October 24, 2017 Security Conference Call
Revision as of 19:38, 24 October 2017
Attendees

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | . | David Staggs | x | Christopher Shawn |
| . | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| . | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney |
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Gallegos |
Agenda

- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of October 17, 2017 minutes.
- (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
- (10 min) Updates on the PSAF Project - Mike Davis and Chris Shawn
- (10 min) IPO? Enforcing Sharing with Protections via Minimum Necessary per POU - Kathleen Connor
  - Care Team Provisioning for LHS.pptx Care Team ABAC Provisioning
  - Care Team ABAC Provisioning Table Example
  - Healthcare Team Model Glossary
- (20 min) FHIR Accounting of Disclosure profile on AuditEvent Resource - continue work effort. - John Moehrke
- (2 min) FHIR Security Call later? - John Moehrke
Privacy

- Information has been received on "Is Privacy Obsolete?"
- Wiki initiated, not yet updated
- In data collection mode; folks on the call have been sending items
- A study group has started in ISO around a similar type of effort; they are not very far along
  - Perhaps we should reach out and see if we can obtain a liaison
- Ann Kevorkian contact -- will be added to the listserve (Mike will add)
  - Ann is very well known in PbD and has a WG in OASIS (not very active)
  - She responded initially vehemently: privacy is not dead, but it is being attacked
  - Let her know that this project is internationally scoped; the EU is doing well, but there are other activities
- There is a difference in how security talks about privacy
- If all your privacy is released (disclosure of privacy), "it's a security problem"
- You cannot have privacy unless security is supporting it
  - This inconsistency should be noted and discussed
    - IoT may also have been in that box (Mike is working with NIST on IoT) -- they have 800-53 and have come closer than before, but there is still a separation of security and privacy
  - We are using security services and access services to control/protect privacy
We still need a project scope statement or white paper; our SD wants a PSS to cover this task.

- In the PMRM call they brought up the "privacy is dead" conversation; they see themselves as managing the xx of privacy. The GDPR qualifying for
  - John Sabo is also bringing up SC 27, WG5 in Berlin: why aren't there more references to HL7 in this work? There are no good lists; the list is available to ISO members (David can give it to Mike)
- NIST pub 800-53
- Kathleen found an article: going forward, what we need to be talking about is not protection but a mechanism for accountability -- tracking privacy. Mike is enthusiastic about this approach in relation to SLS, clearances for accessing the information (and accountability). If meaningful, it would be more like GDPR, where fines are involved for breach of trust.
PSAF

Balloting of the updated federated authorization and an update to the S&P DAM to fill some of the gaps found in the Trust Framework; also, a trust FHIR contract model which could be used to negotiate across enterprises or HIEs, to identify POU, etc., where they have a patient consent to. Those three things will be added as part of the deliverables.
Evelyn Gallegos: Care Team Provisioning for LHS

On the Care Team side for provisioning -- enterprises (16:32)

- Working with CDC (?) to develop a model
- Where the client is consenting to a program for a certain
- David will follow up on LHS
- Care Team and Specially Authorized Access PPT <<add link>>
  - Enabling Patient Trusted Care Teams
  - Spheres of Teamness and Privacy Protective Information Sharing
    - Special compartmentalized information: the idea goes beyond a clearance level (i.e. top secret); you have to have a need/read to the program, have to be briefed on the program, etc.; after you're done, you need to be out-briefed on the program as well.
    - In the DoD context SCI is highly controlled -- access only on special computers, in a special environment; for healthcare, I don't believe we are going to that level
    - Organizational construct, where access is based on your compartment "bucket" rather than labeling individually: you name everything in the bucket "as that"... if it's the pharmacy, "pharmacy-access only"
  - Understanding spheres of Teamness and Privacy Protective sharing
  - Care Team Structural Roles - examples
  - Example of Spheres and Associated Teams
  - Care Team Models --> clinician need to know and sharing with protections