Difference between revisions of "February 24th Security Conference Call"
(→Agenda) |
|||
Line 25: | Line 25: | ||
E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model. | E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model. | ||
i.e. archive in privacy and consent can be done in an abstract section. | i.e. archive in privacy and consent can be done in an abstract section. | ||
− | F - | + | F - Description; may be updated due to wordsmithing, or other |
G - Description taken from ActStateTransitioinOperation | G - Description taken from ActStateTransitioinOperation | ||
*H - L, Proposed Value Sets | *H - L, Proposed Value Sets | ||
** I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow. | ** I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow. | ||
− | * Taxonomy - need to see how this relates to the current standard. | + | * Taxonomy - need to see how this relates to the current standard. |
− | ** Suggestion: (MDavis) if you look at execute as | + | ** taxonomy it simplifies management; has nothing to do with policy. |
− | execute: is something generic that you apply directly to a piece of software which in turn may operate or other things. From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to | + | ** security sees spreadsheets as a list of verbs (MDavis) |
+ | *** defined as the objects that they are operating on (TWeida) | ||
+ | *** some confusion as some terms seem to be listed as nouns, or possibly in two different contexts | ||
+ | *** these terms are all intented to be 'verbs' - (TWeida) | ||
+ | ** Suggestion: (MDavis) if you look at execute as defined so far is at the same level as the primitives, it should be moved over one to the right, so that it falls under the execute term...so that we have create, delete, modify along the same line | ||
+ | ** Note: ability to execute to the backup the objects does not necessarily mean you have the rights to read everyting you backup. The execute permission should not imply you have all the rights you have to operate on. need to be careful to avoid the confusion i.e. backup of a file (object); action on an object....its a permission. backup a hard drive becomes a permisison in the security catalog, to do the backup itself--treating the backup as an object it becomes confusing. | ||
+ | ** 3 taxonomy needed (RThoreson) | ||
+ | # venacular - common sense | ||
+ | # | ||
+ | # | ||
+ | execute: is something generic that you apply directly to a piece of software which in turn may operate or other things. From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to French...which are implemented by software. At a security level you are concerned about by primitive operations on protected objects. privacy and consent level are things you want people able to do as directed by privacy and consent directives. | ||
**we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create) | **we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create) | ||
+ | * CRUDE - Create, Read, Update, Delete, Execute is used across for access--and not necessarily just in healthcare. | ||
+ | * need to be able to execute at an interoperability label | ||
+ | ** there are gaps in the shared discussion; and more time will need to be devoted to this subject | ||
+ | |||
+ | How is this list complete for our purposes (as sufficient and complete)? this is a best first effort, starter set. They are currently not in the HL7 vocabulary to refer to them. Are these terms listed in a standardized vocabulary? '''Goal is the ability to control IT systems''' Policy is out of scope, and we agree that we are unable to control/enforce what is done beyond the IT realm. | ||
#''(15 min)'' '''Item2''' | #''(15 min)'' '''Item2''' | ||
#''(15 min)'' '''Item3''' | #''(15 min)'' '''Item3''' |
Revision as of 19:20, 24 February 2009
Security Working Group Meeting
==Attendees== (expected)
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Richard Thoreson CBCC Co-chair
- Ioana Singureanu
- David Sperzel
- Tony Weida
- Craig Winter
- Russ Hamm
- Steven Connolly
Agenda
- (05 min) Roll Call
- (05 min) Approve Minutes & Accept Agenda
- (15 min) Proposed Update to Operations vocabulary - Tony Weida Operations Vocabulary spreadsheet
A - Code B - Print name C - Synonyms - D - specialization (and gray areas for E - 'Mode' the nature of the nodes for vocabulary (selectable or non-selectable, previously as specialized/non-specializable) is not a leaf is selectable for coding in your model. i.e. archive in privacy and consent can be done in an abstract section. F - Description; may be updated due to wordsmithing, or other G - Description taken from ActStateTransitioinOperation
- H - L, Proposed Value Sets
- I,J,I collection, may/may not be used, combined in collection use and disclosure (these are suggested value sets to be entered in the the 'represetative domain' to work if appropriate by any HL7 realm) checkmarks are being specifically named for inclusion for HL7 realm; black squares indicated those which may follow.
- Taxonomy - need to see how this relates to the current standard.
- taxonomy it simplifies management; has nothing to do with policy.
- security sees spreadsheets as a list of verbs (MDavis)
- defined as the objects that they are operating on (TWeida)
- some confusion as some terms seem to be listed as nouns, or possibly in two different contexts
- these terms are all intented to be 'verbs' - (TWeida)
- Suggestion: (MDavis) if you look at execute as defined so far is at the same level as the primitives, it should be moved over one to the right, so that it falls under the execute term...so that we have create, delete, modify along the same line
- Note: ability to execute to the backup the objects does not necessarily mean you have the rights to read everyting you backup. The execute permission should not imply you have all the rights you have to operate on. need to be careful to avoid the confusion i.e. backup of a file (object); action on an object....its a permission. backup a hard drive becomes a permisison in the security catalog, to do the backup itself--treating the backup as an object it becomes confusing.
- 3 taxonomy needed (RThoreson)
- venacular - common sense
execute: is something generic that you apply directly to a piece of software which in turn may operate or other things. From a conceputal level (vs software artifacts) you can think about copying apatient record or converting a message from V2 to V3 or a document from English to French...which are implemented by software. At a security level you are concerned about by primitive operations on protected objects. privacy and consent level are things you want people able to do as directed by privacy and consent directives.
- we want to be able to harmonize this vocabulary with security; (i.e. move would be a delete and create)
- CRUDE - Create, Read, Update, Delete, Execute is used across for access--and not necessarily just in healthcare.
- need to be able to execute at an interoperability label
- there are gaps in the shared discussion; and more time will need to be devoted to this subject
How is this list complete for our purposes (as sufficient and complete)? this is a best first effort, starter set. They are currently not in the HL7 vocabulary to refer to them. Are these terms listed in a standardized vocabulary? Goal is the ability to control IT systems Policy is out of scope, and we agree that we are unable to control/enforce what is done beyond the IT realm.
- (15 min) Item2
- (15 min) Item3
- (5 min) Other Business