Orders Service — Security Model
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template
1. Authentication and Authorization
- Authentication: Keycloak JWT (RS256). Every request must carry a valid Bearer token.
- Authorization: RBAC via Keycloak realm roles + module entitlement guard (clinical.orders).
- Tenant isolation: PostgreSQL RLS with app.tenant_id session variable set from JWT claim.
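The tenant isolation described above, as an added example that is not the project's own schema: an RLS policy on an assumed orders table keyed on the app.tenant_id variable, with the role setup and per-request pattern a practitioner needs for the policy to actually be enforced. Table, column and role names are assumptions.

```sql
-- Added example (not the project's own schema): tenant isolation for an
-- assumed orders table via PostgreSQL row-level security, keyed on the
-- app.tenant_id variable that the service sets from the JWT tenant claim.
-- Table, column and role names are assumptions.

CREATE TABLE IF NOT EXISTS orders (
    id         uuid PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    patient_id uuid NOT NULL,
    status     text NOT NULL
);

-- Role the service connects as. It must not own the table and must not have
-- BYPASSRLS; either would make PostgreSQL skip the policy silently.
CREATE ROLE orders_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON orders TO orders_app;

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- FORCE also applies the policy to the table owner, so migration and
-- maintenance jobs running as the owner do not bypass tenant isolation.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL if the variable was never set, but
-- an empty string once it has been set in an earlier transaction on the same
-- session. NULLIF maps both to NULL, the comparison is then never true, and a
-- request that forgot to set the tenant sees (and can write) no rows at all.
CREATE POLICY orders_tenant_isolation ON orders
    FOR ALL
    TO orders_app
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request pattern inside the service. set_config(..., true) is
-- transaction-scoped (like SET LOCAL) but accepts a bind parameter, so the
-- tenant id from the JWT is never concatenated into SQL, and a pooled
-- connection cannot carry one tenant's id into the next request.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true); -- constructed value
SELECT id, status FROM orders WHERE patient_id = '22222222-2222-2222-2222-222222222222'; -- constructed value
COMMIT;
```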
2. RBAC Matrix
| Operation | CLINICIAN | PRESCRIBER | NURSE | PHARMACIST | PATIENT | ADMIN |
|---|---|---|---|---|---|---|
| Create order (any type) | Yes | Yes | Lab/nursing only | No | No | No |
| Activate order | Yes | Yes | No | No | No | No |
| Acknowledge CDS warning | Yes | Yes | No | No | No | No |
| Cancel order | Yes | Yes | Own nursing | No | No | Admin only |
| Hold/resume order | Yes | No | No | No | No | No |
| Correct (enter-in-error) | Yes | No | No | No | No | Yes |
| Create order set | Yes | No | No | No | No | Yes |
| Instantiate order set | Yes | Yes | No | No | No | No |
| View orders | Yes | Yes | Yes | Yes (medication) | Own | Yes |
| View CDS alerts | Yes | Yes | No | No | No | Yes |
| View referral detail | Yes | Yes | Yes | No | Own | Yes |
3. CDS Override Audit
Any clinician acknowledgement of a CDS hard-stop (requires ADMIN escalation) or warning must be logged with:
- Actor ID and role
- Alert rule ID
- Override reason (free text, required)
- Timestamp
This audit record is immutable and retained for 7 years.
4. Encryption
| Data class | At rest | In transit |
|---|---|---|
| Order records | AES-256 (PostgreSQL TDE or volume encryption) | TLS 1.3 |
| CDS alert content | Standard encryption | TLS 1.3 |
| Referral clinical summary | AES-256 | TLS 1.3 |
| Allergy cache | AES-256 | TLS 1.3 |
| NATS event payloads | Encrypted at rest on JetStream volume | TLS 1.3 |
5. PII and Sensitive Fields
| Field | Classification | Masking rule |
|---|---|---|
| patientId | PII | Resolved to display name for NURSE; full resolution for CLINICIAN/ADMIN |
| referralDetail.clinicalSummary | Clinical / PII | Visible to CLINICIAN only; hidden from NURSE in list views |
| medicationDetail | Clinical data | Visible to CLINICIAN, PRESCRIBER, PHARMACIST |
| orderedBy | PII | Visible to CLINICIAN, ADMIN; hidden in patient-facing views |
6. Medication Order Security
- Medication orders require PRESCRIBER or CLINICIAN role; NURSE role cannot create medication orders.
- Controlled substance orders (where applicable) require dual-sign: second clinician acknowledgement before activation.
- All medication order activations are captured in the audit log.
7. Module Entitlement Guard
Requests are rejected with 403 MODULE_NOT_ENTITLED if the tenant's Keycloak realm does not include the clinical.orders entitlement scope.
8. GDPR / Patient Rights
| Right | Implementation |
|---|---|
| Right to access | GET /v1/orders?patientId= for patient-owned orders |
| Right to rectification | PUT /v1/orders/:id/correction (clinical correction, not patient self-service) |
| Right to erasure | Not applicable for clinical orders (legal hold); pseudonymization on platform delete request |
| Right to portability | FHIR ServiceRequest/MedicationRequest export |