| Scheme | Assertion ID | Status | Testability | | | Comment | Assertion | Page | Section | Last changed |
|---|---|---|---|---|---|---|---|---|---|---|
| ITIZ | ITIZ-001 | to be reviewed | Testable | 0 | 0 | | Any operation that results in, or requires submission of, a collection of resources is done via a Resource Bundle mechanism. | 6 | Section Z.1 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-002 | to be reviewed | Testable | 0 | 0 | | Actors providing HTTP server functionality shall publish a CapabilityStatement on the metadata endpoint as described in FHIR http://hl7.org/fhir/R4/http.html#capabilities. | 7 | Section Z.3 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-003 | to be reviewed | Testable | 0 | 0 | | The server actor shall support both message encodings (XML and JSON). | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-004 | to be reviewed | Testable | 0 | 0 | | The client actors shall support one message encoding (XML or JSON). | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-005 | to be reviewed | Testable | 0 | 0 | | The client actors may optionally support both message encodings (XML and JSON). | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-006 | to be reviewed | Testable | 0 | 0 | | The server actor shall support both methods of indicating the preference for encoding: the use of HTTP content negotiation and the _format query parameter. | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-007 | to be reviewed | Testable | 0 | 0 | | The value of the _format parameter must be a subset of the HTTP content negotiation. | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-008 | to be reviewed | Testable | 0 | 0 | | A client actor shall indicate preference for response format, using at least one method, with at least one of the following values (application/fhir+json or application/fhir+xml). | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-009 | to be reviewed | Testable | 0 | 0 | | A server actor may support other encodings than XML and JSON. | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-010 | to be reviewed | Testable | 0 | 0 | | To enable simpler query encoding, the value of _format may be the short "json" or "xml". | 8 | Section Z.6 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-011 | to be reviewed | Testable | 0 | 0 | Should be clearly defined in each IHE profile | Return a Success with a Bundle containing zero results – This result is indistinguishable from the case where no data is known. When consistently returned on Access Denied, this approach will not expose which patients exist, or what data might be blinded. This method is also consistent with cases where some results are authorized while other results are excluded from the results. This can only be used when returning a Bundle is a valid result. | 8 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-012 | to be reviewed | Testable | 0 | 0 | Should be clearly defined in each IHE profile | Return a 404 "Not Found" – This approach also protects from data leakage, as it is indistinguishable from a query against a resource that does not exist. It does, however, leak that the user is authenticated. | 9 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-013 | to be reviewed | Testable | 0 | 0 | Should be clearly defined in each IHE profile | Return a 403 "Forbidden" – This approach communicates that the reason for the failure is an authorization failure. It should only be used when the client and/or user is trusted to be given this information. Thus, this method is used mostly when the user is allowed to know that access is forbidden. It does not explain how the user might change things to become authorized. This approach may leak that content exists. | 9 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-014 | to be reviewed | Testable | 0 | 0 | Should be clearly defined in each IHE profile | Return a 401 "Unauthorized" – This communicates that user authentication was attempted and the user failed to be authenticated. This approach may leak that content exists. | 9 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-015 | to be reviewed | Testable | 0 | 0 | | When the server needs to report an error, it shall use HTTP error response codes. | 9 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-016 | to be reviewed | Testable | 0 | 0 | | When the server needs to report an error, it should include a FHIR OperationOutcome with more details on the failure. | 9 | Section Z.7 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-017 | to be reviewed | Testable | 0 | 0 | | Actors should not communicate any patient information unless proper authentication, authorization, and communications security have been performed. | 9 | Section Z.8 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-018 | to be reviewed | Testable | 0 | 0 | | The use of TLS is encouraged, specifically the use of the ATNA Profile. | 9 | Section Z.8 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-019 | to be reviewed | Testable | 0 | 0 | | User authentication on mobile devices is encouraged using the Internet User Authorization (IUA) Profile. | 9 | Section Z.8 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |
| ITIZ | ITIZ-020 | to be reviewed | Testable | 0 | 0 | | Security audit logging (e.g., ATNA) is recommended. | 9 | Section Z.8 | 1/7/20 2:37:45 PM by Anne-Gaëlle Bergé |