TL;DR Oystehr provides a comprehensive suite of hosted services for health tech and EHR builders, including application management and sophisticated configuration of access control policies down to individual resources.
Last week we released Oystehr Apps, an Oystehr service vital for building user-facing healthcare apps.
Oystehr's APIs provide you a compliant backend out of the box so you can build better faster. To invoke Oystehr APIs securely, users need to authenticate so your application knows they are authorized. When users log into your Oystehr Application, they get a token representing their identity to Oystehr’s APIs.
Every user and role in your Oystehr project has their Oystehr API access constrained by Access Policies which you configure. For example, you might use Access Policies to constrain a patient’s account such that they can only fetch data directly related to them (using the FHIR Patient Compartment).
PM Pediatric Care uses the Oystehr App Service to secure their Behavioral Health Intake Dashboard. When you first navigate to the Dashboard, you are sent to this login page on auth.oystehr.com:
After logging in, Dashboard users are brought to this page, which calls Oystehr’s FHIR APIs with the user’s auth token. By leveraging Oystehr’s FHIR APIs, the PM Pediatric Care development team is building sophisticated medical applications without the expense of building a proprietary backend.
To use Oystehr’s APIs from your web and native apps, you first secure them with Oystehr’s App service. Oystehr’s authorization is built to the industry-standard OAuth 2.0 specification, providing your application with the highest level of security. In just a few clicks or API calls, you can enable multi-factor authentication for your Oystehr Applications. You won’t need to build or find your own auth platform — it can be configured using Oystehr’s APIs and a few lines of code.
Use our hosted login screens. Here’s an example using Auth0’s React library (@auth0/auth0-react) to easily drop in a secure workflow:

```jsx
import { Auth0Provider } from "@auth0/auth0-react";

// Wrap your app in the provider so child components can call useAuth0()
// to log in and obtain an access token for Oystehr's APIs.
<Auth0Provider
  domain="https://auth.oystehr.com"
  clientId="YOUR_CLIENT_ID_HERE"
  audience="https://api.oystehr.com"
  redirectUri="https://example.com"
>
  ...
</Auth0Provider>
```
This is the quickest way to add authentication to your application as the hosted authentication app provides screens for logging in, resetting password, 2-factor authentication, and signing up.
Build your own auth pages. You can implement the OAuth 2.0 authorization code flow with PKCE by calling the Auth0 /authorize and /oauth/token endpoints on auth.oystehr.com.
Settings for Applications can be configured, such as:
The Oystehr console has pages for managing Applications.
With the launch of Oystehr’s App service, you can get started building user-facing apps on the Oystehr platform. Beta users are already building EHR apps to manage intake workflows, and lightweight RCM products to post insurance claims to clearinghouses and manage their resolution.
If you have any questions, you can email us or join our Slack.
1. How does Oystehr ensure the security of healthcare apps built using Oystehr Apps?
Oystehr follows the OAuth 2.0 specification, ensuring a high level of security for healthcare applications. When users log into Oystehr-powered applications, they are authenticated, and their roles are constrained by customizable Access Policies. This allows developers to control access to sensitive health data, ensuring that users can only retrieve the data relevant to them (e.g., using FHIR Patient Compartment). Additionally, multi-factor authentication (MFA) can be easily enabled to further secure applications.
2. Can I customize the user login experience with Oystehr Apps, or am I limited to pre-built authentication pages?
Oystehr gives you flexibility in how you implement authentication. You can use Oystehr’s hosted login pages, which include features like password reset, two-factor authentication, and sign-up flows, or you can build your own custom authentication pages. If you choose the latter, you can implement the OAuth 2.0 authorization code flow with PKCE using Oystehr’s endpoints. This allows for a fully personalized login experience tailored to your app’s design and user needs.
Our new behavioral health intake application, built on Oystehr, allowed us to build a solution that is customized for our use including scheduling, insurance validation, and direct integration with our eClinicalWorks EHR.
Chief Medical Information Officer at PM Pediatric Care