July 14, 2015 Security WG Conference Call
| x | Member Name | x | Member Name | x | Member Name |
| x | Mike Davis, Security Co-chair | . | Duane DeCouteau | . | Chris Clark |
| x | John Moehrke, Security Co-chair | | Johnathan Coleman | . | Aaron Seib |
| x | Alexander Mense, Security Co-chair | . | Ken Salyards | x | Christopher Brown TX |
| . | Trish Williams, Security Co-chair | . | Gary Dickinson | . | Tim McKay |
| x | Kathleen Connor | . | Ioana Singureanu | . | Mohammed Jafari |
| . | Suzanne Gonzales-Webb | . | Darrell Woelk | . | Galen Mulrooney |
| x | Diana Proud-Madruga | | Grahame Grieve | . | William Kinsley |
| x | Rick Grow | | Chethan Makoahalli | | Lloyd McKenzie |
- ( 5 min) Roll Call, Agenda Approval
- ( 5 min) Approve July 7 Meeting Minutes
- ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson
- (10 min) ACS model - Mike *deferred due to full agenda*
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( 5 min) PSAF Update - Kathleen
- ( 5 min) Status of Provenance and AuditEvent subcommittee -- Kathleen/John
- ( 25 min) FHIR Security Discussion Items ready for discussion
  - 7752 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Persuasive
- ( 5 min) FHIR -- Items asking for Policy statements, where the recommendation is that no specific Policy statement be given
  - 7572 2015May core #863 - Explain business-specific details of update (Ioana Singureanu) None
  - 7683 2015May core #974 - Add security guidance for 'read' (Ioana Singureanu) None
  - 7685 2015May core #976 - Add authorization qualifier to 'vread' (Ioana Singureanu) None
  - 7686 2015May core #977 - Add authorization qualifier to 'update' (Ioana Singureanu) None
  - 7687 2015May core #978 - Add authorization qualifier to 'history' (Ioana Singureanu) None
  - 7688 2015May core #979 - Add authorization qualifier to 'delete' (Ioana Singureanu) None
  - 8165 2015May core #975b - Add authorization qualifier to 'read' (Ioana Singureanu) None
- ( 5 min) October 2015 HL7 WGM - Atlanta, Georgia USA - agenda items
  - Please send any agenda items to Suzanne
Approval of July 7 Meeting Minutes
- The WG unanimously approved the minutes from the July 7 meeting.
PASS Access Control Conceptual Model (SOA) Update
- The administrative portion of this project is complete as the NIB was submitted.
- At the most recent meeting on Friday, project participants discussed FHIR resources for access control, but determined that, because there are multiple groups already working on that aspect and it's out of scope for this project, they would not incorporate these FHIR resources in the SOA-PASS ACS.
- Diana and Mike will set up meetings to work together on the writing of the document.
- A Doodle poll was taken to establish a new meeting date/time. Project meetings will now take place on Wednesdays at 1 p.m. Eastern / 10 a.m. Pacific.
Joint Vocabulary Alignment Update
- Diana met with Reed and Gary to discuss how to create satisfactory EHR definitions. They are focusing on updating the definitions in the ISO/TC 215 21089 Trusted End-to-End Information Flows document to ensure they are good, correct and non-circular.
- Once updated, these definitions will then be used in the HL7 EHR-S Functional Model and Record Lifecycle Event vocabulary so that the project team can complete its alignment work.
Status of Provenance and AuditEvent subcommittee
- Kathleen - I think it's critical that FHIR Provenance includes an element for Action or Activity, and that it be bound to a value set for Provenance Event. That value set would include the Lifecycle Event verbs as defined by this group in addition to the ones that are already there.
- Diana - What I would really love is if it would be possible for either Kathleen or John, or both, to be present at next Tuesday's Vocabulary Alignment meeting.
- Mike - The Tuesday meeting is a good time to discuss this, but Gary hasn't been attending the Tuesday meeting.
- Diana will reach out to Gary asking him to attend the Tuesday calls.
- Kathleen showed us a rough outline of the structural set of processes that are meant to support getting trust and provenance into the framework.
- Different kinds of provenance: exchange policies, types of provenance metadata, payment provenance, research provenance, clinical provenance, etc.
- These processes should be mapping to the functional model work that Dave Silver has been completing.
- Kathleen - We need to come up with guidance on how to create the information files in any of these domains and how to specialize them. There are standards around that.
- Kathleen - All of this is work we're doing on the FHIM call (Tuesdays at 5 p.m. Eastern). Asked John to join the call and talk about the Provenance Activity.
- Mike showed the ACS model to the group. The purpose of creating this was to help inform the activities of the PASS Access Control normative version.
- There was a known gap around obligations. They also wanted to add information on trust frameworks and external authorization services (OAuth and UMA).
FHIR Security Discussion Items
- Between now and next week's call, John would like the WG to review these items and be ready for discussion.
Meeting adjourned at 1300 PDT