HL7 FHIR Security 2016-4-12
Weekly: Tuesday at 05:00 EST (2 PM PST)
Conference Audio: 770-657-9270, Access: 845692
Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV
If you are having difficulty joining, please try: https://global.gotomeeting.com/join/520841173
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
|Member Name||Member Name||Member Name|
|x||John Moehrke Security Co-Chair||x||Kathleen Connor Security Co-Chair||x||Suzanne Gonzales-Webb CBCC Co-Chair|
|x||Gary Dickinson EHR Co-Chair||.||Johnathan Coleman CBCC Co-Chair||.||Mike Davis|
|.||Reed Gelzer RM-ES Lead||x||Glen Marshal||.||Galen Mulrooney|
|.||Dave Silver||x||Rob Horn||.||Judy Fincher|
|x||Diana Proud-Madruga||.||Beth Pumo||.||Oliver Lawless|
- Roll; approval of agenda and the April 5, 2016 minutes and March 29, 2016 minutes
- Review 9812 http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9812
- Review John's interaction diagrams for Provenance and AuditEvent showing how these may be generated by both the user system and the recipient server.
- Review Security PC 9407: Align AuditEvent and Provenance action/activity element definition. Continue work on activity definitions in spreadsheet.
- Review Oliver's spreadsheet
- Review Provenance/AuditEvent front matter changes.
- Discuss need for attachment on Provenance.entity
- John Chaired. Agenda approved: Kathleen moved, Suzanne seconded 6-0-0. March 29 Minutes approved: Glen moved, Kathleen seconded 6-0-0. April 5 Minutes approved: Suzanne moved, Glen seconded 6-0-0.
- RE: Interaction diagrams: John said his diagrams are not done.
- RE: CP 9407 Activity harmonization: Kathleen said that she's not made any updates, and was working on cleaning up the front matter instead.
- RE: CP 9812: The Purpose of Event documentation proposed by Rob was discussed. Kathleen asked that it be differentiated more clearly from Purpose of Use and from any Purpose of Use security label that might be associated with the AuditEvent.entity. Group discussed what happens when all 3 are aligned vs. not aligned, and how the resulting access control decisions would be audited. Group seemed to agree that the actual access control decisions made based on alignment/disalignment are policy questions, but that it would be helpful to describe to implementers how these might be used in conjunction, e.g., for ABAC access control schemes; why these elements might not be used at all; or why they might not be included in access decisions based on policy. Rob and John will revise draft based on. Kathleen is hoping this documentation will clarify and resolve issues listed in the front matter.
- RE: Provenance.entity.provenance: Kathleen recommended adding an optional reference to an input entity's associated Provenance Resources, based on two use cases based on the principle that the Provenance Resource author should be able to choose which, if any, Provenance.entity Provenance Resource it wishes/is considered more trustworthy:
Three Solutions Explored:
1. Search on entity version will return all entity Provenance Resources, and the Target Provenance Resource author may choose which, if any, entity predecessor Provenance Resources to reference.
2. A bag of entities could include all entity predecessor Provenance Resources, and the Recipient can open all entities to decide which Provenance Resource entity to match with any referenced entity.
3. Each entity has an optional reference to that entity's Provenance Resource deemed trustworthy by the Target Provenance Resource author.

Kathleen strongly recommends option 3. John preferred solution . Kathleen will submit CP for option 3 with this documentation to continue the discussion.