December 15, 2015 Security Conference Call

Attendees

x	Member Name	x	Member Name	x	Member Name
x	Mike DavisSecurity Co-chair		Duane DeCouteau	.	Chris Clark
x	John MoehrkeSecurity Co-chair		Johnathan Coleman	.	Aaron Seib
x	Alexander Mense Security Co-chair	.	Ken Salyards	.	Christopher D Brown TX
.	Trish WilliamsSecurity Co-chair	.	Gary Dickinson	x	Dave Silver
x	Kathleen Connor	.	Ioana Singureanu		Mohammed Jafari
x	Suzanne Gonzales-Webb	x	Rob Horn	.	Galen Mulrooney
x	Diana Proud-Madruga		Ken Rubin		William Kinsley
x	Rick Grow		Paul Knapp	x	Debbie Bucci
x	Glen Marshall, SRS		Bill Kleinebecker	x	Christopher Shawn
	Oliver Lawless	x	Rob Horn		Serafina Versaggi
.	Beth Pumo		Russell McDonell		Paul Petronelli , Mobile Health
	Christopher Doss	x	Kamalini Vaidya		[mailto: ]

( 5 min) Roll Call, Agenda Approval
( 5 min) Approve December 08 Meeting Minutes
( 5 min) Healthcare Security and Privacy Access Control Catalog Update - Rick, Suzanne
( 5 min) Joint Vocabulary Alignment Update - Diana
( min) FHIR Security report out - John
( 5 min) PASS Access Control Conceptual Model (SOA) ballot reconciliation Update - Diana, Don, Mike, Dave
Remaining meetings for 2015, beginning of 2016 - December 22, 29; January 5
(10 min) Upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG - AGENDA ITEMS
Update Preview of Audit Functional Model - Dave

Motion to Approve December 8 meeting minutes

Objections: none; meeting minutes approved: 12

Healthcare Security and Privacy Access Control Catalog

No update. No comments returned, no votes returned to date.

Joint Vocabulary Alignment update

came to understanding on originate
latest version is available for review on the Vocabulary Alignment wiki
- links added to CBCC and Security to access the wiki
work is progressing, trying to find common ground/common process - we are getting there
tried to build definition off a standard model of fairly simple functional/control systems as an alternative to definitions
struggling on the first basic set of things (last 4-6 weeks), getting comfortable with the representation, artifacts, details of each of the articles--how we want them to be
- input, output, etc. will serve us to tackle the rest of the vocabulary
- would like to present in more detail to the Security group (it is in alignment w/security, provenance) now and going forward to retrieve feedback. Expect good reviews from the Security group

FHIR Security

resolved one CP last week - results are now in the current build (essentially renaming of audit events so they are the same as in provenance...preference for the W3C definition of entity and agency vs ATNA 'participant' and 'object')

PASS Access Control Conceptual Model

comments returned from Alex (Bernd's comment)
is there further ballot reconciliation to be done?
- only what Alex sent out
request to withdraw sent to VA and DoD folks - votes have not been withdrawn
- suggesting to add a capability to our trust framework - along the lines to describe trusted attributes
we believe that the response should be 'for future use' - we are moving in that direction (there is a gap); but at this time it is not
- Alex - maybe leave as an open issue and fix in a future build

ACTION: Alex to approach/confirm with Bernd on this resolution and ask if this resolution is okay.

Diana will confirm that the resolutions are in the spreadsheet and notify Alex/Bernd when they are ready for Bernd to respond

remaining 2015, early 2016 meetings

Proposal: (as above) (Glen/JohnM) - objections: none; abstentions: none; motion passed (meeting only on the 22nd)

Suzanne to update the calendar to be reviewed on the 12/22 meeting

Wednesday Q2 - remove SOA Security, add PSS Audit Services
ADD to Tuesday Q3 (joint); Privacy Protection for the Internet of Things - setting up a call with Helen - briefing on the background of the group; Steve Moeller and Kantara will also join; does the Security WG consider emerging technologies that have not been a topic of our work - HEART, privacy protective (what Helen has proposed) how they all fit together health Internet of Things - ADD
- would indicate whether or not the WGM is a place to host a meeting...presentation with Alex's students
remove: Tuesday Q2 PASS AC Ballot reconciliation

Mapping of 800-53 security controls to the Functional Model

displayed by Dave Silver
we will publish the FM along with the text of the FM (description of the functions)
- The table with the mapping - we have not written up the logic of why they are mapped the way they are. this is our view at this point. the mapping to the 800-53 gives us a way of organizing the functions. some of the 800-53 controls are mappable to one or more of the FM functions. the FM is not canonical in this sense (one and only one); this is something to note.
provide FM in a word document
asking for comments on what we have so far - a precursor to our Audit standard (w/SOA); will be going into more detail at the January WGM.
Mike would like to solicit any other suggestions. The audit model is traceable to other standards that we have (ISO, ASTM...) that are used for the usage of terms and concepts. may not be seen here at this point.
a link will be provided to the items being presented today
each of the functions is described in the word document - they should be familiar
is there a cross walk to NIST SP 800-92 (a functional model for audit logging)? no, this is the only cross walk done at this time
- it's unfortunate that 800-92 did not clearly do that for us.

at the WGM, we may have the requirements ready for presentation; approx. 250 requirements written
- we want to have the requirements traceable to 800-53

ACTION: Two documents forwarded to Security WG listserve (Suzanne)

Meeting adjourned at 1357 AZT --Suzannegw (talk) 16:09, 15 December 2015 (EST)