Difference between revisions of "April 3, 2018 Security Conference Call"

From HL7Wiki
 
(8 intermediate revisions by 2 users not shown)
==Meeting Materials==
* Patient Directed backend communication
** Zulip chat: https://chat.fhir.org/#narrow/stream/Security.20and.20Privacy/subject/Patient.20directed.20backend.20communication
* OAuth App Registration
** Zulip chat: https://chat.fhir.org/#narrow/stream/Security.20and.20Privacy/subject/OAuth.20App.20Registration
* Certificate Management
** Zulip chat: https://chat.fhir.org/#narrow/stream/Security.20and.20Privacy/subject/Do.20we.20need.20to.20say.20anything.20about.20Certificate.20Management

==Meeting Material and Links==
* John Moehrke created a new stream for Security and Privacy discussions: specification development and implementation. https://chat.fhir.org/#narrow/stream/Security.20and.20Privacy
* Grahame Grieve created a new stream for Patient Empowerment: discussions about empowering patients, with a focus on deployment and advocacy. https://chat.fhir.org/#narrow/stream/patient.20empowerment
* Proposed FHIR Connectathon track for Cologne -- GDPR. Alex has agreed to be a SME, John to support, and Rene has agreed to help out. http://wiki.hl7.org/index.php?title=201805_GDPR
* Blockchain FHIR Connectathon: Grahame is trying to find a community wanting to 'play' with blockchain. He is willing to stand up the infrastructure. See the blockchain Zulip stream https://chat.fhir.org/#narrow/stream/blockchain
* [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/TF4FA%20Presentation%202018%200327.pptx Trust Framework for Federated Authorization presentation]
* [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/V3%20PSAF%20TF4FA%20Vol%202%20Behavioral%20Model%20May%202018%20Normative%20Ballot%202018%200326%20.docx TF4FA Vol. 2 Behavioral Model May Ballot]
* [http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22 ''Is Privacy Obsolete Study Group''] news from EU
* [https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/HIMSS%20GDPR%20Webinar%20-%20final%203-20-2018.pdf HIMSS - What Healthcare Organizations need to know about the GDPR] and [https://himss.webex.com/ec3100/eventcenter/recording/recordAction.do?theAction=poprecord&siteurl=himss&entappname=url3100&internalRecordTicket=4832534b000000049e667bcc7b800ce86914021b02caba29afc46ecff27ca74c0cf33e5cbdb77664&renewticket=0&isurlact=true&format=short&rnd=1200686872&RCID=d8fdf672a7c2486c83b5644a70c0ccf3&rID=127858932&needFilter=false&recordID=127858932&apiname=lsr.php&AT=pb&actappname=ec3100&&SP=EC&entactname=%2FnbrRecordingURL.do&actname=%2Feventcenter%2Fframe%2Fg.do HIMSS Presentation recording]
* [http://www.bbc.com/news/world-europe-43496739 Dutch referendum: Spy tapping powers 'rejected']

Latest revision as of 20:44, 8 April 2018

Back to Security Main Page

Attendees (x Member Name)

  x John Moehrke, Security Co-chair
  x Kathleen Connor, Security Co-chair
  x Alexander Mense, Security Co-chair
  . Trish Williams, Security Co-chair
  x Christopher Shawn, Security Co-chair
  x Suzanne Gonzales-Webb
  x Mike Davis
  . David Staggs
  . Diana Proud-Madruga
  x Francisco Jauregui
  x Joe Lamy
  . Greg Linden
  . Paul Knapp
  . Grahame Grieve
  . Johnathan Coleman
  . Aaron Seib
  . Ken Salyards
  . Jim Kretz
  . Gary Dickinson
  x Dave Silver
  x Beth Pumo
  . Bo Dagnall
  . Riki Merrick
  . Theresa Connor
  . Mohammed Jafari
  . Ioana Singureanu
  . Peter Bachman
  x Matt Blackman, Sequoia


