#Security


Security in IT is the protection of computer systems from theft of and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.

See the InterSystems Documentation on Security.

Discussion Ethan Calloway · May 20

What logging and auditing strategies are commonly recommended for InterSystems IRIS environments?

I’m interested in learning about best practices for tracking user activity, troubleshooting issues, monitoring integrations, and maintaining compliance in enterprise or healthcare systems.

Are there built-in tools or external integrations that work especially well for this purpose?

Discussion Ethan Calloway · May 20

I’m currently working with REST APIs in InterSystems IRIS and would like to better understand the recommended security practices for production environments.

I’m especially interested in:

  • Authentication and authorization methods
  • Token management strategies
  • Role-based access control
  • API gateway recommendations
  • Encryption and secure communication practices
  • Monitoring and logging for API activity

I would also appreciate learning about common mistakes to avoid when deploying APIs publicly or integrating with external systems.

What approaches or tools have worked best in your environments?

Job Victor Gordillo · May 14

Key Responsibilities & Requirements

Core Infrastructure & Cloud Management

  • Full-Stack Administration: Maintain and optimize both Linux (Ubuntu/RHEL) and Windows Server environments.
  • Cloud Orchestration: Take full ownership of VM cloud infrastructure, including provisioning, health monitoring, backup and resource scaling.
  • Policy Governance: Design and enforce comprehensive SysAdmin and Deployment policies (CI/CD pipelines, automated provisioning, and security hardening).

InterSystems Database Administration

  • Platform Expertise: Expert-level administration of both InterSystems IRIS and Caché.

Article José Pereira · May 10 15m read

Data privacy regulations such as GDPR, LGPD, and HIPAA demand that organizations know exactly where Personally Identifiable Information (PII) lives inside their databases. Yet in practice, most teams rely on manual inventories, tribal knowledge, or external scanning tools that require data to leave the database engine — a process that itself creates privacy and security risks.

This article presents an MVP that takes a different approach: it runs PII detection inside InterSystems IRIS using Embedded Python, analyzing data where it lives and never exporting it to an external process.

Question John Murray · May 4

As an experiment in agentic coding in ObjectScript I'm using VS Code to try and create an implementation of an SFTP server.

SFTP is built on top of SSH, so the first phase involves implementing an SSH server. While working on the KEX part of that, the agent (using GPT-5.3-Codex) reported:

  1. IRIS has what we already need for signing and hashing: RSASHASign, RSASHAVerify, RSAGetLastError, SHAHash, SHA1Hash, SHA3Hash.
  2. It does not list a Diffie-Hellman key exchange or modular exponentiation API in %SYSTEM.Encryption.

It then offered these options:

  1. Keep using IRIS APIs for cert/key/sign/hash.

Article David Hockenbroch · Apr 28 2m read

. . . you are not alone. 

Help is available.

This took me a while to figure out, and I assume there may be others struggling too. I made my way through all the Entra stuff to set up a client credentials workflow to send email through a Microsoft 365 account. I was able to successfully retrieve my token, but I couldn't ever get it to authenticate with the SMTP server using the %Net.SMTP class. There were two parts to fixing this.

First, the authenticator's access token needs to be more than JUST the access token. It has to be formatted as:

set smtp.authenticator.AccessToken = "user="_emailaddress_$C(1)_"auth=Bearer "_token_$C(1,1)

Article Tani Frankel · Apr 26 1m read

A very important feature for HL7 FHIR has been introduced with the release of v2026.1 - the support for SMART on FHIR v2 fine-grained granular Scopes.

This enables you to be much stricter and more accurate in the access you provide to the data in your FHIR repository.

Part of this new support is to refuse requests that don't match the scopes, but an even more interesting ability is to filter the results according to the provided scopes.
