
Difference between revisions of "July 24, 2018 CBCP Conference Call"

(Created page with "==Attendees== {| class="wikitable" |- ! ||'''Member Name'''|| !! x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name''' !! |- |- || .|| [mailto:jc@sec...")
 
 
(4 intermediate revisions by the same user not shown)
Line 9: Line 9:
 
||  .|| [mailto:jc@securityrs.com Johnathan Coleman]CBCP Co-Chair  
 
||  .|| [mailto:jc@securityrs.com Johnathan Coleman]CBCP Co-Chair  
 
||||x|| [mailto:suzanne.webb@bookzurman.com Suzanne Gonzales-Webb] CBCP Co-Chair   
 
||||x|| [mailto:suzanne.webb@bookzurman.com Suzanne Gonzales-Webb] CBCP Co-Chair   
||||.|| [mailto:jim.kretz@samhsa.hhs.gov Jim Kretz] CBCP Co-Chair
+
||||x|| [mailto:jim.kretz@samhsa.hhs.gov Jim Kretz] CBCP Co-Chair
 
||||x|| [mailto:david.pyke@readycomputing.com David Pyke] CBCP Co-Chair
 
||||x|| [mailto:david.pyke@readycomputing.com David Pyke] CBCP Co-Chair
 
|-
 
|-
Line 28: Line 28:
 
||||.|| [mailto:saurav.chowdhury@esacinc.com Saurav Chowdhury]
 
||||.|| [mailto:saurav.chowdhury@esacinc.com Saurav Chowdhury]
 
||||.|| [mailto:dave.silver@electrosoft.com Dave Silver]
 
||||.|| [mailto:dave.silver@electrosoft.com Dave Silver]
||||.|| [mailto:fjauregui@electrosoft.com Francisco Jauregui]
+
||||x|| [mailto:fjauregui@electrosoft.com Francisco Jauregui]
 
|-
 
|-
||  x|| [mailto:Mark.Meadows@dch.ga.gov Mark Meadows]  
+
||  .|| [mailto:Mark.Meadows@dch.ga.gov Mark Meadows]  
 
||||.|| [mailto:ayp@securityrs.com Amber Patel]
 
||||.|| [mailto:ayp@securityrs.com Amber Patel]
 
||||x|| [mailto:becky.angeles@carradora.com Becky Angeles]
 
||||x|| [mailto:becky.angeles@carradora.com Becky Angeles]
Line 45: Line 45:
 
||||.|| [mailto:ioana.singureanu@gmail.com Ioana Singureanu]
 
||||.|| [mailto:ioana.singureanu@gmail.com Ioana Singureanu]
 
||||x|| [mailto:Beth.Pumo@kp.org Beth Pumo]
 
||||x|| [mailto:Beth.Pumo@kp.org Beth Pumo]
 +
|-
 +
||  x|| [mailto:Oliver Lawless]
 +
||||.|| [mailto:]
 +
||||.|| [mailto:]
 +
||||x|| [mailto:]
 +
|-
 
|}
 
|}
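Review bot: the added attendee row writes the name as `[mailto:Oliver Lawless]` with no address, so the link syntax takes "Oliver" as the mailto target and the rendered table shows only "Lawless"; the three `[mailto:]` cells after it are empty placeholders, and the last of them is marked `x` as present with no name. Suggest plain text `Oliver Lawless` for the name and blank cells for the unused slots.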
  
Line 56: Line 62:
 
# eLTSS NIB submitted before Sunday deadline
 
# eLTSS NIB submitted before Sunday deadline
 
#* eLTSS gForge folder:  https://gforge.hl7.org/gf/project/cbcc/docman/eLTSS%20-%20%20ONC%20Electronic%20Long-Term%20Services%20and%20Supports
 
#* eLTSS gForge folder:  https://gforge.hl7.org/gf/project/cbcc/docman/eLTSS%20-%20%20ONC%20Electronic%20Long-Term%20Services%20and%20Supports
#* Latest PSS posted to gForge [
+
# PSS - CBCP Approval (Ken Lord)
 +
# Privacy - Is privacy Obsolete update - Mike Davis
 
# FHIR Consent
 
# FHIR Consent
 
#* FHIR CPs for review
 
#* FHIR CPs for review
 
#* FHIR Consent CPs are located: [https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&querynav=%2Fgf%2Fproject%2Ffhir%2Ftracker%2F%3Faction%3DTrackerItemBrowse%26tracker_id%3D677%26forget_query%3D1&quickquery=1&tracker_item_id=&summary=&submitted_by=&priority=&assigned_to=&extra_field%5B4214%5D=&extra_field%5B4215%5D=&extra_field%5B4060%5D=&extra_field%5B3631%5D=&extra_field%5B3807%5D=19593&extra_field%5B3808%5D=&extra_field%5B3628%5D=&extra_field%5B3626%5D=&extra_field%5B4065%5D=&extra_field%5B4092%5D=&extra_field%5B4063%5D=&extra_field%5B4062%5D=&extra_field%5B2415%5D=-3&extra_field%5B4252%5D=&extra_field%5B3633%5D=&extra_field%5B3969%5D=&extra_field%5B4069%5D=&extra_field%5B4066%5D=&extra_field%5B4071%5D=&extra_field%5B3632%5D=&sortcol=priority&sortord=DESC link to ALL Consent Change requests]
 
#* FHIR Consent CPs are located: [https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&querynav=%2Fgf%2Fproject%2Ffhir%2Ftracker%2F%3Faction%3DTrackerItemBrowse%26tracker_id%3D677%26forget_query%3D1&quickquery=1&tracker_item_id=&summary=&submitted_by=&priority=&assigned_to=&extra_field%5B4214%5D=&extra_field%5B4215%5D=&extra_field%5B4060%5D=&extra_field%5B3631%5D=&extra_field%5B3807%5D=19593&extra_field%5B3808%5D=&extra_field%5B3628%5D=&extra_field%5B3626%5D=&extra_field%5B4065%5D=&extra_field%5B4092%5D=&extra_field%5B4063%5D=&extra_field%5B4062%5D=&extra_field%5B2415%5D=-3&extra_field%5B4252%5D=&extra_field%5B3633%5D=&extra_field%5B3969%5D=&extra_field%5B4069%5D=&extra_field%5B4066%5D=&extra_field%5B4071%5D=&extra_field%5B3632%5D=&sortcol=priority&sortord=DESC link to ALL Consent Change requests]
  
# '''FHIR Security Project Update''' - Johnathan / John Moehrke
+
==Meeting Minutes DRAFT==
#* Weekly meeting on Tuesday - 2 PM Eastern
+
Chair - Dave Pyke
#* [https://www.freeconferencecall.com/join/security36 https://www.freeconferencecall.com/join/security36]; Phone Number: +1 515-604-9567. Participant Passcode: 880898
+
 
 +
eLTSS
 +
* Lynne - publishing folks - any other that we need to do
 +
** they frown upon ballotable material publicly; so items will not be posted on the CBCP wiki
 +
** no other specific instructions were given to get ready for ballot
 +
 
 +
* uploading items to the wiki; need to delete some information
 +
** hesitating to upload spreadsheet; until
 +
* owed to CBCP a final version with executive summary; once ready Irina will provide once ready
 +
 
 +
FHIR Consent
 +
 
 +
CPs items to vote on
 +
 
 +
four have been dealt with one way or another;
 +
# CP 15581 - Motion: Suzanne / Jim Vote on disposition as displayed
 +
#* vote: abstentions: none; against: none; approval: 11
 +
# CP 15641
 +
#* followed up with Michelle with no response
 +
#* wish to close as not persuasive Motion made: Jim / Suzanne
 +
#* Abstention: none; Against: none; Approval: 11
 +
# 17154 Search parameters
 +
#* Securitylabel to security-label (must have dash) Motion: Jim/Suzanne
 +
#* Vote: abstentions: none; against: none; Approval: 11
 +
# CP 14181
 +
#* items have been elimated - could not be mapped to v3 RIM (they are not found in v3 RIM
 +
#*
 +
# CP 11069 (already resolved)
 +
#* suggest to close as this is based on an older version
 +
 
 +
''' ''NEW DISCUSSION:'' '''
 +
additional e-mail discussion:
 +
David Pyke been asked to put forward this statement for voting as a motion to  the group clarifying our stance on consent in FHIR
 +
<quote>
 +
* The Consent resource is the correct (and best) way to store and exchange computable consent agreements in a FHIR environment
 +
* Formal consent documents are contracts and you may use the Contract resource to capture that aspect of them for attachment to the Consent resource as a source document.
 +
* While Consent information may sometimes be found in DocumentReference, Binary, Contract and other resources, Consent is the principle resource for representing consent-related information and is the endpoint where systems should expect to find this information
 +
<endquote>
 +
 
 +
Above given to DAvid by Grahame and Lloyed on FHIR Resource - usage of various resources and their use in FHIR
  
 +
CBCP - information to be sent out for review
 +
Cross-Paradigm Interopbility project
  
==Meeting Minutes DRAFT==
+
showing to transform security labels from FHIR to CDA... not a lot to do on FHIR consent contract or the CA consent; to a large extent is about security labels--there may be misunderstanding
 +
 
 +
* to be proposed as a joint sponsorship; and confirm which WGs are involved--
 +
wait until we get a better descrption if we do need to be involved (based on kathleen description... unsure of scope; involving cross paradign
 +
 
 +
Suzanne - to reach out to Ken Lord before sending information out for CBCP review
 +
 
 +
 
 +
'''Is Priacy Obsolte''' - update
 +
 
 +
* year / year and a half
 +
* no recent report outs; lots of concern of whether privacy was dead due to large nmber of breachers (large breaches) often without harm to lega regsitutuion to victims--as credit theft
 +
* in the meantime ; we have been engaged with worldwide review; AUS, China Eu India, Japan UK, US among others - specifically did not look at Russia.
 +
* most countries have new privacy laws in place
 +
** EU - GDPR in place
 +
** other countries are looking at GDPR as benchmark (Japan may incorporate GDPR version)
 +
** in US, initial feeling was fragmented state by state and largly with specific industry focus; it is a patchwork of state laws, that being said the US is considered to be strong in terms of privacy because of the FTC enforcement of federal trade commission act; also healthcare is one of the vertical as excellent privacy practice.
 +
***with the FTC the general concensus US privacy enforcement and laws in US are the strictest in the world
 +
; but doesn't address victims do not get credit in the courts--efforts are largly to correct breaches int he first place; in terms of technology, seeing lots of new technology in privacy i.e. zero-knowledge proofs UMA block chans, data beach responses - included in the GDPR; which has raised the bar
 +
*** all 50 US states have breach notification law in place. we have consent management
 +
*** data classification (we call it security labeling) enforcing/segmenting privacy information. 
 +
*** largely if looking at enfocement activities which fall more in what organzations do … we wuld say its a big plus that detracted by the fact that we do have breaches involving billions of dollars; there is reason to question security in facebook, google; knowing we go in at our own risk;
 +
*** privacy is not dead - it has issues there are activities in law and technology in standards bodies to address the issues; may not be the final conclusion for today; goal: wrap up and bief out at the Security/ HL7 WGM meeting
 +
 
 +
 
 +
Oliver: freeze your credit? recourse to protect yourself or is there other
 +
* breaches are not just getting into our account; ie. security clearance infroatmion collected was breached for millions of federal employes, homes they've lived, cards etch... were breaches including healthcare privacy not just credit card monitory involved in identy theft
 +
* there is no effective recourse to sufficiently lock up the information they carry; the GDPR is slapping down on companies on that.  Therorizes that GDPR can protect toursts who travel outside Eu; there are no harsh penalites (in Canada) and make retributions... except through credit monitoring
  
 +
Legal changes/technology changes / enforcement and we're talking about privacy across the board; not just identity theft... its more promising thatn what we toguht whenw e were just looking at victims not getting more than credit monitorying.
  
additional e-mail discussion:
+
Motion made to adjorn: Jim
David Pyke been asked to put forward this statement for voting as a motion to the group clarifying our stance on consent in FHIR
+
Meeeting adjorned at 9:43 Pacific time --[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 12:44, 24 July 2018 (EDT)
<quote>
 
* The Consent resource is the correct (and best) way to store and exchange computable consent agreements in a FHIR environment
 
* Formal consent documents are contracts and you may use the Contract resource to capture that aspect of them for attachment to the Consent resource as a source document.
 
* While Consent information may sometimes be found in DocumentReference, Binary, Contract and other resources, Consent is the principle resource for representing consent-related information and is the endpoint where systems should expect to find this information
 
<endquote>
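Review bot: the statement put forward for a vote in the added NEW DISCUSSION block is wrapped in `<quote>` and `<endquote>`, neither of which is wiki markup, and the rendered minutes show both tags and the bullet asterisks as literal text. Suggest `<blockquote>` and `</blockquote>` around the three bullets; the added heading `'''Is Priacy Obsolte'''` should also read "Is Privacy Obsolete".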
 

Latest revision as of 16:45, 24 July 2018

Attendees

|   | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | Johnathan Coleman, CBCP Co-Chair | x | Suzanne Gonzales-Webb, CBCP Co-Chair | x | Jim Kretz, CBCP Co-Chair | x | David Pyke, CBCP Co-Chair |
| x | Kathleen Connor, Security Co-Chair | x | Mike Davis | . | John Moehrke, Security Co-Chair | . | Diana Proud-Madruga |
| x | Chris Shawn | . | Neelima Chennamaraja | . | Joe Lamy | . | Greg Linden |
| . | Irina Connelly | . | Saurav Chowdhury | . | Dave Silver | x | Francisco Jauregui |
| . | Mark Meadows | . | Amber Patel | x | Becky Angeles | . | Jennifer Brush |
| . | Mohammad Jafari | . | Ali Khan | . | Ken Salyards | . | Michael Gu |
| . | David Staggs | . | Bonnie Young | . | Ioana Singureanu | x | Beth Pumo |
| x | Oliver Lawless | . | [mailto:] | . | [mailto:] | x | [mailto:] |



Agenda

  1. Roll Call, Agenda Review
  2. Meeting Minutes approval: none to approve at this time
  3. eLTSS Update - Irina / Becky
  4. eLTSS NIB submitted before Sunday deadline
  5. PSS - CBCP Approval (Ken Lord)
  6. Privacy - Is privacy Obsolete update - Mike Davis
  7. FHIR Consent

Meeting Minutes DRAFT

Chair - Dave Pyke

eLTSS

  • Lynne - publishing folks - anything else that we need to do
    • they frown upon posting ballotable material publicly; so items will not be posted on the CBCP wiki
    • no other specific instructions were given to get ready for ballot
  • uploading items to the wiki; need to delete some information
    • hesitating to upload spreadsheet; until
  • CBCP is owed a final version with executive summary; Irina will provide it once ready

FHIR Consent

CP items to vote on

four have been dealt with one way or another;

  1. CP 15581 - Motion: Suzanne / Jim Vote on disposition as displayed
    • vote: abstentions: none; against: none; approval: 11
  2. CP 15641
    • followed up with Michelle with no response
    • wish to close as not persuasive Motion made: Jim / Suzanne
    • Abstention: none; Against: none; Approval: 11
  3. 17154 Search parameters
    • Securitylabel to security-label (must have dash) Motion: Jim/Suzanne
    • Vote: abstentions: none; against: none; Approval: 11
  4. CP 14181
    • items have been eliminated - could not be mapped to v3 RIM (they are not found in v3 RIM)
  5. CP 11069 (already resolved)
    • suggest to close as this is based on an older version

NEW DISCUSSION:

additional e-mail discussion:
David Pyke has been asked to put forward this statement for voting as a motion to the group clarifying our stance on consent in FHIR
<quote>
* The Consent resource is the correct (and best) way to store and exchange computable consent agreements in a FHIR environment
* Formal consent documents are contracts and you may use the Contract resource to capture that aspect of them for attachment to the Consent resource as a source document.
* While Consent information may sometimes be found in DocumentReference, Binary, Contract and other resources, Consent is the principal resource for representing consent-related information and is the endpoint where systems should expect to find this information
<endquote>

Above given to David by Grahame and Lloyd on FHIR Resource - usage of various resources and their use in FHIR

CBCP - information to be sent out for review

Cross-Paradigm Interoperability project

showing how to transform security labels from FHIR to CDA... not a lot to do on FHIR consent contract or the CA consent; to a large extent it is about security labels--there may be a misunderstanding

  • to be proposed as a joint sponsorship; and confirm which WGs are involved

wait until we get a better description if we do need to be involved (based on Kathleen's description... unsure of scope; involving cross-paradigm)

Suzanne - to reach out to Ken Lord before sending information out for CBCP review


Is Privacy Obsolete - update

  • year / year and a half
  • no recent report outs; lots of concern about whether privacy was dead due to the large number of breaches (large breaches), often without harm to legal restitution to victims--as credit theft
  • in the meantime, we have been engaged with a worldwide review: AUS, China, EU, India, Japan, UK, US among others - specifically did not look at Russia.
  • most countries have new privacy laws in place
    • EU - GDPR in place
    • other countries are looking at GDPR as a benchmark (Japan may incorporate a GDPR version)
    • in US, initial feeling was fragmented state by state and largely with specific industry focus; it is a patchwork of state laws. That being said, the US is considered to be strong in terms of privacy because of the FTC enforcement of the Federal Trade Commission Act; also healthcare is one of the verticals with excellent privacy practice.
      • with the FTC, the general consensus is that US privacy enforcement and laws are the strictest in the world; but this doesn't address that victims do not get credit in the courts--efforts are largely to correct breaches in the first place; in terms of technology, seeing lots of new technology in privacy, i.e. zero-knowledge proofs, UMA, blockchains, data breach responses - included in the GDPR; which has raised the bar
      • all 50 US states have breach notification law in place. we have consent management
      • data classification (we call it security labeling) enforcing/segmenting privacy information.
      • largely if looking at enforcement activities which fall more in what organizations do … we would say it's a big plus that is detracted from by the fact that we do have breaches involving billions of dollars; there is reason to question security in Facebook, Google; knowing we go in at our own risk;
      • privacy is not dead - it has issues; there are activities in law and technology in standards bodies to address the issues; may not be the final conclusion for today; goal: wrap up and brief out at the Security / HL7 WGM meeting


Oliver: freeze your credit? recourse to protect yourself or is there other

  • breaches are not just getting into our account; i.e. security clearance information collected was breached for millions of federal employees, homes they've lived, cards etc... were breaches including healthcare privacy, not just credit card monitory involved in identity theft
  • there is no effective recourse to sufficiently lock up the information they carry; the GDPR is slapping down on companies on that. Theorizes that GDPR can protect tourists who travel outside EU; there are no harsh penalties (in Canada) and make retributions... except through credit monitoring

Legal changes / technology changes / enforcement and we're talking about privacy across the board; not just identity theft... it's more promising than what we thought when we were just looking at victims not getting more than credit monitoring.

Motion made to adjourn: Jim

Meeting adjourned at 9:43 Pacific time --Suzannegw (talk) 12:44, 24 July 2018 (EDT)