
October 31, 2017 Security Conference Call


Attendees

x | Member Name | x | Member Name | x | Member Name | x | Member Name
x | John Moehrke, Security Co-chair | . | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Mike Davis | . | Suzanne Gonzales-Webb | . | David Staggs | x | Christopher Shawn, Security Co-chair
. | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney
. | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | x | Jim Kretz | . | Gary Dickinson | x | Dave Silver
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Evelyn Gallegos

Agenda

  1. (3 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of October 17, 2017 minutes.
  3. (5 min) Is Privacy Obsolete? Study Group wiki page has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
  4. (20 min) PSAF Project topics: Review of draft revisions to HL7 Privacy and Security Framework PSS 3. Discussed during the earlier PSAF call. See PSAF Wiki for history, links, and references. - Mike Davis and Chris Shawn
  5. (20 min) FHIR Accounting of Disclosure profile on AuditEvent Resource - continue work effort. - John Moehrke
  6. (2 min) FHIR Security Call later? - John Moehrke

Minutes

  • Chris Shawn chaired. Agenda approved. John moved, and Mike seconded.
  • Approval for Oct. 24th minutes deferred because not linked in the agenda. October 17th minutes were approved except for the need to show that John was not there. Mike moved, Joe seconded. John abstained.
  • "Is Privacy Obsolete" work discussed by Mike Davis. He posted his conversation with Ann Cavoukian. Mike needs access to the gforge folder so he can post documents on the Security IPO? wiki page (http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22).
  • Mike discussed his review of international privacy policies because the IPO? Study group needs to look at countries beyond the US and EU.
  • Mike has reviewed the Australia Privacy Act of 1998, which does not appear very strong, similar to the US.
  • He's collecting privacy policy attributes, e.g., whether there are privacy laws and whether the policies are opt-in or opt-out by default. Opt-in by default is stronger than opt-out.
  • Mike said that Japan has very strong privacy laws (April 1, 2005). They are considered more stringent than EU standards and more difficult to apply than US or Canadian ones.
  • Since representatives from these countries are HL7 members, the study group should try to get their input. He plans to review the US last because it may be weaker than the others. So far Mike's found that there are privacy laws in countries Mike has visited.
  • Mike stated that he's not receiving as much input as at the beginning, and would like us to get more contributions. He will continue a structural review of countries. Could use help with this.
  • Diana - a recurring meeting to talk about IPO? Or is this something people are expected to contribute to? Maybe it needs to be made clearer that this is an asynchronous project.
  • Mike - IPO? is intended to be a crowdsourced kind of project. This is a study group, so it needs people to actively participate. Maybe the study group could have a meeting once more people have reviewed the posted materials. Wikipedia has a lot on this topic, but Mike is trying to avoid using it. Got a lawyer group that analyzed Japan. AU from government site. Perhaps we should reach out to the membership for input. Maybe create a survey.
  • Diana suggested creating a survey monkey questionnaire. Maybe send out to OASIS Privacy by Design and PMRM.
  • RE PSAF call: Mike reported that the group reviewed the PSAF PSS 3 updates. Changed the deliverable dates. John separated out the FHIR projects since there's already a Security FHIR Project that can link to this indirectly.
  • Mike noted that the PSAF project should include updates to the Security and Privacy DAM. No one favored creating a dedicated call for this.
  • RE FHIR Accounting of Disclosure [AoD] profile on FHIR AuditEvent: John said he does not intend to create a profile per se, and that he's only working within the scope of a CR that asked for an explanation of how the AoD example works.
  • John reminded the WG about the FHIR-wide calendar - going to an informative ballot this winter. Then go to a May release 4 ballot, which will include packages FHIR hopes to ballot as normative. Will include normative material and some STU4. Operation Outcome, Bundle, and Patient, which are core FHIR Resources that one needs to set up a FHIR environment. Final publication in late 2018 will include normative and STU4 content.
  • Mike stated that he understands that some organizations are staying with STU2 and waiting until a more stable version is published at the end of 2018. John agreed and compared it to skipping a version of Windows.
  • Mike wondered whether implementers in production with STU2 will not be willing to change to release 4. John stated that this is a concern in the FHIR community. Implementers have been warned about implementing STU and not waiting for normative content. Can't go from STU to normative without some testing. Some are discussing using FHIR versioning numbers when content is a mix of STUs and normative material.
  • Mike asked whether the elements in an Accounting of Disclosure profile on AuditEvent would be mandatory. John said that he is only working on a discussion of how AuditEvent can be used for an Accounting of Disclosure report. Gave an example where the system knew that an audited event is a disclosure, and included who, what, where, and why. But other non-system disclosures also need to be recorded and would need to be reported.
  • John clarified that "application" is being used broadly, and could be a gateway or an access control system. Mike was thinking that "profile" would include the elements that need to be included. John might consider writing it up as a core structure definition, but that's out of scope of the CR that requested that the one Accounting of Disclosure example be explained. Mandatory elements could result in defaulting to values that are not valid just because the system did not collect that information. Or the system would not record the event at all because some of the mandatory element values were not available. Neither is a good result. Can only report on audit information actually known.

  • Mike: An AoD needs other information not captured in an audit log, e.g., the address of the recipient, which might need to be found elsewhere. Policy may dictate what elements are required to be reported in an AoD. He noted that the WG has previously had requests to put audit events in patient-friendly terms. That work hadn't been undertaken, but some of the issues were noted. E.g., the end user recipient may not be known, but at least need the recipient organization name and address.

  • John said that he will at least put a breadcrumb out there to give guidance in response to the CR. Mike stated that there'll be a misperception that an audit event is all you need. John explained that the current AoD example points to a practitioner. The WG can make other examples that report only at the recipient organization. The narrative about use of AuditEvent could say that you should have who, what, where, and why to the best of your ability. The level of detail that you know may not be as rich as the current example.
  • Mike: In countries where they have a national system, there is no such thing as a disclosure. John: Access log discussed but not approved in US. But that may be collected. TPO exceptions in US law may not be exceptions in other countries.
  • John: The argument against an access log in the US is that there would be too much information for the patient. If DB admins have this information when maintaining a block of patient information, not a targeted patient, then this information would not need to be recorded.

Meeting adjourned at top of the hour.