HL7 WGM MAY 2017 - Madrid Spain AGENDA


HL7 MAY WGM Event BROCHURE Link

TBD Madrid WGM SITE

Minutes: May 2017 Security WGM Minutes Madrid, Spain


AGENDA

Day Date Qtr Time Event Session Leader Room
SUN MAY 7 Q1 10:00-11:30 International Affiliates/Connectathon Report Out International Affiliates/Connectathon TBD
Q2 12:00-1:30 International Affiliates/Connectathon Report Out International Affiliates/Connectathon TBD
Q3 2:45-4:00 Cochair FHIR Session FHIR MG TBD
Q4 4:30-6:00 Cochair Vocabulary Session Vocabulary WG TBD
MON MAY 8 Q1 10:00-11:30 . No Meeting .
Q2 12:00-1:30 . No Meeting .
Q3 2:45-4:00 Joint CBCC - Security CBCC hosting Security Alcudia
Q4 4:30-6:00 Joint with CBCC – New discussion items and projects CBCC hosting Security Alcudia
TUE May 9 Q1 10:00-11:30 Opening Security WG Meeting
  • Introductions
  • Approval of agenda
  • International Report outs
  • HL7 Policy Advisory Committee update
  • Liaison Reports: ISO, IHE, ONC
  • HL7 Project status and updates:
    • FHIR Security - AuditEvent, Provenance, Security Labels
    • Trust Framework - Ballot Report and WGM Reconciliation Plans, Links to FHIR Security
    • SLS Revisions - WGM Development Plans, Links to FHIR Security
    • SOA Audit - Status, Development Plans, Links to FHIR Security
    • FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM
Security Chinchon
Q2 12:00-1:30 Trust Framework Work Session Security Chinchon
Q3 2:45-4:00 CBCC FHIR-I Joint on FHIR Consent Resource CBCC hosting Security, MH Alcudia
Q4 4:30-6:00 Security WG Project Meeting Security Chinchon
WED MAY 10 Q1 10:00-11:30 Joint w/ EHR, CBCC, FHIR, SOA, Security
  • 1st hour: Discussion with AEGIS Team on development of a FHIR Privacy, Security, Provenance, and Digital Ledger Technology Conformance Testing Suite. The expectation is that WGs will bring any test cases [e.g., Cascading OAuth for Patient Right of Access] that have been developed, or input to test cases.
  • Last 30 Minutes: Bernd Blobel will brief us on the imminent need for standards such as the FHIR Security Labeling, and the Provenance and AuditEvent Resources, to meet the EU General Data Protection Regulation requirements in 2018.
EHR hosting Security, CBCC, FHIR-I Oxford
Q2 12:00-1:30 Joint w/ SOA
  • Tentative Agenda Items:
    • PASS Audit topics (joint w Security, CBCC, SOA)
SOA hosting Security La Puebla
Q3 2:45-4:00 Security WG deep FHIR topics
  • Josh assigned FHIR Core team
  • SMART on FHIR
    • Deep dive on HOW it does this
    • Experience from the field
    • Are there known stepping-stones?
    • Work on how FHIR should address SMART vs HEART vs IUA vs TLS vs others
    • Various use-cases
      • User using browser app
      • User using mobile App
      • System-to-system (e.g. organization to organization)
  • Introduction to CDS Hooks
    • Some points that might not be fully clear about why I am interested in CDS Hooks. First, the security workgroup knows that we are not experts on medical information. We see the general concept of CDS to be a service that fully understands medical information. Thus we call up the general concept to tell us if there are sensitive health topics. This is what we have encapsulated in the SLS. So, wondering how we can leverage CDS Hooks similarly. I think this is what Grahame was referring to with the point about suggesting security tags to the user. It would be best if the user doesn't need to think about security-tags, although they should be able to change them authoritatively with proper authorization. Adding a layer that can transparently assess the data using current CDS knowledge and expertise to apply proper security-tags.
    • The other point is that to fully protect healthcare data to the very fine-grain level that some envision, we need not only security assessment of the data in create/update, or resting, but also during accessing. Today OAuth scopes are very simplistic (i.e. SMART), but eventually they need to get more detailed and multi-layered. Way beyond what OAuth standards support today. The interpretation of the OAuth security token, relative to the query requested, and the results it uncovers, should be done by some security layer that is aware of FHIR, but is not fundamentally changing the baseline concept that is FHIR. --- So I am looking at what you have done with CDS Hooks to see if there is something similar that can be done to advance the capability toward more fine-grain authorization enforcement.
    • Background materials from Kevin Shekleton: CDS Hooks slide deck from the HSPC HIT Developers Conference today. Presentation was recorded and when available will share that link in the Speaker Deck description for the presentation.
Security hosting FHIR-I Alcudia
Q4 4:30-6:00 Security WG Project Meeting Security Chinchon
THU MAY 11 Q1 10:00-11:30 Security Joint with CBCC,FHIR-I
  • Josh assigned FHIR Core team
  • FHIR Priorities (email from Lloyd) http://lists.hl7.org/read/archive?id=312425
  • Continued: FHIR Connectathon Privacy and Security testing scenarios
  • How might GraphDefinition be used with Provenance? How might it be used in Audit Analysis/Reporting?
  • How might a client that gets subsetted/redacted data be enabled to do Update/Patch?
    • Subsetted by _summary
    • Subsetted by some client request (not yet available, is this a FHIR-I work item?)
      • Some mechanism that is based on profiles, where client asks data to be subsetted to the constraints in a profile
    • Subsetted by redaction rules -- where communicating the redaction result
    • So that, when an update happens, the server knows that the client is NOT asking to have the missing elements removed from the server copy.
    • What might be issues?
  • Can we use a general subsetting type of a profile to enable more complete de-identification algorithms?
Security hosting CBCC, FHIR-I Marsella
Q2 12:00-1:30 Security WG Project Meeting
  • July Harmonization Proposals: Signature Types
    • Addition to FHIR Agent value set
    • POU additions - HTEST, Research Consent POUs
    • Addition to FHIR ProvenanceEvent value set for export, disclose, import, receive, disassemble, decompose, which are in the Lifecycle Event matrix. Needed for Provenance Lifecycle test script.
Security Chinchon
Q3 2:45-4:00 . .
Q4 4:30-6:00 . .
FRI MAY 12 Q1 10:00-11:30 . .
Q2 12:00-1:30 . .
Q3 2:45-4:00 . .
Q4 4:30-6:00 . .



Session Type:

Business Meeting
Technical Meeting
Ballot Reconciliation