This wiki has undergone a migration to Confluence found Here
Difference between revisions of "201805 GDPR"
Jump to navigation
Jump to search
JohnMoehrke (talk | contribs) |
|||
(11 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:201805_FHIR_Connectathon_Track_Proposals|May 2018 Proposals]] | [[Category:201805_FHIR_Connectathon_Track_Proposals|May 2018 Proposals]] | ||
+ | *[http://wiki.hl7.org/index.php?title=GDPR_(General_Data_Protection_Regulation) HL7 Security WG GDPR wiki] | ||
__NOTOC__ | __NOTOC__ | ||
=Track Name= | =Track Name= | ||
− | GDPR | + | GDPR - General Data Protection Regulation |
==Submitting WG/Project/Implementer Group== | ==Submitting WG/Project/Implementer Group== | ||
Line 12: | Line 13: | ||
==Justification== | ==Justification== | ||
− | The justification for this track is to explore how the FHIR specification and Implementation Guides enable and support compliance with GDPR. | + | The justification for this track is to explore how the FHIR specification and Implementation Guides enable and support compliance with GDPR. This is not an overall examination of GDPR. |
This is a collaborative effort, please sign up to help | This is a collaborative effort, please sign up to help | ||
+ | |||
+ | [https://chat.fhir.org/#narrow/stream/Security.20and.20Privacy/topic/GPDR Zulip chat thread on GDPR] for ongoing dialog | ||
===Relevant background=== | ===Relevant background=== | ||
Line 21: | Line 24: | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/HIMSS%20GDPR%20Webinar%20-%20final%203-20-2018.pdf HIMSS presentation on GDPR] | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/HIMSS%20GDPR%20Webinar%20-%20final%203-20-2018.pdf HIMSS presentation on GDPR] | ||
+ | * blog by Rene http://www.ringholm.com/column/GDPR_impact_on%20healthcare_data_interoperability.htm | ||
+ | * IHE whitepaper on GDPR - https://www.ihe-europe.net/sites/default/files/GDPR_WEB_00.pdf | ||
+ | * Useful GDPR regulation text reference https://gdpr-info.eu/ | ||
==Proposed Track Leads== | ==Proposed Track Leads== | ||
Line 31: | Line 37: | ||
*http://test.fhir.org/r3 | *http://test.fhir.org/r3 | ||
+ | ==Actors== | ||
+ | * Agent-Systems -- any system participating in the creation, use, or disclosure of identifiable data | ||
+ | * etc... | ||
− | == | + | ==FHIR Capabilities== |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Expect to produce a cross-reference between the existing FHIR Security & Privacy capabilities and how they aid with GDPR compliance. | |
+ | * Provenance resource | ||
+ | * AuditEvent resource | ||
+ | * Consent resource | ||
+ | * Identity | ||
+ | ** Patient resource | ||
+ | ** RelatedPerson | ||
+ | ** Practitioner, PractitionerRole | ||
+ | ** Group | ||
+ | ** Organization | ||
+ | ** Location | ||
+ | ** etc. | ||
+ | * Security-label mechanism in all FHIR Resource definitions (.meta.security) | ||
+ | ** Confidentiality classification | ||
+ | ** Sensitivity classification | ||
+ | ** Compartment classification | ||
+ | ** Integrity classification | ||
+ | ** Handling caveat | ||
+ | * Security-label vocabulary (aka HCS) | ||
+ | * Signature datatype | ||
+ | * De-Identification | ||
+ | * Authorization mechanisms | ||
+ | ** SMART-on-FHIR | ||
+ | ** Sync for Science | ||
+ | ** IHE-IUA | ||
+ | ** HEART | ||
+ | ** etc... | ||
+ | * User/system Authentication | ||
+ | ** Open-ID-Connect profile of OAuth | ||
+ | *** by way of SMART-on-FHIR | ||
+ | * Communications security | ||
+ | ** HTTPS | ||
==Testing Scenarios== | ==Testing Scenarios== | ||
− | [[ | + | * Privacy Consents -- follow [[201801 Consumer Centered Data Exchange]] |
+ | ** or enhancements as needed | ||
+ | * TBD |
Latest revision as of 20:59, 17 May 2018
Track Name
GDPR - General Data Protection Regulation
Submitting WG/Project/Implementer Group
Security WG
Track Orientation Presentation -- TBD
Justification
The justification for this track is to explore how the FHIR specification and Implementation Guides enable and support compliance with GDPR. This is not an overall examination of GDPR.
This is a collaborative effort, please sign up to help
Zulip chat thread on GDPR for ongoing dialog
Relevant background
Prior Connectathon track 201709 Consumer Centered Data Exchange and 201801 Consumer Centered Data Exchange
- HIMSS presentation on GDPR
- blog by Rene http://www.ringholm.com/column/GDPR_impact_on%20healthcare_data_interoperability.htm
- IHE whitepaper on GDPR - https://www.ihe-europe.net/sites/default/files/GDPR_WEB_00.pdf
- Useful GDPR regulation text reference https://gdpr-info.eu/
Proposed Track Leads
- John Moehrke -Security WG co-chair - JohnMoehrke@gmail.com -- skype JohnMoehrke
- Alex Mense - Security WG co-chair
- Rene Spronk
Expected participants
- John Moehrke (HL7 Security co-chair) SME on FHIR Consent
- http://test.fhir.org/r3
Actors
- Agent-Systems -- any system participating in the creation, use, or disclosure of identifiable data
- etc...
FHIR Capabilities
Expect to produce a cross-reference between the existing FHIR Security & Privacy capabilities and how they aid with GDPR compliance.
- Provenance resource
- AuditEvent resource
- Consent resource
- Identity
- Patient resource
- RelatedPerson
- Practitioner, PractitionerRole
- Group
- Organization
- Location
- etc.
- Security-label mechanism in all FHIR Resource definitions (.meta.security)
- Confidentiality classification
- Sensitivity classification
- Compartment classification
- Integrity classification
- Handling caveat
- Security-label vocabulary (aka HCS)
- Signature datatype
- De-Identification
- Authorization mechanisms
- SMART-on-FHIR
- Sync for Science
- IHE-IUA
- HEART
- etc...
- User/system Authentication
- Open-ID-Connect profile of OAuth
- by way of SMART-on-FHIR
- Open-ID-Connect profile of OAuth
- Communications security
- HTTPS
Testing Scenarios
- Privacy Consents -- follow 201801 Consumer Centered Data Exchange
- or enhancements as needed
- TBD