The Healthcare Interoperability Security Problem
HL7 v2.x, a standard dating from the late 1980s, is natively carried over MLLP (Minimal Lower Layer Protocol) on TCP port 2575, a framing layer that provides no authentication, no encryption and no integrity protection. A 2024 CISA advisory reported that 34% of US hospital HIS networks still allow unencrypted HL7 v2 on internal segments. The FHIR R4 specification expects TLS (HTTPS) for any exchange of PHI but leaves authentication and authorisation to each deployment (typically SMART on FHIR / OAuth 2.0), so OAuth scope enforcement is inconsistent across vendors. BiQadx instruments must interface with both legacy HL7 v2 and modern FHIR R4 environments without compromising data integrity.
TLS 1.3 Mutual Authentication Architecture
All outbound connections from BiQadx instruments use TLS 1.3 (IETF RFC 8446) with mutual authentication: both the instrument (client) and the hospital EHR API gateway (server) present X.509 v3 certificates during the handshake (in TLS 1.3 the client certificate is sent encrypted, so device identity is not exposed to passive observers). Instrument certificates are issued by the BiQadx Device CA, an intermediate CA signed by the BiQadx Root CA (10-year validity). The gateway's certificate must chain to one of the trust anchors in the instrument's certificate store, which ships with only NHS Digital PKI, HealthCare.gov PKI and the BiQadx Partner CA; no public web PKI roots are included, so a certificate from a commercial CA is rejected even if it is otherwise valid. Cipher suite policy: only TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 are permitted (TLS_AES_128_GCM_SHA256, the suite RFC 8446 §9.1 requires every implementation to support, is disabled by policy). Session resumption may use 0-RTT early data only for non-PHI metadata, because early data can be replayed by an on-path attacker (RFC 8446 §8); PHI-carrying requests always require a full TLS 1.3 handshake.
API Gateway Design for FHIR R4 & HL7 v2 Translation
A BiQadx Edge API Gateway (deployed as a Docker container on the instrument's ARM SoC) acts as a protocol translator: FHIR R4 DiagnosticReport resources are produced directly for FHIR-capable EHRs, while HL7 v2 ORU^R01 messages are generated for legacy HIEs by an embedded HL7 v2 serialiser. OAuth 2.0 with PKCE (RFC 7636) is required for FHIR endpoints: the instrument obtains a token from the hospital's authorisation server scoped to DiagnosticReport.write and Observation.write, with a 15-minute expiry, so a leaked token can neither read patient data nor remain useful for long. Token refresh uses the refresh_token grant with rolling refresh token rotation, as recommended in RFC 6749 §10.4: each refresh token is single-use, so a replayed token reveals that it has been stolen. For legacy HL7 v2, the gateway wraps MLLP in a TLS 1.3 channel (port 2575/TLS) and adds HMAC-SHA256 message authentication, which base HL7 v2 lacks, so that the integrity and origin of each message can be verified at the application layer independently of the transport.
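The MLLP framing with a message-level HMAC described above, as an added Go example that is not BiQadx's own gateway code. The page does not say how the MAC is carried, so the example assumes a per-hospital shared key and a hypothetical trailing ZMA segment holding the hex-encoded HMAC-SHA256 tag; the ORU^R01 message is constructed for the example. The receiver checks the MLLP delimiters and the MAC (in constant time) before any HL7 parsing happens, and a single altered result value is enough to make the frame fail.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// MLLP delimiters: <VT> message <FS><CR>.  HL7 v2 separates segments with <CR>.
const (
	vt, fs, cr = 0x0B, 0x1C, 0x0D
	segSep     = "\r"
	macSegment = "ZMA|" // hypothetical Z-segment carrying the message HMAC (assumed, not part of HL7)
)

// sampleORU is a constructed ORU^R01 result message as an instrument might emit it.
var sampleORU = "MSH|^~\\&|BIQADX|LAB|EHR|HOSP|20240101120000||ORU^R01|MSG0001|P|2.5.1" + segSep +
	"PID|1||MRN123^^^HOSP^MR||DOE^JANE" + segSep +
	"OBR|1|||GLU^Glucose" + segSep +
	"OBX|1|NM|GLU^Glucose||5.4|mmol/L|3.9-5.6|N|||F"

// tag computes HMAC-SHA256 over the raw HL7 message and returns it hex-encoded.
func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return []byte(hex.EncodeToString(m.Sum(nil)))
}

// Frame appends the MAC as a trailing ZMA segment and wraps the result in MLLP delimiters.
func Frame(key []byte, msg string) []byte {
	body := append([]byte(msg+segSep+macSegment), tag(key, []byte(msg))...)
	out := append([]byte{vt}, body...)
	return append(out, fs, cr)
}

// Unframe validates the MLLP delimiters, splits off the ZMA segment and verifies the MAC
// in constant time before the HL7 content is handed to any parser.
func Unframe(key, frame []byte) (string, error) {
	if len(frame) < 3 || frame[0] != vt || frame[len(frame)-2] != fs || frame[len(frame)-1] != cr {
		return "", errors.New("malformed MLLP frame")
	}
	body := frame[1 : len(frame)-2]
	i := bytes.LastIndex(body, []byte(segSep+macSegment))
	if i < 0 {
		return "", errors.New("missing ZMA authentication segment")
	}
	msg, got := body[:i], body[i+len(segSep)+len(macSegment):]
	if !hmac.Equal(got, tag(key, msg)) {
		return "", errors.New("HMAC-SHA256 verification failed")
	}
	return string(msg), nil
}

func main() {
	key := []byte("per-hospital shared secret (constructed for the example)")
	frame := Frame(key, sampleORU)
	msg, err := Unframe(key, frame)
	fmt.Printf("verified=%v message=%q\n", err == nil, msg)
	// An attacker who can edit the glucose value inside the frame invalidates the MAC.
	tampered := bytes.Replace(frame, []byte("|5.4|"), []byte("|9.9|"), 1)
	_, err = Unframe(key, tampered)
	fmt.Println("tampered frame:", err)
}
```

The MAC binds content and origin but not freshness: a captured frame can be replayed intact, so a receiver should additionally track MSH-10 message control IDs (and MSH-7 timestamps) per sender. The TLS channel already protects the hop; the message-level tag is what survives TLS termination at an integration engine or load balancer in front of the HIE.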
Certificate Lifecycle Management & Revocation
Device certificates are provisioned at manufacture through a Hardware Security Module (Thales Luna PCIe) and stored, together with the device private key, in the instrument's TPM 2.0. Certificates are valid for 3 years and are re-issued annually through ACME v2 (RFC 8555); the instrument self-renews automatically no later than 30 days before expiry, authenticating the renewal request with its current, still-valid certificate. Revocation checking: OCSP stapling (the RFC 6066 status_request extension carrying an OCSP response per RFC 6960) is required for all EHR gateway certificates, and the CRLs referenced by the certificates' CRL distribution points are cached locally and refreshed every 4 hours so that revocation can still be checked while the hospital's OCSP responder is unreachable. A refused EHR connection triggers a clinical alert, 'LIMS SYNC SUSPENDED — TLS CERTIFICATE ISSUE', on the instrument UI along with a QR code linking to the IT remediation guide.
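The mutual authentication and revocation behaviour from the TLS 1.3 section and this certificate lifecycle section, as one added Go example (not BiQadx code). It generates the BiQadx Root CA → Device CA → instrument chain and a partner CA → gateway chain in memory, runs a TLS 1.3 handshake over loopback in which the gateway accepts only instruments that chain to the BiQadx root and the instrument trusts only the partner CA, and installs a VerifyPeerCertificate hook that consults a locally cached, signature-checked CRL. The CA names, the hostname ehr-gateway.hospital.example, the "Unknown CA" standing in for a counterfeit device and the 4-hour CRL lifetime are assumptions for the example; parsing of a stapled OCSP response is omitted because it needs golang.org/x/crypto/ocsp.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type entity struct { // certificate plus its private key, so a CA can sign certificates and CRLs
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a P-256 certificate signed by parent, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *entity) *entity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3 * 365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn} // hostname SAN for leaves (production leaves also carry EKUs)
	}
	signer, signerKey := t, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return &entity{cert, key}
}

// makeCRL: the gateway's issuing CA publishes a CRL naming the revoked certificates; the
// instrument caches it locally and refreshes it on the 4-hour schedule (assumed lifetime).
func makeCRL(issuer *entity, revoked ...*entity) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(4 * time.Hour)}
	for _, e := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: e.cert.SerialNumber, RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, t, issuer.cert, issuer.key)
	list, _ := x509.ParseRevocationList(der)
	return list
}

// gatewayConfig: TLS 1.3 only; a client certificate chaining to the BiQadx Root CA is mandatory.
func gatewayConfig(gw *entity, deviceRoot *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(deviceRoot)
	return &tls.Config{MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{gw.cert.Raw}, PrivateKey: gw.key}}}
}

// instrumentConfig: trust only the partner CA; send the leaf with its Device CA intermediate
// so the gateway can build the chain to the root; refuse a gateway listed on the cached CRL.
func instrumentConfig(leaf, deviceCA, anchor *entity, crl *x509.RevocationList) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor.cert)
	return &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "ehr-gateway.hospital.example",
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.cert.Raw, deviceCA.cert.Raw}, PrivateKey: leaf.key}},
		// Runs after the gateway chain has validated against the trust store.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if crl.CheckSignatureFrom(anchor.cert) != nil || time.Now().After(crl.NextUpdate) {
				return fmt.Errorf("TLS CERTIFICATE ISSUE: cached CRL unsigned or stale, refresh required")
			}
			for _, rc := range crl.RevokedCertificates {
				if rc.SerialNumber.Cmp(chains[0][0].SerialNumber) == 0 {
					return fmt.Errorf("TLS CERTIFICATE ISSUE: gateway certificate revoked")
				}
			}
			return nil
		}}
}

// handshake runs one mutually authenticated exchange over loopback; nil means both sides accepted.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // gateway side: Write runs the handshake and sends an alert if the client cert does not chain
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli) // fails if the gateway is untrusted or revoked
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // TLS 1.3 clients finish first; the read surfaces the gateway's verdict
	return err
}

// runScenarios builds the hierarchies from the text plus an unrelated CA posing as a counterfeit device.
func runScenarios() (instrumentOK, rogueRejected, revokedRejected bool) {
	root := issue("BiQadx Root CA", true, nil)
	deviceCA := issue("BiQadx Device CA", true, root)
	instrument := issue("biqadx-anl-0001", false, deviceCA)
	partnerCA := issue("BiQadx Partner CA", true, nil)
	gateway := issue("ehr-gateway.hospital.example", false, partnerCA)
	rogueCA := issue("Unknown CA", true, nil)
	rogue := issue("counterfeit-0001", false, rogueCA)
	srv, clean := gatewayConfig(gateway, root.cert), makeCRL(partnerCA)
	instrumentOK = handshake(srv, instrumentConfig(instrument, deviceCA, partnerCA, clean)) == nil
	rogueRejected = handshake(srv, instrumentConfig(rogue, rogueCA, partnerCA, clean)) != nil
	revokedRejected = handshake(srv, instrumentConfig(instrument, deviceCA, partnerCA, makeCRL(partnerCA, gateway))) != nil
	return
}

func main() {
	fmt.Println(runScenarios()) // expected: true true true
}
```

Two points the code makes that the prose does not: the instrument must send the Device CA intermediate with its leaf, otherwise a gateway that holds only the BiQadx root cannot build the chain; and a cached CRL is only usable while its signature verifies against the issuing CA and its NextUpdate has not passed, so the example fails closed on a stale cache where a production instrument would first attempt its 4-hour refresh. Go's crypto/tls does not let callers restrict TLS 1.3 cipher suites (Config.CipherSuites applies to TLS 1.2 and below), so the AES-256/ChaCha20-only policy from the TLS section must be enforced in the TLS library actually deployed, for example OpenSSL's SSL_CTX_set_ciphersuites. The 30-days-before-expiry renewal trigger is simply a comparison of the current time against the device certificate's NotAfter minus 30 days.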
