Security January 2016 Orlando WGM Minutes
From HL7Wiki
Minutes from Security WG
Links
Return to: WGM Minutes2016January Orlando
Overall Attendees
- Mike Davis
- John Moehrke
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Kathleen Connor
- Diana Proud-Madruga
- Dennis Patterson
- Michael Donnelly
- Kevin Riley
- PrareenEkkati
- Hideyuki Miyohara
- Suzanne Gonzales-Webb
- Joshua Mandel
- Grahame Grieve
- Paul Knapp
- Nancy Orvis
- Chris Shawn
- Beth Pumo
- Johnathan Coleman
Tuesday Q1
Attendees:
- Mike Davis
- John Moehrke
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Kathleen Connor
- Hideyuki Miyohara
- Suzanne Gonzales-Webb
- Chris Shawn
- Beth Pumo
- Johnathan Coleman
Notes: Opening Security WG Meeting Introductions
- Agenda HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG
- Approval of agenda: moved John, seconded Trish; vote 10/0/0 (for/against/abstain)
- IHE Report
- Advanced Patient Privacy Consents Profile -- will leverage CDA Consent Directive
- Internet User Authorization (IUA) -- will leverage HEART OAuth profiles
- ISO Report
- ???
- ONC - API taskforce
- HEART
- UMA
- OAuth Scopes
- Consent Receipt
- Healthcare Access Control Catalog
- ballot reconciliation done, just waiting on agreement
- FHIR Consent -- see us in Q3 at CBCC
- Workgroup responsibilities
- Future work items (Trish action item)
Tuesday Q2
Attendees:
- Mike Davis
- John Moehrke
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Hideyuki Miyohara
- Chris Shawn
- Beth Pumo
Notes:
- Security/EHR Verb/Provenance/Lifecycle Vocabulary
- Work space Record Lifecycle, Security, Privacy, and Provenance Vocabulary Alignment
- Struggling greatly
- three months have produced 4 terms
- Principle: settle for a good-enough definition and focus on describing the functionality.
- Note IHE has published a White Paper on "Health Information Management". Written primarily by AHIMA individuals working within IHE.
- Worked on 3 year plan for Security WG
Tuesday Q3
Attendees:
- Mike Davis
- Princess Trish Williams
- Duane DeCouteau
- Kathleen Connor
- Hideyuki Miyohara
- Chris Shawn
- Diana Proud-Madruga
Security WG Project Meeting - Notes
- SOA Audit
- Diana started the PSS (Project Scope Statement). The group worked on formulating the PSS in preparation for the joint meeting with SOA on Wednesday Q2.
- Discussion on Future work items
- Future security tutorials (free or paid): future planning?
- A new tutorial topic would be the security aspects of FHIR. It could cover the relevant resources (Questionnaire, Contract, and C-CDA Composition) and the security vocabularies that support labeling. To be considered for the HL7 WGM in Sept 2016, or May if possible. This would be a free tutorial. Kathleen will inquire about opportunities to deliver such a tutorial close to the FHIR Connectathon.
- Workgroup Health
- Email communication with the TSC revealed that the WG is penalized for missing the TSC election last year. The penalty applies to the workgroup health score for the following three meetings.
- Three-Year Plan last updated Sept 2012. To be updated at this meeting.
- Trish updated Three-Year Plan in preparation for approval by WG.
- Mission and Charter last updated May 2015
- SWOT last updated May 2015
- Decision Making Processes last updated Sept 2014
- Post WGM Effectiveness Survey completed by Trish 13/01/2016
- Room bookings for next WGM in May completed by Trish 13/01/2016
- Actions:
- A new Publishing Facilitator needs to be selected following the retirement of Mike Davis as Co-Chair. The HL7 Security Leadership page will need to be updated.
- New Three-Year Plan to be circulated and approved by WG.
- Next WGM (May) agenda to be posted to Wiki by 01 April 2016
Tuesday Q4
Attendees:
- Mike Davis
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Kathleen Connor
- Hideyuki Miyohara
- Chris Shawn
- Beth Pumo
- Don Jorgenson
Security WG Project Meeting Notes:
- Trust Framework
- Establishing the level of trust at which two or more entities can exchange data.
- The current method, a common contract, is inflexible and often technology specific. How this architecture applies to FHIR is (as yet) undetermined.
- Negotiation of the policies can happen at run time; the computer-negotiated contract is what drives the policy.
- Using Trust Frameworks allows run-time flexibility (and technology independence).
- Possible future project for the Security WG. Kathleen to advise on the initial draft material previously presented, to assess possible directions.
- Trust framework handling is in the Security Labeling Service (SLS) but is not fully defined there.
Wednesday Q1
Hosted by EHR
Topics Discussed
- Patient Choice Project - Johnathan Coleman
- ONC recently launched this project. It will look at the basic choice offered to the individual to prevent their PHI from being available for electronic exchange. Project to run Sept 2015 to March 2020. Refer to presentation.
- Vocabulary Alignment
- 30 terms to align.
- Working definitions of Originate and Receive agreed. Definitions of Verify and Validate not yet stable.
- New PSS required, as the original PSS did not indicate that the work would go to ballot.
- Report from John Moehrke on revisions to harmonize the FHIR Provenance and AuditEvent resources with W3C PROV.
- Pain points in workflow project. FHIR W5 Report - Lloyd
Refer to EHR minutes for more detail
Wednesday Q2
Hosted by SOA
Wednesday Q3
Hosting FHIR
Attendees:
- John Moehrke
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Joshua Mandel
- Hideyuki Miyohara
- Peter Jordan
- Yunwei Wang
- Amlan Dasgupta
- Steve Baumann
- Kathleen Connor
- Chuck Gerlach
- Kevin Shekleton
- Chris Greni
Notes: Comment resolution.
Wednesday Q4
Attendees:
- John Moehrke
- Alexander Mense
- Princess Trish Williams
- Duane DeCouteau
- Hideyuki Miyohara
- Suzanne Gonzales-Webb
Agenda
- Discussion - Privacy Protection for the Internet of Things
- HEART, emerging vocabularies
- Approval of Three-Year Plan. Proposed John Moehrke, seconded Alex Mense. Approved unanimously.
Notes:
Participants present did not have information on the agenda items.
Duane -- How can we work toward better security testing at the FHIR Connectathon?
- John - Following the agreement from the EHR Q1 joint today, we focus on helping DAF, SDC, and a new Document Sharing project integrate security into their testing plans. These IGs already include the security parts; they just lack testing of them.
- Requests have been sent to Lloyd (SDC), Dragon (DAF), and John (DS).
- Discussed possible phasing: requiring full implementation in one shot would not work, so we bring this in in phases so that the community accepts and implements it.
- First phase -- AuditEvent recording. Focus on testing that actors in those IGs produce the appropriate AuditEvent; this can be tested at the audit service.
- Second phase -- Provenance is recorded on all items created or updated.
- Third phase -- automatic security labeling: a declared policy that causes labeling and yields a good spectrum of labels. For example, label all Observations whose code has a "d" in the display name as "Restricted". This is not a useful policy except that it is computable and produces a testable result; if systems can do this, they likely can do realistic policies.
- Fourth phase -- require authentication sent with all requests (contingent on having a model)
- Fifth phase -- support for patient Authorization (Privacy Consent Directive)
- Sixth phase -- privacy protecting services (e.g. redacting based on security labels and consent policy)
- Seventh phase -- attribute based access control (ABAC) across the full lifecycle (IG)
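The third and sixth phases above describe a computable test policy and a redaction step keyed on security labels. The following is an added example, not code from the minutes or from any HL7 or Connectathon tooling, showing the test policy applied to FHIR Observation JSON, the kind of check a Connectathon harness could run over the labeled resources, and a label-based redaction filter. Assumptions not stated on the page: resources are handled as FHIR JSON dicts, "Restricted" is expressed with the HL7 v3 Confidentiality code "R", the "d" match is case-insensitive, and a receiver is modelled by a set of confidentiality codes it is cleared for. The sample Observations are constructed for this example.

```python
"""Added example (not from the minutes): the third-phase test policy
("label any Observation whose code display contains a 'd' as Restricted"),
a Connectathon-style check for it, and sixth-phase redaction on labels.

Assumptions: FHIR JSON dicts; Restricted = v3 Confidentiality code "R";
case-insensitive 'd' match; clearance modelled as a set of codes.
"""
import copy

# HL7 v3 Confidentiality code system (canonical URL)
CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
RESTRICTED = {"system": CONFIDENTIALITY_SYSTEM, "code": "R", "display": "restricted"}


def _display_names(observation):
    """Yield every coding.display under Observation.code."""
    for coding in observation.get("code", {}).get("coding", []):
        display = coding.get("display")
        if display:
            yield display


def policy_matches(observation):
    """The deliberately artificial test policy: Restricted when any
    Observation.code display contains the letter 'd' (assumption: any case)."""
    return any("d" in d.lower() for d in _display_names(observation))


def has_label(resource, code=RESTRICTED["code"]):
    """True if meta.security carries the given v3 Confidentiality code."""
    return any(
        c.get("system") == CONFIDENTIALITY_SYSTEM and c.get("code") == code
        for c in resource.get("meta", {}).get("security", [])
    )


def apply_policy(observation):
    """Return a labeled copy; safe to call repeatedly (no duplicate labels)."""
    labeled = copy.deepcopy(observation)
    if policy_matches(labeled) and not has_label(labeled):
        labeled.setdefault("meta", {}).setdefault("security", []).append(dict(RESTRICTED))
    return labeled


def label_all(observations):
    return [apply_policy(o) for o in observations]


def check_labeling(observations):
    """Connectathon-style check: every Observation the policy matches must
    carry 'R', and no other may. Returns (id, expected, actual) failures."""
    failures = []
    for obs in observations:
        expected, actual = policy_matches(obs), has_label(obs)
        if expected != actual:
            failures.append((obs.get("id"), expected, actual))
    return failures


def redact(resources, clearance):
    """Sixth-phase behaviour: drop any resource carrying a confidentiality
    label the receiver is not cleared for. Unlabeled resources pass."""
    return [
        r for r in resources
        if all(c.get("code") in clearance
               for c in r.get("meta", {}).get("security", [])
               if c.get("system") == CONFIDENTIALITY_SYSTEM)
    ]


# Constructed sample input: only obs-2 and obs-3 have a 'd' in the display.
SAMPLE_OBSERVATIONS = [
    {"resourceType": "Observation", "id": "obs-1", "status": "final",
     "code": {"coding": [{"system": "http://loinc.org", "code": "8867-4",
                          "display": "Heart rate"}]}},
    {"resourceType": "Observation", "id": "obs-2", "status": "final",
     "code": {"coding": [{"system": "http://loinc.org", "code": "85354-9",
                          "display": "Blood pressure panel"}]}},
    {"resourceType": "Observation", "id": "obs-3", "status": "final",
     "code": {"coding": [{"system": "http://loinc.org", "code": "2339-0",
                          "display": "Glucose [Mass/volume] in Blood"}]}},
]

if __name__ == "__main__":
    labeled = label_all(SAMPLE_OBSERVATIONS)
    print("unlabeled input failures:", check_labeling(SAMPLE_OBSERVATIONS))
    print("labeled output failures:", check_labeling(labeled))
    print("visible to N-only receiver:", [r["id"] for r in redact(labeled, {"N"})])
```

The point of the harness is the pair of calls: `check_labeling` on the server's output must be empty, and it must not be empty on the unlabeled input, otherwise the test proves nothing. The same shape works for a realistic policy once `policy_matches` is swapped for one driven by real sensitivity vocabulary.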
Thursday Q1
Hosting FHIR
Attendees
- Many people present. A sign-in paper was sent around; I didn't get it back.
- John Moehrke
- Mike Davis
- Suzanne
- Kathleen
- Alex
- Grahame
- Josh
- ???
Intended agenda
- Given that CBCC didn't have a joint with FHIR, Security offered its second joint with FHIR.
- Although this was agreed to, concern was raised.
- No decisions were made because of this concern.
- CBCC will request a Joint with FHIR at next WGM
- But CBCC likely will not be present at next WGM due to travel restrictions all co-chairs are under
Notes:
- Discussion recorded in gForge
- Overview of Privacy Consent Directive
- Current IG
- Discussion around the inclusion of the word "Directive".
- This is the word used in the legal space
- This is the word used in the CDA Privacy Consent Directive work
- Keep the title as is.
- Grahame asked that we walk through an example
- Discussion on various parts. No decisions made
- Observed that there is a lack of vocabulary.
- Kathleen points out that there is vocabulary available.
Thursday Q2
All agenda items have been closed, so no meeting held.