Difference between revisions of "HL7 FHIR Security 2018-04-03"
Revision comparison: both revisions are by JohnMoehrke (talk | contribs); the earlier edit is marked (→Agenda), and one intermediate revision by the same user is not shown. The later revision touches two regions of the page. At Line 19 it updates the attendance table: the rows for Johnathan Coleman, Chris Shawn and Mike Davis are rewritten, and an 'x' is added for Diana Proud-Madruga, Joe Lamy, Beth Pumo, Matt Blackman and Peter Bachman. At Line 76 it adds the whole Minutes section. Both regions appear in full in the latest revision below.
Latest revision as of 22:22, 3 April 2018
Call Logistics
Weekly: Tuesday at 02:00 EST
- Web conference (desktop and VOIP): https://www.freeconferencecall.com/join/security36
- Online Meeting ID: security36
- Phone: +1 515-604-9567, Participant Code: 880898
- Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Attendees
|   | Member Name |   | Member Name |   | Member Name |
|---|---|---|---|---|---|
| x | John Moehrke Security Co-Chair | x | Kathleen Connor Security Co-Chair | . | Alexander Mense Security Co-chair |
| x | Suzanne Gonzales-Webb CBCC Co-Chair | . | Johnathan Coleman CBCC co-chair | x | Chris Shawn Security co-chair |
| x | Ali Massihi | . | Mike Davis | x | Nathan Botts Mobile co-chair |
| x | Diana Proud-Madruga | x | Joe Lamy AEGIS | x | Beth Pumo |
| . | Irina Connelly | x | Matt Blackman Sequoia | . | Mark Underwood NIST |
| x | Peter Bachman | . | Grahame Grieve FHIR Program Director | x | Kevin Shekleton (Cerner, CDS Hooks) |
| x | Luis Maas EMR Direct | x | Dave Silver | x | Francisco Jauregui |
Agenda
- Roll
- Approval of agenda
- Approval of HL7 FHIR Security 2018-03-20 and HL7 FHIR Security 2018-03-27 minutes
- Announcements
  - Note the new time: 2:00 Eastern Time every Tuesday (just prior to the full Security WG meeting)
  - Created a new Zulip stream for Security and Privacy discussions: specification development and implementation.
  - Grahame created a new stream for Patient Empowerment: discussions about empowering patients, with a focus on deployment and advocacy.
  - Proposed FHIR Connectathon track for Cologne: GDPR
    - Alex has agreed to be a SME. John to support.
    - Rene has agreed to help out.
    - http://wiki.hl7.org/index.php?title=201805_GDPR
  - Blockchain FHIR Connectathon
    - Grahame is trying to find a community wanting to 'play' with blockchain. He is willing to stand up the infrastructure.
    - See the blockchain Zulip stream: https://chat.fhir.org/#narrow/stream/blockchain
- Johnathan: specific guidance from an ONC paper that might guide improvements to the FHIR security guidance
  - Johnathan confirms he can attend
  - Key Privacy and Security Considerations for Healthcare Application Programming Interfaces (APIs)
- All open security tracker items: http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
  - Improvement beyond SMART scopes
  - Patient-directed backend communication
  - OAuth app registration
  - Certificate management
- New business
Minutes
- John chaired.
- Minutes approved: Kathleen Connor / Nathan Botts: unanimous.
- Announcements given.
- Note: the previous new items have a dedicated thread in the Zulip Security and Privacy stream.
- Focus on the ONC white paper.
- Motion: JC/KC - Where secure HTTP communications are needed, include TLS 1.2 or higher as best practice in the specification, and consider it as a candidate for being a requirement.
  - Modify the first sentence of the second paragraph: "TLS 1.2 or higher SHOULD be used for all production data exchange, and disable support for lower versions of TLS."
  - After the paragraph, add: "When using TLS use with strong cipher suites (e.g., AES)."
  - References: SMART-on-FHIR, NIST SP 800-52, IETF RFC xxxx on HTTP ......
  - Action: Matt will provide the references used in Sequoia.
- New Work
  - Input Validation
    - ACTION: John - find the current spec text on Input Validation and see whether it captures the security need. If so, add a pointer to it from the security page; if not, we need to build text.
    - ONC: Ensure that the API cannot be manipulated to unintentionally expose health information or system vulnerability information.
    - Add to the top-level security punch list: "Disable any messages that may have been used for debugging or error trapping purposes in a development environment to limit the exposure of information that may make an EHR vulnerable to attack."
  - Continuous security testing and remediation
    - Use off-the-shelf and open-source tools to simulate attacks, inspect code, and otherwise probe for vulnerabilities, and remediate those vulnerabilities following a risk-management methodology.
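The TLS motion above states the policy (TLS 1.2 or higher, lower versions disabled, strong cipher suites) but not how a server enforces or audits it. The following is an added example written for this page, not text or code from the HL7 minutes or the FHIR specification: a Python `ssl` server context restricted to TLS 1.2 and higher with an ECDHE plus AES-GCM cipher list, and a check that classifies a negotiated version and cipher pair against the same policy. Limiting "strong" to forward-secret AEAD suites is this example's interpretation; the minutes say only "strong cipher suites (e.g., AES)". The function names, token lists and sample handshakes are constructed for the example.

```python
"""Added example (not part of the HL7 minutes or the FHIR spec): enforce
'TLS 1.2 or higher, strong cipher suites' on a Python ssl server context and
check negotiated parameters against the same policy."""
import ssl

# Policy constants chosen for this example. The minutes require TLS 1.2+ and
# 'strong cipher suites (e.g., AES)'; restricting TLS 1.2 suites to ECDHE +
# AES-GCM (forward secrecy, AEAD) is this example's reading of 'strong'.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
CIPHER_LIST = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"   # OpenSSL cipher-list syntax
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}          # as SSLSocket.version() reports them
WEAK_TOKENS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT", "ADH", "AECDH")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")


def hardened_server_context() -> ssl.SSLContext:
    """Server context implementing the motion. minimum_version disables SSLv3,
    TLS 1.0 and TLS 1.1; set_ciphers limits the TLS 1.2 suites offered.
    TLS 1.3 suites are governed separately by OpenSSL and are all AEAD."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHER_LIST)
    return ctx


def cipher_is_strong(cipher_name: str) -> bool:
    """True for an AEAD suite whose name carries no weak or anonymous component.
    Note that 'contains AES' is not enough: AES-CBC suites with HMAC-SHA1 fail."""
    upper = cipher_name.upper()
    if any(tok in upper for tok in WEAK_TOKENS):
        return False
    return any(tok in upper for tok in AEAD_TOKENS)


def check_negotiated(version: str, cipher_name: str) -> str:
    """Classify a negotiated (version, cipher) pair, e.g. sock.version() and
    sock.cipher()[0], as 'ok' or a 'reject: ...' reason."""
    if version not in ALLOWED_VERSIONS:
        return f"reject: protocol {version} below TLS 1.2"
    if not cipher_is_strong(cipher_name):
        return f"reject: weak cipher suite {cipher_name}"
    return "ok"


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Audit a context: minimum version at least TLS 1.2 (MINIMUM_SUPPORTED is a
    negative enum value, so it fails this test) and every enabled suite strong."""
    if ctx.minimum_version < MIN_VERSION:
        return False
    return all(c["protocol"] in ALLOWED_VERSIONS and cipher_is_strong(c["name"])
               for c in ctx.get_ciphers())


# Constructed negotiated parameters, in the form a scanner or the server's
# own connection log would record them.
SAMPLE_HANDSHAKES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES128-SHA"),         # AES, but CBC + HMAC-SHA1: not AEAD
    ("TLSv1.1", "ECDHE-RSA-AES128-GCM-SHA256"),  # strong suite, protocol too old
    ("TLSv1.2", "ECDHE-RSA-RC4-SHA"),
]


def audit_samples(samples=SAMPLE_HANDSHAKES) -> dict:
    """Map each sample handshake to its verdict."""
    return {f"{v} {c}": check_negotiated(v, c) for v, c in samples}


if __name__ == "__main__":
    print("context ok:", context_meets_policy(hardened_server_context()))
    for k, v in audit_samples().items():
        print(f"{k}: {v}")
```

The third sample is the caveat a reviewer would raise against the proposed wording: "e.g., AES" names a cipher, not a cipher suite, and ECDHE-RSA-AES128-SHA uses AES yet is a CBC suite with HMAC-SHA1. Expressing the requirement as AEAD suites (GCM, CCM, ChaCha20-Poly1305) over an ECDHE key exchange, as NIST SP 800-52 does, is what the check above enforces.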
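The Input Validation item, the ONC point about not exposing system vulnerability information, and the punch-list text on disabling debug messages all describe the same boundary: what a FHIR API accepts from a client and what it tells the client when something goes wrong. The following added example, written for this page and not code from the HL7 minutes or from any FHIR server, shows both sides in a Python handler for a FHIR read (GET [base]/{type}/{id}): the path segments are checked against the FHIR `id` datatype pattern and an allow-list of resource types before any storage access, and an unexpected exception produces a generic OperationOutcome unless a debug flag, the thing to leave off in production, is set. The store, the resource-type list, the failing backend and its error text are constructed for the example.

```python
"""Added example (not part of the HL7 minutes): input validation and error
hygiene for a FHIR read endpoint. Helper names and the in-memory store are
hypothetical; the id pattern is the FHIR 'id' datatype, [A-Za-z0-9\\-\\.]{1,64}."""
import re
import traceback

# FHIR 'id' datatype: 1 to 64 characters from letters, digits, '-' and '.'.
FHIR_ID = re.compile(r"[A-Za-z0-9\-\.]{1,64}")
# Constructed allow-list standing in for the server's CapabilityStatement.
SUPPORTED_TYPES = frozenset({"Patient", "Observation", "Encounter"})

# Constructed sample data keyed by (resourceType, id).
SAMPLE_STORE = {("Patient", "p1"): {"resourceType": "Patient", "id": "p1"}}


class FailingStore(dict):
    """Constructed stand-in for a backend that fails with internal detail
    (hostname, port, product version) that must never reach the API client."""
    def __getitem__(self, key):
        raise RuntimeError("connection to db01.internal:5432 refused (PostgreSQL 11.2)")


def validate_read_path(resource_type: str, logical_id: str) -> list:
    """Return validation problems for the path segments; an empty list means OK.
    Rejecting unknown types and non-FHIR ids before any storage call shuts out
    traversal ('../'), quote/injection payloads, wildcards and oversize ids."""
    problems = []
    if resource_type not in SUPPORTED_TYPES:
        problems.append("unsupported resource type")
    if not FHIR_ID.fullmatch(logical_id):
        problems.append("malformed logical id")
    return problems


def outcome(code: str, diagnostics: str) -> dict:
    """Minimal FHIR OperationOutcome carrying a single issue."""
    return {"resourceType": "OperationOutcome",
            "issue": [{"severity": "error", "code": code, "diagnostics": diagnostics}]}


def error_outcome(exc: Exception, *, debug: bool) -> dict:
    """debug=True is the development behaviour the ONC guidance says to turn
    off: exception text and stack trace are sent to the client. debug=False
    sends a fixed message; the detail belongs in the server log only."""
    if debug:
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return outcome("exception", f"{type(exc).__name__}: {exc}\n{detail}")
    return outcome("exception", "Internal server error")


def handle_read(resource_type: str, logical_id: str, store, *, debug: bool = False):
    """Return (http_status, body) for a FHIR read against `store`."""
    problems = validate_read_path(resource_type, logical_id)
    if problems:
        return 400, {"resourceType": "OperationOutcome",
                     "issue": [{"severity": "error", "code": "invalid", "diagnostics": p}
                               for p in problems]}
    try:
        resource = store[(resource_type, logical_id)]
    except KeyError:
        return 404, outcome("not-found", "Resource not found")
    except Exception as exc:  # boundary handler: anything else becomes an opaque 500
        return 500, error_outcome(exc, debug=debug)
    return 200, resource


if __name__ == "__main__":
    print(handle_read("Patient", "../../etc/passwd", SAMPLE_STORE))
    print(handle_read("Patient", "p1", FailingStore()))
    print(handle_read("Patient", "p1", FailingStore(), debug=True)[1]["issue"][0]["diagnostics"][:60])
```

The 400 path answers the ONC concern about manipulating the API: the id regex is the FHIR specification's own constraint, so enforcing it costs nothing in interoperability and removes whole classes of malformed input before the request reaches a database or filesystem. The 500 path is the punch-list item in code: the same exception yields an opaque message in production and the full trace only when the debug flag is deliberately enabled.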