This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "December 12, 2017 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
 
(9 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name'''  
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name'''  
 
|-
 
|-
||  .|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
+
||  x|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
 
||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
 
||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams] Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams] Security Co-chair
|-
+
|-.
||  x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
+
||  || [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
 
||||x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
Line 25: Line 25:
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
||||x|| [mailto:glinden@lindentechadvisiors.com Greg Linden]
+
||||.|| [mailto:glinden@lindentechadvisiors.com Greg Linden]
 
|-
 
|-
 
||  .|| [mailto:pknapp@pknapp.com Paul Knapp]
 
||  .|| [mailto:pknapp@pknapp.com Paul Knapp]
Line 47: Line 47:
 
=='''Agenda'''==
 
=='''Agenda'''==
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
#''(3 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=December_05,_2017_Security_Conference_Call December 5, 2017 minutes]'''
+
#''(3 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=December_5,_2017_Security_Conference_Call December 12, 2017 minutes]'''
#''(25 min)'' Next week - '''Using Biometrics for Patient Matching''' - Healthcare Privacy and Security Considerations. Discussion with Privacy Attorney Expert, Devon Connor-Green.
+
#''(30 min)'' Next week - '''[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Bio%20tech%20privacy%20HL7%20WG%20Final.pptx Using Biometrics for Patient Matching]''' - Healthcare Privacy and Security Considerations. Discussion with Privacy Attorney Expert, Devon Connor-Green.
#''(10 min)'' '''Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient.''' - Draft storyboard and flows - Kathleen and Mohammad
+
#''(5 min)'' '''Update on progress of Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient.''' [https://gforge.hl7.org/gf/project/security/docman/Security%20FHIR/Cascading%20OAuth/CCDE%20Jan%202018/HL7%20January%20FHIR%20Connectathon%20CCDE%20Track%20On%20Behalf%20Of%20Scenario%20Sequence%20Diagram%20and%20Walk%20Through.docx Jan 2018 FHIR Connectathon CCDE Sequence Diagram and Walk-through] - Kathleen and Mohammad
 
#''(5 min)'' '''PSAF call report out on [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/Domain%20Model%20Description%20V2.doc/ HL7 Security and Privacy Domain Model] - Mike Davis and Chris Shawn  
 
#''(5 min)'' '''PSAF call report out on [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/Domain%20Model%20Description%20V2.doc/ HL7 Security and Privacy Domain Model] - Mike Davis and Chris Shawn  
 
#''(5 min)'' '''[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22 Is Privacy Obsolete? Study Group wiki page'''] has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
 
#''(5 min)'' '''[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22 Is Privacy Obsolete? Study Group wiki page'''] has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
Line 55: Line 55:
 
#''(5 min)'' '''FHIR Security update''' Call later? - John Moehrke
 
#''(5 min)'' '''FHIR Security update''' Call later? - John Moehrke
  
==Meeting Materials==
 
*[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22&action=edit&section=6 "Is Privacy Obsolete" Study Group Page"]
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/References.docx  Breaches References]
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Breaches%20v2.xlsx Breaches Spreadsheet]
 
