
March 22, 2016 Security Conference Call

From HL7Wiki
Latest revision as of 19:12, 29 March 2016


Attendees

x   Member Name                           x   Member Name          x   Member Name
x   Kathleen Connor, Security Co-chair    .   Duane DeCouteau      .   Chris Clark
x   John Moehrke, Security Co-chair       .   Johnathan Coleman    .   Aaron Seib
.   Alexander Mense, Security Co-chair    .   Ken Salyards         .   Christopher D Brown TX
.   Trish Williams, Security Co-chair     .   Gary Dickinson       x   Dave Silver
    Mike Davis                            .   Ioana Singureanu     .   Mohammed Jafari
x   Suzanne Gonzales-Webb                 .   Rob Horn             .   Galen Mulrooney
x   Diana Proud-Madruga                   .   Ken Rubin            .   William Kinsley
x   Rick Grow                             .   Paul Knapp           x   Mayada Abdulmannan
x   Glen Marshall, SRS                    .   Bill Kleinebecker    .   Christopher Shawn
.   Oliver Lawless                        .                        .   Serafina Versaggi
x   Beth Pumo                             .   Russell McDonell     .   Paul Petronelli, Mobile Health
.   Christopher Doss                      .   Kamalini Vaidya      .   TBD


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve Security WG March 15 Minutes
  3. (10 min) Review updated P&SbD PSS - Rick
  4. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PASS Audit Conceptual Model – Diana
  7. ( 5 min) FHIR Security report out - John
    • Any changes expecting to be tested at the next FHIR Connectathon need to be submitted into the build by March 27th.

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See agenda at FHIR Security Agenda.

Minutes

  1. John chaired. Agenda and Minutes approved.
  2. Rick discussed the updated P&SbD PSS, the Risk Section, and FHIR test scripts based on the TestScript Resource (http://hl7-fhir.github.io/testscript.html).
  3. Review updated P&SbD PSS, Discussion, Rick:
  • Reviewed the scope statement
  • Added a bullet to show the impact on FHIR
  • Areas that were changed have been highlighted
  • FMG has been added as an interested party
  • Test Scripts were added

P&SbD PSS Project Risk and Issues:

  • (John & Kathleen) FHIR test scripts are not sufficient; more detail on Privacy and Security is needed
  • What requirements are we exercising with the test scripts that are approved by the FHIR Management Group?
  • Possible issue of validating test scripts
  • Need to ensure developer and SME resource availability to develop the scripts
  • Policy must be declared for test scripts, which will follow from use cases that make sense for Connectathons, but the use case policies are not binding on the spec.
  • The threat environment is extremely dynamic; it may be necessary to pick an unrealistic set of threats as an example if that is what is being tested. However, these test scripts are not intended to be bound to any particular "risk assessment".
  • Note: HL7 risk is internal (Rick)
  • Note: Test scripts are not being balloted, they are being exercised (Kathleen)

Comments/Question:

  • John needed more clarity on the last portion of the presentation: why are test scripts attached to the PSS?
  • Answer: Kathleen approached the Standards Governance Board (SGB); they did not want a Guide.
  • SGB requested that the Guide be exercised by creating FHIR test scripts.
  • CBCC and Security would start creating test script profiles so that they are available for Connectathon use.
  • Next Step: Obtain feedback from the Standards Governance Board, CBCC, and interested parties.
  • Motion approved (Kathleen, John, Suzanne) 3/0/0:
  • Motion to approve; if there are any substantive changes, the Security WG would be able to weigh in on the decision.

Rick invited members to attend the joint project meetings (ARB, CBCC, Security) held Wednesdays at 4 p.m. Eastern. Meeting information and invites have been sent to the list and are available on the HL7 conference site.

PASS, Joint Vocabulary, and FHIR Security Report Outs

  • PASS Access Control Services Conceptual Model – Diana: NTR; waiting to hear back from Alex on Bernd's comments.
  • Joint Vocabulary Alignment Update – Diana – NTR: the Vocab Alignment meeting was cancelled.
  • PASS Audit Conceptual Model – Diana – NTR.
  • FHIR Security report out – John: Continued work on signature and harmonization. No issues to report.