
HL7 FHIR Security 2015-12-08



| x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|
| x | John Moehrke, Security Co-Chair | x | Kathleen Connor | x | Suzanne Gonzales-Webb, CBCC Co-Chair |
| x | Gary Dickinson, EHR Co-Chair | | Johnathan Coleman, CBCC Co-Chair | x | Judy Fincher |
| x | Reed Gelzer, RM-ES Lead | x | Glen Marshal | | Galen Mulrooney |
| | Dave Silver | | [1] | | [2] |



  • Review ProvenanceEvent value set
  • 9051 Remove AuditEvent.participant.role binding to Bind this value set to AuditEvent.participant.userid (Kathleen Connor) None
  • 9042 Add RBAC as value set for AuditEvent.participant.role (Kathleen Connor) None
  • 9043 Add ABAC as alternative value set for AuditEvent.participant.role (Kathleen Connor) None
  • 9052 Add SNOMED Structural Roles as value set for AuditEvent.participant.role (Kathleen Connor) None

Related to RBAC

  • 3318 Clarify how to use RBAC and ABAC using FHIR (John Moehrke) Considered for Future Use

To Discuss

  • 9056 Provenance for multiple activities (John Moehrke) None
  • 7598 2015May core #889 - Can Provenance apply to a resource or just a data element (Ioana Singureanu) Considered for Future Use
  • 9078 HTTP Caching Warning for FHIR GET REST services (Kathleen Connor) None
  • 8638 how does Provenance work when deleting records (Grahame Grieve) None
  • 7597 2015May core #888 - This resource is missing any reference to the "action" performed on the entity. Is there a default "create" action or is it an omission? (Ioana Singureanu) Considered for Future Use

Other Open

  • 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set (Gary Dickinson) Considered for Future Use
  • 7563 2015May core #854 - Expand on how to use Provenance (Kathleen Connor) Considered for Future Use
  • 7567 2015May core #858 - Provenance isn't sufficiently aligned with w3c spec (Kathleen Connor) Considered for Future Use
  • 7568 2015May core #859 - How are agent and activity linked? (Kathleen Connor) Considered for Future Use
  • 7569 2015May core #860 - Clarify relationship agents and entities used in activity (Kathleen Connor) Considered for Future Use
  • 7570 2015May core #861 - Clarify relationship agents and entities used in activity (Kathleen Connor) Considered for Future Use
  • 8731 Canonicalization for signatures (Lloyd McKenzie) None
  • 8738 Unapplied QA changes around security and services (Michelle Miller) None
  • 8790 Give guidance on AuditEvent that codes don't need DisplayName populated (Paul Knapp) None
  • 8803 Provenance for a subset of a resource (Chris Grenz) None
  • 8827 Signature datatype does not include counter-signature type (John Moehrke) None
  • 9035 AuditEvent harmonizing with Provenance (John Moehrke) None
  • 9036 Handling of meta values that should force version, such as security_labels (John Moehrke) None
  • 9037 Security page should recognize HEART (John Moehrke) None
  • 7752 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Related


The role of participant role id

Kathleen proposed that the AuditEvent.object.type value set, which is incorrect for object.type [3], be bound instead to a new participant.type element beneath the participant node, as a means of indicating whether a participant role was provisioned to a person, organization, or system. Rob gave the use case that a prescriber role might be provisioned to both a person and a system.

Kathleen proposed that the role.type be linked to each role participant at 0..*, and that the role be bound to a subsetted value set that includes the DICOM dicm-402-roleid for system actors as well as the structural, RBAC [CP 9042], ABAC [CP 9043], and Structural [CP 9052] codes that she had submitted CPs to have bound to the role element.

Rob and John did not favor adding this element; Rob argued that both a person and a system might be a prescriber, and that RBAC constrains the audit action. Kathleen's position is that the operation/object pairs in RBAC codes are definitional and do not necessarily constrain the particular action being audited, although if the permitted operations of a participant do not include the audited action, that could be considered an audit event worth investigating. The decision was to table any structural changes until the group has had an opportunity to review potential value sets.

CP 9035 - Align AuditEvent and Provenance Element Names etc.

John presented his proposal to further align FHIR AuditEvent with FHIR Provenance by renaming the AuditEvent.participant element to AuditEvent.agent and the AuditEvent.object element to AuditEvent.entity. This echoes similar concepts in FHIR Provenance, which are derived from W3C PROV. It does not necessarily mean that the value sets bound to Provenance.agent/Provenance.entity and AuditEvent.agent/AuditEvent.entity are coextensive, although there is likely to be some overlap.

Kathleen moved to approve this proposal, and Suzanne seconded. Proposal passed unanimously 7-0-0.
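
The check raised in the participant role discussion (an audited action that falls outside the permitted operations of the actor's role), written so it reads actors under either the original participant name or the renamed agent name. This is an added example, not part of the minutes and not HL7 or FHIR project code; the role codes, permission table, user ids and reduced JSON shapes are constructed assumptions.

```python
# Constructed role table: role code -> permitted actions (C, R, U, D, E).
# The codes are placeholders, not values from any HL7 value set.
ROLE_PERMISSIONS = {"prescriber": {"C", "R", "U"}, "records-clerk": {"R"}}

def actors(event):
    """Actor entries under the renamed element or the original one."""
    return event.get("agent") or event.get("participant") or []

def action_of(event):
    """Assumed shape: action at top level or nested under 'event'."""
    return event.get("action") or event.get("event", {}).get("action")

def role_codes(actor):
    """Flatten the codes of every role recorded for one actor."""
    return [coding.get("code")
            for role in actor.get("role", [])
            for coding in role.get("coding", [])]

def out_of_role(event, permissions=ROLE_PERMISSIONS):
    """Return (user id, action) for actors whose known roles all lack the action."""
    action = action_of(event)
    findings = []
    for actor in actors(event):
        known = [c for c in role_codes(actor) if c in permissions]
        if known and not any(action in permissions[c] for c in known):
            findings.append((actor.get("userId", {}).get("value"), action))
    return findings

# Constructed sample events, reduced to the fields the check reads.
OLD_NAMES = {
    "event": {"action": "D"},
    "participant": [{"userId": {"value": "clerk-17"},
                     "role": [{"coding": [{"code": "records-clerk"}]}]}],
    "object": [{"reference": {"reference": "MedicationOrder/example"}}],
}
NEW_NAMES = {  # the same role held by a person and by a system
    "action": "U",
    "agent": [{"userId": {"value": "dr-42"},
               "role": [{"coding": [{"code": "prescriber"}]}]},
              {"userId": {"value": "rx-system"},
               "role": [{"coding": [{"code": "prescriber"}]}]}],
    "entity": [{"reference": {"reference": "MedicationOrder/example"}}],
}

if __name__ == "__main__":
    for sample in (OLD_NAMES, NEW_NAMES):
        print(out_of_role(sample))
```

Actors with no role from the table are skipped rather than flagged, since there is nothing to compare the action against.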

John will prioritize remaining CPs for next week's agenda.

Action Items