Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?
For REST APIs this is possible, but could this be achieved with OAuth?
Out of the box the ODBC/JDBC drivers don't seem to have this option, but maybe some custom code could enable this? Perhaps via Delegated Authentication and some customization of the OAuth classes, or some other way?
Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?
I'm trying to lock down access in our IRIS system.
I notice there is no current %DB_X resource (which I want to add so that I can create a read-only role for it).
If I add resource %DB_X will there be an immediate effect or will it only be applicable to roles (and users linked to that role)?
Healthcare billing isn’t a pipeline. It’s a conversation about trust.
Every day, millions of clinical transactions flow from doctors’ keyboards to insurance ledgers. Standard health IT systems are built to count these transactions. They store them. They organize them. They route them. But standard systems don't notice them.
We’ve built faster and faster databases to process claims, but we forgot to ask: Does this claim make sense?
Because we don’t ask in real-time, we’ve accepted a compromise. We pay first, wait six months, and then hire forensic auditors to find the mistakes.
Hello everyone.
After trying to run Python methods in the intersystemsdc/irishealth-community Docker container, which no longer allows any Python methods to be executed, I decided to abandon this version and start working with containers.intersystems.com/intersystems/iris-community.
In this environment, the Python methods work, which was a significant improvement.
I'm trying to import my libraries with pip install -r requirements.txt
What logging and auditing strategies are commonly recommended for InterSystems IRIS environments?
I’m interested in learning about best practices for tracking user activity, troubleshooting issues, monitoring integrations, and maintaining compliance in enterprise or healthcare systems.
Are there built-in tools or external integrations that work especially well for this purpose?
I’m currently working with REST APIs in InterSystems IRIS and would like to better understand the recommended security practices for production environments.
I’m especially interested in:
I would also appreciate learning about common mistakes to avoid when deploying APIs publicly or integrating with external systems.
What approaches or tools have worked best in your environments?
In v2026.1 we introduced support for a more robust and real-life secure authorization for your FHIR endpoints.
This is achieved by using SMART on FHIR v2 fine-grained scopes.

Data privacy regulations such as GDPR, LGPD, and HIPAA demand that organizations know exactly where Personally Identifiable Information (PII) lives inside their databases. Yet in practice, most teams rely on manual inventories, tribal knowledge, or external scanning tools that require data to leave the database engine — a process that itself creates privacy and security risks.
This article presents an MVP that takes a different approach: it runs PII detection inside InterSystems IRIS using Embedded Python, analyzing data where it lives and never exporting it to an external process.
As an experiment in agentic coding in ObjectScript I'm using VS Code to try and create an implementation of an SFTP server.
SFTP is built on top of SSH, so the first phase involves implementing an SSH server. While working on the KEX part of that, the agent (using GPT-5.3-Codex) reported:
It then offered these options:
In v2026.2 (currently available as a Developer Preview), we are adding a feature that can help in a FHIR Endpoint SMART/OAuth authorization - more out-of-the-box flexibility in audience value validation.
. . . you are not alone.
Help is available.
This took me a while to figure out, and I assume there may be others struggling too. I made my way through all the Entra stuff to set up a client credentials workflow to send email through a Microsoft 365 account. I was able to successfully retrieve my token, but I couldn't ever get it to authenticate with the SMTP server using the %Net.SMTP class. There were two parts to fixing this.
First, the authenticator's access token needs to be more than JUST the access token. It has to be formatted as:
set smtp.authenticator.AccessToken = "user="_emailaddress_$C(1)_"auth=Bearer "_token_$C(1,1)
A very important feature for HL7 FHIR has been introduced with the release of v2026.1 - the support for SMART on FHIR v2 fine-grained granular Scopes.
This enables you to be much stricter and more accurate in the access you provide to the data in your FHIR repository.
Part of this new support is to refuse requests that don't match the scopes, but an even more interesting ability is to filter the results according to the provided scopes.
This article reflects my recent experiences in trying to connect an IRIS Business Operation to a secure Kafka server, using SSL tunnels to encrypt the communications and using SASL (Simple Authentication and Security Layer) password hashing with SCRAM-SHA-512.
