This wiki has undergone a migration to Confluence found Here
Difference between revisions of "June 27, 2017 Security Conference Call"
Change in this revision (line 63, section '''News and Reminders'''): the first bullet, which links to [https://americansecuritytoday.com/nist-launches-new-special-publication-sp-800-63-suite NIST Launches New Special Publication (SP) 800-63 Suite!], gained the following text after the link:

"RE: "Gone are the days of levels of assurance (LOAs), replaced by ordinals for individual parts of the digital identity flow, enabling implementers more flexibility in their design and operations." Likely means we need to rework the Security Labels for Trust Level of Assurance codes."

The remaining bullets in that section (the Rene Spronk GDPR blog item and the NIST Privacy Risk Assessment Workshop item) are unchanged between the two revisions.
Revision as of 17:29, 27 June 2017
Attendees
| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari |
| x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney |
| . | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver |
| x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan |
| . | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |

(x = present, . = absent)
Agenda
- (2 min) Roll Call, Agenda Approval
- (4 min) Review and Approval of Security WG Call Minutes June 20, 2017
- (10 min) Review News and Reminders - See below.
- (20 min) July Harmonization Proposal QA Review and Request for approval of initial submission; see July 2017 Harmonization Proposal Overview (Kathleen)
- (5 min) FHIR Security call this week
News and Reminders
- Thanks John for pointing out the "major change" NIST Launches New Special Publication (SP) 800-63 Suite!. RE: "Gone are the days of levels of assurance (LOAs), replaced by ordinals for individual parts of the digital identity flow, enabling implementers more flexibility in their design and operations." Likely means we need to rework the Security Labels for Trust Level of Assurance codes.
- Thanks Rene Spronk for this blog: Impact of the GDPR on the use of interoperability standards. His suggestion that "A label on an item of data that states "data subject to the Data Portability rights" would be useful for any 'downstream' processors of that data, for that specific data item would also be subject to the Data Portability right within a receiving application" could be done using the Security Label Category for Consent Directive types. It would require adding a new code to the ActConsentDirective code system during November Harmonization cycle.
- June 5, 2017 NIST Privacy Risk Assessment Workshop Opening Session Video and NIST Privacy Risk Workshop slides related to NIST Internal Report 8062 "An Introduction to Privacy Engineering and Risk Management in Federal Systems"
- In mid June, the Digital Commerce and Consumer Protection Subcommittee within the Energy and Commerce Committee held a series of hearings on the Internet of Things, which touched on privacy and security challenges. See:
- Reminder the SMART app specification (including their basic OAuth 2.0 profile) is available for review at https://github.com/smart-on-fhir/smart-on-fhir.github.io/tree/into-hl7
- Please review and provide FMG comment by July 12 on FHIR Conformance QA Criteria. Requested comment areas: Are these criteria complete? Are there others we need? Are these criteria useful? Are there any of these we shouldn't be wasting our time on? Are these criteria reasonable? If you're going to be creating your own IGs and associated resources, would you be comfortable adhering to these criteria?