April 8, 2014 Security WG Conference Call
|Member Name||Present||Member Name||Present||Member Name||Present|
|Mike Davis Security Co-chair||x||John Moehrke Security Co-chair||Trish Williams Security Co-chair|
|Bernd Blobel, Security Co-chair||.||Johnathan Coleman||.||Kathleen Connor||x|
|Duane DeCouteau||Reed Gelzer||.||Suzanne Gonzales-Webb CBCC Co-chair||x|
|Rick Grow||x||David Henkel||x||Mohammed Jafari||x|
|Don Jorgenson||.||Diana Proud-Madruga||x||Harry Rhodes||.|
|Ioana Singureanu||.||Richard Thoreson CBCC Co-chair||.||Ross Freeman||.|
|Amanda Nash||Walter Suarez||.||Tony Weida||x|
|Chris Clark||.||Paul Petronelli||.||.|
- (05 min) Roll Call, Approve April 1, 2014 Security WG Conference Call Minutes & Accept Agenda
- (15 min) Way with Verbs-State of the mindmap. Strategy for HL7 EHR. Use of Thesaurus (synonym and antonym lists)
- (15 min) Scope statement for patient friendly consent directive
- (15 min) SOA/FHIR Discovery Day
- (15 min) Scope statement for Provenance
Meeting Minutes DRAFT
- The WG voted to unanimously approve the April 1, 2014 meeting minutes
- Mike encouraged the group to create a process diagram for harmonizing the vocabularies of HL7 operations, security and privacy ontology, and EHR as part of the Way With Words project
- Mike said that he needs two draft project scope statements to be ready for the May HL7 Working Group meeting: one for Patient Friendly Consent Directive and the other for Data Provenance
- He also announced that ONC has asked HL7 to create a Provenance IG, which will be balloted in September
- Ken Rubin has asked for a proposal for the FHIR tutorial to be presented at the May Working Group meeting that includes project name, presenters, description, relationship to SOA, challenges and so forth. The deadline to submit the proposal is Friday, April 11
- Mike said that we are going to need to put the DTSU on the ballot either as DTSU or a normative standard, because it expires in December (balloting it as normative would be fine)
Item 1 - Roll Call, Approve April 1, 2014 Security WG Conference Call Minutes & Accept Agenda
Mike - Are there any objections to unanimous approval of the minutes? Hearing none, they are approved.
Item 2 - Way with Verbs - State of the mind map Strategy for HL7 EHR. Use of Thesaurus (synonym and antonym lists)
Discussion on Way With Verbs. We’ve been unsuccessful, so far, in having discussions on iEHR. Kathleen did give some indication that Steve Huffnagel was still interested in this area.
Kathleen - We discussed this on the CBCC call today, and I’m preparing an email to go out.
- Steve had been asking them to start thinking about putting the vocabulary in computer science terms.
- Kathleen pulled together a PowerPoint with the current HL7 vocabulary. I know you aren’t thrilled with the work done so far, but I think Reed is interested in getting folks together to hammer this thing out, because the July harmonization is right around the corner.
Mike - shared thesaurus.com webpage.
- The words that go with “create,” “read,” “update,” “delete,” are reasonably orthogonal with each other, meaning that the associated sentences are rather pure. So, all these words are presumably at the same level (synonyms). In searching for a way to get a handle on some of these argumentative words, why can’t we just accept a Thesaurus, and map the terms into buckets. And eliminate some of the discussion that we’ve been having. I did notice that there were some interesting distinctions between “update” and “append.”
Kathleen - A lot of that work has already been done in HL7. You might want to look at that before going too deep into the weeds. There is a long-established vocabulary. It is not a Thesaurus.
Mike - I’m talking about the synonyms.
- We can distinguish between words that mean the same kind of thing. We should use the definitions.
- The definitions in HL7 are useful to us, but sometimes organizations see words differently. Nevertheless, this Thesaurus approach gives us a way to word things for thinking and argument purposes. Define the terms wherever possible in a common way so that we get out of the vocabulary business. I’ll turn it over to Tony for some of knowledge on this.
Tony - One of the first things to do regarding EHR is to get one set of terms that are sufficient for pressing privacy policies and consent directives, capturing distinctions between what different EHR systems do.
Mike - Well, they have a vocabulary and we have a vocabulary. We don’t have to worry about extending the vocabulary. I want it to be sufficient to cover whatever we have already done.
Kathleen - Tony and Diana’s buckets are bigger in terms of the vocabulary we already have assigned. That’s something to be aware of. Their vocabulary seems to be more expansive than what the Security WG has defined. It includes terms of security that are not regarded as operations.
Mike - We start with vocabularies that we already have and have defined as standards and get a process down that tells us how to deal with these. A Thesaurus might play a role in that process. We don’t need to extend the vocabularies at this point. I don’t know why we want to make the problem harder than it is. We haven’t discussed this much with EHR, yet, anyway.
Kathleen - Actually, there were 3 years of interim meetings on this topic.
Tony - What we have in the ontology includes the data operations in the RBAC permissions catalog and the ones in the HL7 vocabulary. Security has a single list of operations. We didn’t agree on a hierarchy, but we have that list. We need to line up our list with EHR’s list and triage which ones are only in our list, which ones are only in their list, and which ones are common.
- Some approach this discussion as a theoretical exercise. It should be viewed as an action exercise.
- The action is to get out of the ontology business by moving our vocabulary into the EHR.
Diana - What I’m doing right now is taking the EHR vocabulary and cross-referencing it with the security and privacy ontology vocabulary, seeing where there are agreements and disagreements. If we can come up with some agreement where there is disagreement, we can move forward from there.
