October 13, 2015 Security Conference Call

Attendees

Back to Security Main Page

Agenda DRAFT

1. ( 5 min) Roll Call, Agenda Approval
2. ( 5 min) Approve September 29 Meeting Minutes
3. ( 5 min) Comments on ONC Draft Interoperability Standards Advisory - Kathleen
4. ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson, Mike, Dave
5. ( 5 min) Joint Vocabulary Alignment Update - Diana
6. ( 35 min) FHIR Security report out - John
7. PSS Security and Privacy Access Control and NIB
   • FHIR PSS for Security http://gforge.hl7.org/gf/project/security/docman/Security%20FHIR/
   • Value Set improvements - Kathleen

Meeting Minutes DRAFT

Approve September 29 Meeting Minutes

The meeting minutes from September 29 were unanimously approved.

Comments on ONC Draft Interoperability Standards Advisory

Kathleen - Email from HL7 Policy Advisory Committee asking that HL7 Co-Chairs and their WGs provide comments on the descriptions of the maturity/adoption/etc. of three types of standards:

1. Vocabulary
2. Content (semantics and syntax)
3. Services that are needed to support interoperability

• There is a slot in each one of the above standards types for discussing the applicable security patterns.
• Need to return comments to the Policy Advisory Committee so that it can get them before the board before the end of October.
• Kathleen started an overview pulling out the areas of concern to Security where they had put in some security and privacy standards where they added some descriptions of maturity. I added questions addressing gaps (for example, there's no mention of the HCS and the vocabulary even though they have DS4P in there). I'm in the process of sending an email that gives you the link and basic background. Later today, I hope to send out some draft comments on areas of focus for you.

PASS Access Control Conceptual Model (SOA) - Update

• First 50 lines of ballot reconciliation were completed at the WGM last week.
• Motion made (Glen/Diana) and APPROVED to accept one line of comments completed (line 51).

Joint Vocabulary Alignment Update - Diana

• This morning's call brought everyone up to speed. There's nothing new to report right now.

FHIR Security report out - John

• John sent out the PSS before this meeting. We've been working on AuditEvent and Provenance. CBCC and EHR are considered Interested Parties on those.
• The PSS is intended to be a broad PSS to cover the idea that we're doing work on FHIR. It's not intended to contain any specific deliverables.
• Kathleen provided excellent improvements including a project name change from "FHIR infrastructure" to "FHIR security" and made additions to the Interested Parties.

• Issues of realm
  • John did not want to bring in the issues on realm (these items are off the table)
  • Not everyone in the FHIR community is comfortable with these issues
  • There are risks which may affect our future work
  • This is a long-term work project
• Regarding the realm items – we are expected to be the SMEs and incorporate whatever is necessary and John does not believe that we are expected to include all possibilities because it’s a long-term project (vs. a short-term)
• If the perceived risk affects work that we’ve done and those issues are up for discussion, this could be a heads-up for which our work group needs to monitor and respond. There is pressure being placed on other domains and we should respond - this could be a short-term issue
  • Specifically: discussion on an architectural approach to having a resource called protocol or workflow that can be used in any situation for which there's a perception of an interaction between parties
  • Anything we do that is a request (i.e., audit log, consent) impacts the resources and profiles that we have developed (more analysis is needed)
  • There are other things that happen in the FHIR spec that we need to be aware of and this should not be an exhaustive list

• Motion to approve (Glen/Kathleen)

0 abstentions / 0 objections / MOTION PASSES

PSS Security and Privacy Access Control and NIB

Mike - During our WGM, we discussed creation of a new PSS for Security to include secure delegated services (possibly RBAC) in the current RBAC vocabularies. We want to have a standard that would be a catalog of all these similar vocabularies around access control. That motion was made and seconded (at the WGM).

Mike (cont.) - I just want to have, for the record, an approval to submit the NIB for January 2016 at this time. That's the motion:

"To move forward with the Security WG's Healthcare Access Control Catalog NIB" (Mike/Alex)

MOTION PASSES

PSAF - Kathleen

• Questions around the provenance signer type because there is some ambiguity and Kathleen is working on the wording
• Clarification needed on Glen’s comment on audit - what Mike heard is once the sender sends something out and it's in transit, the metadata gets changed and it's different from what the recipient receives.
  • What’s the audit system that records any changes in that space?
    • Glen does not have an answer (he is pondering some of these things...it may be something we disallow because of the nature that it can't be audited)...maybe we pushback and point out that an app that affects the security and privacy of the data is not, by itself, auditable and should be prohibited architecturally.
    • Kathleen - You can audit the V1 metadata...
    • Mike - How do you audit a change?
    • Glen - The issue being raised is that we need to assure ourselves that we can establish accountability for events that we are being held accountable for.
    • John - If the system is supporting versioning, the change in metadata changes the version.
    • Kathleen - That's what I would think. But according to Paul and Lorraine, the way they changed it will result in the versioning being the same (even though you've changed it).

Motion to adjourn (Glen/Diana)