
Difference between revisions of "January 31, 2017 Security Conference Call"

 
(3 intermediate revisions by one other user not shown)
Line 58: Line 58:
 
# ''(2 min)'' '''Roll Call, Agenda Approval'''
 
# ''(2 min)'' '''Roll Call, Agenda Approval'''
 
# ''(2 min)'' '''[http://wiki.hl7.org/index.php?title=January_10,_2017_Security_Conference_Call Security WG Call Minutes January 10, 2017]'''
 
# ''(2 min)'' '''[http://wiki.hl7.org/index.php?title=January_10,_2017_Security_Conference_Call Security WG Call Minutes January 10, 2017]'''
# ''(5 min)'' '''[http://gforge...Approval of Publication Request for the HL7 Composite Security and Privacy DAM Informative May 2014 ]'''.  See [http://gforge.hl7.org/gf/download/docmanfileversion/9536/15072/V3DAM_SECURITY_R1_I1_2014MAY.pdf HL7 Composite Security and Privacy DAM Informative May 2014]''' - Kathleen
+
# ''(5 min)'' '''[http://gforge.hl7.org/gf/download/docmanfileversion/9538/15074/V3DAM%20HL7_Publication_Request%20Composite%20Security%20and%20Privacy%20DAM%20May%202014.docx Approval of Publication Request for the HL7 Composite Security and Privacy DAM Informative May 2014 ]'''.  See [http://gforge.hl7.org/gf/download/docmanfileversion/9536/15072/V3DAM_SECURITY_R1_I1_2014MAY.pdf HL7 Composite Security and Privacy DAM Informative May 2014]''' - Kathleen
# ''(10 min)'' '''[http://gforge... TF4FA Ballot Reconciliation Spreadsheet Disposition Review]- Mike and Kathleen   
+
# ''(10 min)'' '''[http://gforge.hl7.org/gf/download/docmanfileversion/9541/15099/V3_PSAF_R1_I1_2017JAN_amalgamated.xls TF4FA Ballot Reconciliation Spreadsheet Disposition Review]- Mike and Kathleen   
 
# ''(10 min)'' '''[http://gforge....Security WGM Minutes Review and Approval]''' - Kathleen
 
# ''(10 min)'' '''[http://gforge....Security WGM Minutes Review and Approval]''' - Kathleen
 
# ''(5 min)'' '''[gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update]''' - Diane
 
# ''(5 min)'' '''[gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update]''' - Diane
Line 68: Line 68:
  
 
=='''Minutes'''==
 
=='''Minutes'''==
* Chaired by Alex
+
* Chaired by John
 
* Agenda Approved (Kathleen, Ioana)
 
* Agenda Approved (Kathleen, Ioana)
 +
* Announcement ( Mike Davis):
 +
** HL7 has approved the Working Group Attendance representing HL7 at HIMMS 
 +
** Changes have been made to the research work station
 +
** To continue this discussion on next call 
 +
*Security WG Call Minutes January 10, 2017 - Approved
 +
* Approval of Publication Request for the HL7 Composite Security and Privacy DAM Informative May 2014 . See HL7 Composite Security and Privacy DAM Informative May 2014 - Kathleen
 +
** Publication request that was balloted should be reviewd to obtain a motion to approve
 +
** Once approved the publication can move forward
 +
** Mike Davis suggests to reballot a new version that is more updated with a more current position
 +
** Alex suggests if the date on the publication to be dated for May 2014 to reflect when it was originally balloted
 +
** Mike Davis concurs the date reflect the May 2014, and a new version to be balloted with Trust Framework
 +
** Motion Approved: Motion approved publication with contingency to back date to May 2014 Approved.  (Mike Davis, Suzane)
 +
* TF4FA Ballot Reconciliation Spreadsheet Disposition Review- Mike and Kathleen
 +
** Continued work on TF4FA
 +
** During the WKG meeting
 +
** Alex comments that need to be resolved on approach:
 +
** Alex interpreted the diaphragm to say:
 +
*** The two domains with all users data and policy come together to set up contract and set up federated authorization domain
 +
** Alex felt the position should be more clear and state the following: 
 +
*** Two whole domains do not just create federated policy
 +
*** The authorization Policy within Domain A and Authorization Policy in Domain B create a Federated Authorization Policy
 +
** The definition of Domains is included in the document and were reviewed during the call
 +
*** Mike Davis agreed to clarify the definition of Domain upfront to meet Alex's concerns
 +
** Domain Definitions will provide more information upfront and definition but not change the Diagram 
 +
** Mike Davis provided the steps Domain process as the following:
 +
*** A single domain consist of a set of users, subjects, data, managed by a common authority
 +
*** When two or more entities want to federated, Domain A and B have their policy and resources
 +
*** They agree on shared users and Information, and a set of policies
 +
*** Policies are defined by these representations and information model
 +
*** the set of services negotiation the attributes into a binding agreement
 +
*** The services of the Trust Framework is to negotiate this contract
 +
** During the Security Work Group call John suggested the Diagrams should be split up
 +
** Mike Davis disagrees on splitting the diagrams
 +
** Resolution was reached with Alex on the Class Diagram
 +
*** Domain Model to be harmonized with 22600 Model as it have a gap it does not recognize attribute based access control
 +
*** We included the attribute based access control to the model
 +
*** The composition and association is defined in the diagram to harmonize with 22600
 +
** Question (Ioanna) : Does a composite e policy does it have a consensual research and management policy? Can it be an aggregate policy?
 +
** Mike Davis will look into the dam in 22600
 +
** Next steps: Mike Davis will provide better explanation and definitions for the diagram
 +
 +
The remaining Agenda will be discussed on next call:
 +
 +
* WGM Minutes Review and Approval - Kathleen
 +
(5 min) [gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diane
 +
(5 min) 21st Century Cures Act Trusted Exchange Framework Discussion for HL7 Policy Advisory Committee- Kathleen
 +
(5 min) Reminder of the relevance to Trust Frameworks of Report to Security WG_Blobel_Implications of SOA architectures for security and privacy -Kathleen
 +
(5 min) Security Labeling Service Revision Update - Diana
 +
(2 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call
 +
 +
=='''Background'''==
 +
 +
SECTION 4003 Interoperability (pages 350-379)
 +
 
 +
Key Points
 +
 
 +
Trusted Exchange Framework and Common Agreement
 +
 
 +
· The National Coordinator shall, in collaboration with the National Institute of Standards and Technology and other relevant agencies within HHS, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally.
 +
 
 +
· Not later than 1 year after convening the Health Information Technology Advisory Committee, the National Coordinator shall publish on its public Internet website, and in the Federal Register, the trusted exchange framework and common agreement.
 +
 
 +
· PROCESS: The Secretary shall, through notice and comment rulemaking, establish a process for health information networks that voluntarily elect to adopt the trusted exchange framework and common agreement to attest to such adoption of the framework and agreement.
 +
 +
[http://docs.house.gov/billsthisweek/20161128/CPRT-114-HPRT-RU00-SAHR34.pdf House version 11/25/2016]
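Review bot: the added minutes carry wording errors that should be corrected before this revision stands: "Alex interpreted the diaphragm to say" should read "diagram", "reviewd" should read "reviewed", and "Suzane" and "Ioanna" do not match the spellings used in the attendee table. The revision also changes "Chaired by Alex" to "Chaired by John", while the attendee table on this page marks Alexander Mense with "x" and John Moehrke with ".", so the chair should be confirmed against the roll call. The bullets "During the WKG meeting" and "Does a composite e policy does it have ..." are incomplete as written and need rewording by someone who was on the call.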

Latest revision as of 20:01, 7 February 2017


Attendees

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | . | Mohammed Jafari |
| x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney |
| . | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver |
| x | Rick Grow | . | William Kinsley | . | Paul Knapp | . | Mayada Abdulmannan |
| . | Kamalini Vaidya | . | Bill Kleinebecker | . | Christopher Shawn | . | Grahame Grieve |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (2 min) Security WG Call Minutes January 10, 2017
  3. (5 min) Approval of Publication Request for the HL7 Composite Security and Privacy DAM Informative May 2014. See HL7 Composite Security and Privacy DAM Informative May 2014 - Kathleen
  4. (10 min) TF4FA Ballot Reconciliation Spreadsheet Disposition Review - Mike and Kathleen
  5. (10 min) WGM Minutes Review and Approval - Kathleen
  6. (5 min) [gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diane
  7. (5 min) 21st Century Cures Act Trusted Exchange Framework Discussion for HL7 Policy Advisory Committee - Kathleen
  8. (5 min) Reminder of the relevance to Trust Frameworks of Report to Security WG_Blobel_Implications of SOA architectures for security and privacy - Kathleen
  9. (5 min) Security Labeling Service Revision Update - Diana
  10. (2 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call

Minutes

  • Chaired by John
  • Agenda Approved (Kathleen, Ioana)
  • Announcement (Mike Davis):
    • HL7 has approved Working Group attendance representing HL7 at HIMSS
    • Changes have been made to the research work station
    • Discussion to continue on the next call
  • Security WG Call Minutes January 10, 2017 - Approved
  • Approval of Publication Request for the HL7 Composite Security and Privacy DAM Informative May 2014. See HL7 Composite Security and Privacy DAM Informative May 2014 - Kathleen
    • The publication request that was balloted should be reviewed to obtain a motion to approve
    • Once approved, the publication can move forward
    • Mike Davis suggests reballoting a new, more up-to-date version with a more current position
    • Alex suggests that the publication be dated May 2014 to reflect when it was originally balloted
    • Mike Davis concurs that the date should reflect May 2014, and that a new version be balloted with the Trust Framework
    • Motion approved: publication approved with the contingency that it be backdated to May 2014. (Mike Davis, Suzanne)
  • TF4FA Ballot Reconciliation Spreadsheet Disposition Review - Mike and Kathleen
    • Continued work on TF4FA
    • During the WKG meeting
    • Alex's comments on the approach that need to be resolved:
    • Alex interpreted the diagram to say:
      • The two domains, with all users, data and policy, come together to set up a contract and set up a federated authorization domain
    • Alex felt the position should be clearer and state the following:
      • Two whole domains do not just create a federated policy
      • The Authorization Policy within Domain A and the Authorization Policy in Domain B create a Federated Authorization Policy
    • The definitions of Domains are included in the document and were reviewed during the call
      • Mike Davis agreed to clarify the definition of Domain up front to meet Alex's concerns
    • The Domain definitions will provide more information and definition up front but will not change the Diagram
    • Mike Davis described the steps of the Domain process as follows:
      • A single domain consists of a set of users, subjects, and data managed by a common authority
      • When two or more entities want to federate, Domain A and Domain B each have their own policy and resources
      • They agree on shared users and information, and a set of policies
      • Policies are defined by these representations and the information model
      • The set of services negotiates the attributes into a binding agreement
      • The role of the Trust Framework services is to negotiate this contract
    • During the Security Work Group call, John suggested the Diagrams should be split up
    • Mike Davis disagrees with splitting the diagrams
    • Resolution was reached with Alex on the Class Diagram
      • Domain Model to be harmonized with the 22600 Model, as it has a gap: it does not recognize attribute-based access control
      • We included attribute-based access control in the model
      • The composition and association are defined in the diagram to harmonize with 22600
    • Question (Ioana): Does a composite policy have a consensual research and management policy? Can it be an aggregate policy?
    • Mike Davis will look into the DAM in 22600
    • Next steps: Mike Davis will provide a better explanation and definitions for the diagram

The remaining agenda items will be discussed on the next call:

  • WGM Minutes Review and Approval - Kathleen
  • (5 min) [gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diane
  • (5 min) 21st Century Cures Act Trusted Exchange Framework Discussion for HL7 Policy Advisory Committee - Kathleen
  • (5 min) Reminder of the relevance to Trust Frameworks of Report to Security WG_Blobel_Implications of SOA architectures for security and privacy - Kathleen
  • (5 min) Security Labeling Service Revision Update - Diana
  • (2 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call

Background

SECTION 4003 Interoperability (pages 350-379)

Key Points

Trusted Exchange Framework and Common Agreement

  • The National Coordinator shall, in collaboration with the National Institute of Standards and Technology and other relevant agencies within HHS, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally.
  • Not later than 1 year after convening the Health Information Technology Advisory Committee, the National Coordinator shall publish on its public Internet website, and in the Federal Register, the trusted exchange framework and common agreement.
  • PROCESS: The Secretary shall, through notice and comment rulemaking, establish a process for health information networks that voluntarily elect to adopt the trusted exchange framework and common agreement to attest to such adoption of the framework and agreement.

House version 11/25/2016