This wiki has undergone a migration to Confluence found Here
Difference between revisions of "October 24, 2017 Security Conference Call"
Jump to navigation
Jump to search
(→Agenda) |
(→Agenda) |
||
| Line 57: | Line 57: | ||
| − | + | ==Minutes== | |
| − | Privacy | + | *Kathleen chaired. Agenda approved with deferral of Oct. 17 minutes and no FHIR Security work. |
| − | * | + | *Mike led discussion on "Is Privacy Obsolete" update: |
| − | * | + | *Information has been received on Privacy obsolete |
| + | *Wiki initiated, not updated | ||
* in data collection mode; folks on the call have been sending items | * in data collection mode; folks on the call have been sending items | ||
* a study group started in ISO around (similar type of effort), they are not very far along | * a study group started in ISO around (similar type of effort), they are not very far along | ||
| Line 86: | Line 87: | ||
tose three things will be added as part of the deliverables. | tose three things will be added as part of the deliverables. | ||
| − | + | *Kathleen presented on work with Learning Health Systems (LHS) WG for consent attributes | |
| − | + | * CBCP WG working with ONC eLTSS representatives to develop a model for social services client consenting to program for a certain | |
| − | on | ||
| − | * working with | ||
| − | |||
| − | |||
* David will follow up on LHS | * David will follow up on LHS | ||
| − | * Care Team | + | *Material presented to LHS: |
| − | * | + | * [https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20Provisioning%20for%20LHS.pptx Care Team Provisioning for LHS.pptx Care Team ABAC Provisioning] |
| − | * | + | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20ABAC%20Provisioning%203.xlsx Care Team ABAC Provisioning Table Example] |
| + | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Team%20Healthcare%20Models.pdf Healthcare Team Model Glossary] | ||
** Enabling Patient Trusted Care Teams | ** Enabling Patient Trusted Care Teams | ||
** Spheres of Teamness and Privacy Protective Information Sharing | ** Spheres of Teamness and Privacy Protective Information Sharing | ||
Revision as of 00:33, 25 October 2017
Attendees
| x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
|---|---|---|---|---|---|---|---|---|---|---|
| . | John MoehrkeSecurity Co-chair | x | Kathleen ConnorSecurity Co-chair | x | Alexander Mense Security Co-chair | . | Trish WilliamsSecurity Co-chair | |||
| x | Mike Davis | x | Suzanne Gonzales-Webb | . | David Staggs | x | Christopher Shawn | |||
| . | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | . | Rob Horn | |||
| . | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney | |||
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib | |||
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver | |||
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Gallegos |
Agenda
- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of October 17, 2017 minutes.
- (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
- (10 min) Updates on the PSAF Project- Mike Davis and Chris Shawn
- (10 min) IPO? Enforcing Sharing with Protections via Minimum Necessary per POU - Kathleen Connor
- Care Team Provisioning for LHS.pptx Care Team ABAC Provisioning
- Care Team ABAC Provisioning Table Example
- Healthcare Team Model Glossary
- (20 min)FHIR Accounting of Disclosure profile on AuditEvent Resource - continue work effort. - John Moehrke
- (2 min)FHIR Security Call later? - John Moehrke
Minutes
- Kathleen chaired. Agenda approved with deferral of Oct. 17 minutes and no FHIR Security work.
- Mike led discussion on "Is Privacy Obsolete" update:
- Information has been received on Privacy obsolete
- Wiki initiated, not updated
- in data collection mode; folks on the call have been sending items
- a study group started in ISO around (similar type of effort), they are not very far along
- perhaps we should reach out and see if we can obtain a liaison
- Ann Kevorkian contact--will add to listerve (Mike will add)
- Ann is very well know in PbD, has a WG in OASIS (not very active)
- responded initially vehemently, privacy is not dead but it is being attacked
- let her know that this project is international scoped, EU is doing well but there are other activities
- there is a difference in how security is talking about privacy
- if all your privacy is released (disclosure of privacy) 'its a security problem'
- cannot have privacy unless security is supporting it
- inconsistency should be noted, and discussed
- IoT may have also been in that box (Mike is working with NIST of IoT)--they have 800-53, have come to a closer to where they have before...there is still a separation of security and privacy
- we are using security services, access services to control/protect privacy
- inconsistency should be noted, and discussed
We still need a project scope statement, or white paper our SD wants to have a PSS to cover this task
- in the PMRM call-they brought up the privacy is dead conversation--they see themselves as managing the xx of privacy. the GDPR qualifying for
- john sabo is also bring up SC 27, WG5 in Berlin--why arent' there more references to HL7 in this work? There are no good lists; list is available to ISO members (David can give to Mike)
- NIST pub 800-53
- Kathleen found an article: going forward what we need to be talking about is not protection, but mechanistm for accountability--tracking privacy. MIke is enthusiastic to this approach in relation to SLS, clearances for access the information (and accountability). if meaningful--would be more like GDPR where fines are involved for breach of trust.
PSAF balloting of the updated federated authorization and an update to the S&P DAM to fill someof the gaps found in the Trust Framework--also, a trust FHIR contract model which ould be used to negotiation across enterprises or HIE, to identify POU, etc. where they have a patient consent to tose three things will be added as part of the deliverables.
- Kathleen presented on work with Learning Health Systems (LHS) WG for consent attributes
- CBCP WG working with ONC eLTSS representatives to develop a model for social services client consenting to program for a certain
- David will follow up on LHS
- Material presented to LHS:
- Care Team Provisioning for LHS.pptx Care Team ABAC Provisioning
- Care Team ABAC Provisioning Table Example
- Healthcare Team Model Glossary
- Enabling Patient Trusted Care Teams
- Spheres of Teamness and Privacy Protective Information Sharing
- special compartmentalized information - idea where it goes beyond a clearance level i.e. top secret, you have to have a need/read to the program; have to be briefed ont h eprogram,e tc; after youre done, you need to be out-briefed ont he program as well.
- in the context of DoD SCI is highly controlled--only access in special computers, special environment--for healthcare--I don't believe we are going to that level
- organizational construct, where access is based on your compartment bucket rather than label individually you name everything int he bucket as that... if its the pharmacy pharmacy-access only
- understanding spheres of Teamness and Privacy Protective sharing
- Care Team Structural Roles - examples
- Example of Spheres and Associated Teams
- Care Team Models --> clinician need to know and sharing with protections
- Care Team Type Definitions
