This wiki has undergone a migration to Confluence found Here

August 29, 2017 Security Conference Call

From HL7Wiki
Jump to navigation Jump to search

Back to Security Main Page


x Member Name x Member Name x Member Name x Member Name
. John MoehrkeSecurity Co-chair x Kathleen ConnorSecurity Co-chair . Alexander Mense Security Co-chair . Trish WilliamsSecurity Co-chair
x Mike Davis x Suzanne Gonzales-Webb x David Staggs x Mohammed Jafari
x Glen Marshall, SRS x Beth Pumo . Ioana Singureanu . Rob Horn
x Diana Proud-Madruga . Serafina Versaggi x Joe Lamy . Galen Mulrooney
. Duane DeCouteau . Chris Clark . Johnathan Coleman . Aaron Seib
. Ken Salyards . Christopher D Brown TX . Gary Dickinson x Dave Silver
x Rick Grow . William Kinsley . Paul Knapp x Mayada Abdulmannan
. Kamalini Vaidya . Bill Kleinebecker x Christopher Shawn . Grahame Grieve
. Oliver Lawless . Ken Rubin . David Tao . Nathan Botts

Back to Security Main Page


  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes August 15, 2017 and Security WG Call Minutes August 22, 2017
  3. (5 min) San Diego Sept WGM Agenda - Kathleen
  4. (15 min) Working Group Meeting Agenda Items - Mike Davis
  5. (5 min) Security WG Interim Health Metrics - presiding cochair
  6. (5 min) ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
  7. (5 min) FHIR Security call -

News and Review Material

  • Need assisteance with PASS Audit Ballot Comments from Bernd Blobel resolved. E.g., Move Figure 1 to Functional Section because it is too detailed. Make references to "client" as source of audit content and "source" as source of audit content consistent.
  • NSTC National Privacy Research Strategy
  • NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft Comments due Sept. 12. Please add to CBCC and Security WG NIST SP 800-53 Rev 5 Comment Page
  • NIST SP Security and Privacy Controls for Information Systems and Organizations Revision 5 Comments due September 12, 2017 See [CBCC and Security WG Comment Page and Security WG Comment Page for NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft ]]
  • Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
  • Introduction: Digital identities are used in nearly every aspect of our online activities each day. A digital identity is the unique representation of a subject that is engaged in an online transaction. This bulletin outlines updates that NIST recently made in its four-volume Special Publication (SP) 800-63, Digital Identity Guidelines, which provide agencies with technical guidelines regarding the digital authentication of users to federal networked systems. Rather than being a single, monolithic guideline, SP 800-63-3 has been separated in multiple parts – each representing a distinct component of digital identity services. This way, organizations can choose the document that applies to the digital identity services they want to offer. This approach makes applying the guidelines easier for agencies—and also sets the stage for a nimble continuous improvement process. Also, NIST can quickly release key updates, rather than delivering in two or three year cycles.
  • This bulletin will describe the components of digital identity – identity proofing, authentication, and federation – and explain how federal agencies can use them to protect the digital identities of their employees. It also provides an overview of the NIST documents that describe these digital identity components and explains how the information in them is organized.

Understanding Digital

  • Identity proofing is the process used to verify a subject’s association with their real-world

identity, establishing that a subject is who they claim to be.

  • An authenticator is something the subject possesses and controls (typically, a cryptographic

module or password) that is used to authenticate the subject’s identity.

  • Digital authentication is the process of determining the validity of one or more authenticators

used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. Successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same that previously accessed the service.

  • Federation is when the relying party (RP) and identity provider (IdP) are not a single entity or

not under common administration. Federation enables an IdP to proof and authenticate an individual and provide identity assertions that RPs can accept and trust. How has SP 800-63-3 evolved? Since the last revision of this document in 2013, NIST SP 800-63-2, digital identity components have evolved substantially. To better align with market-driven business models and innovation, the new revision replaces levels of assurance (LOAs) with ordinals for individual parts of the digital identity flow, providing implementers with more flexibility in their design and operations:

    • Identity Assurance Level (IAL): the identity proofing process and the binding between one or

more authenticators and the records pertaining to a specific subscriber;

  • Authenticator Assurance Level (AAL): the authentication process, including how additional

factors and authentication mechanisms can impact risk mitigation; and

  • Federation Assurance Level (FAL): the assertion used in a federated environment to

communicate authentication and attribute information to a RP.

  • SP 800-63 is a suite of four documents: SP 800-63-3 (the parent document; your starting point for all things digital identity and risk) and three additional documents – SP 800-63A, 800-63B, and 800-63C –which cover the various components of a digital identity system. These documents are described below:
  • SP 800-63-3, Digital Identity Guidelines, provides an overview of general identity frameworks,

guidance regarding use of authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels;


  • Chaired by Kathleen
  • Agenda Approved
  • Approved Security WG Call Minutes August 15, 2017 (Beth, Mike)
  • Approved Security WG Call Minutes August 22, 2017 ( Mike, John)
  • San Diego Sept WGM Agenda - Kathleen
    • Agenda still in progress
      • Working Group Meeting Agenda Items - Mike Davis
    • Pass Audit has comments against it that were adjudicated by the Work Group
    • Mike requested John to help review some of the comments by Burns
    • Comment (1) Mike: Ken Roubin is a proponent of Security topics but is stepping down as co-chair
    • Chris will be the interim co-chair
    • Currently focusing on SOA
    • Comment (2) John: Security topics should become high priority for SOA for health care needs and standards
    • Comment (3) Suzanne: SOA is primarily responsible for reference architecture
    • Next Step: Will take comments and bring up as topic to see what action is needed from Security Working Group
    • Comment (4) Kathleen: Recommends a FHIR Deep Dive by John
    • Mike has been working with NIST for internet of things since resources are internet addressable
    • Looking at how our security solutions work with big data and privacy and security solutions
    • What is the Security and Privacy impact, and Harmonization topic are related to NIST
    • Next Step (Recommendation/Mike): Propose to start a Study group and create a report with the implication of NIST and FHIR's Rule
    • Comment (5) John: Gram is looking for the cross section with FHIR, and maybe interested in the connection of NIST and FHIR
    • Comment (6) Mike: We have a RBAC road map and Rolled Based Access Control examples, and can update it in line with NIST. Some standards such as SMS is not allowed in NIST (80063). Knowledge factors is also disallowed in NIST.
  • Security WG Interim Health Metrics - presiding cochair
    • 91% response comments are complete
  • ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
    • Still in the works
  • FHIR Security call -
    • Will have security call, will walk through ER's, no formal agenda planned
  • Call adjourned