March 19, 2013 Security Working Group Conference Call
Security Working Group Meeting
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) May 2013 WGM Ballot Update
- (15 min) Security and Privacy Ontology Work (IRIs, conformance, level of assurance, operations) - Tony
- (15 min) Item3
- (05 min) Other Business
Roll Call, Approve Minutes & Accept Agenda
Security and Privacy Ontology Work Update – Tony
Tony reviewed the OperationOntology.owl sub-ontology table with the group, focusing on the highlighted items. The recent additions, highlighted in yellow, were derived mostly from the HL7 ActCode code system (for data operations) and the HL7 ActDataUse concept domain (for privacy operations). See the email Tony sent to the group on March 14.
WGM Ballot Update – Mike and Kathleen
The Security Working Group wants to ballot the Healthcare Classification System (HCS) with the categories and definitions of the classification, the sensitivity, integrity and compartment categories, and the handling instructions as normative. (Sections of the document such as the clearance of the user are not intended to be normative.)
In addition to the categories that will be defined through the open XML version of the Security Policy, the intent is to include vocabularies from the HL7 standard vocabularies in this standard. Three things must be defined:
- the clearances of the users (not normative);
- the specification for the resource, which includes the classification structure (the classifications for the categories) and its XML representation (normative);
- the security policy, which holds the definitions of the classification labels (normative).
The final portion of the document is the Security Policy Information File (SPIF). The SPIF is not really a policy but a file representation of the policy: it carries the definitions of the security labels and how to check them against a policy. The goal of the HCS ballot/document is to specify the structure of the labels; there is already plenty of guidance on how to specify policy. There is one set of confidentiality labels for the categories that represent what needs to be done, and we need to describe those in terms of the standard so that we are compliant with the general representations.
The group is also looking at NIST FIPS PUB 188, but there are ISO standards for practically everything being done in this standard.
Healthcare Classification System – Components of the Clearance
The confidentiality codes are inherent. The clearance is compared against the label. The Class list and the Security Category are the components that hold the restrictive and permissive security categories. In the restrictive scheme you must hold the clearance for the access, and only that clearance will get you into the object. The rules for clearance are listed in the document. When the work on the guide is completed, it will be the specification for how to represent the Healthcare Classification Scheme. Kathleen completed an XML walkthrough of the Security Policy.
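As an added illustration of the clearance-versus-label comparison discussed above (example code written for these minutes, not HL7 or Security WG code), the following Python checks a user's clearance against a resource's security label under a small, constructed stand-in for the SPIF. The minutes only state the restrictive rule (the clearance must hold the category to get into the object); the other rules are assumptions: confidentiality codes are treated as a hierarchy ordered U < L < M < N < R < V as in the HL7 v3 Confidentiality code system, and a permissive category is satisfied when the clearance holds at least one of the label's permissive categories (the X.841/SDN.801 SPIF convention). The category names and the policy table are constructed sample data.

```python
"""
Clearance vs. security-label check in the HCS / SPIF style.
Added illustration; not HL7 or Security WG code.

Assumptions (not stated in the minutes):
  * Confidentiality codes are hierarchical, ordered U < L < M < N < R < V
    (HL7 v3 Confidentiality code system).
  * Restrictive categories: the clearance must hold EVERY restrictive
    category on the label (this is the rule the minutes state).
  * Permissive categories: the clearance must hold AT LEAST ONE of the
    label's permissive categories (X.841 / SDN.801 convention, assumed).
  * Category names (ETH, HIV, TREAT, ...) and the POLICY table are
    constructed sample data standing in for a real SPIF.
"""
from dataclasses import dataclass

# Constructed stand-in for the SPIF: the codes and categories the policy defines.
POLICY = {
    "confidentiality": {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5},
    "restrictive": {"ETH", "HIV", "PSY", "SDV"},
    "permissive": {"TREAT", "ETREAT", "HPAYMT", "HRESCH"},
}


@dataclass(frozen=True)
class SecurityLabel:
    """Label carried by the resource (object)."""
    confidentiality: str
    restrictive: frozenset = frozenset()
    permissive: frozenset = frozenset()


@dataclass(frozen=True)
class Clearance:
    """Clearance held by the user (subject)."""
    confidentiality: str
    categories: frozenset = frozenset()


def validate_label(label, policy=POLICY):
    """Return a list of problems; empty means the label is well-formed under
    the policy. Codes the SPIF does not define are never silently accepted."""
    problems = []
    if label.confidentiality not in policy["confidentiality"]:
        problems.append(f"unknown confidentiality code {label.confidentiality!r}")
    for cat in sorted(label.restrictive - policy["restrictive"]):
        problems.append(f"undefined restrictive category {cat!r}")
    for cat in sorted(label.permissive - policy["permissive"]):
        problems.append(f"undefined permissive category {cat!r}")
    return problems


def clearance_dominates(clearance, label, policy=POLICY):
    """Decide whether the clearance grants access to an object carrying the
    label. Returns (allowed, reasons); reasons lists every failed check."""
    problems = validate_label(label, policy)
    if problems:
        return False, problems  # fail closed on a malformed label
    reasons = []
    levels = policy["confidentiality"]
    # Hierarchical check: an unknown clearance code ranks below everything.
    if levels.get(clearance.confidentiality, -1) < levels[label.confidentiality]:
        reasons.append(f"clearance level {clearance.confidentiality} below "
                       f"label level {label.confidentiality}")
    # Restrictive: all of the label's categories must be in the clearance.
    missing = label.restrictive - clearance.categories
    if missing:
        reasons.append("missing restrictive categories: " + ", ".join(sorted(missing)))
    # Permissive: at least one of the label's categories must be in the clearance.
    if label.permissive and not (label.permissive & clearance.categories):
        reasons.append("none of the permissive categories "
                       + ", ".join(sorted(label.permissive)) + " held")
    return not reasons, reasons


if __name__ == "__main__":
    label = SecurityLabel("R", restrictive=frozenset({"ETH", "HIV"}),
                          permissive=frozenset({"TREAT", "ETREAT"}))
    subjects = {
        "treating clinician": Clearance("R", frozenset({"ETH", "HIV", "TREAT"})),
        "clinician lacking HIV": Clearance("R", frozenset({"ETH", "TREAT"})),
        "billing clerk": Clearance("V", frozenset({"ETH", "HIV", "HPAYMT"})),
        "normal-level user": Clearance("N", frozenset({"ETH", "HIV", "TREAT"})),
    }
    for who, clr in subjects.items():
        ok, why = clearance_dominates(clr, label)
        print(f"{who:24s} {'ALLOW' if ok else 'DENY '} {why}")
```

Each failed check is reported rather than only the first one, which makes the decision auditable; and a label that uses a code the policy does not define is rejected outright instead of being treated as if it had no categories.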
Meeting adjourned at 1502 PST