September 26, 2017 Security Conference Call

From HL7Wiki
Latest revision as of 22:49, 26 September 2017

Back to Security Main Page

Attendees (x = present, . = absent)

  x John Moehrke, Security Co-chair
  x Kathleen Connor, Security Co-chair
  x Alexander Mense, Security Co-chair
  . Trish Williams, Security Co-chair
  x Mike Davis
  x Suzanne Gonzales-Webb
  x David Staggs
  x Christopher Shawn
  . Mohammed Jafari
  . Beth Pumo
  . Ioana Singureanu
  x Rob Horn
  x Diana Proud-Madruga
  . Serafina Versaggi
  x Joe Lamy
  . Galen Mulrooney
  . Paul Knapp
  . Grahame Grieve
  . Johnathan Coleman
  . Aaron Seib
  . Ken Salyards
  . Christopher D Brown TX
  . Gary Dickinson
  . Dave Silver
  . Oliver Lawless
  . Ken Rubin
  . David Tao
  . Nathan Botts

Agenda

  1. (3 min) Roll Call, Agenda Approval
  2. (10 min) Review and approval of the August 29th and September 5th minutes. Review and approval of the HL7 Sept 2017 WGM San Diego minutes - deferred.
  3. (10 min) Fifth cochair position and candidate - Kathleen: During the WGM cochairs and others discussed the need to have a 5th cochair to cover deep technical issues related to NIST (we were not able to come up with comments for NIST SP 800-53 by deadline), US federal agency FISMA and other regulatory requirements. AU and EU have coverage thanks to Tricia and Alex. John takes care of our FHIR front, and I typically cover agenda prep, weekly chair duties, Policy Advisory Committee, and Harmonization. So we nominated Chris Shawn from the VA to fill the 5th slot for NIST, FISMA, and to help fill in where we are short of meeting chairs because of time zones or day job conflicts. Let's discuss.
  4. (10 min) Review FHIR Security PSS for renewal - John Moehrke
  5. (10 min) #FHIR and Bulk Data Access Proposal (posted on September 20, 2017 by Grahame Grieve)
  6. (10 min) Next version of the Interoperability Standards Advisory - Kathleen. HL7 Policy Advisory Committee [PAC] would like to ask all workgroups to review the ISA for their areas of interest and let the HL7 Policy Advisory Committee know of any suggestions by October 15 at policyinput@lists.hl7.org.
  7. (2 min) FHIR Security call - Call will happen at 5PM ET/2PM PT

Minutes

  • Kathleen chaired. Roll call = 7 at the beginning of the call. Alex Mense joined after voting items were decided.
  • The August 29th and September 5th minutes were reviewed and approved. Suzanne moved, John seconded. Motion approved 6-0-0.
  • Chris Shawn was elected interim cochair after Kathleen provided background about the need for a cochair to help the WG cover the US federal laws and security/privacy standards from NIST, etc. Suzanne moved, Chris seconded. Motion approved 6-0-0.
  • John discussed the need to update the FHIR Security PSS end date to 2020 in order to progress the Security WG's FHIR artifact to maturity. John moved, Suzanne seconded. Motion approved 6-0-0.
  • WG reviewed Grahame Grieve's #FHIR and Bulk Data Access Proposal. We decided to draft a WG comment about privacy and security topics that we think this project needs to address including how to ensure access is authorized per privacy policy and patient consent directives, how to filter based on Security Labels, how to enforce minimum necessary requirements. John and Kathleen to begin drafting the comment for review on October 3rd call.
  • John noted that he plans to hold a FHIR Security call later in the day. He said that there are a couple of CPs he wanted to work on.
  • Mike brought up issues related to legal recourse for data breaches that were raised in response to his request for comment on the challenges he raised in a proposal for a Privacy Study Group. He noted that most of the breach lawsuits are dismissed or settled with credit monitoring as the only mitigation provided to those whose personal information was breached. Kathleen noted a recent federal appeals court ruling that may set a new precedent: Federal Appeals Court Overturns CareFirst Data Breach Ruling (https://healthitsecurity.com/news/federal-appeals-court-overturns-carefirst-data-breach-ruling). Here is a summary of the article: A key concern in the case is the injury-in-fact requirement, the US Court of Appeals for the District of Columbia Circuit said. This is proving whether an injury is “actual or imminent.” [...] “The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” the judges wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.” [...] Article III Standing does not require that a defendant be the most immediate cause of a plaintiffs’ injuries, the ruling noted. Instead, Article III Standing requires only that those injuries be “fairly traceable” to the defendant. “Because we assume, for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,” the judges determined.
  • David Staggs, who is an attorney, explained that most of the breach cases failed because the plaintiff could not establish direct harm under a tort claim. Rob Horn suggested that breach of contract would be a better basis for a breach lawsuit. Mike invited them to contribute to his "Is Privacy Obsolete" study group. Kathleen asked whether the proposed study group is sponsored by CBCC or Security. Mike stated that his intention is for Security WG to sponsor and for CBCC and EHR WGs to co-sponsor it. Since the resulting white paper would not be a balloted item, he thought the development would be more informal.
  • Kathleen noted that a new version of the ONC Interoperability Standards Advisory is open for comment, and that the HL7 PAC will be soliciting WG input through October 15th. Kathleen will review for any security hot topics for next call.
  • Chris Shawn announced that the Is Privacy Obsolete Study Group will stand up a Google site for contributors to edit the paper, and asked interested parties to contact him or Mike to get access to the site. He said he'd made the same announcement to CBCC WG earlier.
  • Call adjourned 5 minutes early.

News and Review Material

2018 Interoperability Standards Advisory (ISA) Update

The Interoperability Standards Advisory (ISA), a catalog of standards and implementation specifications that can be used to fulfill specific interoperability needs in health care, recently underwent some updates, has some new content, and is now more interactive. ONC wants to hear your feedback before the Interoperability Standards Advisory (ISA) reference edition is published later this year. Comments will be accepted until November 20, 2017 at 5:00 pm ET. Learn more by reading the Buzz Blog post, "Only you can improve the 2018 Interoperability Standards Advisory Reference Edition".