SMART vs. OAuth


Shamil

Jan 28, 2016, 6:53:53 PM
to Cerner FHIR Developers

Reading posts and documentation, I noticed that SMART and OAuth are either contrasted or used interchangeably. This, in conjunction with the "SMART application" term, is a bit confusing.

Could someone clarify what each term means in the context of Cerner development (please do not post links to the IETF OAuth draft or smarthealthit.org) and what the differences are? How does an application retrieving data using OAuth differ from a SMART application retrieving data using OAuth?

Regards,
Shamil

Kevin Shekleton

Jan 29, 2016, 12:09:16 AM
to Cerner FHIR Developers
First, everything I'm about to say is not specific to Cerner development -- nothing we're doing with SMART or FHIR is proprietary. I just want to make that clear. :)

OAuth (and specifically in this context, OAuth 2) is an authorization framework used by many different companies & products. For instance, Google, Twitter, PayPal, and Microsoft all use OAuth 2 to authorize access to their resources (e.g., APIs).

SMART is a framework that defines how we can build interoperable healthcare applications. At a high level, SMART outlines three things:
1. SMART communicates the EHR FHIR server URL to the SMART app being launched. This will ultimately allow the SMART app to call that FHIR server to read/write data from the EHR.
2. SMART dictates that the FHIR server resources should be protected by an EHR authorization server leveraging OAuth 2.
3. SMART defines how the EHR shares context (what patient chart is open, what encounter is open, what user is logged in) with the 3rd party application. This context sharing model is defined in a secure manner and piggybacks onto the OAuth 2 workflow.

Cerner supports SMART on top of our EHR, Millennium. Let's say that another EHR provider, Acme, also supports SMART. This means that both Cerner and Acme are talking the same authorization model (OAuth 2), using the same data model (FHIR), and sharing context in the same manner (see SMART item #3 above). Thus, a SMART app will be interoperable with both Cerner and Acme EHRs, and their application code shouldn't have any Cerner-specific or Acme-specific code.

Of course, there are lots of little details which make this not as easy/simple as I've described things thus far. However, we have worked with other companies and vendors to make this a reality. At HIMSS last year we demonstrated several SMART applications written by some great companies running on multiple EHRs -- illustrating that interoperability is possible! It's really an exciting time right now in this space.

Could you make an application that leverages FHIR to read/write data from the EHR but isn't a SMART app? Sure, you could. However, you'd need to hard code the FHIR server URL in your app (since you've lost SMART item #1 from above). Additionally, you'd lose the patient context sharing (SMART item #3 from above). There are certain use cases where this is fine (like services/systems without any user interaction), but if your app is used by an end user (provider or patient), SMART is a great framework to leverage.

I hope this all made sense. Let me know if you have any additional questions.

Regards,
Kevin
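The three SMART items Kevin lists can be seen end to end in a single simulated "EHR launch". The following is an added example, not code from this thread or from Cerner: a toy in-process authorization server plays the EHR side and a small function plays the app side, so the whole exchange runs offline. The FHIR base URL, client id, redirect URI and patient/encounter ids are constructed placeholders; the real SMART App Launch flow additionally involves endpoint discovery and an OpenID Connect id_token for the user, which are omitted here.

```python
# Added example (not code from the original thread or from Cerner): a
# self-contained simulation of a SMART on FHIR "EHR launch", showing the
# three things the post lists -- (1) the EHR hands the app the FHIR server
# URL, (2) the FHIR resources sit behind an OAuth 2 authorization server,
# and (3) patient/encounter context rides along with the OAuth 2 code flow.
# All URLs, client ids and record ids below are constructed placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class SimulatedEhrAuthServer:
    """Stand-in for an EHR's SMART-capable OAuth 2 authorization server."""

    def __init__(self, fhir_base, clients):
        self.fhir_base = fhir_base      # the 'iss' the EHR advertises (item 1)
        self.clients = clients          # client_id -> registered redirect_uri
        self.launch_contexts = {}       # opaque launch token -> chart context
        self.codes = {}                 # auth code -> data bound at authorize

    def launch(self, app_launch_url, patient_id, encounter_id):
        """EHR launch: send the app to its launch URL with 'iss' and 'launch'.
        The context stays server-side; only an opaque token leaves the EHR."""
        launch_token = secrets.token_urlsafe(16)
        self.launch_contexts[launch_token] = {"patient": patient_id,
                                              "encounter": encounter_id}
        return f"{app_launch_url}?{urlencode({'iss': self.fhir_base, 'launch': launch_token})}"

    def authorize(self, params):
        """Authorization endpoint (item 2): audience check, client/redirect
        binding, required 'launch' scope, and a one-time launch token."""
        if params.get("response_type") != "code":
            raise ValueError("only the authorization code flow is supported")
        if params.get("aud") != self.fhir_base:
            raise ValueError("aud does not match this EHR's FHIR server")
        registered = self.clients.get(params.get("client_id"))
        if registered is None or registered != params.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")
        scopes = set(params.get("scope", "").split())
        context = self.launch_contexts.pop(params.get("launch"), None)
        if "launch" not in scopes or context is None:
            raise ValueError("missing 'launch' scope or unknown/reused launch token")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], registered, params["scope"], context)
        return code, params["state"]

    def token(self, code, client_id, redirect_uri):
        """Token endpoint: exchange the one-time code. Context comes back next
        to the access token (item 3); user identity would arrive in an OpenID
        Connect id_token, omitted here to keep the example short."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already-used authorization code")
        bound_client, bound_redirect, scope, context = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client/redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope,
                "patient": context["patient"], "encounter": context["encounter"]}


def app_build_authorize_request(launch_url, client_id, redirect_uri):
    """App side: read 'iss' and 'launch' from the launch URL and build the
    authorization request. The app never hard-codes the FHIR base URL."""
    query = parse_qs(urlparse(launch_url).query)
    iss, launch = query["iss"][0], query["launch"][0]
    state = secrets.token_urlsafe(16)       # ties the redirect back to this request
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "launch": launch,
              "scope": "launch patient/Patient.read patient/Observation.read",
              "state": state, "aud": iss}   # aud binds the token to this FHIR server
    return iss, state, params


def run_launch_flow(fhir_base="https://fhir.example-ehr.invalid/r4"):
    """Drive one complete EHR launch and return what the app learned."""
    client_id, redirect_uri = "demo-app", "https://app.example.invalid/callback"
    ehr = SimulatedEhrAuthServer(fhir_base, {client_id: redirect_uri})
    # constructed ids: the chart and encounter the clinician has open in the EHR
    launch_url = ehr.launch("https://app.example.invalid/launch", "12724066", "97953900")
    iss, state, params = app_build_authorize_request(launch_url, client_id, redirect_uri)
    code, returned_state = ehr.authorize(params)
    if returned_state != state:
        raise ValueError("state mismatch: response does not belong to this request")
    tok = ehr.token(code, client_id, redirect_uri)
    return {"fhir_base": iss, "patient": tok["patient"],
            "encounter": tok["encounter"], "token_type": tok["token_type"]}


def wrong_aud_is_rejected():
    """Failure mode: an authorization request aimed at a different FHIR server."""
    client_id, redirect_uri = "demo-app", "https://app.example.invalid/callback"
    ehr = SimulatedEhrAuthServer("https://fhir.example-ehr.invalid/r4", {client_id: redirect_uri})
    launch_url = ehr.launch("https://app.example.invalid/launch", "1", "2")
    _, _, params = app_build_authorize_request(launch_url, client_id, redirect_uri)
    params["aud"] = "https://other-ehr.example.invalid/r4"
    try:
        ehr.authorize(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_launch_flow())
```

Running the block prints the FHIR base URL, patient and encounter the app received without any of them being configured in the app. Removing the `launch` parameter and scope from `app_build_authorize_request` gives exactly the non-SMART situation described later in the thread: plain OAuth 2 still works, but the app has to hard-code the server URL and loses the chart context.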

Kevin Mayfield

Jan 29, 2016, 3:28:09 AM
to Cerner FHIR Developers
Is it possible to use other grants and not use the SMART OAuth2 grants, which are aimed at apps?

Our ESB (Integration Engine and API Gateway) currently uses OAuth2 and FHIR with the password grant. We're using basic OAuth2 as our PAS is being replaced with Cerner late this year, when I presume we would move to Cerner OAuth.

Kevin Shekleton

Jan 29, 2016, 8:06:18 AM
to Cerner FHIR Developers
Hi Kevin. I'm not sure if I understand your questions completely; can you clarify them for me?

From what I think I understand, your Patient Administration System (PAS) is protected by your own OAuth 2 server. It sounds like your PAS also leverages FHIR for its data.

You asked "Is it possible to use other grants and not use SMART OAuth2 grants which is aimed at apps?". I'm probably not understanding your question completely but if you have your own OAuth 2 server today, you can have it handle any grants you wish.

I don't understand your comment/question, "our PAS is being replaced with Cerner late this year, when I presume we would move to Cerner OAuth". I don't know what your PAS is being replaced with, so I'm not sure what you meant by 'Cerner OAuth'. Our OAuth 2 server today only protects our FHIR resources and not any existing Cerner application.

Kevin Mayfield

Jan 30, 2016, 3:00:01 AM
to Cerner FHIR Developers
Maybe I've put a few things together and got the wrong answer. Anyway, starting from:

1. Is it possible to access FHIR resources this way? Apps could be started as standalone but are using Cerner for identity and authorisation. So when a user accesses the app, the user would be redirected to Cerner to log on and the returned tokens are used to access the Cerner FHIR server.

2. If so, is it possible to have server connections? So we would want to use something like a 'resource owner password credentials grant'. So the server would use a predefined username/password to get an access token (from the Cerner OAuth server) and use that to access the FHIR servers. [This is something we currently do, using our own OAuth server.]

Kevin Shekleton

Jan 30, 2016, 7:07:34 AM
to Cerner FHIR Developers
Ah, I see where the confusion is coming from. The Cerner OAuth you linked to (https://dev.cernerhealth.com/doc/api/oauth/3-legged) is for Cerner Health, our patient portal solution. This is completely different from SMART on FHIR and the OAuth documented in this link is different than the OAuth I'm talking about for our SMART on FHIR solution.

Currently, our SMART on FHIR support is limited to provider facing applications. We're actually working right now to support patient facing SMART on FHIR applications which goes a bit to your questions.

Best,
Kevin

kko...@gmail.com

Feb 6, 2017, 10:06:56 AM
to Cerner FHIR Developers
Thanks for the great responses Kevin S. If I may ask a related question, we've built a provider application that uses Cerner OAuth2 conformance (millennium+) for authentication & authorization, and the FHIR API for patient search and further data access. I'm curious what issues we might potentially face when we install our application at Cerner EMR customers. I know this is a vague question, but as we go through our initial conversations with potential customers that have Cerner EMR, we are often asked how long it will take to integrate.

Thanks,

_K

Kevin Shekleton (Cerner)

Feb 6, 2017, 12:01:46 PM
to Cerner FHIR Developers
Yes, that is a bit vague. ;-)

Cerner clients can always reach out to their Cerner representative for questions on timeframes on this type of stuff; they will have better answers than myself. Additionally, if you're in the Cerner code program then these are things the folks on the business side can help answer.

Best,
Kevin

kko...@gmail.com

Feb 6, 2017, 12:33:01 PM
to Cerner FHIR Developers
Thanks Kevin S. To ask in another way, can one expect that most Cerner EHR deployments (in the past 12 months) are FHIR ready? As for the code program, we applied a couple of weeks back and are awaiting a response.

Kevin Shekleton (Cerner)

Feb 6, 2017, 10:54:10 PM
to Cerner FHIR Developers
No, probably not. Today, clients must ask for the SMART on FHIR support. However, our SMART on FHIR support is part of our MU3 release, so we will quickly see much broader adoption over the course of this year.