May 26th 2009 Security Conference Call
Security Working Group Meeting
- Steven Connolly
- Kathleen Connor
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Rob Horn
- Don Jorgenson
- Glen Marshall Security Co-chair
- Rob McClure
- John Moehrke
- Pat Pyette
- David Sperzel
- Richard Thoreson CBCC Co-chair
- Ioana Singureanu
- Tony Weida
- Craig Winter
Agenda and Meeting Minutes DRAFT
WORK IN PROGRESS - not ready for acceptance
- (05 min) Roll Call
- (05 min) Approve Minutes & Accept Agenda
- (05 min) PASS Update, SAEF Project Update - Don Jorgenson
- Process continues. Ioana has prepared some materials that are being worked into the charter.
- Another week or two needed to create draft to circulate to group.
- Building consensus and buy-in for the charter is the most important task right now.
- Note: A name change may be occurring. Currently it is SAEF; alternatives are now being looked at, with a greater scope (outside of services-aware).
- Name change will not affect the PASS project outcome.
- (15 min) White Paper - RBAC Permission Catalog Update - Steve Connolly
Steve – In column E are the functions from the EHR functional model; here we are mapping them to the current permission catalog. 1.1.4 "Produce a summary record of care" is related to two things: the discharge summary and the transfer summary report. Those in blue are from the permission catalog; those in black are from the functional model.
The spreadsheet provides some value in giving us a standard by which we can tag the objects within the object vocabulary. That's one requirement that it fulfills; it does not peg the object vocabulary to a clinical record vocabulary or process the way that, say, SNOMED CT does. One decision that I would like the workgroup to make is: if the adoption of the functional model does provide sufficient value, we can tie the object vocabulary to it; it indicates certain indications.
Kathleen – there are different flavors of the EHR functional model (pediatric, etc., inpatient, outpatient, etc.); keep in mind that the EHR functional model you are using to do this mapping is very generic. If you tie the vocabulary mapping closely to this one model, there will be different workflows that are predominant in other workflows. The other functional models can be found in conformance; this one (the current one you are mapping to) is the superset. If you look in the methodology, there are different flavors that are out there (care-setting-specific profiles; that is where these artifacts are).
Rob – the need is to clarify those nuances; we can go to those.
Kathleen – it makes sense to apply to the superset, but I wanted to let everyone know of the other flavors. There is a PHR functional model, separate from this one, and also constraints: care-setting profiles that are specific to particular care settings that might be implemented.
Mike – what I'm gathering is that neither LOINC nor SNOMED CT has worked out. They are partial; essentially we're saying that we're not going to use them.
Kathleen – is there a way to approach
Mike – we've mapped these things to the functional model before, and we've found good conformance. We're mapping arbitrary functions to another HL7 balloted model. We can find vocabularies for objects directly or indirectly. This is the minimum standard set.
Glen – it's also possible, if we find the vocabulary insufficient, to amend the vocabulary in HL7 harmonization. If it's not perfect, it should not be a barrier if the formula is in fact correct.
Mike – we're not trying to force a vocabulary into our set here. We have something to work on; it's a finite exercise.
Rob – you bring in a source that's been vetted externally to the security-specific use case; that's why this set is of greater value, in that these different requirements and use cases provide a common way of describing things, and publish it for others to go look at.
Mike – we don't have standard definitions for these words; we've been putting in definitions that come from all kinds of sources and that's what was adopted (a little ad hoc).
Rob – as long as it follows a vetted approach, that's as good a way as anyone else's way.
Steve – patient allergies in blue: there is not 100% conformance; is that a priority/importance?
Mike – that's just editing. We started this exercise to get the terminologists to get us a standardized vocabulary; after several months we've found that this isn't the case. We're back to creating our own vocabulary…
Rob – the needs that this group has describe these kinds of objects that others haven't had a need to do; without question there is an alignment that is really important to flesh out, particularly around consent directives and privacy. At its core, it's true: SNOMED CT or LOINC will not be able to provide a vocabulary for this kind of use. It makes sense that we do the work because we are the experts that understand it.
Mike – create a vocabulary that we can ballot very soon. At the rate we're going we're not going to make it. It's a version 2 where we have improved operations, improved operation vocabulary, the analysis that we have here, and the privacy side is comfortable (actions and operations); and if we have a requirement to also do financial as well (Kathleen can give us assistance), we need to bring the financial vocabulary onto these calls. With respect to the XSPA calls, we've removed SNOMED CT from the documentation.
Richard – the ballot does not say how you will connect to these different kinds of codes, i.e. SNOMED CT.
Mike – correct, we cannot do that because it's a mess.
Richard – how will they do this then?
Mike – I'm not planning to do that mapping; we'll provide an enumerated vocabulary that people will be able to use, and how they use it is not up to me.
Rob – this is something we'll have to discuss; simply stated, the context of these elements did not line up well (context of use). There are some things that patients will use that will line up with these functions and the systems that these create; it does not talk about HIV, but because of the context of use, they do not align. What we've determined is the things that we needed for security to align, a combined security/privacy… these are two different contexts of use. The alignment has
Richard – context… security access control… the other privacy
- (15 min) Extending the Permission Catalog - Ioana Singureanu
Ioana – a user group contains several structural roles; it does not have a functional user code (i.e. direct care team as a role).
Rob – a role would have a code that is structural or functional.
Kathleen – that goes against the idea of constraining certain functional or structural roles to an idea.
Ioana – functional role is nurse, structural is
Kathleen – types of nurses, per the policy, could have permission to perform acts; when they put on the functional role of ER provider, author or different (functional roles denote an act… responder, author…), the nurse would have a set of those per the organization policy.
Mike – the structural role that someone has represents a high-level position; the name for the role is humanly understandable, something a patient would understand the concept of what they are talking about. The functional role is a collection of permissions, which are operations on objects; those are collected into functional roles. There is no explicit relation between the structural and functional role except that the structural role is a precursor of capabilities.
Ioana –
Kathleen – if an organization has 3 structural roles, they are by default assigning functional roles to them.
Mike – that's where the structural role is there to operate the workflow. The structural role is sufficient enough to form some function.
Kathleen – if you tie a structural
Ioana – as far as policies
Glen – the implication was that as a security administrator assigned a functional role, they should be aware of the implications of any of those assignments… what permissions are they giving, etc. They need a specialty security admin to filter through that.
Mike – I don't think a patient will be able to weave through the permissions.
- (15 min) Item 3
- (5 min) Other Business