HL7 MAY WGM Event BROCHURE Link
TBD Madrid WGM SITE
Minutes: May 2017 Security WGM Minutes Madrid, Spain
Back to Security Meetings
AGENDA
valign="top"
| Day
|
Date
|
Qtr
|
Time
|
Event
|
Session Leader
|
Room
|
| SUN |
MAY 7 |
Q1 |
10:00-11:30 |
International Affiliates/Connectathon Report Out |
International Affiliates/Connectathon |
TBD
|
|
|
Q2 |
12:00-1:30 |
International Affiliates/Connectathon Report Out |
International Affiliates/Connectathon |
TBD
|
|
|
Q3 |
2:45-4:00 |
Cochair FHIR Session |
FHIR MG |
TBD
|
|
|
Q4 |
4:30-6:00 |
Cochair Vocabulary Session |
Vocabulary WG |
TBD
|
| MON |
MAY 8 |
Q1 |
10:00-11:30 |
. |
No Meeting |
.
|
|
|
Q2 |
12:00-1:30 |
. |
No Meeting |
.
|
|
|
Q3 |
2:45-4:00
|
Joint CBCC - Security
|
CBCC hosting Security
|
Alcudia
|
|
|
Q4 |
4:30-6:00
|
Joint with CBCC – New discussion items and projects
|
CBCC hosting Security
|
Alcudia
|
| TUE |
May 9 |
Q1 |
10:00-11:30
|
Opening Security WG Meeting
- Introductions
- Approval of agenda
- International Report outs
- HL7 Policy Advisory Committee update
- Liaison Reports: ISO, IHE, ONC
- HL7 Project status and updates:
- FHIR Security - AuditEvent, Provenance, Security Labels
- Trust Framework - Ballot Report and WGM Reconciliation Plans, Links to FHIR Security
- SLS Revisions - WGM Development Plans, Links to FHIR Security
- SOA Audit - Status, Development Plans, Links to FHIR Security
- FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM
|
Security
|
Chinchon
|
|
|
Q2 |
12:00-1:30
|
Trust Framework Work Session
|
Security
|
Chinchon
|
|
|
Q3 |
2:45-4:00
|
CBCC FHIR-I Joint on FHIR Consent Resource
|
CBCC hosting Security, MH
|
Alcudia
|
|
|
Q4 |
4:30-6:00
|
Security WG Project Meeting
|
Security
|
Chinchon
|
| WED |
MAY 10 |
Q1 |
10:00-11:30
|
Joint w/ EHR, CBCC, FHIR, SOA, Security
- 1st hour: Discussion with AEGIS Team on development of a FHIR Privacy, Security, Provenance, and Digital Ledger Technology Conformance Testing Suite. Expectation is that WGs will bring any test cases [e.g., Cascading OAuth for Patient Right of Access] have been developed or input to test cases.
- Last 30 Minutes: Bernd Blobel will brief us on the imminent need for standards such as the FHIR Security Labeling, and the Provenance and AuditEvent Resources, to meet the EU General Data Protection Regulation requirements in 2018.
|
EHR hosting Security, CBCC, FHIR-I
|
Oxford
|
|
|
Q2 |
12:00-1:30
|
Joint w/ SOA
- Tentative Agenda Items:
- PASS Audit topics (joint w Security, CBCC, SOA)
|
SOA hosting Security
|
La Puebla
|
|
|
Q3 |
2:45-4:00
|
Security WG deep FHIR topics
- Josh assigned FHIR Core team
- SMART on FHIR
- Deep dive on HOW it does this
- Experience from the field
- Are their known stepping-stones
- Work on how FHIR should address SMART vs HEART vs IUA vs TLS vs others
- Various use-cases
- User using browser app
- User using mobile App
- System-to-system (e.g. organization to organization)
- Introduction to CDS Hooks
- Some points that might not be fully clear why I am interested in CDS Hooks. First,
- the security workgroup knows that we are not experts on medical information. We see the general concept of CDS to be a service that fully understands medical information. Thus we callup the general concept to tell us if there are sensitive health topics. This is what we have encapsulated in the SLS. So, wondering how we can leverage CDS Hooks similarly. I think this is what Grahame was referring to with the point about suggesting security tags to the user. It would be best if the user doesn't need to think about security-tags, although they should be able to change them authoritatively with proper authorization. Adding a layer that can transparently assess the data using current CDS knowledge and expertise to apply proper security-tags.
- The other point is that to fully protect healthcare data to the very finegrain level that some envision, we need not only security assessment of the data in create/update, or resting, but also during accessing. Today OAuth scopes are very simplistic (i.e. SMART), but eventually they need to get more detailed and multi-layered. Way beyond what OAuth standards support today. The interpretation of the OAuth security token, relative to the query requested, and the results it uncovers; should be done by some security layer that is aware of FHIR, but is not fundamentally changing the baseline concept that is FHIR. --- So I am looking at what you have done with CDS Hooks to see if there is something similar that can be done to advance the capability toward more fine grain authorization enforcement.
- background materials from Kevin Shekleton CDS Hooks slide deck from the HSPC HIT Developers Conference today. presentation was recorded and when available will share that link in the Speaker Deck description for the presentation.
|
Security hosting FHIR-I
|
Alcudia
|
|
|
Q4 |
4:30-6:00
|
Security WG Project Meeting
|
Security
|
Chinchon
|
| THU |
MAY 11 |
Q1 |
10:00-11:30
|
Security Joint with CBCC,FHIR-I
- Josh assigned FHIR Core team
- FHIR Priorities (email from Lloyd) http://lists.hl7.org/read/archive?id=312425
- Continued: FHIR Connectathon Privacy and Security testing scenarios
- how might GraphDefinition be used with Provenance? How might it be used in an Audit Analysis/Reporting?
- how might a client that get subsetted/redacted data be enabled to do Update/Patch?
- Subsetted by _summary
- Subsetted by some client request (not yet available, is this a FHIR-I work item?)
- Some mechanism that is based on profiles, where client asks data to be subsetted to the constraints in a profile
- Subsetted by redaction rules -- where communicating the redaction result
- So That - when an update happens, the server knows that the client is NOT asking to have the elements missing be removed from the server copy.
- What might be issues?
- Can we use a general subsetting type of a profile to enable more complete de-identification algorithms.
|
Security hosting CBCC, FHIR-I
|
Marsella
|
|
|
Q2 |
12:00-1:30
|
Security WG Project Meeting
- July Harmonization Proposals: Signature Types
- Addition to FHIR Agent value set
- POU additions - HTEST, Research Consent POUs
- Addition to FHIR ProvenanceEvent value set for export, disclose, import, receive, disassemble, decompose, which are in the Lifecycle Event matrix. Needed for Provenance Lifecycle test script.
|
Security
|
Chinchon
|
|
|
Q3 |
2:45-4:00 |
. |
|
.
|
|
|
Q4 |
4:30-6:00 |
. |
|
.
|
| FRI |
MAY 12 |
Q1 |
10:00-11:30 |
. |
|
.
|
|
|
Q2 |
12:00-1:30 |
. |
|
.
|
|
|
Q3 |
2:45-4:00 |
. |
|
.
|
|
|
Q4 |
4:30-6:00 |
. |
|
.
|
Back to Security Wiki Meetings
Session Type:
