This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "March 1, 2016 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
m
 
(7 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!
 
|-
 
|-
||  X|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
+
||  x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
 
||||.|| [mailto:duane.decouteau@gmail.com Duane DeCouteau]
 
||||.|| [mailto:duane.decouteau@gmail.com Duane DeCouteau]
 
||||.|| [mailto:Chris.R.Clark@wv.gov Chris Clark]
 
||||.|| [mailto:Chris.R.Clark@wv.gov Chris Clark]
Line 22: Line 22:
 
||  .|| [mailto:trish.williams@ecu.edu.au Trish Williams]Security Co-chair
 
||  .|| [mailto:trish.williams@ecu.edu.au Trish Williams]Security Co-chair
 
||||.|| [mailto:gary.dickinson@ehr-standards.com Gary Dickinson]
 
||||.|| [mailto:gary.dickinson@ehr-standards.com Gary Dickinson]
||||x|| [mailto:dsilver@electrosoft-inc.com Dave Silver]
+
||||.|| [mailto:dsilver@electrosoft-inc.com Dave Silver]
 
      
 
      
 
|-
 
|-
Line 31: Line 31:
 
|-
 
|-
 
||  x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
 
||  x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
||||.|| [mailto:mailto:robert.horn@agfa.com Rob Horn]  
+
||||x|| [mailto:mailto:robert.horn@agfa.com Rob Horn]  
 
||||.|| [mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
||||.|| [mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
  
Line 42: Line 42:
 
||  x|| [mailto:rgrow@technatomy.com Rick Grow]
 
||  x|| [mailto:rgrow@technatomy.com Rick Grow]
 
||||.|| [mailto:pknapp@pknapp.com Paul Knapp]   
 
||||.|| [mailto:pknapp@pknapp.com Paul Knapp]   
||||.|| [mailto:Debbie.Bucci@hhs.gov Debbie Bucci]
+
||||x|| [mailto:Mayada.Abdulmannan@va.gov Mayada Abdulmannan]
 
|-
 
|-
  
Line 53: Line 53:
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
|-
 
|-
||  .|| [mailto:Beth.Pumo@kp.org Beth Pumo]
+
||  X|| [mailto:Beth.Pumo@kp.org Beth Pumo]
 
||||.|| [mailto:russell.mcdonell@c-cost.com Russell McDonell]
 
||||.|| [mailto:russell.mcdonell@c-cost.com Russell McDonell]
 
||||.|| [mailto:paul.petronelli@gmail.com Paul Petronelli ], Mobile Health
 
||||.|| [mailto:paul.petronelli@gmail.com Paul Petronelli ], Mobile Health
 
|-
 
|-
 
||  .|| [mailto:cdoss@ncat.edu Christopher Doss]
 
||  .|| [mailto:cdoss@ncat.edu Christopher Doss]
||||.|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
+
||||X|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
 
||||.|| [mailto: Stephanie Dyke ]
 
||||.|| [mailto: Stephanie Dyke ]
 
|-
 
|-
Line 69: Line 69:
 
# ''( 5 min)'' '''Roll Call, Agenda Approval'''
 
# ''( 5 min)'' '''Roll Call, Agenda Approval'''
 
# ''( 5 min)'' '''Approve [http://wiki.hl7.org/index.php?title=February_23,_2016_Security_Conference_Call February 23, 2016 Security WG Conference Call Minutes]
 
# ''( 5 min)'' '''Approve [http://wiki.hl7.org/index.php?title=February_23,_2016_Security_Conference_Call February 23, 2016 Security WG Conference Call Minutes]
# ''( 30 min)'' '''TBD'''
+
# ''( 5 min)'' '''PASS Access Control Services Conceptual Model''' - Diana
# ''( 5 min)'' ''' Privacy and Security by Design PSS discussion'''
 
 
# ''( 5 min)'' '''Joint Vocabulary Alignment Update''' - Diana
 
# ''( 5 min)'' '''Joint Vocabulary Alignment Update''' - Diana
 +
# ''( 5 min)'' '''PASS Audit Conceptual Model – Diana
 
# ''( 5 min)'' '''FHIR Security '''report out  - John  
 
# ''( 5 min)'' '''FHIR Security '''report out  - John  
# ''( 5 min)'' '''PASS Audit Conceptual Model – Diana
 
  
 
Note that there will be a FHIR Security call at 2pm PT/5pm ET
 
Note that there will be a FHIR Security call at 2pm PT/5pm ET
Line 79: Line 78:
  
 
= Minutes =
 
= Minutes =
#Consensus approval of Feb 23 minutes  
+
*Alex chaired.
#EHR Lifecycle Discussion:
+
*Consensus approval of the agenda and Feb 23 minutes  
#
+
*Joint Vocabulary Alignment Discussion update:  Diana reported that work continues to refine approach to model
 +
*PASS Access Control - Diana is still working on disposition of Bernd's comments
 +
*PASS Audit Conceptual Model Discussion: Diana reported that work is still underway.
 +
*John reported on FHIR Security - discussed the CPs in the block vote for the FHIR Security call later in the day. 
 +
*Mike Davis and Oliver Lawless discussed Oliver's email comments about current FHIR AuditEvent and Provenance CPs and related vocabulary proposals that Security submitted for Harmonization.  Main focus was on whether and how AuditEvent and Provenance Resources, their elements, and vocabulary bindings are related.  Mike cited W3C PROV as foundational for FHIR Provenance, and statement from Satya Sahoo, one of the PROV authors, that the standard considers audit to be a specialization of provenance.  Mike referred the group to the [http://www.csl.sri.com/users/gehani/papers/MW-2012.SPADE.pdf SPADE: Support for Provenance Auditing in Distributed Environment] paper Section 3.1, which discusses how audit is used to provide provenance information. 
 +
*Oliver argued that HL7 value sets should be defined by structuring the document for the implementer, and should be mapped to existing standards.  He stated that many codes seemed to be missing.  Kathleen stated that those codes are included in the sub-value sets being proposed for ProvenanceEvent.  Mike discussed the need for these codes to support the business requirements, and that implementer's need to understand the vocabulary from that perspective.
 +
*Several stated that there should be specific activity value sets for AuditEvent and Provenance.  Kathleen pointed out that AuditEvent has additional audit specific activity value set bindings to AuditEvent.type and AuditEvent.subtype, and that the CRUDE value currently bound to AuditEvent.activity and via are in the DataOperations sub-value set.
 +
*The differences between the set of elements capturing various perspectives on the "action" recorded by audit [i.e., AuditEvent.type, AuditEvent.subtype, and AuditEvent.activity] and AuditEvent.lifecycle [defined as "Identifier for the data life-cycle stage for the object"] were discussed in light of CP 9417.  Due to time limitations, this discussion was tabled until the FHIR Security call.
 +
*Rob McClure joined the call to discuss issue referred to Security by Vocabulary WG:  FHIR Terminology Servers will be providing access to SNOMED, which is an IP bound code system. The current HL7 approach for dealing with this IP issues are insufficient for this use case.  Rob asked whether Security WG knows of any standard or technology that could be promoted to FHIR, which support the need for users to validate that they have a proper SNOMED license.  E.g., could a licensed requestor/receiver have a token issued that verifies that the user is licensed to access/use SNOMED?
 +
*Kathleen noted that while FHIR recommends OAuth 2.0 for authentication, there is no FHIR profile on OAuth to support, e.g., use of ABAC claims assertions, and that SNOMED Licensees could be considered a Compartment if included as part of a clearance.  Rob will consider drafting a project scope statement proposing that an approach such as this be considered for development.

