June 12, 2012 Security Working Group Conference Call
Contents
Security Working Group Meeting
Attendees
- Arnon Rosenthal
- Braithwaite
- Kathleen Connor
- Mike Davis Security Co-chair
- Erin Fitzsimmons
Agenda
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Proposed Health Care Privacy and Security Classification System BallotPresentation Kathleen Connor
- (15 min) HL7 Security Service Oriented Architecture Domain Analysis Model (SSOA DAM) and approval of HL7 Security SOA Architecture Project Scope Statement Kathleen Connor
- New Conference Call Time - Doodle Poll
- (5 min) Other Business
Meeting Minutes DRAFT
Roll Call, Approve Minutes & Accept Agenda - Mike Davis, presiding cochair, noted that the absence of other cochairs would limit the decision-making during the call. Approval of June 5 minutes was deferred.
Presentation on Healthcare Privacy and Security Classification System Mike Davis explained the genesis of the adapting industry classification schemes such as those used by the postal service and intelligence community to healthcare. He noted that the restructuring of the HL7 Security and Privacy vocabulary, which was prompted by the analysis done for the HL7 Confidentiality Code Refactoring project, resulted in development of guidance on how that vocabulary should be used at various security layers. These layers or "envelopes" are encrypted encapsulation of metadata required by authorized receivers to perform routing and access control of the contents within each envelope. The outer envelopes do not reveal the protected information. Authorized receivers of protected content may have to assert entitlement to the protected information and commit to complying with obligations and policies governing how the protected information is to be used in order to access the decryption key.
Arnon raised a number of questions about the utility of the "envelope" metaphor when senders should ensure that receivers are authorized to access the protected information before sending it. Mike explained the requirement in terms of a healthcare staff person being able to request protected information but not being entitled to access the content, which would only be made available to authorized clinicians by the healthcare enterprise access control system. Mike noted that much of the thinking about the need for a Healthcare Classification System resulted from work in the ONC Data Segmentation for Privacy project. He referenced a recent presentation on this topic to that group, which describes how VA and SAMHSA Data Segmentation Pilot Project plans to implement this.
Kathleen proposed that the guidance being developed for the Healthcare Classification System be balloted for comment in September as the culminating work product from the Confidentiality Code Refactoring Project. Bill seconded this motion. Mike requested that this proposal be sent to the Security list for online voting. If approved, a NIB must be submitted by June 24th for inclusion in the September ballot cycle.
Kathleen also proposed that the Security WG approve a project scope statement for developing a Security Service Oriented Architecture. Mike recommended that this proposal also be sent to the list for online vote.
Erin requested an opportunity to discuss data integrity and authentication issues related to mHealth. That discussion was deferred until Erin has an opportunity to join the call so that we can set aside agenda time for this discussion. Kathleen noted that Security WG should coordinate with the mHealth WG on security related issues, and will follow up with Erin.
(15 min) *Items Agreed upon for Harmonization:
Revised presentation on HL7 Security WG July Harmonization Proposals]
New Conference Call Time - Doodle Poll will be sent out by Trish.
Meeting adjorned at 1:45PM Eastern
Action Items
- Kathleen to sent 2 proposals for online vote to list
