[NEW STANDARD] - _include and _revinclude scopes

[ChrisSquats]

Summary

When searching or retrieving resources, if _include/_revinclude query modifiers are included, the authorisation should extend to the other resources.

For example, GET Immunization/{id}?_include=patient, should include authorisation scopes of :

1. system/Immunization.r
2. system/Patient.r

Drawbacks

Potential complexity in scope and token requests.

Which area of the standards does this apply to?

• [ ] Part A - API Concepts
• [X] Part B - API Security
• [ ] Part C - API Design and Development
• [ ] Part D - FHIR
• [ ] Community guidelines

[ChrisSquats]

@swithinfoote / @daniel-thomson / @charllanghout01 - do you have any opinion on whether this should be a MUST or SHOULD requirement?

[charllanghout01]

From a security point of view, I recommend making this requirement a "MUST" for the following reasons:

• Ensuring that authorization is properly extended helps protect sensitive health data across all resource types.
• Adhering to regulatory requirements (e.g., HIPAA, GDPR) to maintaining legal and ethical standards in healthcare.
• Ensuring that all implementations maintain the same high standard of security and authorization.

Given the potential complexity, if there is significant resistance or practical difficulties, it might be worth revisiting this decision to explore ways to mitigate the drawbacks while maintaining the necessary security standards.

[ChrisSquats]

Thanks @charllanghout01, agree. I've also had a conversation with @kyle-mwnz @daniel-thomson who also agree.

I'll raise a change for a MUST requirement.

[kyle-mwnz]

This is defined a MUST by FHIR https://build.fhir.org/security.html#6.1.0.5.1