Talk:HL7 WGM SEPTEMBER 2014 - Chicago, Illinois USA Security WG

From HL7Wiki
Revision as of 15:08, 18 September 2014 by JohnMoehrke

Potential New Projects

  • Platform Consent-Decision service
    • The ask is for this to support FHIR; it may support others.
    • Would need to consider International mechanisms
      • Might need to have alternatives: OAuth/UMA vs SAML/XACML
    • Should be driven in Security WG, under SOA PASS Access Control
    • Note IHE - Secure Document Retrieve supplement is similar, using SAML/XACML but bound to XDS
  • Disclosure Event Recording
    • Profile of SecurityEvent for recording specifically a Disclosure
    • Based on PASS Audit
    • Could also include Disclosure Reporting
    • Could have Questionnaire
  • Update Security Risk Assessment cookbook to include Privacy-By-Design -- carefully integrating Privacy Impact Assessments with Security Risk Assessment.
    • Need set of Privacy and Security Terms
    • Need to make it more useful for HL7 WGs to use when building HL7 products
      • Useful: We need to make this lightweight, but effective.
      • Need one procedure; that procedure should have a library of existing work (e.g. Genomics Security from ISO)
    • Should we bring in a Functional specification (e.g. NIST 800-53 v4 which has security controls)? -- ISO-27799, Common Criteria,
    • Note NIST also has Security Considerations, and another new one on Privacy Considerations
    • Should we create an army of P&S Facilitators that know how to use the handbook and can aid workgroups on 'useful use'?
    • Should we approach Safety to integrate safety risk too?

Security (Privacy?) Tutorials/Webinars

  • Executing Privacy and Security Risk Assessment
    • Target: Facilitators, Co-Chairs
    • Focus on using our 'handbook' -- "Usefully" and compliant with HL7 process
    • Potentially a Sunday Afternoon, or
    • Could we do 1 hour Q0?
  • Policy Summit
    • Privacy Protected Patient Health Ecosystem
    • David
  • Webinars
    • Lower impact, and easier to target audience
    • November -- Three
  • Find what is needed
    • Send survey to whole HL7 community asking what they would like to see in tutorials/webinars