March 12, 2013 Security Working Group Conference Call
Security Working Group Meeting
- Bill Braithwaite
- Kathleen Connor
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Adrianne James
- Diana Proud-Madruga
- Richard Thoreson CBCC Co-chair
- Tony Weida
- Reed Gelzer
- Pat Pyette
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Security and Privacy Ontology Work (IRIs, conformance, level of assurance, operations) - Tony
- (15 min) May 2013 WGM Ballot Materials / HCS IG review (pre-ballot review)
- (15 min) Item3
- (05 min) Other Business
Roll Call, Approve Minutes & Accept Agenda
Roll taken; Mike Davis, Chair.
Meeting minutes from February 26, 2013 were approved (vote: 7 affirmative / 0 negative / 1 abstention (Reed Gelzer))
Meeting minutes for February 27, 2013 approved: 7 / 0 / 1 abstention (Reed Gelzer)
Security and Privacy Ontology Work (IRIs, conformance, level of assurance, operations) - Tony Weida
ACTION ITEM: Conformance Statement document to be circulated to the listserve
Conformance Statements (received by Tony via e-mail):
Expectations of a conformant application of the HL7 Security and Privacy Ontology:
- A conformant security labeling service SHALL assign privacy and security metadata in accordance with policy by invoking HL7 Security and Privacy Ontology terminology services.
- A conformant clinical data repository SHALL persist, manage, and retrieve privacy and security metadata in accordance with policy by invoking HL7 Security and Privacy Ontology terminology services.
- A conformant access control system SHALL rely on the HL7 Security and Privacy Ontology for the definitions and relationships of the terms and concepts that are necessary for making access control decisions. (Note that the HL7 RBAC Healthcare Permission Catalog is authoritative for definitions of terms and concepts specified therein; the HL7 Security and Privacy Ontology reproduces those definitions verbatim, defines additional terms and concepts, and adds relationships, especially hierarchical relationships among concepts.) This conformance criterion MAY encompass all access control system components, including the following:
  - A conformant access control system policy administration point SHALL invoke HL7 Security and Privacy Ontology terminology services to support encoding and retrieval of applicable policies for a conformant access control system policy administration point.
  - A conformant access control system policy information point SHALL invoke HL7 Security and Privacy Ontology terminology services to support retrieval of applicable initiator, resource, context, and request access control decision information required to generate an access control decision.
  - A conformant access control system policy decision point SHALL invoke HL7 Security and Privacy Ontology terminology services to support access control decisions.
  - A conformant access control system policy enforcement point SHALL invoke HL7 Security and Privacy Ontology terminology services to support access control enforcement within the custodian enterprise, in transit and in intermediary systems, and in end user clients.
- HL7 Security and Privacy Ontology terminology services SHOULD be invoked by means of HL7 Common Terminology Services 2 (CTS2) (11), or another suitable service implementation for accessing the ontology content, such as a service supporting the OWL API (http://owlapi.sourceforge.net/).
- HL7 Security and Privacy Ontology terminology services SHALL be invoked directly at run time, e.g., while making access control decisions, or at build time, e.g., to suitably populate whatever data store the access control system or other application prefers to use internally.
Noted website: http://www.hl7.org/ontologies/SecurityAndPrivacyOntology.owl
- Conformance Statement required as part of balloting procedures.
- 6 major Conformance statements in document
Discussion: Is there a way to mask digital information without encryption?
- Encryption is a mechanism, which is different from a thing (such as masking); encryption is a method for doing masking. What is comparable to masking is to make the data unavailable: unless you have permission to see it (data), you can't see it. You don't have to encrypt something (i.e. data) to not see it; this can be accomplished through access control methods. (This is a security view, per Mike's claim.)
Tony is looking for a definition for "deduplicate"; it currently has a temporary definition listed (remove redundant copies of data), in a sense similar to how you can anonymize or deanonymize, as an inverse of practically anything. Anonymize and deanonymize are both intentional.
- According to world dictionary: deduplicate means to remove duplicated materials.
- Definition: (sources needed)
Status of Ontology Ballot
Ballot needs to be submitted on Sunday.
Ballot Status: Tony is cranking away and will contact Don Lloyd (HL7) about having more time if necessary. Tony will be using the same format as before: a Word or PDF document with a zip file for the actual OWL ontology.
ACTION ITEM: Tony to discuss an extension with Don if necessary; otherwise Tony to submit what he has completed and beg for an update to what has been submitted.
ACTION ITEM: Tony must notify co-chairs of his decision
Question: How much additional work is needed? Will it be ready Friday/Saturday?
- Tony will make use of all time available until public review…on March 25, unless Don sets shorter time
- Add time for ontology discussion for next week security agenda
- Other questions, issues? (none at moment per Tony)
Healthcare Privacy and Security Classification System - Kathleen
- Completed the draft as QA, ballot cleanup in progress. (Bulk of the work)
- Section on using security labels with roles and users
- All pieces should be ready for submission on Sunday (on-time)
- A request for extension should not be required.
- Final version will/should be ready by Friday.
ACTION ITEM: Security group to review HCS IG for major things (show-stoppers) for input; otherwise comment should be reserved for ballot time.
Note: The guide includes some informative examples of how a document might look once the HCS has been applied to it, i.e. some developer input. That final part of it may still need to be completed.
ACTION ITEM: The HCS draft guide will be posted to the listserve
HIMSS Meeting Information on Data Segmentation for Privacy (DS4P) can be found via link: (see calendar on right side of webpage) http://wiki.siframework.org/Data+Segmentation+for+Privacy+Charter+and+Members
No other business.