First step is to make a comparison between the HL7 operations vocabulary, the security and privacy vocabulary and the EHR vocabulary, and determine the agreements/disagreements. I can get that done this week. We need to engage EHR in discussion by having Tony and I attend EHR meetings or getting EHR folks to attend this meeting.
Mike - A plan of action needs to have a beginning, a timeline, responsibility, and a desired goal. That’s still not a process. What are we going to do with that?
Tony - I think enough time has passed to go back and ask EHR if they’re ready to engage in that conversation.
Mike - So, I guess I’m still not thinking what I thought what would be a useful thing, like a process. We have a couple of different processes, but we should be able to define a definitive process to define terms as we go and place them into an ontology.
- It’s like:
- Identify a term,
- write its definition – those can be for EHR and security
- harmonize conflicts,
- place into the ontology with appropriate attributes,
- establish parent-child relationships with other terms, then
- move on to the next term.
Some mechanism for determining how to place the ornaments on the Christmas tree, and then getting it done. Am I the only one who thinks in this way?
Well, I’m looking for the process here. If things are done, then we can say “they’re done.” I can’t implement it like what you guys are saying because you’re not giving me an operational thing of steps that we can do and propose to EHR that we’ll do this work. Can we get to a technical process? How we’re going to do this work in a repeatable way.
Diana - So, a process flow diagram is what you need?
Mike - Yes.
Item 3 - Scope statement for patient friendly consent directive
Scope Statement for Patient Friendly language for Security and Privacy Consent Directive Draft brought up in CBCC, not finalized.
Scope statement for Provenance
- I think you all are aware that ONC has announced a new S&I Initiative for Provenance.
- The first meeting will be on April 10 at 12 p.m. Eastern. Provenance also has applicability to HL7 and our FHIR resources. ONC has now asked HL7 to create a Provenance IG, like the one we did for DS4P.
- The goal is to have it balloted by September. I think ONC plans to have this in CBCC with Security as the co-sponsoring working group. And then, plans to bring in some resources to help us through his process.
The reason they want to do this is because they expect, if they’re going to have the ability to change the next generation of Meaningful Use, they want to have a standard in place and reference this IG. We’re hoping that Johnathan might be able to give us more information on it. We need to have a scope statement for this Provenance area and get it approved by the appropriate steering divisions. CBCC is leading it as the steering committee, Suzanne, right?
ACTION: Suzanne to work with Johnathan to get project scope statement started.
Item 4 - SOA/FHIR Discovery Day
Mike - I’m hoping that we could put together a draft and get the WGs to have these scope statements done, so that we can hit the ground running at the WG meeting, and not spend the whole meeting talking about a scope statement. I think we’ll be participating in that in one way or another and trying to see how much it fits within the FHIR activities as well. This is just to get this on the agenda. I’ll send Johnathan an email regarding this and ask him to participate on our next call. He’s the leader for the scope statement. It’s his responsibility to do it.
Item 5 - SOA FHIR This was brought up by SOA as something they thought would show the relationships between activities of SOA and activities of FHIR. It was an idea of Ken Rubin’s. You probably saw him on your co-chair’s list, Suzanne. They’re looking for nominations for what would be proposals for this discovery data for FHIR and SOA. We have a relationship there because of our January 2014 ballot of SLS. We’ve done a couple of demos on how security labeling could be implemented by FHIR resources. My thinking was that we’d ask Duane to make a proposal for presentation where he would connect the dots between FHIR and the SOA SLS. Security has meetings on Tuesday. I’m not expecting to adjourn Security, but we can have representatives participate to that extent, unless someone else has other ideas.
Back to Diana and Tony. Do you guys want to demonstrate any other work you’ve been doing in the last week or so?
Diana - I could show the Security and Privacy Ontology mind map.
Suzanne - Mike, who would be the representative for this FHIR demo?
Mike - As far as I’m suggesting, Ken Rubin is asking that we submit a proposal for this by this Friday (April 11). Project name, presenters, description, relationship to SOA, challenges and so forth. He’s going to take the proposals and order them, and determine if we have enough time to cover them all during that day. Any of us can submit proposals, I guess, but this is the one that struck me as being related to work we already did with FHIR and SOA. Duane’s not here. I haven’t talked to him about this. He’s going to be a dial-in. He would be attending the actual meeting in September, hopefully. For this one, it would be a virtual thing. Otherwise, I don’t think there’s any particular advantage in trying to show what he’s doing, because it’s operational code that would appeal to FHIR developers.
The other aspect of this would be to introduce this Provenance stuff since there is a Provenance resource already in FHIR, and we’re going to have this joint Provenance project. We’re going to be doing the Service PASS Architecture. We’re going to need to put the DTSU on the ballot either as DTSU or a normative standard, because it expires in December. Going normative would be fine.
Then, we have this Architecture item, which could include new services for Provenance. We now have a new project where Walgreens and other pharmacies give immunizations to people, many of whom are also patients of the VA. We want to collect their data. It could be a Provenance table, which is a table of Provenance attributes. Every entry would have a foreign key that would link to the Provenance table, so you can go back and see all the required Provenance fields. This would be nice because it’d be almost like a service, outside of the current EHR. We could discuss something like this; maybe do a presentation on our ideas for a Provenance service that would be part of an SOA architecture.
So, this is very premature work on our part. We might be going with SOA in terms of this overall SOA architecture, but it would be worthwhile to put it out on the table, and bat it around a little bit. Okay, enough on that. Any other topics?
Diana - What I have here is a note that talks about what the different colors are, places where there are problems. …
Mike - So, I have a question for you and Tony. I think of this stuff in terms of a machine. Your word “de-identify” is kind of a made-up word. It’s really where it’s some kind of a process where you undo the actions of identifying someone. So, in other words, it’s like flipping it. One way of looking at “de-identify” is not as a real world, but as the result of a process that acted on identification. So, I’m asking if this makes any tautological sense.