February 7, 2017 Security Conference Call

Back to Security Work Group Main Page

Attendees

Back to Security Main Page

Agenda

1. (2 min) Roll Call, Agenda Approval
2. (2 min) Security WG Call Minutes January 31, 2017
3. (20 min) TF4FA Ballot Reconciliation Spreadsheet Disposition Review- Mike and Kathleen
4. (10 min) WGM Minutes Review and Approval - Kathleen
5. (5 min) [gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diane
6. (5 min) Security Labeling Service Revision Update - Diana
7. (5 min) 21st Century Cures Act Trusted Exchange Framework Discussion for HL7 Policy Advisory Committee- Kathleen
8. (2 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call

Minutes

• Chaired by Alex
• Agenda Approved (Kathleen, Ioana)
• Security WG Call Minutes January 31, 2017 (Approved)
• TF4FA Ballot Reconciliation Spreadsheet Disposition Review- Mike and Kathleen
  • Spreadsheet reviewed
  • Mike Davis clarified Trust framework definition -Marked as persuasive with Modification in spreadsheet
  • Motion approved comments as persuasive 1-25 (Beth, Alex)
  • Reviewed of line 26-Protective Health Information comments- Beth
    • Comment: Replace Health Protected information with Protective Information, based on PASS Access Control (Beth)
  • Footnote page states Protective Information in the U.S Realm includes Protective Health Information as a subset
    • Trust Framework is specific to healthcare (Mike Davis)
    • Sensitive information shared by security labels, Protective Health is inclusive of sensitive information
    • Protective Information can encompass Protective Health Information
    • It is not persuasive to change to Protected Information, and should be more specific as Protective Health Information (Mike Davis)
    • This is based on Security and Privacy information model for health care (Mike Davis)
    • Pass Access Control entries on protective Health Information and Protected Information should be changed to remain consistent
  • Reviewed Comment: Footnoting Federated Authorization Domain:(Beth)
    • Suggested it should be defined in a footnote or explained
    • Mike David concurs on defining in footnote
  • Next Step:
  • Look to either to remove Protected information in the Documents needs to changed to Protective Health Information, or create a Definition for Protected Information and revisit next call
  • Update the information Model, to draft a information Model

• gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diane
  • Reviewing Johns Comments that are considered non-persuasive:
  • Note: John was not present at call
  • The following comments by John were reviewed:
  • Figure shows audit trail export mediating recording and analysis
    • Response comment (Diana, David): Audit Trail does not mediate anything, it is a pass through
    • Johns comment on Audit Trail Export is deemed non-persuasive
  • Next comment on Footnote: Figure for Alarm reporting is derived from ISO but does not explain how it deviates.
  • Response Comment (Diana, and Mike): Alarm reporting happens within Audit Analysis. Should we put in how our Model deviates from ISO?
  • Mike provided an explanation on difference between Alarm Reporting and ISO reporting:
    • Alarm reporting is event reporting (As the event occurs with Analysis and is reported in real time)
    • The Audit Analysis are sent after a period of time (based on requirement of reporting after analysis is done over a period of time)
  • Comment (John) on Abstract Model republishes the Framework ISO 10181-7 and reinvent HL7 standard
    • Response (Diana): It is taken from 10181-7 but also input from security working group
    • Motion to accept John's Comments 20-35 approved (Mike, Diana)

• • • Call Adjourned