This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

HL7 FHIR Security 2017-02-14

From HL7Wiki
Jump to navigation Jump to search

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692
Join online meeting:  
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics


Member Name Member Name Member Name
x John Moehrke Security Co-Chair x Kathleen Connor Security Co-Chair x Alexander Mense Security Co-chair
x Suzanne Gonzales-Webb CBCC Co-Chair . Johnathan ColemanCBCC Co-Chair x Mike Davis
. Reed Gelzer RM-ES Lead x Glen Marshal . Galen Mulrooney
. Dave Silver . Rob Horn . Judy Fincher
. Diana Proud-Madruga . Beth Pumo . Oliver Lawless
. Bob Dieterle . Mario Hyland . Joe Lamy
. Rick Grow . [mailto: Richard Etterma] . [mailto: Wayne Kubic]


Deferred items for future discussion

  • 9167 AuditEvent+needs+to+make+more+obvious+how+to+record+a+break-glass+event (John Moehrke) Considered for Future Use
  • 10343 Three+additional+Signature.type+codes (Kathleen Connor) Considered for Future Use
  • 10579 New+Security+and+Privacy+%22Module%22+page+needs+content (John Moehrke) Considered for Future Use
  • 10580 How+should+test+data+be+identified%3F (John Moehrke) Considered for Future Use
  • 10581 something+should+be+said+about+de-identification (John Moehrke) Considered for Future Use
  • 12462 Security%2FPrivacy+Module+page+should+explain+W5+realty+that+provenance+elements+in+other+resources+vs+use+of+Provenance+as+a+resource (John Moehrke) Considered for Future Use
  • 12463 explain+relationship+between+Provenance+and+AuditEvent.+ (John Moehrke) Considered for Future Use
  • 12501 Provenance.reason+and+Provenance.activity+should+be+CodeableConcept (Grahame Grieve) None
  • 12502 Provenance.agent.relatedAgentType+is+nonsensical (Grahame Grieve) None
  • 12660 HCS+use+clarification (John Moehrke) None
  • 11071 Improve+security+label+guidance+-+2016-09+core+%2390 (Kathleen Connor) Not Persuasive

FHIR Security block vote

Outline for Security & Privacy Module

Use this CR or create a set of new CR as needed.

    • 10579 New Security and Privacy "Module" page needs content ()

Use of Security Labels

From email discussion between Kathleen and John -- Summary by John

The FHIR community is unclear on how how to use the security-labels. When is it appropriate to use each type. Where is it appropriate to use each type? Specifically what are the risks they need to consider.

I agree with this.. This is hardly understood by the core people in the security wg... I am however concerned at declaring any specific policy -- such as the sensitivity codes shall never be used.

Seems we could create a few scenarios that outline proper use, and include description of the security considerations that went into that use.

1) Use of HCS tags within a highly-trusted environment (All inside my security boundary, within my own trust environment. my own trust framework). -- This is minimally use between the Access Control services and the REST server, including use of an SLS to enable access control decisions. I could see this highly-trusted environment being bigger than this, but think that most people need to understand that exposing the full HCS security-labels does present a risk.

2) Exposure of Resources to a Moderate-Trusted environment (They are outside my security boundary, but we have a trust framework that assures me they can protect sensitive information and follow obligations) -- the HIE environment. As you say, where _confidentiality and obligations. This is where we can talk to Bundle being a high-water, of only the _confidentiality codes; and where obligations would go.

2.1 ) The placement of obligations seems important enough that we should have a specific scenario just for that, so as to highlight it.

3 ) Having a USA specific example using 42 would be useful too. This is a rollup of all the things we want to say. I think it is okay to be USA centric, but when we do this we should explain the situation in terms that are not overly USA centric.

4) Use of HCS tags when in a low-trusted environment (I trust they will not expose what I give them, but they have limited ability to protect highly sensitive information or to enforce obligations) -- Where you are going to block access to anything sensitive. Showing that blocking access might be silent, or might be explicit (we have outlined this in the http error codes for security). Both are useful policy choices.

4.1 ) do we include your concern around returning obligations only when you KNOW that the recipient will enforce them? It needs to be said somewhere. Here might be good place.

5) Always good to remind people that they are not to expose information when the trust is not there.

Not sure if it is proper to use highly-trusted, moderate-trusted, and low-trusted -- I think the trust framework is key

is this what you are proposing? Did I miss a concept? I think this would be a good discussion today.

Access Control

  • Outline for a FAQ improvement on the module page
  • Access Control
    • Access Control diagram from Mike (Inputs – Decision – Enforcement – Outputs)
    • Using OAuth
      • Identity
        • Leverage OpenID Connect
        • Federate (cross-reference, mapping) to local identity descritions
          • Informally, or Formally
      • Roles
        • Using Standard roles from HL7
        • Using local codes
        • Clearance
      • Scopes
        • Using SMART scopes
          • Basic starter set
          • Supports Organizational use-cases with simple consent
          • Doesn’t support fine-grain
          • Doesn’t support complex consent
        • Using HEART – UMA
      • Using Cascading Authorization Servers
        • Bridging SMART and UMA and organizational requirements
    • Using Security labels
      • HCS conformance
        • MUST have a _confidentiality value (1..1)
        • Use of persistence label
        • Bundle use of security_tags – high-water
        • Comprehensive security_tags on each resource communicated to a trusted peer
        • Using security lables from a consent directive (privacy policy) on goverened resources
        • Using Clearance with security labels
    • Bring in stuff from the Privacy Consent Implementation Guide (Consent IG)
      • TODO
    • Should we create a new page, parellel with security.html -- privacy.html
      • Privacy Principles
      • Consent as a way to control Collection/Use/Disclosure
      • ISO four models (In, Out, In with exceptions, Out with exceptions)
    • Trust Framework
      • impact on the Conformance resource published by partners.
      • Establishing trust Contracts between trading partners


  • John chair
  • Roll;
  • approval of agenda -- Glen/Alex: 5-0-0
  • approval of the HL7 FHIR Security 2017-01-31 Minutes -- Glen/Suzanne: 5-0-0
  • All security open
  • Discussion - Problems with roles --
    • Security use of actor.role is as defined by security standards. It includes Structural and Functional role
    • Provenance and AuditEvet have element to record the actual role that authorized the activity. This is distinct from all the roles that user holds
    • Security roles are managed as PIP. This might be coordinated with FHIR Practitioner, but might be only managed in OAuth or other IAM
    • The role in other FHIR resources might be related, but seems like it is more associated with a workflow 'action'. This workflow action would have been authorized by access control, but might be a more fine descriptive detail.
    • John and Kathleen to keep the security wg informed
  • All but two vocabulary items have been applied. The two vocabulary ones are being worked on now.
    • Role vocabulary -- Ewout is helping
    • Lifecycle vocabulary -- John is building
    • Activity vocabulary -- Kathleen has provided start, John needs to integrate into build
    • entity object type to include FHIR Resource list -- Grahame helping
  • New Business
    • NIB proposal by Kathleen --
      • Motion to approve NIB: Kathleen/Mike: 5-0-0
      • Mike notes that this vote needs to be pointed out on the main Security WG minutes.
  • Set FMM values
    • Propose 3 for both Provenance and AuditEvent
    • Evaluation of 2 is appropriate. John to evaluate FMM3 quality checklist.
    • Motion: Approve FMM 2 for Provenance and AuditEvent; with potential FMM 3 if the quality checks are successful - Glen/Kathleen: 5-0-0
      • John to do research, and run an email vote if FMM 3 can be obtained
  • Work on quality issues?
  • New business?
  • No meeting next week due to HIMSS