This wiki has undergone a migration to Confluence found Here
Difference between revisions of "October 17, 2017 Security Conference Call"
Jump to navigation
Jump to search
ChrisShawn (talk | contribs) |
|||
(One intermediate revision by one other user not shown) | |||
Line 6: | Line 6: | ||
!x||'''Member Name'''|| !! x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name''' | !x||'''Member Name'''|| !! x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name''' | ||
|- | |- | ||
− | || | + | || .|| [mailto:JohnMoerke@gmail.com John Moehrke]Security Co-chair |
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair | ||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair | ||
||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair | ||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair | ||
Line 91: | Line 91: | ||
=='''Minutes'''== | =='''Minutes'''== | ||
+ | |||
+ | Agenda: no additions/changes | ||
+ | ‘’’Minutes: October 3, and 10th , 2017’’’ | ||
+ | * 10th – Kathleen/Suzanne Motion to approve | ||
+ | ** Objections: none; Abstentions: none; approve 8 | ||
+ | * 3rd – not yet complete | ||
+ | |||
+ | ‘’’Privacy Study Group’’’ | ||
+ | Is Privacy Obsolete? | ||
+ | *Comments are being received on the list—comments are being cataloged | ||
+ | * WG4 (ISO) is planning for a project would be P&S for the internet of things. | ||
+ | **Mike is part of the US TAG | ||
+ | **Ann Kevorkian – Privacy by Design created in OASIS | ||
+ | * Conversation on ‘privacy is dead’ – which Ann did not agree | ||
+ | * Cited GDPR; and suggested that privacy is not dead, but seriously challenged | ||
+ | ** Within NIST privacy | ||
+ | Privacy is about your choice—no concept where we see security services as enforcing privacy; there is no concept of privacy enforcement relying on security services… or that privacy is managed by security—where security fails, privacy also suffers. | ||
+ | * Mike is surprised by ISO on this now being a security issue. | ||
+ | * We need to look at the situations in US, CAN, EU and non-EU as well and take the opinions, viewpoints from each of these areas—belief is country specific is defined by law and will change from country to country—wherein we cannot develop sweeping … | ||
+ | ** David—they were saying there was no such thing as privacy; suggested to changing verbiage to ‘’data protection by design’’ (instead of privacy by design) | ||
+ | * Mike; there’re kind of like in HITSP days wondering why they were in the same room as privacy; HL7 is remarkably mature—expecting the rest of the world to also gone with though us; there is a view point (rest of world) where they have been uninformed in our work; joint information model, etc. it’s not part of their thinking and an obstacle in dialogue. (16:00) | ||
+ | ** conversation will be added to the HL7 listserv thread | ||
+ | |||
+ | Kathleen | ||
+ | In a FHIR audit event, there is a place to add text inhuman readable terms to read what the resource is about: FHIR Security CR 14028 | ||
+ | * Accounting of disclosure; it wouldn’t be structured in the text but other parts of Accounting of Disclosure on audit event would e | ||
+ | Per Mike: regarding fields: | ||
+ | * WHO ‘organization or person—in US, we may ask for both | ||
+ | * Determine if mandatory or optional fields (recommend making everything optional and make law require… | ||
+ | * Patient readable format—cite patient friendly format document in hl7 | ||
+ | * Kathleen; will take into consideration and update as this is the first draft. | ||
+ | |||
+ | For the 2017 we had extensive comments | ||
+ | * There was good acceptance of the points that were made (table) | ||
+ | * <<Add table link>> | ||
+ | # | ||
+ | # Addition of ADT; security labels should be included | ||
+ | #* Security labeling has been added to several other sections (33:12) | ||
+ | #* Section called vocabulary—move the HCS to that section and not keep in the reference section—point out that this is the vocabulary to be used in security labeling | ||
+ | * Also to terminology add SAMHSA vocabulary in ‘VSAC’ (confirm) | ||
+ | ** No other comments, additions | ||
+ | ** Move to add comments as described to submit as a draft tomorrow to ___ | ||
+ | ** Comments as is (Kathleen/Suzanne) | ||
+ | *** Objections: 0, abstentions: none; approve: 9 | ||
+ | |||
+ | * October 31, Kathleen and Suzanne will be out-of-office | ||
+ | * No other discussion items | ||
+ | |||
+ | Motion to adjourn: Kathleen/Suzanne at 12:49 Pacific time |
Latest revision as of 20:05, 31 October 2017
Contents
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
---|---|---|---|---|---|---|---|---|---|---|
. | John MoehrkeSecurity Co-chair | x | Kathleen ConnorSecurity Co-chair | x | Alexander Mense Security Co-chair | . | Trish WilliamsSecurity Co-chair | |||
. | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Christopher Shawn | |||
. | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn | |||
x | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney | |||
. | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib | |||
. | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver | |||
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |
Agenda
- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of October 3, 2017 Minutesand October 10, 2017 minutes.
- (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
- (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
- (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
- (15 min) FHIR Security call - John is at IHE so no call this afternoon. Kathleen to review draft CR 14028 for Accounting of Disclosure using FHIR AuditEvent.
