September 28, 2010 Security Conference Call
Security Working Group Meeting
Attendees
- Allen Hobbs
- Ed Coyne
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- Michelle Johnston
- Vannak Kann
- Milan Petjovic
- Scott Robertson
- David Staggs
- Cliff Thompson
- Richard Thoreson CBCC Co-chair
- Serafina Versaggi scribe
- Tony Weida
- Craig Winter
Agenda
- (05 min) Roll Call, Call for additional agenda items & Accept Agenda
- (20 min) Monday Q3/Q4 Face to Face Agenda Items
- (35 min) Tony Weida: Ontology update
ADMINISTRATIVE NOTE: A new LiveMeeting link will be sent out after the HL7 Plenary and Working Group meeting. Please be on the lookout for it, thank you. ~Suzanne
Minutes
1. Action Items
- Richard will contact international members asking whether they can give a brief report during the Monday Q3/Q4 joint Security and CBCC session on their country's efforts to ensure that consumers will trust health care providers, and the various entities with which providers share protected health information, to protect consumers' privacy preferences
- Mike will reach out to the SOA Health Care Services Ontology project to see if they can attend the Security and Privacy Ontology report out portion of the joint session
2. Resolutions - none
3. Updates/Discussion
Boston WGM Joint Security/CBCC Agenda Discussion – Monday, Q3/Q4
- Tentative Agenda is as follows:
- Report Outs
- Security and Privacy Ontology Project – where we are and where we plan to go – Tony Weida (30 minutes)
- Includes a brief demonstration of the tool (Protégé) used to develop the ontology
- Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – Ioana Singureanu (15 minutes)
- NHIN Direct – John Moehrke (10 minutes)
- Federal Identity, Credential, and Access Management (FICAM) – Mike Davis (10 minutes)
- National Strategy for Trusted Identities in Cyberspace – Mike Davis (10 minutes)
- US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – Richard Thoreson and International HL7 members (50 minutes)
- Richard would like to hear from the different realms (nations) with respect to how they are approaching Privacy and the issue of TRUST: establishing the ability to share health care information with other providers. It is proposed to have a round table discussion involving participants from Australia (Heather Grain), Canada, England, France (Manuel), Japan (Hideyuki ‘Hidei’ Miyohara)
- The goal is to start identifying information services that work as building blocks for community-based trust networks and safety net services.
- Privacy Policy Reference Catalog Project Status – Pat Pyette (10 minutes)
- External Standards Update
- ISO Draft for Purpose of Use (POU) – Mike Davis (10 minutes)
- OASIS TC: Language Extensions to XACML - David Staggs (10 minutes)
- New OASIS Technical Committee – Privacy Management Reference Model (PMRM) – Suzanne Gonzales-Webb (10 minutes)
- Logical Record Architecture (U.K. project) – Stan Huff TBD (Allen Hobbs to reach out to Stan for availability) (10 minutes)
Security and Privacy Ontology Project Update
- A formal peer review for the Security and Privacy Ontology has been proposed. The Boston WGM meeting is not the proper forum to conduct the peer review so it will take place in subsequent regular Tuesday conference calls.
- The review criteria are being developed along with a peer review form, which will be distributed via the Security, CBCC and SOA lists to announce the review and invite participation. Input from the peer review will be used by Tony to help shape the ontology represented in OWL.
- Tony presented the latest update to the ontology and discussed various specifics of OWL and the Protégé interface.
- OntoClean methodology – OntoClean.org. The OntoClean methodology provides a framework for analyzing ontologies based on formal, domain-independent properties of classes (meta-properties). Ideally one would want to automate the analysis of the ontology but the current version of Protégé that we’re using has not been updated to include those features.
- The intent for the ontology is to become a standard to support interoperability. Two major goals:
- To make it easier for a patient to express consent
- To make it easier to express rules for privacy inside engines
- Tony presented a spreadsheet describing the VA Permission Catalog, which generated some discussion. The table lists permissions as rows and functional roles as columns.
- Mike opposes any attempt to map permissions to a particular role. This table presented was created during the development of the permission catalog to drive out the permissions. But it was not intended to assign those to specific functional roles. It was only to discover the roles to include in the catalog.
- The assignment of functional roles is not consistent from one organization to the next. Including this as an example is fine, but it should not be incorporated into the ontology itself
- For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means.
- Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology. Tony will migrate those to the demo namespace.
- Mike: Using other standards (ANSI INCITS), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes. But we're not trying to make those assignments on a national or international basis.
- Structural Roles are different. They exist at a higher level in the hierarchy and provide only access to high level workflows.
- A Structural Role is a precursor role. It is the role that you have to have to enter a generalized workflow. Functional roles describe the detailed things that you can do within a workflow.
- This is an important point to capture, and we need to make it clear in the ontology. We clarified this point in the Permissions Catalog and need to make it equally clear in the ontology. So this table is not in any sense normative.
- Tony: The fact that we were able to divide the ontology into sub-ontologies helps to distinguish what is part of the HL7 standard from what is part of the VA standard or anything else.
- The final topic under discussion today related to using SWRL (Semantic Web Rule Language)
- A way to demonstrate access control decision making
- OWL doesn’t have the power to do pattern matching in a convenient way. But this rule language was designed to work hand-in-hand with OWL
- SWRL Rules can be used to illustrate how people might use elements of the ontology to make access control decisions
- People are requested to think about whether SWRL is appropriate to use in relation to developing the ontology using the Protégé tool.
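To make the SWRL discussion concrete, the following is an added example (not code from the minutes, the HL7 ontology project, or Protégé). It shows what a SWRL-style rule does that plain OWL subsumption does not: it joins several facts by shared variables and derives a new fact, here an access decision. The rule encodes the two points made above: a structural role gates entry to a generalized workflow, and a functional role carries permissions whose assignment is local. Everything with an `hl7:` or `demo:` prefix, the rule's property names, the staff, workflows and permissions are constructed assumptions for illustration, not terms from the real ontology; the `demo:` prefix stands in for the DemoLocal namespace mentioned by Tony.

```python
"""Toy forward-chaining evaluator for one SWRL-like rule over RDF-style triples.

Added example, not part of the HL7 minutes or the Security and Privacy
Ontology project.  All names below are constructed for illustration.
"""

# Constructed facts.  The hl7: layer holds what the standard would define;
# the demo: layer holds the local functional-role/permission assignments
# that the minutes say must NOT go into the standard ontology.
FACTS = {
    # structural roles gate entry to a generalized workflow
    ("hl7:Clinician", "hl7:permitsWorkflow", "hl7:OrderEntry"),
    ("hl7:Clinician", "hl7:permitsWorkflow", "hl7:ChartReview"),
    ("hl7:Clerk", "hl7:permitsWorkflow", "hl7:Scheduling"),
    # operations (permissions) live inside a workflow
    ("hl7:WriteMedicationOrder", "hl7:inWorkflow", "hl7:OrderEntry"),
    ("hl7:ReadProgressNote", "hl7:inWorkflow", "hl7:ChartReview"),
    ("hl7:ScheduleAppointment", "hl7:inWorkflow", "hl7:Scheduling"),
    # local functional roles carry permissions (organisation-specific)
    ("demo:AttendingPhysician", "demo:hasPermission", "hl7:WriteMedicationOrder"),
    ("demo:AttendingPhysician", "demo:hasPermission", "hl7:ReadProgressNote"),
    ("demo:UnitClerk", "demo:hasPermission", "hl7:ScheduleAppointment"),
    # individuals
    ("demo:drSmith", "hl7:hasStructuralRole", "hl7:Clinician"),
    ("demo:drSmith", "demo:hasFunctionalRole", "demo:AttendingPhysician"),
    # patJones was locally given a clinical functional role but holds only
    # the Clerk structural role, so cannot enter the OrderEntry workflow
    ("demo:patJones", "hl7:hasStructuralRole", "hl7:Clerk"),
    ("demo:patJones", "demo:hasFunctionalRole", "demo:AttendingPhysician"),
}

# SWRL form of the rule this evaluator implements:
#   hasStructuralRole(?u, ?sr) ^ permitsWorkflow(?sr, ?w) ^
#   hasFunctionalRole(?u, ?fr) ^ hasPermission(?fr, ?p) ^ inWorkflow(?p, ?w)
#   -> permitted(?u, ?p)
# Variables are "?"-prefixed; a variable bound once must match everywhere.
RULE_BODY = [
    ("?u", "hl7:hasStructuralRole", "?sr"),
    ("?sr", "hl7:permitsWorkflow", "?w"),
    ("?u", "demo:hasFunctionalRole", "?fr"),
    ("?fr", "demo:hasPermission", "?p"),
    ("?p", "hl7:inWorkflow", "?w"),
]
RULE_HEAD = ("?u", "demo:permitted", "?p")


def _unify(atom, fact, bindings):
    """Extend bindings so that atom matches fact, or return None."""
    new = dict(bindings)
    for pattern, value in zip(atom, fact):
        if pattern.startswith("?"):
            if new.get(pattern, value) != value:
                return None  # variable already bound to something else
            new[pattern] = value
        elif pattern != value:
            return None  # constant mismatch
    return new


def _matches(body, facts, bindings=None):
    """Yield every variable binding that satisfies all atoms in body."""
    bindings = {} if bindings is None else bindings
    if not body:
        yield bindings
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        extended = _unify(first, fact, bindings)
        if extended is not None:
            yield from _matches(rest, facts, extended)


def derive(facts, body, head):
    """Return the set of head triples entailed by the rule over facts."""
    return {tuple(b.get(term, term) for term in head) for b in _matches(body, facts)}


def is_permitted(user, permission, facts=FACTS):
    return (user, "demo:permitted", permission) in derive(facts, RULE_BODY, RULE_HEAD)


def permitted_operations(user, facts=FACTS):
    return sorted(p for u, _, p in derive(facts, RULE_BODY, RULE_HEAD) if u == user)


if __name__ == "__main__":
    for who in ("demo:drSmith", "demo:patJones"):
        print(who, "->", permitted_operations(who))
```

The rule body is evaluated atom by atom, threading the bindings through each join, which is exactly the pattern-matching step the minutes note OWL itself cannot express conveniently. drSmith satisfies both gates; patJones has the functional role but not the structural role that admits her to the workflow, so nothing is derived for her. Replacing the `demo:` triples with a different organisation's assignments changes the decisions without touching the `hl7:` layer, which is the point of keeping the functional-role mapping local.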
The meeting was adjourned at 3 PM EDT
No significant decisions or motions were made