
Difference between revisions of "August 22, 2017 Security Conference Call"

From HL7Wiki
 
(3 intermediate revisions by 2 users not shown)
Line 56: Line 56:
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(4 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=August_15,_2017_Security_Conference_Call Security WG Call Minutes August 15, 2017]'''
 
#''(4 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=August_15,_2017_Security_Conference_Call Security WG Call Minutes August 15, 2017]'''
#''(20 min)'' '''Cascading OAuth for FHIR Security''' - Mohammad Jafari
+
#''(20 min)'' '''[http://wiki.hl7.org/index.php?title=HIMSS_2017_Patient_Choice Cascading OAuth for FHIR Security - middle of the page]''' - Mohammad Jafari
 
#''(15 min)'' '''[http://wiki.hl7.org/index.php?title=201709_Consumer_Centered_Data_Exchange&section=17 Consumer Centered Data Exchange Connectathon Track]- Aaron Seib
 
#''(15 min)'' '''[http://wiki.hl7.org/index.php?title=201709_Consumer_Centered_Data_Exchange&section=17 Consumer Centered Data Exchange Connectathon Track]- Aaron Seib
 
#''(15 min)'' '''[http://wiki.hl7.org/index.php?title=ONC_Trusted_Exchange_Common_Agreement_Framework_Comments_Page ONC Trusted Exchange Common Agreement Framework Comments]''' - Kathleen
 
#''(15 min)'' '''[http://wiki.hl7.org/index.php?title=ONC_Trusted_Exchange_Common_Agreement_Framework_Comments_Page ONC Trusted Exchange Common Agreement Framework Comments]''' - Kathleen
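Review bot: the replacement line for the 20 min agenda item puts the locator "- middle of the page" inside the link label, so it renders verbatim in the agenda. Point the link at the relevant section of HIMSS_2017_Patient_Choice instead, the way the Consumer Centered Data Exchange item uses &section=17, and keep the label as "Cascading OAuth for FHIR Security". The unchanged Consumer Centered Data Exchange line also opens bold with ''' and never closes it before "- Aaron Seib".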
Line 62: Line 62:
  
 
==News and Review Material==
 
==News and Review Material==
*[http://wiki.hl7.org/index.php?title=201709_Consumer_Centered_Data_Exchange&section=17 Consumer Centered Data Exchange FHIR Wiki]
 
**[https://bitbucket.org/jeastman/consumer-centered-data-exchange/wiki/Home CCDE Collaborative Wiki]
 
**[https://chat.fhir.org/#narrow/stream/implementers/topic/Patient.20Request.20for.20Health.20Information chat.fhir.org about constraining the scope of the use case]
 
 
*[http://www.pewinternet.org/2017/05/22/the-internet-of-things-and-future-shock-too-much-change-too-fast/ PEW Report - The Internet of Things and Future Shock: Too Much Change Too Fast?]Lee Rainie, director of Internet, Science and Technology Research at the Pew Research Center, spoke on May 10, 2017 to the American Bar Association’s [http://www.americanbar.org/content/dam/aba/events/cle/2017/spring/ce1705iot_webbrochure.authcheckdam.pdf Section of Science and Technology Law] about the rise of the Internet of Things and its implications for privacy and cybersecurity. The velocity of change today is remarkable and increasingly challenging to navigate. Rainie discussed Pew Research Center’s reports about [http://www.pewinternet.org/2014/03/11/digital-life-in-2025/ “Digital Life in 2025”]and [http://www.pewinternet.org/2014/05/14/internet-of-things/ “The Internet of Things Will Thrive by 2025],” which present the views of hundreds of “technology builders and analysts” on the future of the internet.
 
*[http://www.pewinternet.org/2017/05/22/the-internet-of-things-and-future-shock-too-much-change-too-fast/ PEW Report - The Internet of Things and Future Shock: Too Much Change Too Fast?]Lee Rainie, director of Internet, Science and Technology Research at the Pew Research Center, spoke on May 10, 2017 to the American Bar Association’s [http://www.americanbar.org/content/dam/aba/events/cle/2017/spring/ce1705iot_webbrochure.authcheckdam.pdf Section of Science and Technology Law] about the rise of the Internet of Things and its implications for privacy and cybersecurity. The velocity of change today is remarkable and increasingly challenging to navigate. Rainie discussed Pew Research Center’s reports about [http://www.pewinternet.org/2014/03/11/digital-life-in-2025/ “Digital Life in 2025”]and [http://www.pewinternet.org/2014/05/14/internet-of-things/ “The Internet of Things Will Thrive by 2025],” which present the views of hundreds of “technology builders and analysts” on the future of the internet.
 
**[http://www.pewinternet.org/2017/05/22/the-public-and-cybersecurity-practices-and-knowledge PEW Report - The public and cybersecurity practices and knowledge] Lee Rainie, director of internet, science and technology research at Pew Research Center, presented the Center’s findings about public practices and knowledge related to cybersecurity to the advisory board of the National Cybersecurity Alliance on May 5, 2017. He discussed the wide variance in what the public knows about key cybersecurity issues and concepts and people’s habits when it comes to handling the passwords to their online accounts and their use of public Wi-Fi networks.
 
**[http://www.pewinternet.org/2017/05/22/the-public-and-cybersecurity-practices-and-knowledge PEW Report - The public and cybersecurity practices and knowledge] Lee Rainie, director of internet, science and technology research at Pew Research Center, presented the Center’s findings about public practices and knowledge related to cybersecurity to the advisory board of the National Cybersecurity Alliance on May 5, 2017. He discussed the wide variance in what the public knows about key cybersecurity issues and concepts and people’s habits when it comes to handling the passwords to their online accounts and their use of public Wi-Fi networks.
 +
 +
== Minutes ==
 +
* Chaired by Alex
 +
* Agenda Approved
 +
* Review and Approval of Security WG Call Minutes August 15, 2017 deferred to next call
 +
* Cascading OAuth for FHIR Security - middle of the page - Mohammad Jafari, Mike Davis, Aaron Seib
 +
** Defer from one Oath server to another Oath server
 +
** Mohammad coded the OAth, did the implementation for cascading Oauth
 +
** Kathleen proposed to find a way for Mohammed to update code
 +
** The Code is not available as an opensource project
 +
** Mohammed currently does not have access to the code
 +
** Mike's comment: The code was provided to VA, and VA can likely provide it as open source
 +
** Cascading OAuth was demonstrated during Patient Choice at HIMMS
 +
** If the Provider has Patient right of access they would have access to the system
 +
** The patient controls to what can be accessed
 +
** A patient that hasn't submitted their consent
 +
** The Patient Authorization server provides information on provisions and rules to the custodian organization
 +
** Patient can direct how information flows
 +
** This authorization server allows the patient manage all of its providers in one place
 +
** It is consumer Centered Data Exchange Connectathon
 +
** The Authorization server check the consent, and based on consent it provides a token
 +
** The Attributes can be detailed
 +
** The Custodian organization receives the token and puts it back to the Oath interceptor
 +
** The resource server collects the data, and labels the data (security labeling server)
 +
** The final step the information is then provided
 +
** If the patients policy inputted for consent directive, the token
 +
** Aaron reviewed consent resource using FHIR Consent Recourse
 +
** Kathleen comment (1): FHIR Consent Recourse will have security labels.
 +
** Mike Davis comment (2)/recommendation to Aaron: In HL7 we have two working groups, in Security and CBCC. For implements the distinction between Security and Privacy are clear. To Avoid confusion we need to keep the separation between privacy and security. 
 +
** The Patient has to provide consent in writing according to law
 +
** Next Step: Aaron to send Dianna email to request to do a presentation to CBCC
 +
* ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
 +
** Item moved to next weeks call
 +
* FHIR Security call - Cancelled
 +
** Call Adjourned**
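Review bot: the added Minutes section spells the protocol three ways in the Cascading OAuth bullets ("Oath", "OAth", "Oauth"), writes "HIMMS" where the agenda link is titled HIMSS, and writes "FHIR Consent Recourse" twice for the Consent resource; these should be normalised before the minutes are approved. Two bullets, "A patient that hasn't submitted their consent" and "If the patients policy inputted for consent directive, the token", stop mid-sentence and need completing by the note taker, since they describe when a token is or is not issued. The last line, "** Call Adjourned**", parses as a nested list item under the FHIR Security call with stray trailing asterisks; it should be a top-level "* Call Adjourned".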

Latest revision as of 00:30, 29 August 2017


Attendees

x Member Name | x Member Name | x Member Name | x Member Name
. John Moehrke, Security Co-chair | x Kathleen Connor, Security Co-chair | . Alexander Mense, Security Co-chair | . Trish Williams, Security Co-chair
x Mike Davis | x Suzanne Gonzales-Webb | x David Staggs | x Mohammed Jafari
x Glen Marshall, SRS | x Beth Pumo | . Ioana Singureanu | . Rob Horn
x Diana Proud-Madruga | . Serafina Versaggi | x Joe Lamy | . Galen Mulrooney
. Duane DeCouteau | . Chris Clark | . Johnathan Coleman | . Aaron Seib
. Ken Salyards | . Christopher D Brown TX | . Gary Dickinson | x Dave Silver
x Rick Grow | . William Kinsley | . Paul Knapp | x Mayada Abdulmannan
. Kamalini Vaidya | . Bill Kleinebecker | x Christopher Shawn | . Grahame Grieve
. Oliver Lawless | . Ken Rubin | . David Tao | . Nathan Botts


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes August 15, 2017
  3. (20 min) Cascading OAuth for FHIR Security - middle of the page - Mohammad Jafari
  4. (15 min) Consumer Centered Data Exchange Connectathon Track - Aaron Seib
  5. (15 min) ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
  6. (1 min) FHIR Security call - Cancelled

News and Review Material

Minutes

  • Chaired by Alex
  • Agenda Approved
  • Review and Approval of Security WG Call Minutes August 15, 2017 deferred to next call
  • Cascading OAuth for FHIR Security - middle of the page - Mohammad Jafari, Mike Davis, Aaron Seib
    • Defer from one OAuth server to another OAuth server
    • Mohammad coded the OAuth and did the implementation for cascading OAuth
    • Kathleen proposed to find a way for Mohammed to update the code
    • The code is not available as an open source project
    • Mohammed currently does not have access to the code
    • Mike's comment: The code was provided to VA, and VA can likely provide it as open source
    • Cascading OAuth was demonstrated during Patient Choice at HIMSS
    • If the Provider has Patient right of access, they would have access to the system
    • The patient controls what can be accessed
    • A patient that hasn't submitted their consent
    • The Patient Authorization server provides information on provisions and rules to the custodian organization
    • The patient can direct how information flows
    • This authorization server allows the patient to manage all of their providers in one place
    • It is Consumer Centered Data Exchange Connectathon
    • The Authorization server checks the consent, and based on the consent it provides a token
    • The attributes can be detailed
    • The Custodian organization receives the token and puts it back to the OAuth interceptor
    • The resource server collects the data and labels the data (security labeling server)
    • In the final step, the information is provided
    • If the patient's policy inputted for consent directive, the token
    • Aaron reviewed the consent resource using the FHIR Consent Resource
    • Kathleen comment (1): FHIR Consent Resource will have security labels.
    • Mike Davis comment (2)/recommendation to Aaron: In HL7 we have two working groups, Security and CBCC. For implementers, the distinction between Security and Privacy is clear. To avoid confusion we need to keep the separation between privacy and security.
    • The Patient has to provide consent in writing according to law
    • Next Step: Aaron to send Dianna an email to request to do a presentation to CBCC
  • ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
    • Item moved to next week's call
  • FHIR Security call - Cancelled
  • Call Adjourned