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Resilience by Design - Business Continuity Through Secure Backup @ Ready 2025
Hi folks!
Is there an easy setting, e.g., to merge.cpf so that it will disable the management portal on a deployed IRIS container?
The idea is to let only one of my particular web apps be available and everything else not even accessible on IRIS.
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Operationalizing Cybersecurity - Making it Real and Relevant @ Ready 2025
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Data on the Move - Securing InterSystems IRIS Connections with TLS @ Ready 2025
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Ahead of the Threats - The Future of Secure Systems @ Ready 2025
Hello Community!
We're pleased to invite you to the upcoming webinar in Hebrew:
👉Getting Started with OAuth 2.0 on InterSystems👈
📅 Date & time: March 25th, 3:00 PM IDT
SQL injection remains one of the most critical vulnerabilities in database-driven applications, allowing attackers to manipulate queries and potentially access or compromise sensitive data. In InterSystems IRIS, developers have access to both Dynamic SQL and Embedded SQL, each with distinct characteristics. Understanding how to use them securely is essential for preventing SQL injection.
Dynamic SQL constructs queries as strings at runtime. While this offers flexibility, it also creates a vulnerability if user input is not handled correctly.
With the release of InterSystems IRIS Cloud SQL, we're getting more frequent questions about how to establish secure connections over JDBC and other driver technologies. While we have a nice summary and detailed documentation on the driver technologies themselves, our documentation does not go as far as describing individual client tools, such as our personal favourite, DBeaver. In this article, we'll describe the steps to create a secure connection from DBeaver to your Cloud SQL deployment.
IRIS makes SIEM systems integration simple with Structured Logging and Pipes!
IRIS can use a KMS (Key Management Service) as of release 2023.3. The InterSystems documentation is a good resource on KMS implementation, but it does not go into details of the KMS setup on the system, nor provide an easily followable example of how one might set this up for basic testing.
The purpose of this article is to supplement the docs with a brief explanation of KMS, an example of its use in IRIS, and notes for setting up a testing system on an AWS EC2 Red Hat Linux system using AWS KMS. It is assumed in this document that the reader/implementor already has the access and knowledge to set up an AWS EC2 Linux system running IRIS (2023.3 or later), and that they have proper authority to access AWS KMS and AWS IAM (for creating roles and policies), or that they will be able to get this access either on their own or via their organization's security contact in charge of their AWS access.
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.
A JWT is typically composed of three parts:
1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature
These parts are encoded in Base64Url format and concatenated with dots (.) separating them.
Hi, Community!
Do you need a way to securely manage your passwords, API keys, and other credentials? See how the Secure Wallet in InterSystems IRIS® data platform can help:
There is a Master Table within IRIS that I am populating from Epic but want to share it with our Enterprise Application Development Team (Web). As a test I was able to use _SYSTEM from postman to execute the following.
POST /api/atelier/v1/xxxx/action/query HTTP/1.1
Host: xxxxxxxx
Content-Type: application/json
Authorization: ••••••
Cookie: CSPSESSIONID-SP-443-UP-api-atelier-=00f0000000000AKyLjBfUvU$MpFD8UT8y$EoNKNw1ixZeXN4_Q; CSPWSERVERID=hzZAT5rb
Content-Length: 86
{"query": "SELECT * FROM osuwmc_Epic_Clarity.DepartmentMaster WHERE ID = '300000000'"}
Also in previous versions you could define your FHIR Server to accept requests via OAuth 2.0 (e.g. for a SMART on FHIR client), but nowadays with v2024.3, which was released a while ago, there is a new feature that enables doing this more easily - the OAuth FHIR Client QuickStart.
It was encouraging to see more people building VS Code extensions for the recent contest. However, I noticed that of the three extensions requiring credentials with which to make their connections, only mine, gj :: dataLoader, leverages the long-established and officially supported InterSystems Server Manager extension to obtain the connection definitions and to handle credentials securely.