
November 20, 2012 Security Working Group Conference Call


Security Working Group Meeting

Meeting Information


Attendees


Agenda

  1. (05 min) Roll Call, Approve November 13th, 2012 Security Working Group Conference Call Minutes & Accept Agenda
  2. (20 min) S&P Ontology Update – Tony Weida
  3. (30 min) HCS Ballot – Mike Davis
  4. (05 min) Other Business, Agenda for Next call, Action Items, and Wrap Up

Minutes

Approval of Minutes and Agenda – Presiding Cochair, Mike Davis…, called for motion to approve meeting minutes and agenda. XXX moved; YYY seconded. Minutes and agenda approved (0-0-8)


S&P Ontology Update - Tony Weida

  • Approximately 90 comments received, of which a quarter have been worked through
  • Comments received from: John Moehrke, Suzanne Gonzales-Webb, Linzy Hoggle (Academy of Nutrition) and Ed Coyne
    • Nelson Hsing contacted to confirm submitted name on Ed Coyne (Ed did not submit comments for this ballot)
  • Of the comments submitted:
    • several comments point to the way the document is organized (i.e. requesting informative indices)
    • clarification needed in the document that the document is not intended to select a particular software tool for HL7, but the document is the tool
    • verification of document results
    • Comments on scope; proactively remove some classes that were added on the theory that we will wait and see if we need them.

ACTION ITEM: Request for the spreadsheet as-is with disposition proposals to be distributed to Security members for next week's meeting. All available materials are asked to be distributed.


HCS Ballot - Available for viewing (links to be added) HL7 Healthcare Privacy and Security Healthcare Classification System ballot

Updates made from last version:

  • Extracted the vocabulary pieces, which were helpful for understanding the categories of labels; these have been taken out, and the document is now more clearly a classification system (you bring your own vocabulary)
  • A conformance statement was added at the end (conformance in bringing in your own vocabulary), and this system can show you how that works
  • The column of the previous table that had representative vocabulary has been taken out; the current Table 1 is the description of the security label fields and their definitions, all of which are standards based. Since the previous version, the vocabularies have been updated and are now also updated in HL7 (per work done by Kathleen)
  • Note section: talks about what kind of field it is; this table is what would be considered the normative part of the standard, and the next section that follows this
  • None of the intro has changed
  • HCS field description: field definitions removed (they were redundant with the table); all information is in the table; otherwise these sections are unchanged

Key Target Access Control Information

  • Originally the document did not have a lead-in; it now contains “Access Control Decision Information” as a header
  • The diagram and text in this section were already there, but a lead-in has been added and now the document flows appropriately
  • More informative part—where the security labels fit into an overall environment of access control information
    • Security controls are in the bottom right of the quadrant
    • Security label is one of multiple possible types of access control, etc.


HCS Conformance

  • Security Work Group to review
    • The labeling system is to be used with a user-designated vocabulary (realm vocabulary) to populate meaning of the labels. We have the HL7 vocabulary as the example (Note: example is long)
    • The example has been extracted and placed into a separate informative ballot, similar to supporting data
  • Informative example of HL7 Healthcare Privacy and Security Classification System Release 1 using HL7 Security Observation Vocabulary – January 2013
    • Supporting material is not normative (two documents)
  • DISCUSSION about ; how it’s used in security observation
  • Discussion: can use some or all of it
  • What mock-up what it might look like for a CDA (summary care C32) …
    • Ability to put observation fields …label; on the entry for encounter
    • Security observation template…?
  • 4 fields that would comprise the label
    • Comprise an identifier? You talked about the consent directive, but it’s separate and apart from the payload
    • If you did revise the CDA, it translates into a security label. In the VA example, the CDA is used to automatically update the patient preference and the security system’s policy information point. That provides the patient preferences about the data, and then in the system we have a labeling component that looks at the patient information, what is being requested, and the data being constructed to return a response, using the patient information, business law, organization rules, etc. to tag the document. Once the document is tagged, there are additional things that come into play: the document may be masked or redacted prior to transmission
    • Is the ideal to state the privacy preference policy in conjunction with the ...we can state those as security labels…? (On the data?)
    • We use tagging rules that allow us to tag the information accordingly

Going back to the ballot version of the HCS: review of the document; there were a couple of edits that Kathleen brought up

  • The codes themselves are not hierarchical… none are more sensitive than another one… high/medium/low HIV… it’s just HIV
  • Sensitivity guidelines: since codes are not hierarchical… do you mean that you can’t have a list of sensitivity codes (since we used them in demonstrations; ISO… and others talk about category codes as a set of codes)… the codes are not * this talks about how you treat a SINGLE code. It doesn’t say you can’t have multiple codes

Sensitivity Guideline 2: apply sensitive classifications codes at the lowest levels for which a single code

  • HIV and Substance abuse
  • How do I get different code when there

If the second sentence is removed… you can’t always get to the lowest level of the object… to one code, you always need a list. This paragraph is not talking about a list. We need to figure out a fix.

Paragraph changed to:

  • These codes are not hierarchical and therefore there is no concept of high watermark

These two documents are what we plan to submit: By Monday 3PM (November 26th); the final date is next Sunday the 25th…Monday;

Motion made to submit documents on Sunday: Bill: motion made / second: Richard / objection: none / 1 abstention (Moehrke)

Meeting adjourned at 15

Security will be on the CBCC call next week.


  • RE: Other Business, Agenda for Next call, Action Items, and Wrap Up

Meeting adjourned at 2:00 PM Eastern

Action Items

  • RE:
  • RE:

Reference Material from Call
