HL7 FHIR Security 2016-8-30
Call Logistics
Weekly: Tuesday at 05:00 EST (2 PM PST)
Conference Audio: 770-657-9270, Access: 845692
Join online meeting: https://global.gotomeeting.com/join/520841173
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Attendees
 | Member Name | | Member Name | | Member Name
---|---|---|---|---|---
x | John Moehrke Security Co-Chair | . | Kathleen Connor Security Co-Chair | x | Suzanne Gonzales-Webb CBCC Co-Chair
. | Gary Dickinson EHR Co-Chair | . | Johnathan Coleman CBCC Co-Chair | . | Mike Davis
. | Reed Gelzer RM-ES Lead | x | Glen Marshal | . | Galen Mulrooney
. | Dave Silver | . | Rob Horn | . | Judy Fincher
. | Diana Proud-Madruga | x | Beth Pumo | . | Oliver Lawless
. | Bob Dieterle | . | Mario Hyland | . | Joe Lamy
. | Rick Grow | . | Richard Etterma | . | Wayne Kubic
Agenda
- Roll
- Approval of agenda
- Approval of the August 9, 2016 minutes
- All open security tracker items http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- New Security and Privacy "Module" page http://hl7-fhir.github.io/secpriv-module.html
- FHIR timeline to ballot http://wiki.hl7.org/index.php?title=FHIR_Ballot_Prep
- Update on action items
  - 9564 -- assigned to John -- following the discussion in the CP
    - 9564 Should FHIR AuditEvent resource include DICOM extension of ATNA Audit log message?
  - 9167 -- assigned to John, only creating an example AuditEvent -- following the discussion in the CP
    - 9167 AuditEvent needs to make more obvious how to record a break-glass event
  - 9042, 9043, 9052 -- assigned to Kathleen, she has the XML almost ready to go
  - 9996 -- assigned to Glen -- following the discussion in the CP
    - 9996 Using Provenance resource to annotate content derived from non-FHIR sources
    - https://chat.fhir.org/#narrow/stream/implementers/topic/Provenance.20resource.20for.20Middleware
- FMM evaluation vs desire - We picked 4 last week. We might want to re-evaluate to level 3, as level 4 means we would need to work hard to get "complete" testing tools and procedures at 100% of functionality. I think we should only target getting some testing ready.
- Discussion with Mario on getting prepared for next connectathon
  - What use-case should we focus on? (Lab vs Financial vs Patient)
- Discussion around Record Lifecycle events (6303). Are we going to support this? Is the vocabulary done yet? (Gary will join)
  - 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set (Gary Dickinson) None
- How should 'test-data' be identified? Is this a legitimate use of security-tags?
  - It is clear that security-tags already support de-identified methods. The question is specifically about completely fabricated data.
  - See FHIR chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Distinguishing.20test.20patients
- De-Identification topics
- SMART chat thread https://chat.fhir.org/#narrow/stream/smart
- FHIR Chat on "masked extension" https://chat.fhir.org/#narrow/stream/implementers/topic/Masked.20Extension.20for.20privacy.20restricted.20record
Minutes
- John chaired
- Agenda review - Glen/Beth: 3-0-0
- Approval of the August 9, 2016 minutes - Beth/Glen: 3-0-0
- Reminder that the FHIR ballot is out
- New Security and Privacy "Module" page http://hl7-fhir.github.io/secpriv-module.html
  - Please take a constructive view of this page during ballot. It is not intended to replace the other security.html page; it is meant to offer a different perspective. Take a look at the other "Module" pages for the intended perspective, then provide constructive text for improvement. This page is given to us in this structure; it is up to us to make it communicate to the intended audience.
- How should 'test-data' be identified? Is this a legitimate use of security-tags?
  - It is clear that security-tags already support de-identified methods. The question is specifically about completely fabricated data.
  - See FHIR chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Distinguishing.20test.20patients
  - ACTION: Create a CP. Discussion indicates that we should add an 'informative' section that indicates 'some methods' that are envisioned, and some of the concerns with each. Likely just a paragraph and a few bullets. Isolated test data system. Integrated test data system with tagged data. Integrated test data without tagging.
- De-Identification topics
  - Mobile health workgroup http://lists.hl7.org/read/messages?id=297060
  - FHIR chat https://chat.fhir.org/#narrow/stream/implementers/topic/De-identification.20mechanisms.20in.20FHIR
  - ACTION: Create a CP. Discussion indicates that we should say something about de-identification, but not much. Mostly pointing at good external standards such as ISO, NIST, and the IHE De-Identification Handbook. Important to point out that De-Identification is a PROCESS, not an endpoint.
- SMART chat thread https://chat.fhir.org/#narrow/stream/smart
  - FYI. This thread will have some discussions on AuthN/AuthZ
  - Lately it is on CCOW
- FHIR Chat on "masked extension" https://chat.fhir.org/#narrow/stream/implementers/topic/Masked.20Extension.20for.20privacy.20restricted.20record
  - Note that a warning has been added to the null flavor tag for masked: tagging masked data leaks the fact that sensitive information was present, so the masked tag should not be used unless specifically needed.
- Adjourned 55 minutes