October 24, 2017 Security Conference Call
Latest revision as of 00:34, 25 October 2017
Attendees

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Christopher Shawn |
| . | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney |
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Gallegos |
Agenda
- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of October 17, 2017 minutes.
- (5 min) Is Privacy Obsolete? Study Group wiki page with IPO? listserv link. Update on project - Mike Davis and Chris Shawn
- (10 min) Updates on the PSAF Project - Mike Davis and Chris Shawn
- (10 min) IPO? Enforcing Sharing with Protections via Minimum Necessary per POU - Kathleen Connor
  - [Care Team Provisioning for LHS.pptx (Care Team ABAC Provisioning)](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20Provisioning%20for%20LHS.pptx)
  - [Care Team ABAC Provisioning Table Example](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20ABAC%20Provisioning%203.xlsx)
  - [Healthcare Team Model Glossary](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Team%20Healthcare%20Models.pdf)
- (20 min) FHIR Accounting of Disclosure profile on AuditEvent Resource - continue work effort. - John Moehrke
- (2 min) FHIR Security Call later? - John Moehrke
Minutes
- Kathleen chaired. Agenda approved with deferral of Oct. 17 minutes and no FHIR Security work.
- Mike led discussion on "Is Privacy Obsolete" update:
- Information has been received on "Is Privacy Obsolete"
- Wiki initiated, not updated
- In data collection mode; folks on the call have been sending items
- A study group started in ISO around a similar type of effort; they are not very far along
- Perhaps we should reach out and see if we can obtain a liaison
- Ann Kevorkian contact--will add to listserv (Mike will add)
- Ann is very well known in PbD, has a WG in OASIS (not very active)
- Responded initially vehemently: privacy is not dead, but it is being attacked
- Let her know that this project is internationally scoped; the EU is doing well, but there are other activities
- There is a difference in how security is talking about privacy
- If all your privacy is released (disclosure of privacy), "it's a security problem"
- Cannot have privacy unless security is supporting it
- Inconsistency should be noted and discussed
- IoT may have also been in that box (Mike is working with NIST on IoT)--they have 800-53 and have come closer than before... there is still a separation of security and privacy
- We are using security services and access services to control/protect privacy
- Inconsistency should be noted and discussed
- We still need a project scope statement or white paper; our SD wants to have a PSS to cover this task
- In the PMRM call they brought up the privacy-is-dead conversation--they see themselves as managing the xx of privacy. The GDPR qualifying for
- John Sabo is also bringing up SC 27, WG 5 in Berlin--why aren't there more references to HL7 in this work? There are no good lists; a list is available to ISO members (David can give it to Mike)
- NIST pub 800-53
- Kathleen found an article: going forward, what we need to be talking about is not protection but a mechanism for accountability--tracking privacy. Mike is enthusiastic about this approach in relation to SLS, clearances for access to the information (and accountability). If meaningful, it would be more like GDPR, where fines are involved for breach of trust.
- PSAF: balloting of the updated federated authorization and an update to the S&P DAM to fill some of the gaps found in the Trust Framework; also, a trust FHIR contract model which could be used to negotiate across enterprises or HIEs, to identify POU, etc., where they have a patient consent. Those three things will be added as part of the deliverables.
- Kathleen presented on work with Learning Health Systems (LHS) WG for consent attributes
- CBCP WG working with ONC eLTSS representatives to develop a model for social services client consenting to program for a certain
- David will follow up on LHS
- Material presented to LHS:
  - [Care Team Provisioning for LHS.pptx (Care Team ABAC Provisioning)](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20Provisioning%20for%20LHS.pptx)
  - [Care Team ABAC Provisioning Table Example](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Care%20Team%20ABAC%20Provisioning%203.xlsx)
  - [Healthcare Team Model Glossary](https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Team%20Healthcare%20Models.pdf)
  - Enabling Patient Trusted Care Teams
  - Spheres of Teamness and Privacy Protective Information Sharing
- Special compartmentalized information: the idea goes beyond a clearance level, i.e. top secret; you have to have a need/read to the program; you have to be briefed on the program, etc.; after you're done, you need to be out-briefed on the program as well.
- In the context of DoD, SCI is highly controlled--only access on special computers, in a special environment. For healthcare, I don't believe we are going to that level.
- Organizational construct, where access is based on your compartment bucket rather than labelling individually: you name everything in the bucket as that... if it's the pharmacy, pharmacy access only.
- Understanding Spheres of Teamness and Privacy Protective sharing
- Care Team Structural Roles - examples
- Example of Spheres and Associated Teams
- Care Team Models --> clinician need-to-know and sharing with protections
- Care Team Type Definitions
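The compartment discussion above (a clearance level, a per-program briefing that is withdrawn by an out-brief, and the "pharmacy bucket" idea) combines with the agenda item on minimum necessary per purpose of use into a single access decision. The following is an added illustration of that decision written for these minutes; it is not HL7, VA or DoD code, and the level ordering, compartment names, purpose codes and sample records are constructed for the example.

```python
"""Added illustration of a compartment-style access decision: a hierarchical
clearance check, a compartment (briefing) check that an out-brief withdraws,
and a purpose-of-use check. Example code only, not HL7, VA or DoD policy;
the level ranking, compartment names and sample data are constructed.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple

# Assumed ordering of sensitivity levels (constructed; the letters echo HL7
# confidentiality codes, but this ranking is an assumption of the example).
LEVELS = {"L": 0, "M": 1, "N": 2, "R": 3, "V": 4}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                          # highest level the subject may read
    briefed: FrozenSet[str] = frozenset()   # compartments the subject is read into
    purpose: str = ""                       # purpose of use asserted on this request


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()      # e.g. {"PHARMACY"}
    allowed_purposes: FrozenSet[str] = frozenset()  # empty means any purpose


def brief(subject: Subject, compartment: str) -> Subject:
    """Read a subject into a compartment (returns a new Subject)."""
    return replace(subject, briefed=subject.briefed | {compartment})


def outbrief(subject: Subject, compartment: str) -> Subject:
    """Remove a subject from a compartment once their work on it is done."""
    return replace(subject, briefed=subject.briefed - {compartment})


def decide(subject: Subject, label: Label) -> Tuple[bool, List[str]]:
    """Return (permit, reasons). Every failed test is reported, so a denied
    request can be recorded with its full rationale for accounting purposes."""
    reasons: List[str] = []
    if LEVELS[subject.clearance] < LEVELS[label.level]:
        reasons.append(f"clearance {subject.clearance} below level {label.level}")
    missing = label.compartments - subject.briefed
    if missing:
        reasons.append("not briefed into " + ", ".join(sorted(missing)))
    if label.allowed_purposes and subject.purpose not in label.allowed_purposes:
        reasons.append(f"purpose {subject.purpose or '(none)'} not permitted")
    return (not reasons, reasons)


# Constructed sample: a pharmacy note labelled R, in the PHARMACY compartment,
# releasable only for treatment (TREAT).
PHARMACY_NOTE = Label("R", frozenset({"PHARMACY"}), frozenset({"TREAT"}))


def demo() -> List[Tuple[str, bool]]:
    """Walk one constructed subject through briefing, use and out-briefing."""
    results = []
    nurse = Subject("nurse", clearance="R", purpose="TREAT")
    results.append(("before briefing", decide(nurse, PHARMACY_NOTE)[0]))
    nurse = brief(nurse, "PHARMACY")
    results.append(("after briefing", decide(nurse, PHARMACY_NOTE)[0]))
    results.append(("wrong purpose",
                    decide(replace(nurse, purpose="HMARKT"), PHARMACY_NOTE)[0]))
    results.append(("low clearance",
                    decide(replace(nurse, clearance="N"), PHARMACY_NOTE)[0]))
    nurse = outbrief(nurse, "PHARMACY")
    results.append(("after out-brief", decide(nurse, PHARMACY_NOTE)[0]))
    return results


if __name__ == "__main__":
    for step, permitted in demo():
        print(f"{step:16} -> {'permit' if permitted else 'deny'}")
```

The point the walk-through makes is that clearance alone is not sufficient: the same subject with the same clearance is denied before the briefing and again after the out-brief, and a purpose of use outside the label's allowed set is denied even for a fully briefed subject.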