
October 17, 2017 Security Conference Call

From HL7Wiki

Back to Security Main Page

Attendees

Present (x):

  • Kathleen Connor, Security Co-chair
  • Alexander Mense, Security Co-chair
  • Suzanne Gonzales-Webb
  • David Staggs
  • Christopher Shawn
  • Beth Pumo
  • Diana Proud-Madruga
  • [1]

Absent (.):

  • John Moehrke, Security Co-chair
  • Trish Williams, Security Co-chair
  • Mike Davis
  • Mohammed Jafari
  • Ioana Singureanu
  • Rob Horn
  • Serafina Versaggi
  • Joe Lamy
  • Galen Mulrooney
  • Paul Knapp
  • Grahame Grieve
  • Johnathan Coleman
  • Aaron Seib
  • Ken Salyards
  • Gary Dickinson
  • Dave Silver
  • Oliver Lawless
  • Ken Rubin
  • David Tao
  • Nathan Botts


Agenda

  1. (3 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of October 3, 2017 Minutes and October 10, 2017 minutes.
  3. (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
  4. (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
  5. (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
  6. (15 min) FHIR Security call - John is at IHE so no call this afternoon. Kathleen to review draft CR 14028 for Accounting of Disclosure using FHIR AuditEvent.

Meeting Materials

FHIR Security CR 14028

  • Accounting of Disclosures
  • Specific example of a Privacy report that is HIPAA specific, but the concept is applicable in similar forms
  • There is some POLICY that drives a subset of all Access/Use/Disclosures to be explained to the patient.
  • Who, What, Where, When, Reason, Purpose
  • Produces some form of report to be delivered to the patient to explain all the disclosures
  • Unlikely to be a structured report, but the structured report could be CSV (or AuditEvent)
  • Other regulatory examples: Access Log (all accesses regardless of if they qualified under TPO)
  • Would capture all potential disclosures in the AuditEvent audit log, and filter to select the reportable disclosures
  • Leverage AuditEvent database. Other audit log data may additionally be added but are outside the scope of FHIR.
  • Focus only on Accounting of Disclosures where the disclosure is detected and recorded using an electronic reporting system (not including disclosures that are undetected or unknown)
  • Would include paper/fax/mail disclosures provided there is some supervisory system that detects the export
  • Would not include paper/fax/mail disclosures that happen outside of a workflow managed or detected by technology
  • HOW
  • Given that AuditEvent includes comprehensive evidence of all access/use/disclosure, then:
  • Filtering of the whole AuditEvent may be complex, and would change as regulations change and as workflow patterns change.
  • Filter on all AuditEvents where the Patient of interest is the subject/patient element (See patient compartment)
  • Workflows may operate on patient data indirectly and thus would not be detected as having touched the patient
  • Some resources don't contain a patient/subject element, but are linked to the patient/subject through another object (need explicit example?)
  • Some:
  • Of all the events returned from a subject search
  • Filter out those events that don't need to be included in the Accounting of Disclosures
  • Condense multiple events on the same Disclosure event (many audit log entries will happen that are all related to one session)
  • Summarize each Disclosure detected
  • Who --
  • When --
  • Why -- (OAuth purposeOfUse?)
  • What ??? Can we leverage the <any> Resource.text element to explain 'what' data was disclosed?
  • AuditEvent.text -- This field may be useful on some types of audit event recording
  • De-Duplicate similar events into some description of a number of Disclosures over a period of time
  • a PDF can be created with the details from this analysis or possibly a structured/coded form
  • REFERENCES
  • http://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html From <http://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures>
  • HITECH AoD From <http://www.hipaasurvivalguide.com/hitech-act-13405.php>
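The filter-condense-summarize procedure sketched under HOW above, as an added Python example that is not part of the wiki page or of CR 14028. The AuditEvent records are constructed and flattened to the few fields the procedure needs (real AuditEvent resources nest agent, entity and purposeOfEvent); treating the TPO purposes as non-reportable is an assumed policy rule, which is exactly the part the page says will change as regulations change.

```python
from collections import defaultdict

# Assumed policy rule: treatment/payment/operations purposes (HL7 PurposeOfUse
# codes) are not reportable; every other purpose must be explained to the patient.
TPO_PURPOSES = {"TREAT", "HPAYMT", "HOPERAT"}

# Constructed, simplified AuditEvent records: one line per audit log entry.
SAMPLE_EVENTS = [
    {"id": "ae-1", "recorded": "2017-10-01T09:00:00Z", "session": "s1",
     "purposeOfEvent": "TREAT", "agent": "Practitioner/dr-a",
     "entity": ["Patient/p1", "Observation/o1"], "text": "Lab results viewed"},
    {"id": "ae-2", "recorded": "2017-10-02T10:00:00Z", "session": "s2",
     "purposeOfEvent": "HRESCH", "agent": "Organization/research-x",
     "entity": ["Patient/p1", "Condition/c1"], "text": "Condition list exported"},
    {"id": "ae-3", "recorded": "2017-10-02T10:00:05Z", "session": "s2",
     "purposeOfEvent": "HRESCH", "agent": "Organization/research-x",
     "entity": ["Patient/p1", "MedicationRequest/m1"], "text": "Medications exported"},
    {"id": "ae-4", "recorded": "2017-10-03T11:00:00Z", "session": "s3",
     "purposeOfEvent": "HLEGAL", "agent": "Organization/court-y",
     "entity": ["Patient/p2", "Encounter/e1"], "text": "Encounter sent to court"},
]

def patient_compartment(events, patient_ref):
    """Step 1: keep events whose entity references the patient (compartment search)."""
    return [e for e in events if patient_ref in e["entity"]]

def reportable(events):
    """Step 2: drop events the policy exempts; the rest go into the accounting."""
    return [e for e in events if e["purposeOfEvent"] not in TPO_PURPOSES]

def condense_by_session(events):
    """Step 3: many log entries from one session become one disclosure."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    return [group for _, group in sorted(by_session.items())]

def summarize(group):
    """Step 4: who / when / why / what for one condensed disclosure."""
    first = min(group, key=lambda e: e["recorded"])
    return {
        "who": first["agent"],
        "when": first["recorded"],
        "why": first["purposeOfEvent"],
        "what": sorted({r for e in group for r in e["entity"] if not r.startswith("Patient/")}),
        "text": "; ".join(e["text"] for e in group),
    }

def accounting_of_disclosures(events, patient_ref):
    """Run the whole pipeline for one patient; returns one summary per disclosure."""
    groups = condense_by_session(reportable(patient_compartment(events, patient_ref)))
    return [summarize(g) for g in groups]
```

The returned summaries are the input to whatever patient-readable rendering (PDF or coded form) the page leaves open; the indirect-access gap the page notes (resources with no patient element) is not addressed by the compartment filter here.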

Minutes

Agenda: no additions/changes

Minutes: October 3 and 10, 2017

  • 10th – Kathleen/Suzanne Motion to approve
    • Objections: none; Abstentions: none; approve 8
  • 3rd – not yet complete

Privacy Study Group: Is Privacy Obsolete?

  • Comments are being received on the list—comments are being cataloged
  • WG4 (ISO) is planning for a project would be P&S for the internet of things.
    • Mike is part of the US TAG
    • Ann Kevorkian – Privacy by Design created in OASIS
  • Conversation on ‘privacy is dead’ – which Ann did not agree
  • Cited GDPR; and suggested that privacy is not dead, but seriously challenged
    • Within NIST privacy

Privacy is about your choice—no concept where we see security services as enforcing privacy; there is no concept of privacy enforcement relying on security services… or that privacy is managed by security—where security fails, privacy also suffers.

  • Mike is surprised by ISO on this now being a security issue.
  • We need to look at the situations in US, CAN, EU and non-EU as well and take the opinions, viewpoints from each of these areas—belief is country specific is defined by law and will change from country to country—wherein we cannot develop sweeping …
    • David: they were saying there was no such thing as privacy; suggested changing the verbiage to 'data protection by design' (instead of privacy by design)
  • Mike: it's kind of like in the HITSP days, wondering why they were in the same room as privacy; HL7 is remarkably mature, expecting the rest of the world to also have gone along with us; there is a viewpoint (rest of world) where they have been uninformed of our work; the joint information model, etc. is not part of their thinking and is an obstacle in dialogue. (16:00)
    • conversation will be added to the HL7 listserv thread

Kathleen: in a FHIR AuditEvent, there is a place to add text in human-readable terms describing what the resource is about: FHIR Security CR 14028

  • Accounting of disclosure; it wouldn't be structured in the text, but other parts of Accounting of Disclosure on AuditEvent would be

Per Mike: regarding fields:

  • WHO: organization or person; in the US, we may ask for both
  • Determine if mandatory or optional fields (recommend making everything optional and make law require…
  • Patient readable format—cite patient friendly format document in hl7
  • Kathleen; will take into consideration and update as this is the first draft.

For the 2017 we had extensive comments

  • There was good acceptance of the points that were made (table)
  • <<Add table link>>
  1. Addition of ADT; security labels should be included
    • Security labeling has been added to several other sections (33:12)
    • Section called vocabulary—move the HCS to that section and not keep in the reference section—point out that this is the vocabulary to be used in security labeling
  • Also to terminology add SAMHSA vocabulary in ‘VSAC’ (confirm)
    • No other comments, additions
    • Move to add comments as described to submit as a draft tomorrow to ___
    • Comments as is (Kathleen/Suzanne)
      • Objections: 0, abstentions: none; approve: 9
  • October 31, Kathleen and Suzanne will be out-of-office
  • No other discussion items

Motion to adjourn: Kathleen/Suzanne at 12:49 Pacific time