This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "HL7 FHIR Security 2016-6-28"

From HL7Wiki
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 16: Line 16:
 
|-
 
|-
 
||  x||[mailto:john.moehrke@ge.med.com John Moehrke] Security Co-Chair
 
||  x||[mailto:john.moehrke@ge.med.com John Moehrke] Security Co-Chair
||||x||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
+
||||.||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
 
||||x||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
 
||||x||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
 
|-
 
|-
||  .||[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
+
||  x||[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
 
||||.||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
 
||||.||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
 
||||.||[mailto:Mike.Davis@va.gov Mike Davis]
 
||||.||[mailto:Mike.Davis@va.gov Mike Davis]
Line 27: Line 27:
 
||||.||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
||||.||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
|-
 
|-
||  x||[mailto:dsilver@electrosoft-inc.com Dave Silver]
+
||  .||[mailto:dsilver@electrosoft-inc.com Dave Silver]
 
||||x||[mailto:robert.horn@agfa.com Rob Horn]  
 
||||x||[mailto:robert.horn@agfa.com Rob Horn]  
 
||||.||[mailto:Judith.Fincher@va.gov Judy Fincher]
 
||||.||[mailto:Judith.Fincher@va.gov Judy Fincher]
 
|-
 
|-
 
||  x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||  x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
||||x|| [mailto:Beth.Pumo@kp.org Beth Pumo]
+
||||.|| [mailto:Beth.Pumo@kp.org Beth Pumo]
||||.|| [mailto:oliver@lawless.co Oliver Lawless]
+
||||x|| [mailto:oliver@lawless.co Oliver Lawless]
 
|-  
 
|-  
 
||  .|| [mailto:rdieterle@enablecare.us Bob Dieterle]
 
||  .|| [mailto:rdieterle@enablecare.us Bob Dieterle]
||||x|| [mailto:mario.hyland@aegis.net Mario Hyland]
+
||||.|| [mailto:mario.hyland@aegis.net Mario Hyland]
 
||||.|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
||||.|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
|-  
 
|-  
Line 48: Line 48:
 
*Roll;  
 
*Roll;  
 
* approval of agenda  
 
* approval of agenda  
* approval of the [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-6-14 June 14, 2016 minutes]
+
* approval of the [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-6-11 June 21, 2016 minutes]
* FHIR spec was updated from last weeks approved CPs, so please review for mistakes.
+
* FHIR spec was updated from two weeks ago approved CPs, so please review for mistakes.
 +
* How should 'test-data' be identified? Is this a legitimate use of security-tags?
 +
** It is clear that security-tags already support de-identified methods. The question is specifically about completely fabricated data. 
 +
** See FHIR chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Distinguishing.20test.20patients
 +
* De-Identification topics
 +
** mobile health workgroup  http://lists.hl7.org/read/messages?id=297060
 +
** FHIR chat https://chat.fhir.org/#narrow/stream/implementers/topic/De-identification.20mechanisms.20in.20FHIR
 
* Update on action items
 
* Update on action items
* John to close this as done. need to find in our minutes original approval
+
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9563 9563] Add onBehalfOf to Signature datatype ()  
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9176 9176] Security-Labels page for _confidentialiy points at all "Confidentiality" codes, not just _confidentiality. (John Moehrke) None
+
** Proposal edited last week is in the current build
*9563 -- assigned to Kathleen, to work with Rob -- Following the discussion in the CP
+
** http://hl7-fhir.github.io/datatypes.html#Signature
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9563 9563] Add onBehalfOf to Signature datatype ()
 
 
*9564 -- assigned to John -- following the discussion in the CP
 
*9564 -- assigned to John -- following the discussion in the CP
 
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9564 9564] Should FHIR AuditEvent resource include DICOM extension of ATNA Audit log message ? ()  
 
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9564 9564] Should FHIR AuditEvent resource include DICOM extension of ATNA Audit log message ? ()  
Line 76: Line 81:
  
 
* Prepare for a block vote for next week --
 
* Prepare for a block vote for next week --
 +
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9563 9563] Add onBehalfOf to Signature datatype ()
  
