This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "February 24th Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
Line 25: Line 25:
 
E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model.   
 
E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model.   
 
i.e. archive in privacy and consent can be done in an abstract section.
 
i.e. archive in privacy and consent can be done in an abstract section.
F - Descritpion; may be updated due to worthsmithing, or other  
+
F - Description; may be updated due to wordsmithing, or other  
 
G - Description taken from ActStateTransitioinOperation
 
G - Description taken from ActStateTransitioinOperation
 
*H - L, Proposed Value Sets
 
*H - L, Proposed Value Sets
 
** I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow.
 
** I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow.
  
* Taxonomy - need to see how this relates to the current standard.   
+
* Taxonomy - need to see how this relates to the current standard.
** Suggestion: (MDavis) if you look at execute as difined so far is at the same level as the primitives, it should be moved over one to the right, so that it falls under the execute term...so that we have create, delete, modify   so that th
+
** taxonomy it simplifies management; has nothing to do with policy.   
execute: is something generic that you apply directly to a piece of software which in turn may operate or other things.  From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to Frnech...which are implemented by software.  Ata security level you are concerned about by primitive operations on protected objects.  privacy and consent level are things you want people able to do as directed by privacy and consent directives.
+
** security sees spreadsheets as a list of verbs (MDavis)
 +
*** defined as the objects that they are operating on (TWeida)
 +
*** some confusion as some terms seem to be listed as nouns, or possibly in two different contexts
 +
*** these terms are all intented to be 'verbs' - (TWeida)
 +
** Suggestion: (MDavis) if you look at execute as defined so far is at the same level as the primitives, it should be moved over one to the right, so that it falls under the execute term...so that we have create, delete, modify along the same line
 +
** Note:  ability to execute to the backup the objects does not necessarily mean you have the rights to read everyting you backup.  The execute permission should not imply you have all the rights you have to operate on.  need to be careful to avoid the confusion i.e. backup of a file (object); action on an object....its a permission. backup a hard drive becomes a permisison in the security catalog, to do the backup itself--treating the backup as an object it becomes confusing.
 +
** 3 taxonomy needed (RThoreson)
 +
# venacular - common sense
 +
#
 +
#
 +
execute: is something generic that you apply directly to a piece of software which in turn may operate or other things.  From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to French...which are implemented by software.  At a security level you are concerned about by primitive operations on protected objects.  privacy and consent level are things you want people able to do as directed by privacy and consent directives.
 
**we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create)
 
**we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create)
 +
* CRUDE - Create, Read, Update, Delete, Execute is used across for access--and not necessarily just in healthcare.
 +
* need to be able to execute at an interoperability label
 +
** there are gaps in the shared discussion; and more time will need to be devoted to this subject
 +
 +
How is this list complete for our purposes (as sufficient and complete)?  this is a best first effort, starter set.  They are currently not in the HL7 vocabulary to refer to them.  Are these terms listed in a standardized vocabulary?  '''Goal is the ability to control IT systems'''  Policy is out of scope, and we agree that we are unable to control/enforce what is done beyond the IT realm.
 
#''(15 min)'' '''Item2'''
 
#''(15 min)'' '''Item2'''
 
#''(15 min)'' '''Item3'''  
 
#''(15 min)'' '''Item3'''  

Revision as of 19:20, 24 February 2009

Security Working Group Meeting

==Attendees== (expected)

Agenda

  1. (05 min) Roll Call
  2. (05 min) Approve Minutes & Accept Agenda
  3. (15 min) Proposed Update to Operations vocabulary - Tony Weida Operations Vocabulary spreadsheet

A - Code B - Print name C - Synonyms - D - specialization (and gray areas for E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model. i.e. archive in privacy and consent can be done in an abstract section. F - Description; may be updated due to wordsmithing, or other G - Description taken from ActStateTransitioinOperation

  • H - L, Proposed Value Sets
    • I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow.
  • Taxonomy - need to see how this relates to the current standard.
    • taxonomy it simplifies management; has nothing to do with policy.
    • security sees spreadsheets as a list of verbs (MDavis)
      • defined as the objects that they are operating on (TWeida)
      • some confusion as some terms seem to be listed as nouns, or possibly in two different contexts
      • these terms are all intented to be 'verbs' - (TWeida)
    • Suggestion: (MDavis) if you look at execute as defined so far is at the same level as the primitives, it should be moved over one to the right, so that it falls under the execute term...so that we have create, delete, modify along the same line
    • Note: ability to execute to the backup the objects does not necessarily mean you have the rights to read everyting you backup. The execute permission should not imply you have all the rights you have to operate on. need to be careful to avoid the confusion i.e. backup of a file (object); action on an object....its a permission. backup a hard drive becomes a permisison in the security catalog, to do the backup itself--treating the backup as an object it becomes confusing.
    • 3 taxonomy needed (RThoreson)
  1. venacular - common sense

execute: is something generic that you apply directly to a piece of software which in turn may operate or other things. From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to French...which are implemented by software. At a security level you are concerned about by primitive operations on protected objects. privacy and consent level are things you want people able to do as directed by privacy and consent directives.

    • we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create)
  • CRUDE - Create, Read, Update, Delete, Execute is used across for access--and not necessarily just in healthcare.
  • need to be able to execute at an interoperability label
    • there are gaps in the shared discussion; and more time will need to be devoted to this subject

How is this list complete for our purposes (as sufficient and complete)? this is a best first effort, starter set. They are currently not in the HL7 vocabulary to refer to them. Are these terms listed in a standardized vocabulary? Goal is the ability to control IT systems Policy is out of scope, and we agree that we are unable to control/enforce what is done beyond the IT realm.

  1. (15 min) Item2
  2. (15 min) Item3
  3. (5 min) Other Business

Action Items

Back to Meetings