

Once you register a System Account and corresponding System Application, the same Application can be used across all the Health Systems. The TenantId would change per health System but clientID and clientSecret remains the same.

Registering the Application does not give you auto access to all Health Systems. 

Thanks,

Fenil

[Aditya Waghmare]

Hi Fenil/Team,

Thanks for the response. Have few more queries and need your help in validating some understanding.

1) What is the definition of Domain within the Health System?

2) As a patient moves across hospitals across locations within the same hospital; What identifier could be used to uniquely map to the patient ?            Ex: MRN

3) Registering the Application does not give you auto access to all Health Systems. 

    → Understanding: Once we have system token(post authorization), we can query all domains/tenants under that system, Please Confirm?

In order to access another health system can we use the same credentials (client ID + Client Secret) to authenticate my application across multiple systems or do we need to create separate Credentials for each health system/ hospital?

4) In Order to onboard a new health system we will therefore need to store the following parameters:

           i. Our’s application Client ID registered on Cerner system

          ii. Our’s application Client Secret registered on Cerner system

          iii. Authorization URL → Authorization URL to retrieve Authorization Code.

          iv. Token URL → URL to retrieve Access token

          v. Server URL → Unique Cerner Instance URL for Hitting FHIR APIs.

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

• A domain can be PROD or Non-PROD
• You can use unique identifiers such as Patient ID or Federated Principal Alias
• Once you have the token, you can query for any resource your App has been enabled for, within a domain your App has been whitelisted for
• Same ClientID/Secret will be used across all client PROD domains
• Authorization URLs can be fetched from the calling the metadata endpoint. The FHIR base url/service URL would be provided to you by the Health System or Cerner.

[Aditya Waghmare]

Hi Fenil/Team,

As suggested I am trying to request authorization on behalf of User/Provider/practitioner using following request: 

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?response_type=code&scope=user/Patient.read user/Appointment.read user/Condition.read user/DocumentReference.read user/Encounter.read user/Observation.read user/Patient.read user/Practitioner.read user/Procedure.read user/Condition.write user/DocumentReference.writeuser/Account.read openid launch fhirUser&launch=a17aba51-1395-48d3-b3a9-73f2baf784da&aud=https://fhir-ehr-code.cerner.com/dstu2/ec2458f2-1e24-41c8-b71b-0e701af7583d/&state=a4c16a46-2c46-482c-8d66-4cc4a2990bda&client_id=ce6f6a5e-9a97-4ed3-9027-536ccfdae0fb

I am redirected to the https://millennia.cerner.com/ Login Page, where i am trying to input Login Credentials for Portal, but unable to login as a provider. Please suggest whether its proper way to request authorization on behalf of User/Provider/practitioner.

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

The launch code is invalid.  If you are performing standalone launch, you do not require launch scope and param.

[Aditya Waghmare]

Hi Fenil,

I tried hitting the Authorization Server with following Request:

https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/personas/provider/authorize?scope=openid fhirUser&state=5a01cd16-cb1f-4b47-83ab-da2554acfaa8&client_id=ce6f6a5e-9a97-4ed3-9027-536ccfdae0fb&aud=https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d&response_type=code

It's redirecting me to the https://millennia.cerner.com/ Login Page, where i am trying to input Login Credentials for code.cerner.com Portal, but still unable to login as a provider. Suggest whether its proper way to authenticate on behalf user/provider. (I wish to obtain provider details from Authorization Server).

Also i tried generating the same on https://authz-demo.cerner.com/client/demo but facing same issue.

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

Are you getting any error after logging in or it won't even accept the credentials? Can you share the error screenshot?

Was credentials do you use? I'm successfully able to login as portal.

[Aditya Waghmare]

Hi Fenil,

I am using credentials through which developer account is created at code.cerner.com (Cerner Care). Is it correct to use same as provider/user credentials?

On entering the credentials getting message as "Invalid Username and Password" and post multiple tries the account gets locked for the day.

Regards,

Aditya Waghmare
 

[Fenil Desani (Cerner)]

You need to use the username and password as: portal

[Aditya Waghmare]

Hi Fenil,

Regarding Patient Search based on MRN/identifier, multiple urn:oid responses are received for Patient in Patient/Encounter search responses in sandbox environment. 

