
March 22, 2016 Security Conference Call

From HL7Wiki


Attendees

| x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|
| x | Kathleen Connor, Security Co-chair | . | Duane DeCouteau | . | Chris Clark |
| x | John Moehrke, Security Co-chair | . | Johnathan Coleman | . | Aaron Seib |
| . | Alexander Mense, Security Co-chair | . | Ken Salyards | . | Christopher D Brown TX |
| . | Trish Williams, Security Co-chair | . | Gary Dickinson | x | Dave Silver |
|  | Mike Davis | . | Ioana Singureanu | . | Mohammed Jafari |
| x | Suzanne Gonzales-Webb | . | Rob Horn | . | Galen Mulrooney |
| x | Diana Proud-Madruga | . | Ken Rubin | . | William Kinsley |
| x | Rick Grow | . | Paul Knapp | x | Mayada Abdulmannan |
| x | Glen Marshall, SRS | . | Bill Kleinebecker | . | Christopher Shawn |
| . | Oliver Lawless | . | [mailto | . | Serafina Versaggi |
| x | Beth Pumo | . | Russell McDonell | . | Paul Petronelli, Mobile Health |
| . | Christopher Doss | . | Kamalini Vaidya | . | [mailto: TBD ] |


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve Security WG March 15 Minutes
  3. (10 min) Review updated P&SbD PSS - Rick
  4. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PASS Audit Conceptual Model – Diana
  7. ( 5 min) FHIR Security report out - John
    • Any changes expecting to be tested at the next FHIR Connectathon need to be submitted into the build by March 27th.

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See agenda at FHIR Security Agenda.


Minutes

  1. John chaired. Agenda and Minutes approved.
  2. Rick discussed the updated P&SbD PSS, the Risk Section, and FHIR test scripts based on the FHIR TestScript Resource <http://hl7-fhir.github.io/testscript.html>
  3. Review updated P&SbD PSS, Discussion, Rick:
    • Reviewed the scope statement
    • Added bullet to show impact on FHIR
    • Areas that were changed have been highlighted
    • FMG has been added as interested party
    • Test Scripts were added

P&SbD PSS Project Risk and Issues:

  • (John & Kathleen) FHIR test scripts not sufficient, need more detail on Privacy and Security
  • What requirements are we exercising with the test scripts that are approved by the FHIR Management Group?
  • Possible issue of validating test scripts
  • Need to ensure developer and SME resource availability to develop the scripts
  • Policy must be declared for test scripts, which will follow from use cases that make sense for Connectathons, but the use case policies are not binding on the spec.
  • The threat environment is extremely dynamic; may need to pick an unrealistic set of threats as an example if that’s what’s being tested. However, these test scripts are not intended to be bound to any particular “risk assessment”
  • Note: HL7 risk is internal (Rick)
  • Note: Test scripts are not being balloted, they are being exercised (Kathleen)

Comments/Questions:

  • John needed more clarity on the last portion of the presentation: why are test scripts attached to the PSS?
  • Answer: Kathleen approached the Standards Governance Board (SGB); they did not want a Guide
  • SGB requested the Guide to be exercised by creating FHIR test scripts.
  • CBCC and Security would start creating test script profiles in order to be available for Connectathon use
  • Next Step: Obtain feedback from the Standards Governance Board, CBCC and interested parties
  • Motion approved (Kathleen, John, Suzanne) 3/0/0:
  • Motion to approve; if there are any substantive changes, the Security WG would be able to weigh in on the decision

Rick invited members to attend the joint project meetings (ARB, CBCC, Security) held Wednesdays at 4 p.m. Eastern. Meeting information and invites have been sent to the list and are available on the HL7 conference site.

PASS, Joint Vocabulary, and FHIR Security Report Outs

  • PASS Access Control Services Conceptual Model – Diana: NTR Waiting to hear back from Alex on Bernd’s comments
  • Joint Vocabulary Alignment Update – Diana – NTR: Vocab Alignment meeting was cancelled
  • PASS Audit Conceptual Model – Diana – NTR
  • FHIR Security report out – John: Continued work on signature and harmonization. No issues to report.