Monday, September 20, 2021

Azure FHIR Service continued...

Introduction: This article is a continuation of the series of articles that started with a description of the SignalR service, followed by a discussion of the Azure Gateway service, Azure Private Link, Azure Private Endpoint, and the benefit of diverting traffic onto the Azure backbone network. We then reviewed a more public internet-facing service, the Bing API, and the benefits it provides when used together with Azure Cognitive Services. We then discussed infrastructure APIs such as the Provider API, ARM resources, and Azure Pipelines, and followed that with a brief overview of the Azure services' support for the Kubernetes control plane via the OSBA and the Azure operator. Next came an example of an Azure integration service, Host Integration Server (HIS). We then started discussing the Azure FHIR service. We were reviewing its search capabilities, and now we will look at its regulatory compliance and security policies.

Description:   

Regulatory compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls of different compliance standards. Assignment is not automatic: a built-in must be explicitly assigned to the FHIR resource before it can help that resource comply with a specific standard. In its list of controls and compliance domains, each built-in labels responsibility as Customer, Microsoft, or Shared.

A regulatory compliance initiative definition has a grouping portion, each group of which defines a name for the control, a category for the compliance domain, and a reference to the policy metadata that describes the control. These definitions can be used as-is or copied and edited by the customer. A link to the regulatory compliance initiative is also visible on the Azure security dashboard. The SDK provides a summarize method that counts the number of definitions that fall under the “compliant” and “non-compliant” categories.
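As an added illustration (not the page's own code and not the Azure SDK), the following Python reads the grouping portion of an initiative definition and produces the kind of per-control compliant/non-compliant summary described above. The initiative fragment and the policy state records are constructed for the example; the field names follow the Azure Policy initiative and policy-state schemas, while the control names, metadata ids and definition references are invented.

```python
import json

# Constructed fragment of a regulatory compliance initiative definition. The
# field names follow the Azure Policy initiative schema; the control names,
# metadata ids and definition reference ids are invented for this example.
INITIATIVE_JSON = """{"properties": {
  "policyDefinitionGroups": [
    {"name": "AC-2", "category": "Access Control",
     "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/EXAMPLE_AC-2"},
    {"name": "AU-6", "category": "Audit and Accountability",
     "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/EXAMPLE_AU-6"}],
  "policyDefinitions": [
    {"policyDefinitionReferenceId": "fhir-rbac", "groupNames": ["AC-2"]},
    {"policyDefinitionReferenceId": "fhir-diag-logs", "groupNames": ["AU-6"]},
    {"policyDefinitionReferenceId": "fhir-private-link", "groupNames": ["AC-2", "AU-6"]}]}}"""

# Constructed compliance states for one FHIR resource, keyed the way policy
# state records identify a definition inside an assigned initiative.
POLICY_STATES = [
    {"policyDefinitionReferenceId": "fhir-rbac", "complianceState": "Compliant"},
    {"policyDefinitionReferenceId": "fhir-diag-logs", "complianceState": "NonCompliant"},
    {"policyDefinitionReferenceId": "fhir-private-link", "complianceState": "NonCompliant"},
]


def summarize(initiative_json, states):
    """Per control group: category, metadata reference and compliant /
    non-compliant definition counts. A definition with no evaluation yet is
    counted as non-compliant rather than silently passed (our choice here)."""
    props = json.loads(initiative_json)["properties"]
    state_of = {s["policyDefinitionReferenceId"]: s["complianceState"] for s in states}
    summary = {g["name"]: {"category": g["category"],
                           "metadata": g["additionalMetadataId"],
                           "compliant": 0, "nonCompliant": 0}
               for g in props["policyDefinitionGroups"]}
    for d in props["policyDefinitions"]:
        ok = state_of.get(d["policyDefinitionReferenceId"]) == "Compliant"
        for name in d["groupNames"]:  # one definition may back several controls
            summary[name]["compliant" if ok else "nonCompliant"] += 1
    return summary


def failing_controls(summary):
    """Controls that cannot be reported as met: any non-compliant definition
    under the group fails the whole control."""
    return sorted(name for name, s in summary.items() if s["nonCompliant"])


if __name__ == "__main__":
    result = summarize(INITIATIVE_JSON, POLICY_STATES)
    for name, s in result.items():
        print(f"{name} [{s['category']}]: {s['compliant']} compliant, {s['nonCompliant']} non-compliant")
    print("failing controls:", failing_controls(result))
```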

As an example of a compliance standard, the Cybersecurity Maturity Model Certification is mentioned; it attempts to prevent the theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity. FedRAMP High and FedRAMP Moderate are shared responsibilities in the cloud: Azure provides certain compliance by virtue of being the cloud provider, while the use of FHIR resources in compliance with these standards must be specified by the user provisioning the resource via the portal. FedRAMP High and FedRAMP Moderate both pertain to account management, monitoring, and role-based access control, and differ in their impact levels. HIPAA HITRUST 9.2 targets both privilege management and role-based access control.

There are a number of other standards and versions that can be met with the same technique as above. 