For searching patients, using the following Endpoint url: https://fhir-ehr-code.cerner.com/r4/ec2458f2-1e24-41c8-b71b-0e701af7583d/Patient?identifier=urn:oid:2.16.840.1.113883.6.1000|6930

Whereas going through the group messages I found the urn:oid for Sandbox environment to be 7.7.7.7.7.7 ; which is present for some records.

I wanted to understand more about this urn:oid ; How it can be availed from health system ? or is it unique for particular domain?

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

Hello,

• A patient can have multiple identifiers such as (MRN, CMRN, Messaging Alias, etc.) each associated with a different OID. 
• A patient can also have more than one MRN. 
• Not all patients have all the identifiers.
• The OID configuration is done on Cerner side and each Health System generally has different sets of OIDs.
• The OIDs will either be provided by the Health System or Cerner associates/Health System representative working on your Application if you are part of the CODE program

Thanks,

Fenil

[Aditya Waghmare]

Hi Fenil,

Thanks for the response.

Need your help with following query:

Does Cerner provide any UI login portal for system account to check for patient/provider data in sandbox environment; to correlate any data pushed to any test patient. Or do we need to rely on API's for the purpose.

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

You would need to rely on the APIs. The only accessible UI is launching your App from code Console or access to our chart in Sandbox once you sign the CODE program.

[Aditya Waghmare]

Hi Fenil,

Thanks for the response.

Have few other queries related to retrieving Patient/Clinical Information from EMR systems.

1) Is it possible to get all Patients/Clinical information under a hospital system or Provider from Cerner EMR using System application ?

2) Is there any way to keep track of patient data updated in EMR system via any APIs or web hooks (eg. CDS Hook) ?

3) Is storing of Patient/Clinical data obtained from EMR systems for analytics purpose complaint with standards (eg. HIPAA) ?

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

1) Is it possible to get all Patients/Clinical information under a hospital system or Provider from Cerner EMR using System application ?

• Technically yes, one-by-one, if you have the required identifiers or search params. Remember, the APIs are not meant for bulk queries

2) Is there any way to keep track of patient data updated in EMR system via any APIs or web hooks (eg. CDS Hook) ?

• CDS Hooks is yet not available from Cerner 

3) Is storing of Patient/Clinical data obtained from EMR systems for analytics purpose complaint with standards (eg. HIPAA) ?

• You would need to have a business agreement with the health system on how your app would use any data from the health system

[Aditya Waghmare]

Hi Fenil / Team,

Going through HL7 FHIR documentation, for retrieving patient LAB results from EMR systems, we should query the DiagnosticReport for the patient. However I couldn't find resource for the same in Cerner Millenium R4 documentation. Checking the forum I understood its not yet implemented as of now we can add DSTU2 scope in the application and access the patient data.

Our application uses mostly R4 FHIR endpoint for DiagnosticReport we need to use dstu2 endpoints because of unavailability of equivalent R4 endpoints.

As I can not dstu2 scopes for R4 from console, It was suggested in this forum to request addition of them manually from support. So requesting the same.

Add scope to my app Voythos System (App Id: fa23cc89-a0a6-4ff0-9b7d-ddfc7bf181c2) System/DiagnosticReport.read

Thanks & Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

As requested, system/DiagnosticReport.read scope has been added to your Application. Please re-test after 15 minutes.

[Aditya Waghmare]

Hi Fenil,

Thanks for your response. Able to fetch DiagnosticReport Scope in R4 context and able to get Radiology data in PDF/ HTML Form.

Need a validation on my understanding. In order to fetch lab chemistry results (Eg. Potassium, CO2, AGAP, Creatinine, etc) can it be obtained using Observation.Read endpoint providing the LOINC code as search parameter for patient ? Or is there any alternate way to do so?

Imaging Study resource http://hl7.org/fhir/imagingstudy.html to get information about diagnostics (X-ray, ECG, CT Scan,) for a particular patient is it available in Millenium r4 release?

Also any timeline for availability of Pathology data in sandbox environment for DiagnosticReport endpoint in R4 context?

Regards,

Aditya Waghmare

[Fenil Desani (Cerner)]

Lab results can be retrieved from Observation resource.

ImagingStudy is not yet available. List of available R4 resources - http://fhir.cerner.com/millennium/r4/

DiagnosticReport R4 is yet not available.