April 28th 2009 Security Conference Call
Security Working Group Meeting
==Attendees== (expected)
- Steven Connolly
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Bob Horn
- Milan Petkovik
- David Sperzel
- Ioana Singureanu
- Tony Weida
Agenda and Meeting Minutes
- (05 min) Roll Call, Approve Minutes, Accept Agenda
- (15 min) Security Use Cases Ioana Singureanu/Steve Connolly
Part of security DAM which is going to TSC now. We are soliciting use cases from both the Security WG and the CBCC WG.
- As of today's meeting, have 5 use cases
- IN1.2 Authenticate users and systems
- IN1.3 Authorize users and systems
- IN1.4 Enforce privacy policy and consent directives (access control)
- IN1.5 "Non-repudiation" Enforce authenticity of legal healthcare documents
- IN1.6 "Security data exchange" Enforce security exchange of personal health records
04/29/09 - Note: Errors noted during the meeting have been corrected. Corrections were made to 1.3 Authorize users and systems as well as 1.4 Enforce privacy policy and consent directives (access control).
There are possibly other functional models in HL7 that have similar infrastructures to the HL7 EHR functional model reference.
We are stating the security requirements relevant to healthcare that we can use as a basis for enforcement. (We do not want to create a new security standard.)
If we have not captured security specification in the use case we will need to elaborate. These are the parameters that we want to work under. The organizational policy will
Additional security use cases, as well as more detailed use cases, are welcome.
We want to maintain full traceability (back to a requirement); this way we are always in sync with users'/stakeholders' needs. (http://wiki.hl7.org/index.php?title=Security_Use_Cases Security Use Cases)
[Exercise to narrow down the scope] The requirements we are talking about, and are most concerned about, are RBAC; authorization has a broader scope. The goal is to update the RBAC catalog and bring in patient consent. We don't want to bring in the whole breadth of authorization. EHR talks about authorization; what we're talking about here is specific to roles, at least in this analysis. This is a top-down approach; its advantage is that it is a useful way to meet a known and approved function, i.e. IN1.2.
- Note: Enforce privacy policy and consent directives needs to be corrected, should be IN.1.3 (not 1.1)
- 1.4 has been omitted, but will be re-added as a separate use case.
There is an end date to this analysis; an e-mail will be sent to CBCC and Security as a reminder. Submitted use cases will be analyzed and prioritized. End of May is a reasonable end date for submitting additional use cases. Repositories for use cases would also be helpful.
Mike: recommends AHIC use cases (same as the HITSP use case, have created analysis documents but do not create the use cases, may not have specific security use cases, may have mapped security requirements into the existing healthcare use case). If you go to the ONC website you will find a wide variety of use cases, including general healthcare use cases. Use cases themselves will be high level. (Ioana will follow up)
Ioana: We may want to just record the analysis that has already been done
Mike: How do you envision constraints? The privacy side does not seem to have an end to requirements. If it can be stated they want to put a constraint on it. What HL7 is doing appears to be beyond any existing law worldwide. I do not believe there are use cases for these.
Ioana: If we are able to say that consumers have control of this kind of information, this will be something even SAMHSA is interested in (substance abuse). We want to be able to link the business-friendly with the technical side. The use cases may appear trivial but they will be driven by Privacy policy.
Mike: The assumption is that we do not know the policy. The use cases are based on a policy wherein we cannot write a use case for EVERY policy.
If the scope of our analysis is access control then we can finish this exercise sooner. We can elaborate what access control is for healthcare. This way we can constrain the standards for industry.
The Security DAM is being prepared for the January 2010 Ballot.
- (15 min) Item2
- (15 min) Item3
- (5 min) Other Business