This wiki has undergone a migration to Confluence found Here

September 5, 2017 Security Conference Call

From HL7Wiki
Jump to navigation Jump to search

Back to Security Main Page


x Member Name x Member Name x Member Name x Member Name
. John MoehrkeSecurity Co-chair x Kathleen ConnorSecurity Co-chair . Alexander Mense Security Co-chair . Trish WilliamsSecurity Co-chair
x Mike Davis x Suzanne Gonzales-Webb x David Staggs x Mohammed Jafari
x Glen Marshall, SRS x Beth Pumo . Ioana Singureanu . Rob Horn
x Diana Proud-Madruga . Serafina Versaggi x Joe Lamy . Galen Mulrooney
. Duane DeCouteau . Chris Clark . Johnathan Coleman . Aaron Seib
. Ken Salyards . Christopher D Brown TX . Gary Dickinson x Dave Silver
x Rick Grow . William Kinsley . Paul Knapp x Mayada Abdulmannan
. Kamalini Vaidya . Bill Kleinebecker x Christopher Shawn . Grahame Grieve
. Oliver Lawless . Ken Rubin . David Tao . Nathan Botts

Back to Security Main Page


  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes August 29, 2017
  3. (15 min) San Diego Sept WGM Agenda - Kathleen
  4. (15 min) Security Labels for HL7v.2 See Links below for background - Kathleen
  5. (5 min) Security WG Interim Health Metrics - presiding cochair
  6. (5 min) ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
  7. (5 min) FHIR Security call - cancelled.

News and Review Material

Understanding Digital

  • Identity proofing is the process used to verify a subject’s association with their real-world

identity, establishing that a subject is who they claim to be.

  • An authenticator is something the subject possesses and controls (typically, a cryptographic

module or password) that is used to authenticate the subject’s identity.

  • Digital authentication is the process of determining the validity of one or more authenticators

used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. Successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same that previously accessed the service.

  • Federation is when the relying party (RP) and identity provider (IdP) are not a single entity or

not under common administration. Federation enables an IdP to proof and authenticate an individual and provide identity assertions that RPs can accept and trust. How has SP 800-63-3 evolved? Since the last revision of this document in 2013, NIST SP 800-63-2, digital identity components have evolved substantially. To better align with market-driven business models and innovation, the new revision replaces levels of assurance (LOAs) with ordinals for individual parts of the digital identity flow, providing implementers with more flexibility in their design and operations:

    • Identity Assurance Level (IAL): the identity proofing process and the binding between one or

more authenticators and the records pertaining to a specific subscriber;

  • Authenticator Assurance Level (AAL): the authentication process, including how additional

factors and authentication mechanisms can impact risk mitigation; and

  • Federation Assurance Level (FAL): the assertion used in a federated environment to

communicate authentication and attribute information to a RP.

  • SP 800-63 is a suite of four documents: SP 800-63-3 (the parent document; your starting point for all things digital identity and risk) and three additional documents – SP 800-63A, 800-63B, and 800-63C –which cover the various components of a digital identity system. These documents are described below:
  • SP 800-63-3, Digital Identity Guidelines, provides an overview of general identity frameworks,

guidance regarding use of authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels;

Minutes =

  • Chaired by Alex
  • Agenda approved (Kathleen, John)
  • Deferred to next call Security WG Call Minutes August 29, 2017
  • San Diego Sept WGM Agenda - Kathleen
    • Please review the News posted by Kathleen
    • Agenda was updated by Kathleen and schedule was reviewed
    • CBCC, SOA are included in Agenda
    • Mike Comment (1): Recommends we speak to SOA on Burts comments Pass Audit, t
    • Mike Comment (2): joint meeting with SOA may help with Burts comments
    • Mobile Health is included in joint
    • Comment (3) Diana: We should make participants aware of NISP changes and ballot reconciliation
    • Comment Mike (4): Security will no longer have a SOA Chair
    • Comment Kathleen (5): notified John she will include FHIR perimeters in Agenda, FHIR Ballot is out
      • will give the opportunity to discuss the SMART on FHIR and our role in the future (John)
    • Proposal: Mike proposed to remove Cascading OATH
  • Security Labels for HL7v.2 See Links below for background - Kathleen
    • Highlights and presentation still in progress and will be provided for group
    • Currently working on the following:
    • HIE using two message and connection with Trust Framework
    • HL7 Security Labels
    • Reviewing work of ONC on Security Labels and HIE
    • Privacy risk on HIE use of security labels
    • Links to HIE reports to ONC included under News
    • Can be a topic for joint meeting with CBCC
    • CBCC agenda is not yet updated
    • HL7 21st Cent. Cures act should also be included in Agenda (Mike)
  • Security WG Interim Health Metrics - presiding cochair
    • 100% complete comments
  • ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
    • Reviewed under "Security Labels for HL7v.2 See Links below for background" agenda item
    • Unsure of Jonathan will be attending
  • FHIR Security call - cancelled.
    • Call Adjourned