HL7 WGM Sept 2017 - San Diego US MINUTES

Back to Security Meetings

MINUTES WGM San Diego 11th-14th September 2017

Monday Q3

Joint CBCC - Security

See CBCC Minutes

Monday Q4

Joint CBCC - Security

See CBCC Minutes

Tuesday Q1

Opening Security WG Meeting

Attendees:

• John Moehrke John.Moehrke@gmail.com
• Alexander Mense alexander.mense@hl7.at
• Kathleen Connor Kathleen.connor@comcast.net
• Mike Davis mike.davis@va.gov
• Chris Shawn christopher.shawn@va.gov
• David Pyke david.pyke@readycomputing.com
• Andreas Schuler andreas.schuler@fh-hagenberg.at
• Harri Honko harri.honk@w2e.fi
• Kevin Shekleton kshekleton@cerner.com
• Elysa Jones elysa@honeycombIQ.com
• Suzanne Webb suzanne.webb@bookzurman.com

Chaired by John

• Introductions
• Approval of agenda
• International Report outs
  • Updates on European legislation regarding security and privacy.

   European commission: Digital Single Market. [1]
   Directive on Network and Information Security: European Parliament and European Council: Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. 2016, [2]
   GDPR: European Parliament and European Council: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). In: Official Journal of the European Union, L 119/1, [3]
   ePrivacy: European Commission: Proposal for a Regulation on Privacy and Electronic Communications. 2017, [4]
   
   Rene's article about GDRP [5]

• • Discussion on European cross border health data exchange and trust frameworks
  • Finnland

   Report on Finnish PHR activities (PHR project, PHR profile)
   The W2E project (private initiative): https://w2e.fi 

• • US

   OASIS activities on tracking emnergency patients and the relation to HL7
   Discussion about making data available in case of emergency/disaster situations

• Liaison Reports: ISO, IHE, ONC

   Discussion ONC Truste Exchange, HL7 answer

• HL7 Project status and updates:

       Trust Framework - Ballot Reconciliation Plans
       SOA Audit – Ballot Reconciliation Plans
       FHIR Security - AuditEvent, Provenance, Security Labels
       FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM

Tuesday Q2

Continuation of Q1 topics

Attendees:

• Q1 attendes
• Hideyuki Miyohara
• Grahame Grieve

Chaired by John

• HL7 Project status and updates:

       NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
           NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
           Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
       Impact of NIST SP 800-53-5 on Privacy and Security Study Group Proposal - Mike Davis
       NIST SP 800-63 rev 3 - Chris Shawn
       Study Group for Minimum Necessary, Purpose of Use , and Healthcare Workflows
   [https://www.freeconferencecall.com/wall/recorded_audio?audioRecordingUrl=https%3A%2F%2Frs0000.freeconferencecall.com%2Fstorage%2FsgetFCC2%2FasJ8A%2FILf85&subscriptionId=8257383 Webmeeting recording of CBCC/Security JT on FHIR Consumer Centered Data Exchange Connectathon Track report out and demonstration - Kathleen Connor, Debi Willis, Bo Dagnall DCX (Plus Demo)
       Trust Framework - Ballot Reconciliation Plans
       SOA Audit – Ballot Reconciliation Plans
       FHIR Security - AuditEvent, Provenance, Security Labels
       FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM

• ISO report

  Discussion about topics for upcoming ISO meeting in UK
  Harmonization of Audit Trail ISO 27789 / DICOM

• FHIR Discussion with Grahame about Security artifacts to go normative

  maybe Security Labels, but not enough implementations 
  Security WG to provide IG to support further implementations

Tuesday Q3

Joint CBCC, Hosting Security, Mobile Health

See CBCC for minutes

• Proposed Topics: HL7 Project status and udates:

   MyData Architecture Framework - Reacting to GDPR with Privacy as a Service Infrastructure’ Harry Honko, Finland
   NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
       NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
       NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
       Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
   Study Group for Secondary use of HIoT data
   Study Group for Minimum Necessary, Purpose of Use , and Healthcare Workflows

Tuesday Q4

Trust Framework Work Session

Attendees:

Chaired by xxxx

• Review May TF4FA Ballot Comments and proposed dispositions

   TF4FA Ballot Material

Wednesday Q1

Joint w/ EHR, CBCC, FHIR, SOA, Security

See EHR Wiki for Minutes

• Agenda included indepth discussion about:

   NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
     NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
     NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
     Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
   Study Group for Secondary use of HIoT data
   Study Group for Minimum Necessary, Purpose of Use, and Healthcare Workflows

Wednesday Q2

Joint with SOA

Refer to SOA Wiki for minutes

• Agenda Items - Report out on:

   PASS Audit Ballot Spreadsheet
   PASS Audit Ballot January 2017
   Future PASS standards moving to Security

Wednesday Q3

Security WG deep FHIR topics

Attendees:

• Pascal Pfiffner
• Kevin Shekleton
• Yunwei Wang
• Michael Donelly
• Hideyuki Miyohara
• Jim Kretz
• Brett Markquard
• Kathleen Connor
• Reinhard Egelkraut
• Andreas Schuler
• Beth Pumo
• Pat van Dyke
• Richard Ettema
• Corey Spears
• Avinash Shanbhey
• Josh Mandel
• Isaac Vetter
• Keith Bone
• Matt Blachmon
• Joe Lamy
• Mike Davis
• Mags Tarriet

Chaired by John

Josh from FHIR Core team

• Discussion on Security endorsement of CORS??? what conditions? What considerations? What alternatives (See Keith Boone)

       https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=13827 GF#13827
  Keith' report on implementation experience
  It's not only CORS - need to provide an implementzation guide or at least an informative documentation
  Descission for a smal task force to investigate and make a proposal. Group reports back to Security/FHIR. Use Wiki for living document. Looking for people interested to participate in the task force. John leads. Need support from the implementers. Maybe set up a cooperation woth FHIR Foundation.

• SMART on FHIR Ballot Recon

  discussion about scope and extension scopes. Several proposals including John Moehrke’s Blog FHIR OAuth scope proposal using FHIR query parameters. Go on we current scopes and investigate further options for next version.
  
  Disposition of negative comments for group "design & extension" based on Josh's document https://docs.google.com/spreadsheets/d/1LgfmqZLcEiprCDXrHCG9NyT4rG0wulN0gnwtd4wK1u8/edit#gid=0
  Motion by Kathleen, Keith second, 24-0-0

Wednesday Q4

Security WG Project Meeting

Attendees:

• Kevin Shekleton
• Michael Donelly
• Alexander Mense
• Hideyuki Miyohara
• Isaac Vetter

Chaired by Alex

• Introduction to PSS on Context Synchronization (Isaac Vetter) here: https://drive.google.com/open?id=165BU5ZmUyuwxz4kg2dtjRWkNM7o4u2PrdcIKSxP94Ts

  Request to Security WG to be "interested party" or "co-sponsor"
  Discussion and decision postponed to Thu Q1 

• Presentation and discussion of CDS-hooks security model

Thursday Q1

Security hosting CBCC, FHIR-I Joint on FHIR App Verification and FHIR Consent Resource

Attendees:

• Kathleen Connor VA kathleen.connor@comcast.net
• Neelima Chennemeja SAMHSA needlimaj70@gmail.com
• Mark Scrimshire mark@ckinemark.com
• David Pyke Ready Computing David Pyke@readycomputing.com
• John Moehrke John Moehrke@gmail.com
• Alexander Mense HL7 Austria alexandre.mense@hl7.at
• Andreas Schriler Andreas.Schriler@fh.ha…. (?)
• Reinhard Egelkraut reinhard.egelkraut@cgm.com
• Suzanne Gonzales-Webb VA suzanne.webb@bookzurman.com
• Trish Williams HL7 Australia/Flinders University patricia.williams@flinders.edu.au
• Anthony Chiarelli Achiarelli@r1solutions.com
• Chris Shawn VA Christopher.Shawn2@va.gov
• Michael Clifton mclifton@epic.com
• Isaac Vetter isaac@epic.com
• Dennis Patterson dennis.patterson@cerner.com
• Michael.Donnelly Michael.Donnelly@epic.com
• Hideyuki Miyohara HL7 Japan Miyohara.Hideyuki@ap.MitsubishiElectric.co
• Reuben Daniels reuben@saludex.com
• Tessa van Stijh NICTIZ stijh@nictiz.nl
• Martin Entwistle Ares Health Systems ment@areshs.com
• Mike Davis Mike.Davis@va.gov
• Joe Lamy Aegis/SSA joe.lamy@aegis.net
• Corey Spears Infer Corey.spears@info.com (?)
• Sean McIvenna Lantana sean@lantanagroup.com

