
July 19, 2016 Security Conference Call

From HL7Wiki

Latest revision as of 18:53, 26 July 2016


Attendees (x = present)

x  Member Name                         x  Member Name            x  Member Name
x  Kathleen Connor, Security Co-chair  .  Duane DeCouteau        .  Chris Clark
   John Moehrke, Security Co-chair     .  Johnathan Coleman      .  Aaron Seib
x  Alexander Mense, Security Co-chair  .  Ken Salyards           .  Christopher D Brown, TX
.  Trish Williams, Security Co-chair   .  Gary Dickinson         .  Dave Silver
x  Mike Davis                          .  Ioana Singureanu       x  Mohammed Jafari
x  Suzanne Gonzales-Webb               x  Rob Horn               .  Galen Mulrooney
x  Diana Proud-Madruga                 .  Ken Rubin              .  William Kinsley
x  Rick Grow                           .  Paul Knapp             .  Mayada Abdulmannan
x  Glen Marshall, SRS                  .  Bill Kleinebecker      .  Christopher Shawn
.  Oliver Lawless                      x  Grahame Grieve         .  Serafina Versaggi
.  Beth Pumo                           .  Russell McDonell       .  Paul Petronelli, Mobile Health
.  Christopher Doss                    .  Kamalini Vaidya        x  David Staggs


Agenda DRAFT

  1. (2 min) Roll Call, Agenda Approval
  2. (3 min) Approve Security WG July 12, 2016 Minutes
  3. (15 min) Update on the PSAF Security Policy model - Mike & Dave to update on VA Architectural Model, which is based on S&P DAM and earlier PSAF model that Kathleen and Galen started. Mike and Kathleen plan to include this work in the Sept "For Comment" Ballot material.
  4. (5 min) Standards Privacy Impact Assessment Cookbook - Rick
  5. (5 min) PASS Access Control Services Conceptual Model - Diana
  6. (5 min) PASS Audit Conceptual Model – Diana
  7. (10 min) HEART Update on FHIR nexus - John for the July 11th and Kathleen for the July 18th HEART call: update on discussions about using FHIR Consent.data to create HEART Registration Sets with a Confidentiality code Security Label, and possible use of Security Labels, specifically Confidentiality codes, as part of the HEART Authorization scopes. Use case under consideration is "no more clipboard"; Eve Maler is developing it. Question is how to incorporate the Confidentiality code into that use case. Also interest in including Confidentiality codes and perhaps other security labels in the HEART FHIR OAuth 2.0 Scopes (http://openid.bitbucket.org/HEART/openid-heart-fhir-oauth2.html)
  8. (10 min) Review for FTSD vote on DAF PSS (http://gforge.hl7.org/gf/download/docmanfileversion/9310/14510/HL7%20Project%20Scope%20Statement_DAF_2016_PSS_v3.docx) - Kathleen
  9. (2 min) Recommended reading: Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA (https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf)

Note that there will be a FHIR Security call at 5pm ET. See the agenda at FHIR Security Agenda (http://wiki.hl7.org/index.php?title=HL7_FHIR_security_topics#Agenda_and_Minutes).

Minutes

  • Chaired by Kathleen
  • Approved Security WG July 12, 2016 Minutes (no objections, no abstentions)
  • Update on the PSAF Security Policy model - Mike & Dave to update on VA Architectural Model, which is based on S&P DAM and earlier PSAF model that Kathleen and Galen started. Mike and Kathleen plan to include this work in the Sept "For Comment" Ballot material.
    - Model was presented
    - Information Model is based on HL7 (Architectural Model)
    - The intent is to bring back
    - Working on a Word document that explains all classes in the Information Model
    - High-level main model, showing different types of approaches
    - Created sub-models; for example, the Trust Framework sub-model shows sub-classes harmonizing across different domains to show interoperability
    - ACI (Access Control Information) of the Requester/User is also explained at a high level
    - Privacy Policy is expanded at a high level
    - Security Labeling and other ISO sources are shared in the document
    - Question (Kathleen): Can we have a review of privacy and security of health care info shared by non-covered entities?
    - Have a list of approaches addressing gaps between the user and vendor (such as dealing with vendor mobile apps)
    - Security side would help enforce policy. Is a draft available to make comments?
    - Comment (Kathleen): "Authorization Token should be in security schemes, coupled with policy"
    - Next Step - Response (Dave): Draft can be available by next Security WG call
  • Standards Privacy Impact Assessment Cookbook - Rick
    - Collected all comments from CBCC and the Security work group and submitted them to HL7 before the Sunday deadline
    - Next step: Document will be ready for the September ballot
  • PASS Access Control Services Conceptual Model - Diana
    - 99% complete; only one section is out for review by a SME
    - Once the review by the SME is complete, I will send it out, with Mike Davis as one of the main authors
    - Comment (Kathleen): Recommended sending out a subsection of work that is currently active to the group prior to publication
  • PASS Audit Conceptual Model – Diana
    - Meeting once a week on Wednesdays
    - Reviewing previous audit use cases (Mid Audit Record, Retrieve Disclosure Record)
    - Mike Davis recommended other use cases that can additionally be leveraged during the PASS Audit Conceptual Model call
    - Next Steps: Kathleen will share Kantara and other links on consent with Diana
  • HEART Update on FHIR nexus - John for the July 11th and Kathleen for the July 18th HEART call: update on discussions about using FHIR Consent.data to create HEART Registration Sets with a Confidentiality code Security Label, and possible use of Security Labels, specifically Confidentiality codes, as part of the HEART Authorization scopes. Use case under consideration is "no more clipboard"; Eve Maler is developing it. Question is how to incorporate the Confidentiality code into that use case. Also interest in including Confidentiality codes and perhaps other security labels in the HEART FHIR OAuth 2.0 Scopes.
    - We have been looking at HEART in connection with FHIR
    - Reviewing UMA work on patient-controlled access
    - The OAuth Resource Set Registration profile did not have a way to describe resource sets
    - Shared Grahame's work, which describes resource sets and confidentiality codes
    - Shared the HEART FHIR OAuth scope profile
    - Used the mechanism Grahame provided for patient-registered resources
    - Calls are open to anyone interested in attending
    - Reviewing privacy and security of health care info shared by non-covered entities
    - Have a list of approaches addressing gaps between the user and vendor (such as dealing with vendor mobile apps)
    - Security side would help enforce policy
    - Recommending a F2F with the HEART group in Baltimore
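The HEART item above (Consent.data seeding registration sets, Confidentiality codes carried as security labels and possibly in scopes) is the one technical thread in these minutes. The Python below is an added illustration, not code from HL7, HEART or anyone on the call. It assumes: HL7 v3 Confidentiality codes ordered U < L < M < N < R < V under the system URI FHIR DSTU2/STU3 used for that code system; SMART-style scope strings of the form context/ResourceType.permission, the shape the HEART FHIR OAuth 2.0 scopes draft follows; a UMA 1.0-style resource set description (name, type, scopes) extended with a "confidentiality" member invented here; and the STU3-era Consent.data shape (meaning plus reference). All sample resources are constructed. It builds one registration set per instance-level Consent.data entry, each carrying the resource's label, then decides a scope request on both the granted scope and whether the requesting party's clearance dominates that label.

```python
# Added example: Consent-seeded UMA resource sets carrying HL7 Confidentiality
# labels, and a scope + clearance decision over them. Not HL7/HEART code.

CONFIDENTIALITY_SYSTEM = "http://hl7.org/fhir/v3/Confidentiality"  # FHIR DSTU2/STU3 URI
# HL7 v3 Confidentiality codes, least to most restrictive.
CONFIDENTIALITY_ORDER = ("U", "L", "M", "N", "R", "V")


def confidentiality_of(resource):
    """Most restrictive Confidentiality code in resource.meta.security, or None
    when the resource is unlabeled. Unknown codes raise instead of being ignored."""
    labels = resource.get("meta", {}).get("security", [])
    codes = [c.get("code") for c in labels if c.get("system") == CONFIDENTIALITY_SYSTEM]
    for code in codes:
        if code not in CONFIDENTIALITY_ORDER:
            raise ValueError(f"unknown Confidentiality code {code!r}")
    return max(codes, key=CONFIDENTIALITY_ORDER.index) if codes else None


def resource_set_description(resource, scopes):
    """UMA 1.0-style resource set description (name, type, scopes) for one
    FHIR resource. 'confidentiality' is this example's addition, not a UMA
    member; using the FHIR type URL as the UMA 'type' is also an assumption."""
    rtype = resource["resourceType"]
    return {
        "name": f"{rtype}/{resource['id']}",
        "type": f"http://hl7.org/fhir/{rtype}",
        "scopes": sorted(scopes),
        "confidentiality": confidentiality_of(resource),
    }


def registration_sets_from_consent(consent, resolve, scopes):
    """One description per Consent.data entry that names a concrete instance
    (STU3-era shape assumed). Other meanings (related, dependents, authoredby)
    need server-side expansion and are skipped here on purpose."""
    sets = []
    for entry in consent.get("data", []):
        if entry.get("meaning") != "instance":
            continue
        sets.append(resource_set_description(resolve(entry["reference"]["reference"]), scopes))
    return sets


def scope_matches(requested, granted):
    """True if 'granted' covers 'requested'. Grammar assumed (SMART/HEART style):
    <context>/<ResourceType|*>.<read|write|*>."""
    try:
        ctx_r, rest_r = requested.split("/", 1)
        type_r, perm_r = rest_r.rsplit(".", 1)
        ctx_g, rest_g = granted.split("/", 1)
        type_g, perm_g = rest_g.rsplit(".", 1)
    except ValueError:
        return False
    return ctx_r == ctx_g and type_g in ("*", type_r) and perm_g in ("*", perm_r)


def decide(resource_set, requested_scope, clearance):
    """(allowed, reason): the scope must be granted on the set AND the requesting
    party's clearance must dominate the label. Unlabeled sets fail closed."""
    if clearance not in CONFIDENTIALITY_ORDER:
        return False, f"unknown clearance {clearance!r}"
    if not any(scope_matches(requested_scope, g) for g in resource_set["scopes"]):
        return False, f"scope {requested_scope} not granted"
    label = resource_set.get("confidentiality")
    if label is None:
        return False, "resource set carries no Confidentiality label"
    if CONFIDENTIALITY_ORDER.index(clearance) < CONFIDENTIALITY_ORDER.index(label):
        return False, f"clearance {clearance} does not dominate label {label}"
    return True, "permitted"


# Constructed sample data (not from the minutes): one Observation labeled R, one
# left unlabeled to exercise the fail-closed path, and a Consent pointing at both.
SAMPLE_RESOURCES = {
    "Observation/obs-1": {
        "resourceType": "Observation", "id": "obs-1", "status": "final",
        "meta": {"security": [{"system": CONFIDENTIALITY_SYSTEM, "code": "R"}]},
        "code": {"text": "constructed example"},
    },
    "Observation/obs-2": {
        "resourceType": "Observation", "id": "obs-2", "status": "final",
        "meta": {}, "code": {"text": "constructed example"},
    },
}
SAMPLE_CONSENT = {
    "resourceType": "Consent", "id": "consent-1", "status": "active",
    "data": [
        {"meaning": "instance", "reference": {"reference": "Observation/obs-1"}},
        {"meaning": "instance", "reference": {"reference": "Observation/obs-2"}},
        {"meaning": "related", "reference": {"reference": "Patient/pat-1"}},
    ],
}

if __name__ == "__main__":
    sets = registration_sets_from_consent(
        SAMPLE_CONSENT, SAMPLE_RESOURCES.__getitem__, ["patient/Observation.read"])
    for clearance in ("N", "R"):
        print(clearance, decide(sets[0], "patient/Observation.read", clearance))
    print("unlabeled:", decide(sets[1], "patient/Observation.read", "V"))
```

Two design points bear on the question the group raised. The label lives in the registration set rather than in the scope string, so an ordinary patient/Observation.read grant is still refused for a requesting party whose clearance sits below the resource's label; and a resource set that carries no label is refused rather than silently treated as N.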

  • Review for FTSD vote on DAF PSS - Kathleen
    - DAF Project Scope Statement is being reviewed by the steering division
    - Next Step: Approved by Security Work Group (no objections)
  • Recommended reading: Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA (https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf)