Edit

Get started with Azure Health Data Services

  • Article

This article outlines the basic steps to get started with Azure Health Data Services. Azure Health Data Services is a set of managed API services based on open standards and frameworks that enable workflows to improve healthcare and offer scalable and secure healthcare solutions.

To get started with Azure Health Data Services, you need to create a workspace in the Azure portal.

The workspace is a logical container for all your healthcare service instances such as Fast Healthcare Interoperability Resources (FHIR®) service, Digital Imaging and Communications in Medicine (DICOM®) service, and MedTech service. The workspace also creates a compliance boundary (HIPAA, HITRUST) within which protected health information can travel.

Before you create a workspace in the Azure portal, you must have an Azure account subscription. If you don’t have an Azure subscription, see Create your free Azure account today.

Screenshot showing a Azure Health Data Services flow diagram.

Deploy Azure Health Data Services

To get started with Azure Health Data Services, you must create a resource in the Azure portal. Enter Azure Health Data Services in the Search services and marketplace box.

Screenshot of the Azure search services and marketplace text box.

After you locate the Azure Health Data Services resource, select Create.

Screenshot of the create Azure Health Data Services resource button.

Create workspace

After the Azure Health Data Services resource group is deployed, you can enter the workspace subscription and instance details.

For steps, see Deploy an Azure Health Data Services workspace by using the Azure portal.

Note

You can provision multiple data services within a workspace, and by design, they work seamlessly with one another. With the workspace, you can organize all your Azure Health Data Services instances and manage certain configuration settings that are shared among all the underlying datasets and services where it's applicable.

Screenshot showing the Azure Health Data Services workspace.

User access and permissions

Azure Health Data Services is a collection of secured managed services using Microsoft Entra ID. For Azure Health Data Services to access Azure resources, such as storage accounts and event hubs, you must enable the system managed identity, and grant proper permissions to the managed identity. Client applications are registered in the Microsoft Entra ID and can be used to access the Azure Health Data Services. User data access controls are done in the applications or services that implement business logic.

Authenticated users and client applications of the Azure Health Data Services must be granted with proper application roles. After being granted with proper application roles, the authenticated users and client applications can access Azure Health Data Services by obtaining a valid access token issued by Microsoft Entra ID, and perform specific operations defined by the application roles. For more information, see Authentication and Authorization for Azure Health Data Services.

Furthermore, to access Azure Health Data Services, you register a client application in the Microsoft Entra ID. It's with these steps that you can find the application (client) ID, and you can configure the authentication setting to allow public client flows or to a confidential client application.

As a requirement for the DICOM service (optional for the FHIR service), you configure the user access API permissions or role assignments for Azure Health Data Services managed through Azure role-based access control (Azure RBAC).

FHIR service

The FHIR® service in Azure Health Data Services enables rapid exchange of data through FHIR APIs backed by a managed Platform-as-a Service (PaaS) offering in the cloud. It makes it easier for anyone working with health data to ingest, manage, and persist Protected Health Information (PHI) in the cloud.

The FHIR service is secured by a Microsoft Entra ID that can't be disabled. To access the service API, you need to create a client application, also known as a service principal in Microsoft Entra ID, and then grant it with the right permissions. You can create or register a client application in the Azure portal, or by using PowerShell and Azure CLI scripts. This client application can be used for one or more FHIR service instances. It can also be used for other services in Azure Health Data Services.

You can also:

  • Grant access permissions.
  • Perform create, read (search), update, and delete (CRUD) transactions against the FHIR service in your applications.
  • Obtain an access token for the FHIR service.
  • Access the FHIR service using tools such as cURL, Postman, and REST client.
  • Load data directly by using the POST or PUT method against the FHIR service.
  • Export ($export) data to Azure Storage.
  • Convert HL7 v2 and other format data to FHIR
  • Create Power BI dashboard reports with FHIR data.

For more information, see Get started with FHIR service.

DICOM service

The DICOM® service is a managed service within Azure Health Data Services that ingests and persists DICOM objects at multiple thousands of images per second. It facilitates communication and transmission of imaging data with any DICOMweb™ enabled systems or applications via DICOMweb Standard APIs like Store (STOW-RS), Search (QIDO-RS), Retrieve (WADO-RS).

DICOM service is secured by Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application, also known as a service principal in Microsoft Entra ID, and then grant it with the right permissions. You can create or register a client application from the Azure portal, or using PowerShell and Azure CLI scripts. This client application can be used for one or more DICOM service instances. It can also be used for other services in Azure Health Data Services.

You can also:

  • Grant access permissions or assign roles from the Azure portal, or using PowerShell and Azure CLI scripts.
  • Perform create, read (search), update, and delete (CRUD) transactions against the DICOM service in your applications or by using tools such as Postman, REST client, cURL, and Python.
  • Obtain a Microsoft Entra access token using PowerShell, Azure CLI, REST CLI, or .NET SDK.
  • Access the DICOM service by using tools such as .NET C#, cURL, Python, Postman, and REST client.

For more information, see Manage medical imaging data with the DICOM service.

MedTech service

The MedTech service transforms device data into FHIR-based observation resources and then persists the transformed messages into the FHIR Service in Azure Health Data Services. The MedTech service provides a unified approach to health data access, standardization, and trend capture, enabling the discovery of operational and clinical insights, connection of new device applications, and enablement of new research projects.

To ensure that your MedTech service works properly, it needs access permissions to the Azure Event Hubs and FHIR service. The Azure Event Hubs Data Receiver role allows the MedTech service assigned this role to receive data from this event hub. For more information about application roles, see Authentication & Authorization for Azure Health Data Services

You can also:

  • Create a new FHIR service or use an existing one in the same or different workspace.
  • Create a new event hub or use an existing one.
  • Assign roles to allow the MedTech service to access Event Hubs and FHIR service.
  • Send data to the event hub, which is associated with the MedTech service.

For more information, see Get started with the MedTech service.

Next steps

Authentication and Authorization for Azure Health Data Services.

What is Azure Health Data Services?

Azure Health Data Services FAQ.

Note

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.

DICOM® is the registered trademark of the National Electrical Manufacturers Association for its Standards publications relating to digital communications of medical information.