Difference between revisions of "February 2nd 2010 Security Conference Call"

Revision as of 22:23, 7 February 2010

Security Work Group Weekly Conference Call

Meeting Information

Attendees

Agenda

  1. (05 min) Roll Call & Call for Additional Agenda Items
  2. (55 min) Report Out from Phoenix Working Group Meeting
    • Elections
    • Status of Security & CBCC WG response to MU
    • Ballot reconciliation
      • Security DAM
      • CDA R2 Implementation Guide for Consent Directives
      • PASS-Alpha Access Control
    • New Projects

1. Action Items:

  • Serafina to follow up with HL7 leadership to determine process for submitting WG response to MU IFR
  • Team: please read MU IFR (focus on pages 81-94 and Table 2B) and provide comments at next Tuesday's meeting

2. Report Out from Phoenix WGM

Announcements

  • Elections
    • John Moehrke elected Security Co-Chair
    • Mike Davis re-elected Security Co-Chair
    • Steve Connolly appointed Vocabulary Facilitator for Security WG
  • John Moehrke presented a Risk Assessment methodology for HL7 to the TSC meeting on Monday which was very well received

Status of Security & CBCC response to MU IFR

  • Deadline for response is March 15
  • Mike noted that many in this committee are responding to the IFR from their parent organization’s perspective
  • Bill Braithwaite reported that HL7 will be submitting a consolidated response for aspects of comments that are HL7 standards specific. An electronic process for submitting work group comments to the HL7 committee is reportedly to be established
  • Serafina to check with HL7 leadership and will report back on process for submitting comments to HL7
  • Please read MU IFR in advance of next Tuesday’s meeting and bring your comments

Ballot Reconciliation

  • Security DAM ballot resolution took place in joint session with Security, CBCC and SOA WGs
  • CDA R2 IG For CD – comments resolved during WGM
  • SOA – PASS Access Control ballot – comments resolved during WGM

Rio Working Group Meeting - May 2010

  • Security WG will be in session
  • If we are able to ballot for May, Security DAM ballot reconciliation will take place
  • There are costs associated with delaying progress on these ballots
  • No issue about balloting things, but ballot reconciliation works better in person
  • Richard raised a concern about the title for the Security DAM. It does not explicitly include Privacy in the title of the scope
    • Scope statement includes reference to Privacy explicitly but Mike will add the term Privacy to the title of the Scope Statement prior to submitting to TSC

New Projects

  • Medical Device Security in Distributed Systems
    • Scope statement crafted during the meeting
    • Health Care Devices (HCD) to sponsor; Security WG will co-sponsor along with other WGs
    • Scope statement will be sent to HCD for approval for September 2010 ballot
  • Privacy Policy Templates
    • Create set of pseudo code policies for consumer consent that will be balloted
    • OID assigned to each policy, allowing them to be used in a formal language like XACML or referenced in a CDA R2 message using an HL7 OID. In the R2 message, specify the attributes that belong to that policy. CDA R2 is not a formal policy language; it applies to an instance of a policy and needs some reference to a policy
    • Scope statement has been prepared by Pat and Don (to be presented next week)
  • Security and Privacy Ontology project
    • Bernd made a presentation on ontologies at an EHR work group session and again on Thursday Q4 in a joint SOA, CBCC & Security meeting
    • SOA is also submitting a project for ontology. Mike and Ken Rubin discussed and agreed there are two separate ontology viewpoints and therefore two separate projects
    • Both projects will create SAEAF artifacts
    • Projects will share techniques, policies, tooling
  • Revised Security DAM
    • Ioana proposed the creation of a consolidated Security and Privacy DAM.
    • The consolidated DAM will allow specializations of the DAM that are focused on Security and/or Privacy
    • A revised scope statement was submitted on 31 January to reflect the intent to ballot the consolidated DAM as a DSTU ballot in May. If we are unable to make this date, we will withdraw and ballot in Sept 2010
    • While the initial scope statement reflected the consolidation of the two DAMs, steering division approval is required to move the Security DAM from Informative
    • If any objections are raised to balloting as DSTU, we will argue both DAMs are intended for external use and therefore merit normative status. In addition, the Composite Privacy DAM is already DSTU. External organizations want/need to reference normative standards. This goes beyond the scope of HL7 internal use only
      • For example, Steve is working on taking the Security Information model and creating a US realm specific instance by populating it with standards and value sets. We plan to turn this work over to the FHIMS group (Federal Health Information Modeling and Standards)