January 24th, 2012 Security Working Group Conference Call
Security Working Group Meeting
- Kathleen Connor
- Ed Coyne
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- Jim Kretz
- Glen Marshall
- John Moehrke Security Co-chair
- Milan Petkovic
- Ken Salyards
- Richard Thoreson CBCC Co-chair
- Tony Weida
- Trish Williams
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) HL7 WGM wrap up and Action Items Mike Davis
- (15 min) Draft Work Plan - Security and Privacy Ontology
- (15 min) HL7 EHRS FM Action--Verb Hierarchy ppt
- (15 min) acquiring ISO Standards
- (5 min) Other Business
Meeting Minutes - DRAFT
Roll Call, Approve Minutes & Accept Agenda
Please follow link:
- The attached HL7 EHR-S FM Action Verb hierarchy should be reviewed by Security and CBCC WGs.
- They do not map to the Security Operations (CRUDE or the data operations code system).
- They do not appear to align with the Security and Privacy Ontology.
- Below are examples of potential issues:
- Why would encrypt/decrypt be under the category of “Store” when those could be required for use and exchange as well.
- The definition of TAG is “To UPDATE data by marking it for special use. For example, a nurse may TAG the previous week’s records for patients that presented with a severe cough and fever.” This might be useful for tagging for sensitivity, but needs to be thought through – why isn’t the data “tagged” when created rather than as an “update”?
- RENDER and EXTRACT may be a “Disclosure” but that’s not differentiated.
- AUDIT (revised) To TRACK system-initiated or user-initiated activities by analyzing logs based on policies or rules. For example, the system may automatically AUDIT the daily log for multiple-failed-logon-attempts. Another example is that an administrator may AUDIT the excessive use of extraordinary (i.e., “break-the-glass”) access to certain patient information in the Emergency Department. John already suggested that there should be a more general Event logging – and that Audit should be a specialization.
Request to publish Security and Privacy DAM DSTU FYI -- This was announced to the co-chairs and affiliate chairs for consideration back in October 2011, and the TSC tabled the motion to approve publication on Nov 7th anticipating a human-readable form of the DAM, another announcement is not needed. The tabled motion has been entered onto the TSC agenda on Monday January 30th. It's being tracked at TSC tracker # 2104. See http://gforge.hl7.org/gf/project/tsc/tracker/?action=TrackerItemEdit&tracker_item_id=2104&start=0 for details.
- (5 min) Other Business