July 28, 2015 Security WG Conference Call
Latest revision as of 15:52, 4 August 2015
Attendees
| x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|
| x | Mike Davis, Security Co-chair | . | Duane DeCouteau | . | Chris Clark |
|   | John Moehrke, Security Co-chair |   | Johnathan Coleman | . | Aaron Seib |
| x | Alexander Mense, Security Co-chair | . | Ken Salyards | x | Christopher Brown TX |
| . | Trish Williams, Security Co-chair | . | Gary Dickinson | . | Tim McKay |
| x | Kathleen Connor | . | Ioana Singureanu | . | Mohammed Jafari |
| x | Suzanne Gonzales-Webb | . | Darrell Woelk | . | Galen Mulrooney |
| x | Diana Proud-Madruga |   | Grahame Grieve | x | William Kinsley |
| x | Rick Grow | x | Chethan Makoahalli |   | Lloyd McKenzie |
| x | Dave Silver | x | Bill Kleinebecker |   |   |
Agenda DRAFT
- ( 5 min) Roll Call, Agenda Approval, Approve July 21 Meeting Minutes
- ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson
- (10 min) ACS model - Mike/Dave Silver
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( 5 min) PSAF Update - Kathleen
- ( 5 min) Status of Provenance and AuditEvent subcommittee - Kathleen/John
- ( 5 min) FHIR Security Discussion Block Vote for approval August 4
- ( 5 min) October 2015 HL7 WGM - Atlanta, Georgia USA - agenda items
- Please send any agenda items to Suzanne
FHIR AuditEvent Block Vote
- 7432 2015May core #720 - AuditEvent requestor (Helen Broberg) Not Persuasive
- 7565 2015May core #856 - Fix link (Kathleen Connor) Not Persuasive with Mod
- 8123 AuditEvent constraints are too tight (Lloyd McKenzie) Persuasive
- 6233 AuditEvent confusion on 'identifier' elements that are actually strings. Affects understanding as well as search (which should not be token) (John Moehrke) Persuasive with Mod
- 6269 AuditEvent needs a Participant userId type code to explain how to understand the value in userId (e.g. Patient ID in CX form) (John Moehrke) Persuasive with Mod
- 7431 2015May core #719 - AuditEvent source identifier (Helen Broberg) Persuasive with Mod
- 7564 2015May core #855 - AuditEvent.event value set is a mess (Kathleen Connor) Persuasive with Mod
Meeting Minutes
Meeting Minutes for July 21, 2015
- The minutes from the July 21 meeting were unanimously approved
PASS Access Control Conceptual Model (SOA) Update - Diana
Discussion:
- How obligations will fit into the PASS AC Model;
- How obligations are dealt with in terms of SLS; and
- How to put obligations into the AC model at a higher (conceptual) level
- At the SOA meeting on Monday, Diana had a discussion with Don regarding the placement of the SOA diagram
  - Pointed to process documents that SOA follows when completing functional model documents
  - Based on the template (SOP/development practice), the diagrams of the FM will come after the FM model requirements
- Kathleen would like to know why SLS is more in the weeds than obligations
  - ACS is a conceptual model, whereas SLS is more specific
- There are some drawings in the SLS that have been adapted for standards; with a little modification we can use those diagrams to update the SOA Access Control document. Items will be covered conceptually
  - Per Kathleen, there are items already in HL7 on obligations and care should be taken to align with those items
  - As an interoperability spec, we need to be able to relay that information
    - What the contract needs to say between the parties (what is being consumed)
    - What labels would be put on the document, including handling instructions which convey some policy.
    - When the obligations are a type of policy that can be conveyed with security labels, but can also be enforced by the custodian
ACS Model - Dave
- Revised version of functional model and corresponding requirements statements (v3) sent to Diana and Kathleen for distribution to group and comment
  - Biggest change is consolidation/streamlining of the authorization manager
  - Consolidated version to be cleaner
- Capabilities list
  - These are listed within the functional model diagram and have been reworked into requirements statements
  - In most cases, it's background or clarification (including sub-requirements)
  - Recommended items should read as shall
  - Additional recommendations noted
  - Note that guidance is heavily "copy and paste"
- What is the timeline for folks to provide comments?
  - Not specified yet
  - Items will be posted on GForge and a link will be sent to Security WG
Joint Vocabulary Alignment
- Diana has created a preliminary guide for creating dictionary definitions
- Basic process outlined in the guide; in using the process, the group has come up with definitions from the viewpoint of EHR which will allow the group to see where the definitions align with Security and Provenance
- Two definitions were processed (not quickly) at the last meeting; several distinctions were relayed at the last meeting, making the process not quick and not repeatable. Having a process is better than where we were, but the fine-grained distinctions may not carry over to other languages.
- The extended definitions (i.e., in the W3C mold, there is a core, one-sentence, well-crafted definition (following the rules)) cover much more detail and generally cover where the definition is trying to get to
- Definite progress made, but there is concern about how long it will be before the definitions are completed
- Rules were determined from several places including Wiktionary (dictionary version of Wikipedia)
- Diana presented the proposed process for creating dictionary definitions for EHR Lifecycle terms.
  - Two dictionary terms were attempted and agreed upon at this meeting using the proposed process.
PSAF Update - Kathleen
- Sketching out policy information models that were previously worked on in the HCS
In Harmonization:
- an e-mail thread
- technical confidentiality changes
- presentation by Graham/Lloyd, approved by John Moehrke

Meeting adjourned at 1300 PDT