April 1, 2014 Security WG Conference Call
| Member Name | Present | Member Name | Present | Member Name | Present |
|---|---|---|---|---|---|
| Mike Davis, Security Co-chair | | John Moehrke, Security Co-chair | | Trish Williams, Security Co-chair | |
| Bernd Blobel, Security Co-chair | . | Johnathan Coleman | x | Kathleen Connor | x |
| Duane DeCouteau | | Reed Gelzer | . | Suzanne Gonzales-Webb, CBCC Co-chair | x |
| Rick Grow | x | David Henkel | x | Mohammed Jafari | |
| Don Jorgenson | . | Diana Proud-Madruga | x | Harry Rhodes | . |
| Ioana Singureanu | . | Richard Thoreson, CBCC Co-chair | . | Ross Freeman | . |
| Amanda Nash | | Walter Suarez | . | Tony Weida | x |
| Chris Clark | . | Paul Petronelli | x | | . |
- (05 min) Roll Call, Approve March 25, 2014 Security WG Conference Call Minutes & Accept Agenda
- (50 min) HL7 Meaningful Use 2015 NPRM Comments. The deadline for comments is April 2nd (tomorrow). Significant questions and issues to be addressed were sent in the list email.
Possible HL7 Privacy and Security Comment Areas:
- Options for EHR Module Privacy and Security certification criteria See Certification Policy for EHR Modules and Privacy and Security Certification Criteria and HITSC MU EHR P&S Certification Criteria Recommendations
- Authentication of Patients and Authorized Representatives for View, Download, Transmit
- Patients’ ability to control authorized representatives’ access to portions of their records
- Selection of two edge protocols that HISPs and Edge Systems should support and two they may support, along with their applicable Transport Security and Authentication requirements. Do the conformance statements make sense? Are there interoperability issues that could result from optionality? Are some protocols more secure than others?
- Secure Messaging and Integrity Criteria – any comments?
- Mandatory notification standards – do they add value?
- (05 min) Agenda: May 2014 Working Group Meeting Agenda Items
Meeting Minutes DRAFT
- WG voted to unanimously approve the March 18, 2014 meeting minutes
- WG voted unanimously to approve the March 25, 2014 minutes, with the proviso that Suzanne add the link to John’s slides
- Mike announced items that should be added to the WG meeting in Phoenix in May (read the last section in the minutes below)
Relevant links are:
- NPRM in Federal Register: Voluntary 2015 Edition Electronic Health Record (EHR) Certification Criteria; Interoperability Updates and Regulatory Improvements
- Certification Policy for EHR Modules and Privacy and Security Certification Criteria
- HITSC MU EHR P&S Certification Criteria Recommendations
- HL7 PAC 2015 Edition NPRM Response Notes
- ONC Implementation Guide for Direct Edge Protocols
These comments need to get to the HL7 Policy Committee tomorrow. Kathleen thought some of the items could use input from our group; she has a lot of background on them.
Kathleen - I will say that I’m not totally up to speed on everything. I just sent out a lengthy email regarding the NPRM. I guess what I’d like to do is work through John’s response to what I emailed. The brief thing I wanted to show was John’s response to my email from earlier. They are proposing that EHRs be able to filter on various metadata. I don’t know if they’ll want facility codes. If it were facility codes, you can indicate in the header of a CDA if a mental health or substance abuse facility. It would be helpful in understanding if a particular patient health record contains substance abuse information. John seems to agree with me, got the gist of what I was saying.
Mike - I think I understand John’s 2nd comment better than the 1st comment. This requirement is for CQM. I guess my only hesitation here is that these measures are for CQM purposes, and the fact that somebody else could use them for other purposes is nice, but it’s sufficient that the comments be directed toward the suitability for CQM and not for other special uses. It’s a bit gratuitous to me. We don’t know that these really provide us with sufficient information to really support a robust access control system.
Kathleen - I would agree. I can take care of the next comment. This is the standards committee letter where they are seeking recommendations for the next EHR certification.
Mike - I recall this being discussed within the committee. I remember a bulleted list of services that were being discussed. So, what are we doing with it? I guess, since I’m on this committee, I’d recommend option 3. This is the world we live in. It’s a world of challenges. If we didn’t have challenges, we couldn’t go forward.
Kathleen - Anything else other than me commenting positively on option 3? The challenges are not really clear. They are proposing that the ONC guide for delivery notifications be expired.
Mike - Regarding the integrity comment. Something’s wrong with this one. I think this is wrong. I think NIST has said that SHA-1 will not be accepted after December of this year. You have to go to SHA-256. They’re specifying an obsolete thing. I don’t care about exceptions. We should say that we do not concur, that NIST has already established that SHA-1 should not be used. There is an official publication on the NIST site. The NIST reference on the use of SHA-1 is NIST 131A.
Diana - NIST 131A is “Recommendations for Transitioning the Use of Cryptographic Algorithms and Key Lengths.”
Mike - 1. Ballot Reconciliation for 2 ballots:
a. the Privacy Consent Directive Implementation Guide, and
I’m planning to have Duane dial in again for the Joint session to update us where we are with the Data Segmentation for Privacy and FHIR;
2. DS4P (Duane in FHIR)
3. Tony Weida - creating an interface that will allow the creation of security policies based on the Ontology;
4. Work with SOA - PASS Security Architecture (an existing project; just necessary to dust it off and get it going again)
5. Conversation with EHR, Steve Hufnagel
6. Security and Privacy DAM
7. Mind Map - Diana, Tony - presentation / subject for discussion
8. Joint Security Conversation for Data Provenance (Johnathan); future use of provenance
9. Ask John Moehrke about educational sessions - are we moving this out of our main agenda?
10. Security co-chair: Bernd's position ends in May 2014; unsure who will be running for his position
11. CBCC Co-Chair replacement for Richard
12. Patient Natural Language Project