Make TLS a SHOULD, not SHALL - SDC #5


    • Type: Change Request
    • Resolution: Not Persuasive
    • Priority: Medium
    • Structured Data Capture (SDC) (FHIR)
    • STU3
    • FHIR Infrastructure
    • (profiles) [deprecated]
    • 3.1 General Security
    • If it's a controlled network, it is by definition a secured channel and thus this rule would not apply.
    • Clem McDonald/Ed Hammond: 10-0-2
    • Correction

      Existing Wording: When transmitting PHI (Personally Identifiable Healthcare Information) or other confidential information over an unsecured channel, systems SHALL use TLS or other equivalent secure transport protocols (determined to be sufficient through risk analysis) to provide a secure channel.

      Proposed Wording: When transmitting PHI (Personally Identifiable Healthcare Information) or other confidential information over an unsecured channel, systems SHOULD use TLS or other equivalent secure transport protocols (determined to be sufficient through risk analysis) to provide a secure channel.

      Comment:

      In the case this occurs in a controlled network, this might not be needed. Although I recognize the need, mandating this in all situations goes too far. Suggest replacing it with SHOULD.

      Summary:

      Make TLS a SHOULD, not SHALL

            Assignee: Unassigned
            Reporter: Bas van den Heuvel
            Watchers: 3