May 2018 CBCP Working Group Meeting - Cologne, Germany

From HL7Wiki
Jump to navigation Jump to search

Community-Based Care and Privacy (CBCP)

formerly Community Based Collaborative Care (CBCC)

DRAFT 2018 May Working Group Meeting - Cologne, Germany - CBCP WORKING GROUP

Community-Based Care and Privacy (CBCP) WORKING GROUP SESSIONS

Q1 = 9:00 – 10:30 am / Q2 = 11:00 – 12:30 pm / Q3 = 1:45 – 3:00 pm / Q4 = 3:30 – 5:00 pm

Back to CBCP Wiki: Meetings

Agenda and Meeting Minutes

Day Date Qtr Time AGENDA ITEMS Session Leader Room
SUN MAY 13 Q1 9:00-10:30 No Meeting .
Q2 11:00-12:30 No Meeting .
Q3 1:45 -3:00 No Meeting .
Q4 3:30 -5:00 No Meeting .
MON MAY 14 Q1 9:00-10:30 No Meeting .
Q2 11:00-12:30 No Meeting .
Q3 and Q4 1:45 -3:00 /

3:30-5:00

Joint CBCP , Hosting Security
  • Welcome and Introductions
  • Agenda Review
  1. Is Privacy Obsolete PPT - (Kathleen for Mike Davis)
  2. Joint Project report out
  3. US and International Report out
  4. Joint Project review
  • Security and Privacy advancements since last WGM, informal/around the room

NEW discussion items; NEW projects; NEW PSS, etc. - note: 10 min timestamp

CBCP Room TBD
TUE MAY 15 Q1 9:00-10:30 No Meeting . .
Q2 11:00-12:30
  • (tentative) Security and Privacy > GPDR

GDPR, Patient Engagement and CBCP(discussion)

GDPR discussion: We should define:

  • how to request for transfer of data
  • how to request erasure
  • how to respond with a confirmation or rejection of either request .....
    • we should have a GPDR implementation guide
  • Most of the exceptions to erasure apply in healthcare, and there'll rarely be any actual erasure:
    • Organisations can refuse to comply with a request for erasure if:
      • The processing is protected by the right to freedom of expression;
      • Processing the data is necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
      • The data is for health purposes in the public interest;
      • The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
      • The processing is necessary to exercise or defend legal claims.
. -
Q3 1:45-3:00 Joint CBCP, Hosting Security

Proposed Topics: HL7 Project status and updates:

  1. ONC Research Patient Choice (confirm w/Johnathan)
  2. Security and Privacy Outreach for member recruitment (discussion)
CBCP Room TBD
Q4 3:30 - 5:00
  • ONC Patient Choice Pilot(s) - (confirm with Johnathan)
  • Security, CBCP topics discussion if time avaialble
. Room TBD
Q5 5:15-6:15 Birds of a Feather (1): . Room TBD
WED MAY 16 Q1 9:00-10:30 Joint w/EHR Hosting: Security, CBCP, SOA, FHIR

See EHR Agenda for topics Electronic Health Records Hosting

EHR Hosting Room TBD
Q2 11:00-12:30 CBCP
  • Planning, Co-chair administrative
    • next WGM agenda prep, requests for next WGM
CBCP Room TBD
Q3 1:45 -3:00
  • No meeting
Room TBD
Q4 3:30 -5:00 JOINT with Behavioral Health Interest Group
  • Review of Behavioral Health Dam - Ioana or Neelima? (tentative)
CBCP Room TBD
THU MAY 17 Q1 9:00-10:30 Joint Security hosting CBCP, FHIR-I
  • FHIR GDPR and Patient Engagement - David Pyke
@ Security Room TBD
Q2 11:00-12:30
  • CBCP to Security meeting (Security hosting)
@ Security Room TBD
Q3 1:45 - 3:00
. Room TBD
Q4 3:30 - 5:00
Room TBD
FRI MAY 18 Q1 9:00-10:30 No Meeting .
Q2 11:00-12:30 No Meeting .
Q3 1:45 -3:00 No Meeting .
Q4 3:30 -5:00 No Meeting .

Back to CBCP Wiki: Meetings


Back to CBCP Wiki Meetings

Meeting Minutes Draft

Back to CBCP Wiki: Meetings

https://www.hl7.org/permalink/?WikiMinutesTemplate Monday, Q3 (10 Attendees + Chair)

  1. Connectathon Report-out: Using PKI in FHIR presentation from EMR Direct using UDAP Profiles

(Presentation Deck to be appended)

  • Using X.509 certs with FHIR API
    • Mutual TLS client-server auth
    • Auth JWTs for backend services
    • Dynamic client registration backed by trusted certs
    • Client ID won't be sufficient so use PKI instead of shared secrets
  • JWT signature submitted -> Validated to Public Key -> allows forwarding of JWT to Policy Engine
    • has controls (length of validity, etc.) to prevent replay
    • based on pre-registered information (user credentials)
    • governance hard-coded in Policy Engine
  • Cert-based JWT flow/Trust Bundle flow
    • Uses AnT (Authentication Token)
    • AnT included in all TLS submissions to Auth (policy) server
    • Returns an Auth token (organization, user, etc.)
    • The trust bundle flow includes PK Issuer (CA) into signature as well
    • LoA3 requirements for both Patient/Covered Entity and CA Issuer auth request
    • Software statements (software signed, not provider/client signed) can be done dynamically for limited use cases

Monday, Q4

  1. International Report Out
  • In 2020, Japan will have a full patient national ID
  • Canada has begun requiring statistics collection of Privacy breaches, the privacy commissioner will report out nationally
  • Privacy breaches reporting has begun in Australia, 25% were healthcare providers
  • In the US, ransomware is a breach
  • the EU NIS (cybersecurity) directive deadline for national transposition into law was last week. Many countries (Austria) have missed the deadline. There for in Austria only critical infrastructure is applicable
  • AS4 Security has been mandated and IHE is setting up a new Document Sharing set of options based on AS4 requirements
  • Switzerland: Launched a working model for a national HIE based on an upcoming new restricted national ID and IHE profiles. Double opt-in (clinicians and patients may) should be live by 2022. Privacy restrictions will be patient based. Documentation will be sent to the CBCP list
  • ISO: Audit trail discussions (27789 Audit Trail for EHR) Change proposal to keep conformance with ATNA, etc. Some vocabulary, such as purpose of use, is not harmonized among SDOs. ISO will harmonize/constrain/map these vocabularies as part of their process.
  1. New Projects
  • TF4FA is going normative,
  • Bernt's cube is being referenced into ISO3606

Adjourned 4:43PM