October 24, 2017 Security Conference Call

From HL7Wiki

Latest revision as of 00:34, 25 October 2017

Attendees

x  Member Name                          x  Member Name                          x  Member Name                          x  Member Name
.  John Moehrke (Security Co-chair)     x  Kathleen Connor (Security Co-chair)     Alexander Mense (Security Co-chair)  .  Trish Williams (Security Co-chair)
x  Mike Davis                           x  Suzanne Gonzales-Webb                x  David Staggs                         x  Christopher Shawn
.  Mohammed Jafari                      .  Beth Pumo                            .  Ioana Singureanu                     .  Rob Horn
x  Diana Proud-Madruga                  .  Serafina Versaggi                    x  Joe Lamy                             .  Galen Mulrooney
.  Paul Knapp                           .  Grahame Grieve                       .  Johnathan Coleman                    .  Aaron Seib
.  Ken Salyards                         x  [1]                                  .  Gary Dickinson                       .  Dave Silver
.  Oliver Lawless                       .  Ken Rubin                            .  David Tao                            .  Evelyn Gallegos

Agenda

  1. (3 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of October 17, 2017 minutes.
  3. (5 min) Is Privacy Obsolete? Study Group wiki page (http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22) with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
  4. (10 min) Updates on the PSAF Project (http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF) - Mike Davis and Chris Shawn
  5. (10 min) IPO? Enforcing Sharing with Protections via Minimum Necessary per POU - Kathleen Connor
     • Care Team Provisioning for LHS.pptx, Care Team ABAC Provisioning: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20Provisioning%20for%20LHS.pptx
     • Care Team ABAC Provisioning Table Example: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20ABAC%20Provisioning%203.xlsx
     • Healthcare Team Model Glossary: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Team%20Healthcare%20Models.pdf
  6. (20 min) FHIR Accounting of Disclosure profile on AuditEvent Resource - continue work effort - John Moehrke
  7. (2 min) FHIR Security Call later? - John Moehrke


Minutes

  • Kathleen chaired. Agenda approved with deferral of Oct. 17 minutes and no FHIR Security work.
  • Mike led discussion on the "Is Privacy Obsolete" update:
  • Information has been received on "Is Privacy Obsolete"
  • Wiki initiated, not updated
  • In data collection mode; folks on the call have been sending items
  • A study group started in ISO around a similar type of effort; they are not very far along
    • Perhaps we should reach out and see if we can obtain a liaison
  • Ann Kevorkian contact--will add to listserv (Mike will add)
    • Ann is very well known in PbD, has a WG in OASIS (not very active)
    • Responded initially vehemently: privacy is not dead, but it is being attacked
    • Let her know that this project is internationally scoped; the EU is doing well but there are other activities
  • There is a difference in how security talks about privacy
  • If all your privacy is released (disclosure of privacy), "it's a security problem"
  • Cannot have privacy unless security is supporting it
    • Inconsistency should be noted and discussed
      • IoT may have also been in that box (Mike is working with NIST on IoT)--they have 800-53, have come closer to where they were before...there is still a separation of security and privacy
    • We are using security services, access services to control/protect privacy

We still need a project scope statement or white paper; our SD wants to have a PSS to cover this task.

  • In the PMRM call they brought up the "privacy is dead" conversation--they see themselves as managing the xx of privacy. The GDPR qualifying for
    • John Sabo is also bringing up SC 27, WG5 in Berlin--why aren't there more references to HL7 in this work? There are no good lists; a list is available to ISO members (David can give to Mike)
  • NIST pub 800-53
  • Kathleen found an article: going forward, what we need to be talking about is not protection but mechanisms for accountability--tracking privacy. Mike is enthusiastic about this approach in relation to SLS, clearances for access to the information (and accountability). If meaningful, it would be more like GDPR, where fines are involved for breach of trust.

PSAF

Balloting of the updated federated authorization and an update to the S&P DAM to fill some of the gaps found in the Trust Framework--also, a trust FHIR contract model which could be used to negotiate across enterprises or HIEs, to identify POU, etc., where they have a patient consent to

Those three things will be added as part of the deliverables.

  • Kathleen presented on work with the Learning Health Systems (LHS) WG for consent attributes
  • CBCP WG is working with ONC eLTSS representatives to develop a model for a social services client consenting to a program for a certain
  • David will follow up on LHS
  • Material presented to LHS:
  • Care Team Provisioning for LHS.pptx, Care Team ABAC Provisioning: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20Provisioning%20for%20LHS.pptx
  • Care Team ABAC Provisioning Table Example: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20ABAC%20Provisioning%203.xlsx
  • Healthcare Team Model Glossary: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Team%20Healthcare%20Models.pdf
    • Enabling Patient Trusted Care Teams
    • Spheres of Teamness and Privacy Protective Information Sharing
      • Special compartmentalized information - idea where it goes beyond a clearance level, i.e. top secret: you have to have a need/read into the program; have to be briefed on the program, etc.; after you're done, you need to be out-briefed on the program as well.
      • In the context of DoD, SCI is highly controlled--only access in special computers, special environment--for healthcare, I don't believe we are going to that level
      • Organizational construct, where access is based on your compartment bucket rather than labeling individually; you name everything in the bucket as that... if it's the pharmacy, pharmacy-access only
    • Understanding spheres of Teamness and Privacy Protective sharing
    • Care Team Structural Roles - examples
    • Example of Spheres and Associated Teams
    • Care Team Models --> clinician need to know and sharing with protections
    • Care Team Type Definitions
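The compartment-bucket idea from the "Spheres of Teamness" notes above, as an added Python example that is not part of these minutes or of any HL7 artifact: a subject needs both a clearance that dominates the record's level and a current read-in to the record's compartment (the pharmacy bucket here), and out-briefing revokes that access. The level names, compartment names and the brief/out_brief helpers are constructed for illustration.

```python
"""Compartment ("bucket") based access check modelled on the minutes' discussion.
Added example, not HL7 material: level names, compartment names and the
read-in / out-brief workflow are constructed for illustration."""
from dataclasses import dataclass, field

# Ordered sensitivity levels (constructed; the page only names "top secret" as an analogy)
LEVELS = {"normal": 0, "restricted": 1, "very-restricted": 2}


@dataclass
class Subject:
    name: str
    clearance: str
    compartments: set = field(default_factory=set)  # programs the subject is read into


@dataclass
class Resource:
    label: str               # sensitivity level of the record
    compartments: frozenset  # the bucket(s) the record lives in, e.g. {"pharmacy"}


def brief(subject: Subject, compartment: str) -> None:
    """Read the subject into a program (the in-brief from the minutes)."""
    subject.compartments.add(compartment)


def out_brief(subject: Subject, compartment: str) -> None:
    """Remove the subject from a program when their need-to-know ends."""
    subject.compartments.discard(compartment)


def may_read(subject: Subject, resource: Resource) -> bool:
    """Simple-security check with categories: the clearance must dominate the
    label AND every compartment on the record must be one the subject is
    currently read into. A high clearance alone never opens a bucket."""
    if LEVELS[subject.clearance] < LEVELS[resource.label]:
        return False
    return resource.compartments <= subject.compartments


def demo() -> list:
    """Walk one subject through the read-in / out-brief lifecycle."""
    rx = Resource("restricted", frozenset({"pharmacy"}))
    note = Resource("normal", frozenset())          # uncompartmented record
    alice = Subject("alice", "very-restricted")
    results = [may_read(alice, rx)]                 # clearance alone: denied
    brief(alice, "pharmacy")
    results.append(may_read(alice, rx))             # read in: allowed
    out_brief(alice, "pharmacy")
    results.append(may_read(alice, rx))             # out-briefed: denied again
    results.append(may_read(alice, note))           # level check only: allowed
    return results
```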