HL7 FHIR Security 2015-12-29

Back to HL7 FHIR security topics

Attendees

Agenda

canceled? No

• Kathleen continue to discuss progress with http://wiki.hl7.org/index.php?title=HL7_FHIR_Provenance_Resource&section=4 with John's help on importing V3 vocabulary mechanism in the FHIR build
• Review Rob's paragraph that guides reader on how to apply Resource Versioning with Provenance so that linkage is maintained, and warn against provenance use when server doesn't support Versioning.
• Review John's addition to the FHIR wiki on the page that tells editors how to create a Resource. a discussion on Provenance and W5. and pass links to group including Gary
• John update on noted descriptions in AuditEvent need yet to be fixed up regarding participant->agent, and object->entity.

Robs paragraph

The Provenance resource depends upon having References to all of the resources, entities, and agents involved in the activity. These References need not be resolvable. The references must provide a unique and ambiguous identification. If a resource, entity, or agent can have different versions that must be identified, then the Reference must have versioning information included.

Versioning and unique identification are not mandated for all systems that provide Resources, entities, and agents. But, inclusion of Provenance requirements may introduction requirements for versioning and unique identification on those systems.

Ready for Vote

Given the likely low turn out for December 29th call. This might be best viewed as a review of a Block Vote to be targeted at the January 5th call.

• 7568 2015May core #859 - How are agent and activity linked? (Kathleen Connor) Not Persuasive
• 8803 Provenance for a subset of a resource (Chris Grenz) Not Persuasive
• 8827 Signature datatype does not include counter-signature type (John Moehrke) Not Persuasive
• 9051 Remove AuditEvent.participant.role binding to http://hl7.org/fhir/ValueSet/dicm-402-roleid. Bind this value set to AuditEvent.particpant.userid (Kathleen Connor) Not Persuasive
• 9037 Security page should recognize HEART (John Moehrke) Persuasive
• 7567 2015May core #858 - Provenance isn't sufficiently aligned with w3c spec (Kathleen Connor) Persuasive with Mod
• 7569 2015May core #860 - Clarify relationship agents and entities used in activity (Kathleen Connor) Persuasive with Mod
• 7570 2015May core #861 - Clarify relationship agents and entities used in activity (Kathleen Connor) Persuasive with Mod
• 8790 Give guidance on AuditEvent that codes don't need DisplayName populated (Paul Knapp) Persuasive with Mod
• 9078 HTTP Caching Warning for FHIR GET REST services (Kathleen Connor) Persuasive with Mod

Ongoing CP Dispositions

• 9176 Security-Labels page for _confidentialiy points at all "Confidentiality" codes, not just _confidentiality. (John Moehrke) None
• 8638 how does Provenance work when deleting records (Grahame Grieve) None
• 9150 Provenance TODO section cleanup (John Moehrke) None
• 9151 AuditEvent has TODO section to be removed (John Moehrke) None
• 9166 Break-Glass method defined doesn't include AuditEvent effect. (John Moehrke) None
• 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) None

Low Priority (waiting for other work to complete)

• 9036 Handling of meta values that should force version, such as security_labels (John Moehrke) None
• 9042 Add RBAC as value set for AuditEvent.participant.role (Kathleen Connor) None
• 9043 Add ABAC as alternative value set for AuditEvent.participant.role (Kathleen Connor) None
• 9052 Add SNOMED Stuctural Roles as value set for AuditEvent.participant.role (Kathleen Connor) None
• 3318 Clarify how to use RBAC and ABAC using FHIR (John Moehrke) None
• 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set (Gary Dickinson) None
• 7563 2015May core #854 - Expand on how to use Provenance (Kathleen Connor) None

Minutes

Only Rob and I showed so we didn't hold the meeting.

I will send out a block vote from the items ready for vote.

Action Items