April 5, 2016 Security Conference Call

From HL7Wiki (latest revision as of 17:45, 12 April 2016)

Attendees

x = present, . = absent

x Kathleen Connor, Security Co-chair    . Duane DeCouteau       . Chris Clark
. John Moehrke, Security Co-chair       . Johnathan Coleman     . Aaron Seib
. Alexander Mense, Security Co-chair    . Ken Salyards          . Christopher D Brown TX
. Trish Williams, Security Co-chair     . Gary Dickinson        x Dave Silver
x Mike Davis                            . Ioana Singureanu      . Mohammed Jafari
x Suzanne Gonzales-Webb                 . Rob Horn              . Galen Mulrooney
x Diana Proud-Madruga                   . Ken Rubin             . William Kinsley
x Rick Grow                             . Paul Knapp            x Mayada Abdulmannan
x Glen Marshall, SRS                    . Bill Kleinebecker     . Christopher Shawn
. Oliver Lawless                                                . Serafina Versaggi
. Beth Pumo                             . Russell McDonell      . Paul Petronelli, Mobile Health
. Christopher Doss                      . Kamalini Vaidya

Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve Security WG March 29, 2016 Minutes
  3. (10 min) PSS Proposal for a Privacy Impact and Security Risk Assessment IG to support the P&SbD IG.
  4. (10 min) Privacy & Security by Design - update - Rick
  5. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  6. ( 5 min) Joint Vocabulary Alignment Update - Diana
  7. ( 5 min) PASS Audit Conceptual Model – Diana
  8. ( 5 min) FHIR Security report out - John

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See agenda at FHIR Security Agenda.


Minutes

  • Chaired by Kathleen
  • Approved March 29, 2016 Minutes
  • PSS Proposal for a Privacy Impact and Security Risk Assessment IG to support the P&SbD IG. (Mike Davis)

  - Received a request from another WG to provide some material on the impact on Privacy
  - Privacy and Security is a requirement of HIPAA within the VA
  - Privacy and Security are interdependent
  - The PSS provides the ability for a project to do Privacy by Design ("cookbook" process)
  - The Privacy Impact Assessment is similar to a Risk Assessment and focused on a set of criteria
  - Comment (Glen): We have the potential to create a process between Privacy Impact Assessment and Security Impact Assessment.
  - Comment (Mike): Privacy Impact Assessment is similar to a Risk Assessment. OASIS Privacy by Design is moving towards a standard, and we should incorporate it for uses within healthcare.
  - Comment (Glen): There will be interactions between Privacy Risk Assessment (looking at the impact on Privacy) and the Security impact, and to look at the total impact. The Risk to Privacy impacts the Risk to Security, except in the overlap space.
  - Comment (Mike): The mechanism of addressing Privacy belongs in security. Add a product Privacy Risk Assessment as a complement to Risk Assessment. The project proposal at the moment focuses more on Privacy by Design.
  - Comment (Kathleen): We should keep Privacy and Security separate to keep them manageable by having a separate project scope statement, although they are interrelated.
  - Comment (Mike): A Privacy Impact Statement is the same as a Risk Assessment; it is not a design for a system. You design a system to mitigate the risk. The Privacy by Design project should be at a higher level, oriented to meeting the privacy requirements, not the risk. The Risk Assessment is separate, to see if we met the requirements.
  - Question (Kathleen): Do we put this in Privacy by Design or create a separate project?
  - Comment (Rick): I think we should invite the Architecture Board for the next vote.
  - Mike: Disagrees with inviting the Architecture Board. OASIS Privacy by Design is on a 6 month break, and would like to put this discussion on hold. Mike will speak to Ann from OASIS.
  - Comment (Glen): HL7 did not approve the Risk Assessment/Security.
  - Comment (Mike): Does not see the value in proceeding with the Privacy side if the Risk/Security Assessment has not been accepted.
  - Next Step (Kathleen): Topic to be deferred

  • Privacy & Security by Design - update - Rick

  - Scheduling a meeting with ARB, CBCC, and Security co-chairs to come to a mutual understanding of what to see from the result of the project
  - From the discussion during the CBCC call, we will look to modify it to look at the procedural flow of the Privacy and Security high level concepts
  - Example: map the relationship between Consent (a type of permission/policy, where the policy is specified in the contract) and Policy (a policy is specified in a contract)
  - Question (Glen): Is the CBCC aware of our (Security WG) Privacy and Security Domain Analysis Model?
  - Answer (Rick): My next step will be to introduce them to the Security Domain Analysis Model, and then move forward with Privacy by Design

  • PASS Access Control Services Conceptual Model - Diana

  - Received a response from John D. and will forward the information to Mike and Alex to complete the last of the comments
  - This is the last outstanding item and may lead to the withdrawal of the negative vote
  - PASS: we voted on PSS Audit Key, made minor edits
  - (A) Shared Scope Statement; after comments, will present to the entire group, and once everyone agrees, will share with the Steering Division. Shared with the CBCC group; they will vote on it next week. (This is a new PSS)
  - Comments on Scope Statement from group:
    - No comments on Scope
    - Concurrence (Glen & Mike): The original scope was for security surveillance purposes, and we were not at the time covering Provenance; Transaction Log is to be separate. Take out the words "Audit trail" and "Changes to Clinical Information" followed by brackets "(Transaction Log)". Propose to follow the model of Access Control.
    - Next Step: To add PASS-like text, following the form of the past Access Control
  - Comments on Out of Scope:
    - (Diane) Capture of persistence of audit trail in changes to clinical information

  • Joint Vocabulary Alignment Update - Diana

  - NTR from meeting
  - Invited Gary to shed light on past cycle events

  • PASS Audit Conceptual Model – Diana

  - NTR

  • FHIR Security report out - John

  - NTR