Security Work Group Weekly Conference Call

Meeting Information

Attendees

• Tabitha Albertson
• Tom Bonina
• Bill Braithwaite
• Steven Connolly
• Allen Hobbs
• Don Jorgenson
• John Moehrke Security Co-chair
• Milan Petkovic
• Pat Pyette
• Scott Robertson
• Ioana Singureanu
• David Staggs
• Richard Thoreson CBCC Co-chair
• Serafina Versaggi scribe
• Craig Winter

Agenda

1. (5 min) Roll Call, Approve minutes from Security March 16, 2010 & Call for Additional Agenda Items
2. REPORT OUTS
   • (5 min) PASS Audit update
   • (5 min) Privacy Policy Reference Catalog update
   • (5 min) Security and Privacy Ontology project
3. ACTIVE PROJECTS
4. (100 min) Harmonized Security and Privacy DAM Consolidated Peer Review Comments

Announcements

Minutes

1. Action Items

2. Resolutions

3. Updates/Discussion

PASS Audit update

• Pat: Timeline for the PASS Audit Service ballot:
  • Initial draft for review will be posted on the PASS wiki site on March 24.
  • PASS project group will call for an internal vote to determine whether to forward on March 29. We will be accepting pre-ballot comments up through April 2.
  • Assuming the PASS project group decides to move forward, on April 5th, we go for a vote in the SOA Work Group, and on April 6th, we will look for supporting votes from the Security and CBCC workgroups
  • April 6-9 will be used to put finishing touches on the document if approved by all WGs, and April 9th is the last day to submit for ballot.
• Content focuses on the capabilities and the service required to extract information from an Audit Service to support Disclosure Accounting. This will include both conceptual level and platform independent level and a mapping of conceptual Privacy business artifacts and concepts to what we know about RFC-3881 and health care auditing standards.
• Another aspect of the ballot is related to Submit audit record. That calls out DICOM Supplement 95 and the IHE report audit event, part of ATNA as references and the ballot recommends those options.
• Ioana: If you recall, during the first release of the Composite Privacy DSTU, we had the consent directive override record information model. You may be able to reuse portions of that to account for disclosures, even though it was designed to account for overrides. Everything other than the OverrideRecord (action, Information Artifact that was accessed, the person who access it) is probably the same. That model is not in the current version of the Privacy DSTU, but can be found in Subversion (SVN) under Future Use
• Pat will review the DAMs to make sure that the concepts in the Audit work align with the concepts in the Privacy and harmonized Privacy and Security DAMs. Wherever they don’t, we will bring that back to this group for discussion.

Privacy Policy Reference Catalog

• Pat: Nothing to report on this project. The latest version of the project scope statement is now posted on GForge but haven’t yet sent it to the Steering Division as yet. Pat has requested Suzanne and/or Richard’s help to identify the email address for the appropriate Steering Division and will forward the scope statement as soon as that has been located.
• Will update the group in future meeting.

Security and Privacy Ontology Project

• Mike reports that the project scope statement will be presented to TSC next Monday. He does not expect any further issues to be raised. In addition, the SOA Work Group will modify their Ontology project scope to reflect the Security & Privacy Ontology plan.

Harmonized Security and Privacy DAM Consolidated Peer Review Comments