Latest revision as of 17:35, 7 March 2016

Back to Security Work Group Main Page

Attendees

x Member Name x Member Name x Member Name
x Kathleen ConnorSecurity Co-chair . Duane DeCouteau . Chris Clark
x John MoehrkeSecurity Co-chair . Johnathan Coleman . Aaron Seib
. Alexander Mense Security Co-chair . Ken Salyards . Christopher D Brown TX
. Trish WilliamsSecurity Co-chair . Gary Dickinson . Dave Silver
x Mike Davis . Ioana Singureanu . Mohammed Jafari
x Suzanne Gonzales-Webb x Rob Horn . Galen Mulrooney
x Diana Proud-Madruga . Ken Rubin . William Kinsley
x Rick Grow . Paul Knapp x Mayada Abdulmannan
x Glen Marshall, SRS . Bill Kleinebecker x Christopher Shawn
. Oliver Lawless . ... . Serafina Versaggi
X Beth Pumo . Russell McDonell . Paul Petronelli , Mobile Health
. Christopher Doss X Kamalini Vaidya . [mailto: Stephanie Dyke ]

Back to Security Main Page

Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve February 23, 2016 Security WG Conference Call Minutes
  3. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  4. ( 5 min) Joint Vocabulary Alignment Update - Diana
  5. ( 5 min) PASS Audit Conceptual Model – Diana
  6. ( 5 min) FHIR Security report out - John

Note that there will be a FHIR Security call at 2pm PT/5pm ET See agenda at FHIR Security Agenda

Minutes

  • Alex chaired.
  • Consensus approval of the agenda and Feb 23 minutes
  • Joint Vocabulary Alignment Discussion update: Diana reported that work continues to refine approach to model
  • PASS Access Control - Diana is still working on disposition of Bernd's comments
  • PASS Audit Conceptual Model Discussion: Diana reported that work is still underway.
  • John reported on FHIR Security - discussed the CPs in the block vote for the FHIR Security call later in the day.
  • Mike Davis and Oliver Lawless discussed Oliver's email comments about current FHIR AuditEvent and Provenance CPs and related vocabulary proposals that Security submitted for Harmonization. Main focus was on whether and how AuditEvent and Provenance Resources, their elements, and vocabulary bindings are related. Mike cited W3C PROV as foundational for FHIR Provenance, and statement from Satya Sahoo, one of the PROV authors, that the standard considers audit to be a specialization of provenance. Mike referred the group to the SPADE: Support for Provenance Auditing in Distributed Environment paper Section 3.1, which discusses how audit is used to provide provenance information.
  • Oliver argued that HL7 value sets should be defined by structuring the document for the implementer, and should be mapped to existing standards. He stated that many codes seemed to be missing. Kathleen stated that those codes are included in the sub-value sets being proposed for ProvenanceEvent. Mike discussed the need for these codes to support the business requirements, and that implementer's need to understand the vocabulary from that perspective.
  • Several stated that there should be specific activity value sets for AuditEvent and Provenance. Kathleen pointed out that AuditEvent has additional audit specific activity value set bindings to AuditEvent.type and AuditEvent.subtype, and that the CRUDE value currently bound to AuditEvent.activity and via are in the DataOperations sub-value set.
  • The differences between the set of elements capturing various perspectives on the "action" recorded by audit [i.e., AuditEvent.type, AuditEvent.subtype, and AuditEvent.activity] and AuditEvent.lifecycle [defined as "Identifier for the data life-cycle stage for the object"] were discussed in light of CP 9417. Due to time limitations, this discussion was tabled until the FHIR Security call.
*Rob McClure joined the call to discuss issue referred to Security by Vocabulary WG:  FHIR Terminology Servers will be providing access to SNOMED, which is an IP bound code system. The current HL7 approach for dealing with this IP issues are insufficient for this use case.  Rob asked whether Security WG knows of any standard or technology that could be promoted to FHIR, which support the need for users to validate that they have a proper SNOMED license.  E.g., could a licensed requestor/receiver have a token issued that verifies that the user is licensed to access/use SNOMED?
  • Kathleen noted that while FHIR recommends OAuth 2.0 for authentication, there is no FHIR profile on OAuth to support, e.g., use of ABAC claims assertions, and that SNOMED Licensees could be considered a Compartment if included as part of a clearance. Rob will consider drafting a project scope statement proposing that an approach such as this be considered for development.