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of March 27, 2018 minutes
  3. (5 min) TF4FA Normative Ballot submitted - Mike
  4. (15 min) FHIR Security Updates - John
  5. (15 min) Security Cologne May WGM Agenda



Meeting Minutes

Roll Call, Agenda Approval (Chris Shawn, chair)

Roll Call, Agenda Review, Meeting Minutes approval

Meeting Minutes for 3/27/2018

  • Motion to approve: (Suzanne/JohnM)
  • Objections: none; Abstentions: none; Approval:11 (approved)

TF4FA Normative Ballot - Mike/Kathleen

  • Ballot submitted - Mike/Kathleen
  • No comments
  • Need to confirm this is what was intended for the v3 ballot package
    • Brief discussion of the document included
    • This goes to the link with the documents and the .xml file that is used to generate the HTML (PDFs, PSAF v3 Ballot package)
    • Note that the CBCP co-chairs are listed as co-sponsors
  • Kathleen will confirm for the WG that it is ready to go

PSAF weekly calls are cancelled at this time and may restart once ballot reconciliation begins

FHIR Security Updates

  • Call just completed - new time is attracting more people
  • ZULIP chat has two new streams
    • Security and Privacy stream, an additional stream so that only pertinent security and privacy information is conveyed
    • Second stream <<(?) - need>>
  • Johnathan Coleman was able to join today’s FHIR Security call
    • Reviewed the key considerations of the ONC white paper
    • Including recommending TLS 1.2 or higher in place of just "TLS", adding some references on why we say 1.2
    • Discussion around input validation and vulnerability assessment and future improvement opportunities

Additional information and links can be found on the FHIR Security Call page: http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2018-04-03

Agenda for Cologne – Agenda Items

Connectathon - JohnM

  • FHIR Connectathon track - hopefully, take GDPR as a set of requirements and take the S&P capabilities in and around FHIR--can we show a relationship between them?
    • We have provenance resources; can they aid with clause 243 and 398, etc.?
    • Without going into too much detail, just showing relationships and how scenarios prove it... the more we get done the better
    • Setting the bar low, trying to get a cross-reference with the S&P items we have
    • At that level we can see that we have a gaping hole that we need to add ... if such a thing exists
    • The other is less formal: Grahame is interested in standing up a Hyperledger infrastructure (general purpose blockchain infrastructure) for blockchain
    • Call out in ZULIP chat about developing a scenario around that type of infrastructure... three different proposals but no fish on the hook

Patterns on FHIR

Kathleen received a PowerPoint from Rene Spronk

  • Rene is working on a GDPR presentation on Healthcare Data Interoperability
  • Longer than what we can use for the Q3/Q4 Monday joint
  • Kathleen spoke to Gary Dickinson, who thought it might be a good idea for the joint meeting with EHR
    • Rene goes through security labels and the main parts of GDPR which are required in an automated fashion
  • Additional new codes for v3 possible
    • Currently have a server which can deal with security labels
    • Additional information from the discussion regarding GDPR / new codes for v3 / security labels
    • For the Connectathon, may be able to mock up Purpose of Use for certain kinds of actions involving GDPR
    • Use cases featuring GDPR, security labels, etc. (suggested)

Next week - Kathleen should have something to present regarding the Cologne agenda.

Reminder: one of the thoughts was to give a couple of our FHIR security topic areas prominent spots in the week-long agenda, so that people who would not normally find us can find us.

  • JohnM is trying to find what those time slots might be... (for the Cologne agenda)
  • Allowing a block of time would be great, to get input from the FHIR WG... for risk management and items like that
  • Suggestions requested for topic areas... we can determine where our priorities line up.
  • Kathleen noted that the HIMSS GDPR presentation and recording in the meeting material below are excellent for those in the US who are wondering how US entities and US citizens in the EU may be affected.
  • Kathleen also noted that she'd uploaded numerous recent privacy issue links to the "Is Privacy Obsolete" Study Group page
  • Meeting call adjourned at 1228 Arizona time --Suzannegw (talk) 15:26, 3 April 2018 (EDT)

Meeting Material and Links