Requirement
Resource IDs may be exposed on GET over HTTP and hence should not include protected health information (PHI) found in Patient.identifier (Israeli ID number, passport number, etc.).
We assume:
1. If identifiers are used in resource IDs, this will occur in almost 100% of instances, hence a small sample should suffice for detection.
2. Identifiers may be combined with other strings (prefixed by resourceType, combined with a primary key, etc.), hence IDs should be checked for whether they CONTAIN the identifiers (anywhere in the ID).
3. For some identifiers we have prior knowledge about how they may appear slightly transformed in Resource.id. For example, for the Israeli ID number (Patient.identifier:il-id):
   - Leading zeros may be trimmed
   - A separating character (such as a dash) can be added between the control digit and the ID number
Hence, for some identifiers,
Implementation
[ ] Randomly sample a small number N (10-20) of patients (these can be taken from the patients sampled for certification).
[ ] Check whether Patient.identifier.value itself, or any variation mentioned in item 3 of the assumptions above, is contained in any of the resource IDs in the compartment (including the Patient itself).
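A sketch of the two implementation steps above, as an added example that is not part of the original requirement or of any existing project code. The function names, the in-memory shape of the compartment data, and the "passport" system label are assumptions; "il-id" is the slice name used above.

```python
import random
import re

IL_ID = "il-id"  # slice name from the page; the real identifier.system URI is deployment-specific

def il_id_pattern(value):
    """Regex for an Israeli ID with leading zeros trimmed and an optional
    single separator before the control (last) digit."""
    digits = re.sub(r"\D", "", value).lstrip("0")
    if len(digits) < 2:
        return None
    return re.compile(re.escape(digits[:-1]) + r"[^0-9A-Za-z]?" + digits[-1])

def leaks(identifier, resource_id):
    """True if the identifier value, or a known variation, appears anywhere in the id."""
    value = identifier.get("value") or ""
    if not value:
        return False
    if value in resource_id:  # exact value, including any leading zeros
        return True
    if identifier.get("system") == IL_ID:
        pattern = il_id_pattern(value)
        return bool(pattern and pattern.search(resource_id))
    return False

def scan(compartments, n=15, seed=None):
    """Sample up to n patients and return (patient_id, resource_id, system) hits."""
    rng = random.Random(seed)
    sample = rng.sample(sorted(compartments), min(n, len(compartments)))
    return [(pid, rid, ident.get("system"))
            for pid in sample
            for ident in compartments[pid]["identifiers"]
            for rid in compartments[pid]["resource_ids"]
            if leaks(ident, rid)]

# Constructed sample data: patient id -> identifiers and the resource ids in its compartment.
SAMPLE = {
    "pat-3456789": {"identifiers": [{"system": "il-id", "value": "003456789"}],
                    "resource_ids": ["pat-3456789", "obs-345678-9-17", "enc-a1b2c3"]},
    "7f3c9e": {"identifiers": [{"system": "il-id", "value": "012345678"},
                               {"system": "passport", "value": "P7654321"}],
               "resource_ids": ["7f3c9e", "cov-P7654321", "obs-91d2"]},
    "c0ffee": {"identifiers": [{"system": "il-id", "value": "098765432"}],
               "resource_ids": ["c0ffee", "obs-55aa"]},
}

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("PHI in resource id:", hit)
```

Because the trimmed form is matched anywhere in the ID, an identifier that is very short after trimming can match unrelated IDs, so hits on short values need manual review.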