 
==Minutes==
 
==Minutes==
*Chris Shawn chaired.  
+
*Alex chaired.  
*Agenda informally approved.
+
*Agenda approved. Kathleen moved, Mike seconded. 8-0-0
*Minutes from December 5th reviewed. Minute Approval: XX moved; XX seconded. Approved:  
+
*Minutes from December 5th reviewed. Minute Approval: Mike moved; Kathleen seconded. Approved: 6-0-2.
*RE: '''Using Biometrics for Patient Matching''' - Healthcare Privacy and Security Consierations. Devon Connor-Green....
+
*RE: '''Using Biometrics for Patient Matching''' - Healthcare Privacy and Security Consierations. Devon Connor-Green gave a thorough presentation on current state of biometric application and cloud services generally and in healthcare specifically. Covered the technology and privacy issues including US state laws and GDRP. Gave several US healthcare applications including patient authentication and patient matching, and provided stats on cost saving potential for automated over manual correction of duplicate or uncertain patient matches. Provided insight into privacy and security risks, HIPAA questions related to whether even algorithically transformed biometrics are considered de-identified under HIPAA Privacy rule. Provided potential security and privacy controls that could mitigate risks.
*RE: '''Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient.''' - Kathleen and Mohammad presented updates to the CCDE scenario and discussions with participants...
+
*RE: '''Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient.''' - Kathleen gave a quick update on current efforts to address privacy issues related to letting Apps have access to all Resource Servers that contain a patient's records.
*RE: '''PSAF call report out''' - Mike reported....  
+
*RE: '''PSAF call report out''' - Mike reported on earlier call for PSAF and with CBCP regarding preparations for May 2018 ballot. Plans are to do indepth discussion of DAM updates on CBCP calls.
*RE: Updates to '''[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22 Is Privacy Obsolete? Study Group wiki page'''] - Mike....
+
*RE: Updates to '''[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22 Is Privacy Obsolete? Study Group wiki page'''] - Mike discussed his research and analysis of recent breaches especially in US, e.g., the OPM breach, and the court findings to date.
*RE GOM Change vote
+
*RE GOM Change vote - Kathleen asked that the WG confirm a changed recommendation to support the revision to required deviations from standard Decision Making Practice to be sent through TSC as this may be more efficient given regular updates to the DMP standards to which all WGs must resubmit their changes, even if only adopting new update.  WG agreed to modification of previous comments. Kathleen to submit to HQ on WG's behalf.
*RE: FHIR Security call report out - John
+
*RE: FHIR Security call report out - John wants to know who will attend in order to decide whether to hold the call since most CRs for the upcoming For Comment ballot have been resolved. Kathleen to let him know.
 +
*Meeting adjourned.
  
 
==Meeting Materials==
 
==Meeting Materials==
Line 78: Line 75:
 
* Vote to approve  WI1709005 Electronic voting for WG co-chair elections - Implementation of electronic voting for WG co-chair elections piloted at September WGM  
 
* Vote to approve  WI1709005 Electronic voting for WG co-chair elections - Implementation of electronic voting for WG co-chair elections piloted at September WGM  
 
* Vote to approve WI1709006 Revise Contract Work process - Implementation of revisions to Contract Work process prepared by EC task force.
 
* Vote to approve WI1709006 Revise Contract Work process - Implementation of revisions to Contract Work process prepared by EC task force.
 +
==Updates to Is Privacy Obsolete Study Group Wiki==
 +
*[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22&action=edit&section=6 "Is Privacy Obsolete" Study Group Page"]
 +
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/References.docx  Breaches References]
 +
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/Breaches%20v2.xlsx Breaches Spreadsheet]

Latest revision as of 20:05, 19 December 2017

Back to Security Main Page

Attendees

x Member Name x Member Name x Member Name x Member Name
x John Moehrke Security Co-chair x Kathleen Connor Security Co-chair x Alexander Mense Security Co-chair . Trish Williams Security Co-chair
Christopher Shawn Security Co-chair x Suzanne Gonzales-Webb x Mike Davis x David Staggs
. Mohammed Jafari . Beth Pumo . Ioana Singureanu . Rob Horn
x Diana Proud-Madruga . Serafina Versaggi x Joe Lamy . Greg Linden
. Paul Knapp . Grahame Grieve . Johnathan Coleman . Aaron Seib
. Ken Salyards . Jim Kretz . Gary Dickinson x Dave Silver
. Oliver Lawless . Lisa Nelson . David Tao . Nathan Botts

Back to Security Main Page

Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (3 min) Review and Approval of December 12, 2017 minutes
  3. (30 min) Next week - Using Biometrics for Patient Matching - Healthcare Privacy and Security Considerations. Discussion with Privacy Attorney Expert, Devon Connor-Green.
  4. (5 min) Update on progress of Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient. Jan 2018 FHIR Connectathon CCDE Sequence Diagram and Walk-through - Kathleen and Mohammad
  5. (5 min) PSAF call report out on HL7 Security and Privacy Domain Model - Mike Davis and Chris Shawn
  6. (5 min) Is Privacy Obsolete? Study Group wiki page has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
  7. (5 min) GOM Change vote
  8. (5 min) FHIR Security update Call later? - John Moehrke