Chaired by John

• Mark Scrimshire presented on POET.
  • POET Presentationof a FHIR App Verification - Mark Scrimshire Audio
  • JSON poet-ri sample
  • transparentHealth.org
  • Pre-OAuth Entity Trust APT (POET)
  • https://github.com/TransparentHealth/poet
  • POET Reference Implementation (POET-R)
  • https://github.com/TransparentHealth/python-poetri

Contacts: Mark Scrimshire – mark@ekivemark.com and Alan Viars – avirs@videntity.com

• • Note: If you move outside the US, the thesis is applicable. The recent ONC challenge regarding aggregating data—now they have to register with everyone at an endpoint. Is this making it easier for the endpoints in delivering/giving out the gap.

• Motion: Mike/Kathleen; Security to be an interested party for the PSS: vote on PSS on Context Synchronization (Isaac Vetter) here: https://drive.google.com/open?id=165BU5ZmUyuwxz4kg2dtjRWkNM7o4u2PrdcIKSxP94Ts

VOTE: 27 for – 0 against – 0 abstain

• Fhir.org/consent.html
• vote on PSS on Context Synchronization (Isaac Vetter) here: https://drive.google.com/open?id=165BU5ZmUyuwxz4kg2dtjRWkNM7o4u2PrdcIKSxP94Ts

• • Query for consents for patients in the organization.
    • Negative or positive provision… is thee a positive consent from the this patient for this organization ; zero results found no… n/results means yes—wherein you can short circuit your systems
    • Policy rule and category are well understood and that really was not a modeling problem—but the examples stopped filling out category
  • People were trying to use policy rule..and goodnight the decision type; making the policy just …?
  • It should be a name of the type of form;
  • Category – need to have a tightly defined value set (privacy consent vs research consent, etc)

• • Timeline for release 4 - ?
  • Develop prep wiki:
    • For pubic comment ballot (December time frame) will be the whole build at the time;
    • in the May 2018 time-frame there will be a set of ballots / three ballots of normative parts of ballot (the rest in STU ballot) delivered as four ballot packages and will be front door/manifest into the same document similar to how we currently do V2;
    • The hope is that the four potential normative ballots will produce a final publication (release 4) in the nove/dec 2018; containint clearly marked normative areas. The rest of the areas will be STU

• • Resolution: vote Non Persuasive CR # 13811 (David Pyke/Trish Williams)
    • vote: 0-abstentions; 0 objections; 23 approve

• • Resolution: vote Persuasive CR # 13805 (Ewout Kramer / Suzanne Webb)
    • vote: 0-abstentions; 0 objections; 21 approve

Thursday Q2

General Meeting: SecWG Project Health and Administration

Attendees:

• John Moehrke John.Moehrke@gmail.com
• Alexander Mense alexander.mense@hl7.at
• Trish Williams patricia.williams@flinders.edu.au
• Hideyuki Miyohara Miyohara.Hideyuki@ap.MitsubishiElectric.co

Chaired by Trish

WG Health

• Two items listed as over 120 days:
  • Motion to extend the 1209 PSS with the FHIR rel 4 milestones with a new deadline of Dec 2018 subject to FHIR deadlines. Extend project end date Jan2019, next milestone is Jan 2018. Proposed by JM, Second AM, 3/0/0. We agreed this week that some tasks groups look at security configuration guidance, rather than turn-on-cause – and this would be in the project scope, Task group on application registration (from Q1) would also be under the same project 1209
  • DAM milestone – need to ask Kathleen

• Updated to 3 yr plan – addition co-sponsor to Smart-On-FHIR Project Insight 1341; added SLS Version 2; and removed completed projects. Motion to accept the new 3 yr plan Proposed John, Seconded Alex 3/0/0
• Uploaded DMP and updated 3-year plan to SecWG Homepage on HL7.org site

• Security Labelling Service – another type of service called The Legitimate Relationship Service was tried in the UK. ADT feed but was hindered by workflow incompatibility. As a workgroup we could socialise this as a potential service for privacy consent problems.