
Difference between revisions of "HL7 WGM May 2015 - Paris, France - Security WG - Minutes"


Revision as of 09:55, 13 May 2015

Minutes from Security WG

Tuesday Q1

  • Attendees
    • John Moehrke - Co-Chair
    • Alex Mense - Co-Chair
    • Miyohara, Hideyuki
    • Jonathan Coleman
    • Clay Sebourn - Clay.Sebourn@emc.com
    • NOT! Princess Trish Williams - Co-Chair


Tuesday Q2

  • Attendees
    • John Moehrke - Co-Chair
    • Alex Mense - Co-Chair
    • Miyohara, Hideyuki
    • Jonathan Coleman
    • Clay Sebourn - Clay.Sebourn@emc.com
    • Trish Williams - Co-Chair
    • Jeff Ting - Jeffery.Ting@SystemsMadeSimple.com
    • Comelia Felder - comelia.felder@roche.com
  • Privacy on FHIR - Jonathan Coleman
    • ONC and VA initiative to demonstrate Privacy on FHIR
    • Not an effort to create standards or guidance documentation
    • Using HCS, SLS, Ontology, DS4P, and consent
    • OpenID, OAuth2, UMA
  • Data Provenance IG - Jonathan Coleman
    • Comments resolved; awaiting final DSTU soon
  • FHIR Ballot triage

Tuesday Q3

  • FHIR Ballot triage

Tuesday Q4

Lack of quorum; canceled

Wednesday Q2

  • Joint with SOA (hosted by SEC)
  • PASS Access Control. Addresses the information and capabilities required to provide Access Control service to protect resources in a distributed healthcare environment, where interoperability requirements exist.
  • Current status of PASS is DSTU (but out of date); it will go forward to Normative Ballot in Sept 2015.
    • Under consideration is a Platform Specific Model targeting FHIR resource access management. SEC should take the lead and get a project lead for this. Need to understand the Argonaut project content on security. Are they leveraging PASS? Clarification from Josh Mandel will be sought.
      • Under a Platform Specific Model this would require specification of the security token platform?
      • RESTful API already can use/does use PASS. The application in healthcare further includes patient consent and additional context specific attributes.
      • For instance, Privacy on FHIR (VA/ONC, US specific) demonstrates the use of standard tools applied to healthcare, including PASS; the SMART initiative uses PASS; and is the Argonaut project using it? HEART (OAuth, OpenID Connect, and UMA committees) is to come to healthcare to help healthcare; John M is engaging with this.
      • PASS Access control specific to FHIR. This should be constrained further to a specific interaction model (SOAP, V2 messaging, CDA, transactions, etc).
    • Also suggested for normative ballot is the use of FHIR Security/Privacy related Resources as Access Decision Information (ACI) sources for Privacy Enforcement Point (PEP) realizations. This is a clarifier of the Platform Specific Model (discussed above).
  • Security will find lead (from those working on the problem). The project will not be created until the people are found.
  • PSS on Approved at TSC 12/05/2015
    • Project Summary for HL7 Privacy and Security Architecture Framework [PSAF aka 'Privacy Safe'].

Attendees: