December 5, 2017 Security Conference Call

Back to Security Main Page

Attendees

Back to Security Main Page

Agenda

1. (2 min) Roll Call, Agenda Approval
2. (3 min) Review and Approval of November 21, 2017 minutes, Note Nov 28th call was cancelled.
3. (10 min) Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient. - Draft storyboard and flows - Kathleen and Mohammad
4. (10 min) PSAF call report out on HL7 Security and Privacy Domain Model - Mike Davis and Chris
5. (10 min) Is Privacy Obsolete? Study Group wiki page has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
6. (10 min) FHIR Security update Call later? - John Moehrke
7. (2 min) Next week - Using Biometrics for Patient Matching - Healthcare Privacy and Security Consierations. Discussion with Privacy Attorney Expert, Devon Connor-Green.
8. (2 min) Check out the ONC 2017 Annual Conference videos at links in Meeting Materials below.

Minutes

• Chris Shawn chaired.
• Agenda informally approved.
• Minutes from November 21st were reviewed. Kathleen moved; Mike seconded. John and Mohammad abstained because they did not attend. Approved 8-2-0.
• Kathleen and Mohammad presented on the draft Consumer Centered Data Exchange (CCDE) Connectathon scenario. Kathleen explained that this scenario is building on previous Connectathons, HIMSS demonstrations, and ONC pilots. Mohammad presented a sequence diagram for the scenario. Jan 2018 FHIR Connectathon CCDE Sequence Diagram and Walk-through
• Mike asked Mohammad how the scenario Cascading Authorization sequence diagram differed from previous demonstations. Mohammad explained that while the HIMSS 2017 discussed Right of Access [RoA], it did not include the capture of a RoA consent directive. Mohammad stated that there are differences in how app identities are verified than how a generic, enterprise client is identified, e.g., App claims are certified by an App store. There is also a need for the App to discover the Resource Servers that hold Alice's information, but this is a precondition and not part of the sequence flow. John suggested looking at the IHE Mobile Care Service Discovery (mCSD), which addresses this use case, and is the basis for the Sequoia participant directory.
• John discussed the need for privacy protective scopes that SMART on FHIR does not support and has deferred to next generation. John suggested that the Connectathon might be good place to have a discussion about using HEART confidentiality and sensitivity scopes as well as others.
• RE PSAF - Mike reported out on the PSAF call held earlier. He discussed where the group is going with ballot reconciliation for TF4FA. Going forward in May to ballot Volume 1 and Volume 2 as normative. Anticipate significant changes to Volume 1, which is referring to the PASS ACS. TF4FA comic book models to formal models as in PASS ACS. We'll move the current models to reference or Volume 3. Preparing to ballot a revised DAM. Have a list of changes, but haven't begun the actual changes. New Chapter, which is of least priority - Authentication, Audit, Provenance, Smart Contracts. But it may be too much to get done by May.
• RE Is Privacy Obsolete? Mike stated that he's beginning a report outline international in scope. Looking at what laws have been added or changed recently and impact on vendors. What are the significant breaches and fines. What are significant areas that breaches are uncovering. Also, legal issue discussed in many papers. Collected over 70 recent breaches OPM breach impact. Union took OPM to court. Court dismissed the case. The case is being appealed. Main purpose of breaches is financial. Second purpose is for espionage. Third category is for "fun", e.g., to embarrass someone. Will post the spreadsheet. Majority are from 2017.
• Meeting adjourned.

Meeting Materials

• ONC 2017 Annual Meeting videos
• ONC Annual Meeting FINAL with confirmed speakers.pdf Full Agenda

Back to Security Main Page