Meeting Materials
FHIR Security CR 14028
- Accounting of Disclousres
- Specific example of a Privacy report that is HIPAA specific, but the concept is applicable in similar forms
- There is some POLICY that drives a subset of all Access/Use/Disclosures to be explained to the patient.
- Who, What, Where, When, Reason, Purpose
- Produces some form of report to be delivered to the patient to explain all the disclosures
- Unlikely to be a structured report, but the structured report could be CSV (or AuditEvent)
- Other regulatory examples: Access Log (all accesses regardless of if they qualified under TPO)
- Would capture all potential disclosures in the AuditEvent audit log, and filter to select the reportable disclosures
- Leverage AuditEvent database. Other audit log data may additionally be added but are outside the scope of FHIR.
- Focus only on Accounting of Disclosures where the disclosure is detected and recorded using an electronic reporting sytem (Not including disclosues undetected or unknown)
- Would include paper/fax/mail disclosures provided there is some supervisory system that detects the export
- Would not include paper/fax/mail disclosures that happen outside of a workflow managed or detected by technology
- HOW
- Given that AuditEvent includes comprehensive evidence of all access/use/disclosure, then:
- Filtering of the whole AuditEvent may be complex, and would change as regulations change and as workflow patterns change.
- Filter on all AuditEvents where the Patient of interest is the subject/patient element (See patient compartment)
- Workflows may operate on patient data indirectly and thus would not be detected as having touched the patient
- Some resources don't contain a patient/subject element, but are linked to the patient/subject through another object (need explicit example?)
- Some:
- Of all the events returned from a subject search
- Filter out those events that don't need to be included in the Accounting of Disclosures
- Condense multiple events on the same Disclosure event (many audit log entries will happen that are all related to one session)
- Summarize each Disclosure detected
- Who --
- When --
- Why -- (OAuth purposeOfUse?)
- What ??? Can we leverage the <any> Resource.text element to explain 'what' data was disclosed?
- AuditEvent.text -- This field may be useful on some types of audit event recording
- De-Duplicate similar events into some description of a number of Disclosures over a period of time
- a PDF can be created with the details from this analysis or possibly a structured/coded form
- REFERENCES
- http://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html From <http://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures>
- HITECH AoD From <http://www.hipaasurvivalguide.com/hitech-act-13405.php>
Minutes
Agenda: no additions/changes ‘’’Minutes: October 3, and 10th , 2017’’’
- 10th – Kathleen/Suzanne Motion to approve
- Objections: none; Abstentions: none; approve 8
- 3rd – not yet complete
‘’’Privacy Study Group’’’ Is Privacy Obsolete?
- Comments are being received on the list—comments are being cataloged
- WG4 (ISO) is planning for a project would be P&S for the internet of things.
- Mike is part of the US TAG
- Ann Kevorkian – Privacy by Design created in OASIS
- Conversation on ‘privacy is dead’ – which Ann did not agree
- Cited GDPR; and suggested that privacy is not dead, but seriously challenged
- Within NIST privacy
Privacy is about your choice—no concept where we see security services as enforcing privacy; there is no concept of privacy enforcement relying on security services… or that privacy is managed by security—where security fails, privacy also suffers.
- Mike is surprised by ISO on this now being a security issue.
- We need to look at the situations in US, CAN, EU and non-EU as well and take the opinions, viewpoints from each of these areas—belief is country specific is defined by law and will change from country to country—wherein we cannot develop sweeping …
- David—they were saying there was no such thing as privacy; suggested to changing verbiage to ‘’data protection by design’’ (instead of privacy by design)
- Mike; there’re kind of like in HITSP days wondering why they were in the same room as privacy; HL7 is remarkably mature—expecting the rest of the world to also gone with though us; there is a view point (rest of world) where they have been uninformed in our work; joint information model, etc. it’s not part of their thinking and an obstacle in dialogue. (16:00)
- conversation will be added to the HL7 listserv thread
Kathleen In a FHIR audit event, there is a place to add text inhuman readable terms to read what the resource is about: FHIR Security CR 14028
- Accounting of disclosure; it wouldn’t be structured in the text but other parts of Accounting of Disclosure on audit event would e
Per Mike: regarding fields:
- WHO ‘organization or person—in US, we may ask for both
- Determine if mandatory or optional fields (recommend making everything optional and make law require…
- Patient readable format—cite patient friendly format document in hl7
- Kathleen; will take into consideration and update as this is the first draft.
For the 2017 we had extensive comments
- There was good acceptance of the points that were made (table)
- <<Add table link>>
- Addition of ADT; security labels should be included
- Security labeling has been added to several other sections (33:12)
- Section called vocabulary—move the HCS to that section and not keep in the reference section—point out that this is the vocabulary to be used in security labeling
- Also to terminology add SAMHSA vocabulary in ‘VSAC’ (confirm)
- No other comments, additions
- Move to add comments as described to submit as a draft tomorrow to ___
- Comments as is (Kathleen/Suzanne)
- Objections: 0, abstentions: none; approve: 9
- October 31, Kathleen and Suzanne will be out-of-office
- No other discussion items
Motion to adjourn: Kathleen/Suzanne at 12:49 Pacific time