Minutes

  • Alex chaired.
  • Agenda approved. Kathleen moved, Mike seconded. 8-0-0
  • Minutes from December 5th reviewed. Minute Approval: Mike moved; Kathleen seconded. Approved: 6-0-2.
  • RE: Using Biometrics for Patient Matching - Healthcare Privacy and Security Consierations. Devon Connor-Green gave a thorough presentation on current state of biometric application and cloud services generally and in healthcare specifically. Covered the technology and privacy issues including US state laws and GDRP. Gave several US healthcare applications including patient authentication and patient matching, and provided stats on cost saving potential for automated over manual correction of duplicate or uncertain patient matches. Provided insight into privacy and security risks, HIPAA questions related to whether even algorithically transformed biometrics are considered de-identified under HIPAA Privacy rule. Provided potential security and privacy controls that could mitigate risks.
  • RE: Consumer Centered Data Exchange Connectathon scenario with Cascading Authorized App acting "on behalf of" a patient. - Kathleen gave a quick update on current efforts to address privacy issues related to letting Apps have access to all Resource Servers that contain a patient's records.
  • RE: PSAF call report out - Mike reported on earlier call for PSAF and with CBCP regarding preparations for May 2018 ballot. Plans are to do indepth discussion of DAM updates on CBCP calls.
  • RE: Updates to Is Privacy Obsolete? Study Group wiki page - Mike discussed his research and analysis of recent breaches especially in US, e.g., the OPM breach, and the court findings to date.
  • RE GOM Change vote - Kathleen asked that the WG confirm a changed recommendation to support the revision to required deviations from standard Decision Making Practice to be sent through TSC as this may be more efficient given regular updates to the DMP standards to which all WGs must resubmit their changes, even if only adopting new update. WG agreed to modification of previous comments. Kathleen to submit to HQ on WG's behalf.
  • RE: FHIR Security call report out - John wants to know who will attend in order to decide whether to hold the call since most CRs for the upcoming For Comment ballot have been resolved. Kathleen to let him know.
  • Meeting adjourned.

Meeting Materials

RE GOM Change vote recommendations:

  • Changed Recommendation - Vote to approve WI1709004 Variations from standard DMP - Proposal to stipulate that deviations from the standard/common DMP shall be approved by the TSC. During FM discussion, Mary Kay and Andy Stechishin pointed out that whenever a WG’s DMP changes, they have to be approved by the WG’s Steering Division. So whenever the standard DMP has been updated, all the WGs have to make changes to their DMPs, and have them approved. The proposed change would eliminate the need for WGs who simply adopt the current standard DMPs to have them approved. Only those WGs whose DMPs vary from an update to the standard DMP would need approval by TSC, rather than their Steering Divisions, going forward. This would lower administrative overhead.
  • Vote negative on WI1709002 Non-member participation in User Groups - Implementation of EC decision to limit non-member participation to one-year. Need rationale for what appears to be a barrier to participation. Note, this pertains to User Groups, not Work Groups.
  • Vote to approve WI1709003 Revise resolution of motions by email - Proposal from the CTO to allow submission of email vote on electronic motion (§06.06) to either the list or directly to the Secretary.
  • Vote to approve WI1709004 Variations from standard DMP - Proposal to stipulate that deviations from the standard/common DMP shall be approved by the TSC.
  • Vote to approve WI1709005 Electronic voting for WG co-chair elections - Implementation of electronic voting for WG co-chair elections piloted at September WGM
  • Vote to approve WI1709006 Revise Contract Work process - Implementation of revisions to Contract Work process prepared by EC task force.

Updates to Is Privacy Obsolete Study Group Wiki