See chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Attachments.20workflow.20in.20practice

that points out that Binary resources are hard to know that they need to be protected as patient specific.

This all a good example of the Security WG proposal for a "Security/Privacy Consideration" section to be added to every resource, not to duplicate the security page but to point out special considerations of that specific resource.

Given the Binary resource might contain a wide variation of patient specific not not patient specific data, there shoudl be a consistant use of the Security_labels to indicate when a Binary is patient specific sensitive vs very pubic. This would be a good use of the _confidentiality evaluation. Where "U" would be used to indicate that the Binary instance is unrestricted. Where as a "N" indicates it is normal patient specific data. "R" would be restricted patient specific...