Medical Device Authentication System
Purpose
Enable secure machine-to-machine communication between medical equipment and the API using non-interactive credential exchange. This system provides temporary access tokens while maintaining audit trails through FHIR resource linkage.
Core Configuration
Essential Parameters
{
"device_auth": {
"valid_keys": {
"{DEVICE-NAME}": "{PWD}",
"{DEVICE-NAME}": "{PWD}"
},
"jwt_secret": "your-secure-key-here",
"token_expiry_minutes": 60
}
}
Key Components
valid_keys: Pre-registered device credentials (ID/key pairs)jwt_secret: Cryptographic signature secret (HS256 algorithm)token_expiry_minutes: Token validity window (5-1440 minutes)
Authentication Workflow
Step 1: Token Acquisition
POST /account/api/token/device/
Content-Type: application/json
{
"device_id": "device-123",
"api_key": "key-abcdefg"
}
Response Structure
{
"access": "header.payload.signature",
"expires_in": 3600
}
Step 2: API Access
# Sample Observation creation with device token
mutation CreateDeviceObservation($input: ObservationInput!) {
ObservationCreate(resource: $input) {
id
status
code {
coding {
system
code
}
}
device {
identifier {
system
value
}
}
}
Authorization Header Requirement
POST /graphql
Authorization: Bearer your.jwt.token
Content-Type: application/json
Variables Payload
{
"input": {
"status": "final",
"code": {
"coding": [{
"system": "http://loinc.org",
"code": "15074-8"
}]
},
"device": {
"identifier": {
"system": "http://yourdomain/device-system",
"value": "device-123"
}
}
}
}
Token Characteristics
Embedded Claims
| Claim | Purpose | Example |
|---|---|---|
sub | Device identifier | "device-123" |
entity_id | FHIR Device resource ID | "fhir-device-xyz" |
exp | Expiration timestamp | 1718900000 |
is_device | Authorization context flag | true |
Validity Controls
- Default expiration: 5 minutes (configurable up to 24 hours)
- Automatic revocation post-expiration
- Single-use credentials (keys remain valid until rotated)
FHIR Resource Mapping
Device Registration Template
{
"resourceType": "Device",
"identifier": [{
"system": "http://yourdomain/device-system",
"value": "device-123"
}],
"status": "active",
"deviceName": [{
"name": "ICU Monitor 05",
"type": "manufacturer"
}]
}
Identifier Requirements
- Must match
systemdefined in configuration - Values correspond to
device_identries - Multiple identifiers supported for legacy systems
Security Framework
Protection Strategies
-
Credential Storage
{
"valid_keys": {
"${DEVICE_ID}": "${ENV_VAR_KEY}"
},
"jwt_secret": "${VAULT_SECRET}"
} -
Rotation Policies
- JWT secret: Quarterly rotation minimum
- API keys: Event-based rotation (staff changes/breach suspects)
-
Network Controls
- IP allowlisting for critical devices
- Request rate limiting (10 req/sec default)
Audit Capabilities
- All device actions logged with
Device/:idassociation - Failed attempts trigger FHIR AuditEvent records
- Token issuance recorded in Azure Monitor
Production Considerations
Azure Integration Path
# Example using Azure Managed Identity
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
token = credential.get_token("https://your-api.azurehealthcareapis.com/.default")
Performance Notes
- Token validation adds 15-20ms overhead
- Cached JWKS entries refresh every 5 minutes
- Bulk device provisioning available via CSV import
Troubleshooting Guide
| Symptom | Diagnostic Steps | Resolution |
|---|---|---|
| 403 Invalid Key | Verify key case sensitivity | Regenerate API key pair |
| Token Expiration | Check system clock sync | Adjust expiry duration |
| FHIR Mapping Failures | Validate Device.identifier system | Reconcile configuration values |