HL7 FHIR Security 2016-4-26
Call Logistics
Weekly: Tuesday at 05:00 EST (2 PM PST)
Conference Audio: 770-657-9270, Access: 845692
Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV
If you are having difficulty joining, please try:
https://global.gotomeeting.com/join/520841173
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes
Attendees
 | Member Name | | Member Name | | Member Name
---|---|---|---|---|---
. | John Moehrke Security Co-Chair | x | Kathleen Connor Security Co-Chair | x | Suzanne Gonzales-Webb CBCC Co-Chair
. | Gary Dickinson EHR Co-Chair | . | Johnathan Coleman CBCC Co-Chair | . | Mike Davis
. | Reed Gelzer RM-ES Lead | x | Glen Marshal | . | Galen Mulrooney
. | Dave Silver | . | Rob Horn | . | Judy Fincher
x | Diana Proud-Madruga | . | Beth Pumo | . | Oliver Lawless
. | Bob Dieterle | . | | |
Agenda
- Roll; approval of agenda and the April 19, 2016 minutes
- Review John's interaction diagrams for Provenance and AuditEvent showing how these may be generated by both the user system and the recipient server.
- Review CPs
- CP 9176 Security-Labels page for _confidentiality points at all "Confidentiality" codes. Details: the HCS defines confidentiality as just the _confidentiality codes. Yet this page points at a valueset with them all. Should be just a valueset with just _confidentiality codes. Others have used this confidentiality value-set so would also need to fix them up. KC - not sure what this one is about – and where was it triaged to? [per CP status]
- 2015May core #859 - How are agent and activity linked?
- 9036 Handling of meta values that should force version, such as security_labels KC – not showing up in search on Security CPs – still unresolved
- CP 3318 Clarify how to use RBAC and ABAC using FHIR
- CP 7568 2015May core #859 - How are agent and activity linked?
- CP 9042 Add RBAC as value set for AuditEvent.participant.role
- CP 9043 Add ABAC as alternative value set for AuditEvent.participant.role
- Security PC 9407 Align AuditEvent and Provenance action/activity element definition
- Continue work on activity definitions in spreadsheet
- Review Provenance/AuditEvent front matter changes.
Minutes
- Kathleen chaired. Agenda approved by consensus. Minutes approved 3-0-0 [Glen moved; Suzanne seconded]
RE: CP 9176 Security-Labels page for _confidentiality points at all "Confidentiality" codes, submitted by John Moehrke: "the HCS defines confidentiality as just the _confidentiality codes. Yet this page points at a valueset with them all. Should be just a valueset with just _confidentiality codes. Others have used this confidentiality value-set so would also need to fix them up." We agree with John that there is an issue. We checked Core Security Labels, which references confidentiality codes (system = http://hl7.org/fhir/v3/Confidentiality).
- This code system includes deprecated sensitivity codes, and was revised when the HL7 Privacy and Security Healthcare Classification System [HCS] vocabulary was adopted. The deprecated codes [business, clinician, individual, substance abuse related, HIV related, psychiatry related, sexual and domestic violence related, celebrity, sensitive, taboo], which meet the HCS definition of Sensitivity, were moved to a Sensitivity code system.
- The correct reference to the Confidentiality code system should be to Security Label
- We agreed that the CP should be updated with this information and should request that the deprecated codes be removed, so that both the Core Security Label description of Confidentiality codes and the reference on the Security Label, which includes the correct codes, land readers at the correct Confidentiality code system.
- ACTION: KC to update the CP with these observations/recommendation.
RE: potential Agent and other S&P actor role value sets
Call participants agreed that the several CPs related to adding examples of organizational/jurisdictional Agent/Actor Role Types should include an implementer option to create intra/inter Actor value sets based on SNOMED Role Codes or RBAC/ABAC Functional Role [aka Permissions = Object * Action * Structural Role (RBAC) and Security Label/Relationship Attributes, for ABAC]. Approved combining aligned responses to related CPs into a new CP FHIR several CPs