 
==Minutes==
 
==Minutes==
* John Moehrke chair
+
* John Chair
* approval of agenda - Glen/Rob : unanimous
+
* Approved Agenda
* approval of the [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-6-14 June 14, 2016 minutes] - Glen/Rob : unanimous
+
* Approved minutes from 21st.
* FHIR spec was updated from last weeks approved CPs, so please review for mistakes.
+
* Gary identified a typo -> GF#10254
* Update on action items
+
* 9563 is prototyped and part of upcoming block vote
* Discussion around _confidentiality code vocabulary.
+
* 9564 John is working on it
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9176 9176] Security-Labels page for _confidentialiy points at all "Confidentiality" codes, not just _confidentiality. (John Moehrke) None
+
* discussed 3318
** This is fixed now.  http://hl7-fhir.github.io/v3/ConfidentialityClassification/vs.html -- Need to find prior notes where we agreed this needed to be fixed, and close it based on that meeting. Else we can vote in future block vote.
+
** Added question in followup around how strict the ABAC definition needs to be.  
** Temporary fix, Grahame owns the longer term and wider problem with Vocabulary wg
+
** Action: John to poke Rick
*9563 -- assigned to Kathleen, to work with Rob -- Following the discussion in the CP
+
* Discussion on 9996
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9563 9563] Add onBehalfOf to Signature datatype ()
+
** See threaded discussion on the FHIR Chat
** Edited on the call the Signature datatype to be submitted as 'pre-applied' in preparation for future vote.
+
** https://chat.fhir.org/#narrow/stream/implementers/topic/Provenance.20resource.20for.20Middleware
** updated CP also with text Rob provided.
+
** Oliver has some questions regarding proper use of assembler, composer, and author
* Discussion with Mario on testing
+
** Encouraged discussion on the chat as Glen is the owner of the CP and he is not on right now.
** Kathleen would like to focus on the Financial use-case
+
* EHR Record Lifecycle IG
*** Mario is concerned that the financial use-case might be not mature enough, and no have the broadest representation. Indicating that the percentage of connectathon participants is small compared to others
+
** Gary has shared a draft word document with updates.
*** John I am concerned this is too focused of a set of people. Meaning we don't get new players. I do think that Financial should include use of Provenance. So might we focus Provenamce on Financial?
+
** He is aligning with current build (the changes we have done with Provenance and AuditEvent)
** John would like to focus on Lab use-case
 
*** John - I want a significant use-case (so not Patient) that stands on its own. Meaning people want to test to that use-case alone (Financial also meets these two criteria).
 
** We agree that the addition of AuditEvent testing would be an additional layer, not a mandatory part of the fundamental use-case. (Seems someone has indicated that we wanted it to be mandatory, and Grahame has pushed back. We don't want to be mandatory (yet))
 

Latest revision as of 21:56, 28 June 2016

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692
Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV
If you are having difficulty joining, please try: 
https://global.gotomeeting.com/join/520841173  
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
x John Moehrke Security Co-Chair . Kathleen Connor Security Co-Chair x Suzanne Gonzales-Webb CBCC Co-Chair
x Gary Dickinson EHR Co-Chair . Johnathan ColemanCBCC Co-Chair . Mike Davis
. Reed Gelzer RM-ES Lead . Glen Marshal . Galen Mulrooney
. Dave Silver x Rob Horn . Judy Fincher
x Diana Proud-Madruga . Beth Pumo x Oliver Lawless
. Bob Dieterle . Mario Hyland . Joe Lamy
. Rick Grow . [mailto: Richard Etterma] . [mailto: Wayne Kubic]

Agenda

  • Roll;
  • approval of agenda
  • approval of the June 21, 2016 minutes
  • FHIR spec was updated from two weeks ago approved CPs, so please review for mistakes.
  • How should 'test-data' be identified? Is this a legitimate use of security-tags?
  • De-Identification topics
  • Update on action items
  • 9563 Add onBehalfOf to Signature datatype ()
  • 9564 -- assigned to John -- following the discussion in the CP
    • 9564 Should FHIR AuditEvent resource include DICOM extension of ATNA Audit log message ? ()
  • 7568 -- assigned to Kathleen, seems this should be satisfid by 9840? -- following the discussion in the CP
    • 7568 2015May core #859 - How are agent and activity linked? ()
  • 3318 -- assigned to Rick to work with Mike -- following the discussion in the CP
    • 3318 Clarify how to use RBAC and ABAC using FHIR ()
  • 9042, 9043, 9052 -- assigned to Kathleen, she has the XML almost ready to go
    • 9042 Add RBAC as value set for AuditEvent.participant.role ()
    • 9043 Add ABAC as alternative value set for AuditEvent.participant.role ()
    • 9052 Add SNOMED Stuctural Roles as value set for AuditEvent.participant.role ()
  • 9167 -- assigned to John, only creating an example AuditEvent -- following the discussion in the CP
    • 9167 AuditEvent needs to make more obvious how to record a break-glass event ()
  • 9996 -- assigned to Glen -- following the discussion in the CP
    • 9996 Using Provenance resource to annotate content derived from non-FHIR sources ()
  • FMM evaluation vs desire - We picked 4 last week -- We might want to re-evaluate to level 3. As level 4 means we would need to work hard to get "complete" testing tools and procedures at 100% of functionality. I think we should only target getting some testing ready.
  • Discussion with Mario on getting prepared for next connectathon
    • What use-case should we focus on? (Lab vs Financial vs Patient)
  • Discussion around Record Lifecycle events (6303)? Are we going to support this? Are the vocabulary done yet? (Gary will join)
    • 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set (Gary Dickinson) None
  • Prepare for a block vote for next week --
    • 9563 Add onBehalfOf to Signature datatype ()

Minutes

  • John Chair
  • Approved Agenda
  • Approved minutes from 21st.
  • Gary identified a typo -> GF#10254
  • 9563 is prototyped and part of upcoming block vote
  • 9564 John is working on it
  • discussed 3318
    • Added question in followup around how strict the ABAC definition needs to be.
    • Action: John to poke Rick
  • Discussion on 9996
  • EHR Record Lifecycle IG
    • Gary has shared a draft word document with updates.
    • He is aligning with current build (the changes we have done with Provenance and AuditEvent)