March 6, 2012 Security Working Group Conference Call
Security Working Group Meeting
- Bill Braithwaite
- Kathleen Connor
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Trish Williams
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Co-Chair Discussion
- (02 min) Security WG Decision Making Process - Bill Braithwaite
- (15 min) Role of HL7 Security and Privacy Ontology in HL7 Artifacts - Kathleen Connor
- (15 min) Mobile Devices Security and Privacy. ONC event (face-to-face or web) on March 16; registration link: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__mobile_devices_roundtable/3815#registration
- (5 min) Other Business
- Mike Davis, presiding Co-Chair
Roll Call, Approve Minutes & Accept Agenda: Mike asked for review and approval of the February 28th minutes. Suzanne moved to approve; Trish seconded. Bill abstained. Minutes approved 3-1-0.
Decision Making Practices (DMP): The Security WG Decision Making Practices (DMP) v3.0 update on Electronic Voting was sent out to the Security list serve by Bill on February 7th. Request that the document be reviewed and sent out for approval by electronic vote as the current DMP for the Security WG.
a) Decisions may be made outside of Work Group meetings by conducting electronic voting.
b) Security WG electronic votes will be announced on the Security WG list server.
c) If the motion to be put to an electronic vote was NOT made, seconded, and discussed during a quorate meeting, then the Work Group will circulate the motion and request a second via the list service. Once seconded there will be a period of not less than 3 days of discussion via the list service prior to the opening of the electronic vote.
d) Security WG electronic votes will be held open for a minimum period of 1 week but may be longer. The voting period will be defined in the announcement of opening the electronic vote.
e) Quorum for electronic voting will be set at 90% of the number of attendees at the last meeting or call at which quorum was achieved. Quorum shall be at a minimum the same as for a Security WG meeting or call as defined in Section 5.
f) If quorum has not been achieved at the end of the announced voting period, the vote will be closed as unsuccessful due to lack of quorum.
g) Electronic votes are decided by simple majority of the affirmatives and negatives.
h) The results (vote tally) of electronic votes will be recorded in the next meeting/call minutes so there is a persistent record.
Co-Chair Discussion: Mike led the Co-Chair discussion. The Security WG missed the deadline for requesting a fourth Co-Chair. Mike said that the current Co-Chairs decided it would be best to wait until the Vancouver WGM. The possibility of announcing interested candidates prior to the Vancouver meeting was discussed. Mike will investigate approaches for nominating or appointing interim Co-Chairs, either by having the Co-Chairs appoint an interim Co-Chair or by waiting until the WGM. Trish Williams noted that she is very interested in the fourth Co-Chair position.
Role of HL7 Security and Privacy Ontology in HL7 Artifacts led by Kathleen Connor
PPT: Role of the HL7 Security and Privacy Ontology in HL7 Artifacts. Background: the notion of the ontology itself came out a few years ago, and SOA also proposed that an ontology would be useful as a further dimension to an information model. Bernd Blobel was instrumental in pulling this together. It would be considered an artifact under SAEAF; it is an extension of an Information Model, where the code sets that define the classes become artifacts in an ontology and the relationships are placed in some hierarchical way. Our goal was to meet a demand from industry.
OASIS was investigating whether or not an ontology would be useful in making access control decisions, as they were having problems instantiating roles in a very complicated way in a rule engine. If you had an ontology as part of the decision process, the hierarchy of importance of things would be known; e.g. in RBAC you can have permission for orders in general, and an ontology can help decide whether you can make a decision by guiding it.
The second important part is to move it over to SNOMED CT, not maintaining it here in HL7. In creating and balloting it, we want to move away from a DSTU approach to a normative approach in order to take it over to SNOMED CT, rather than the typical HL7 vocabulary process. We have some experience with that, since the RBAC vocabulary is not tied to the RIM but is conformant to the ANSI/INCITS standard 359-2009. Most recently we went back to the steering division because we are not able to meet the May ballot date, changing the scope statement to an informative ballot in May and then a normative ballot after that. The steering division asked whether we can go normative or not. Kathleen's presentation:
We had an issue in the area of RBAC: the NwHIN Exchange folks specified roles from SNOMED CT, but clearly SNOMED CT items were not intended to be used for RBAC. It was convenient to do so (each had a number associated with it, etc.), but it was an inappropriate choice. At the time SNOMED CT was not a security standard. The ontology of the roles picked out was clinical, not related to security. In an attempt to fix this, we went to ASTM, which has a standard, E1986, with a table of RBAC-oriented roles; we added a mapping to the SNOMED CT codes, added an OID, and enumerated the roles for use by groups that need them in real-world standards. E1986 has healthcare-specific roles beyond those for which a matching term can be found in SNOMED CT. This will fix the problem long term by creating a sub-ontology which is security and privacy oriented in nature.
If it is normative under HL7, other SDOs will look to it for truth; the relationships make a good basis for an argument for building ontologies without a (vocabulary basis?).
Note: Difficulties with live meeting - future discussion?