This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "HL7 FHIR security topics"

From HL7Wiki
Jump to navigation Jump to search
 
(137 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
[[Security|Back to Security Main Page]]
 +
 +
==Call Logistics==
 +
Weekly: '''Tuesday at 2:00pm Eastern Time'''
 +
Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36
 +
Online Meeting ID: security36
 +
Phone: +1 515-604-9567, Participant Code: 880898
 +
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes
 +
 +
==Scope: Develop and Maintain FHIR Security Resources==
 
Project ID [http://www.hl7.org/Special/committees/secure/projects.cfm?action=edit&ProjectNumber=1209 1209]  
 
Project ID [http://www.hl7.org/Special/committees/secure/projects.cfm?action=edit&ProjectNumber=1209 1209]  
  
* '''[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4968 FHIR disposition link on gForge]''' for review/discussion (ongoing weekly agenda item)
+
This project will identify and define resources, terminology, profiles, extensions as well as security label metadata necessary to support Healthcare Security and Privacy requirements.
 +
 
 +
These requirements include those identified by international domains as articulated in legislation, policy, related standards, and those documented in HL7 Privacy and Security related domain analysis, architectural frameworks, services, and functional models, and various v2, v3, CDA, and FHIR interchange specifications. Specifically, this includes the AuditEvent resource, Provenance resource, Signature datatype, assigned to Security by the FMG as well as profiles and implementation guides created against these resources.
 +
 
 +
The development and maintenance of these artifacts will be conducted in collaboration with other relevant domain work groups as outlined in the Security WG mission and charter.
 +
 
 +
The Security WG will develop guidance regarding use of HL7 Security Standards (e.g. Role and Attribute-based access controls and vocabularies. In addition, the Security WG will work with appropriate external standards organizations to develop appropriate guidance on the use of general purpose security technologies, such as user authentication and authorization, that would aid with the secure and privacy protecting use of FHIR; and guide the FHIR community on the appropriate use of these solutions through the security pages of the FHIR specification, assigned to Security WG by the FMG.
 +
 
 +
 
 +
== Agenda and Minutes==
 +
Agenda and minutes now managed in Confluence http://confluence.hl7.org:8090/display/SEC/Meeting+Index
 +
* HL7 FHIR Security 2019-0108 -- cancelled due to travel to WGM
 +
* HL7 FHIR Security 2019-01-01 -- cancelled due to holidays
 +
* HL7 FHIR Security 2018-12-25 -- cancelled due to holidays
 +
* [[HL7 FHIR Security 2018-12-18]]
 +
* [[HL7 FHIR Security 2018-12-11]]
 +
* [[HL7 FHIR Security 2018-12-04]]
 +
* HL7 FHIR Security 2018-11-27 -- cancelled due to conflict
 +
* HL7 FHIR Security 2018-11-20 -- no meeting happened
 +
* [[HL7 FHIR Security 2018-11-13]]
 +
* November 6, 2018 -- cancelled due to lack of agenda (actually held but didn't start due to lack of agenda)
 +
* [[HL7 FHIR Security 2018-10-30]]
 +
* [[HL7 FHIR Security 2018-10-23]]
 +
* October 2 -- cancelled due to WGM
 +
* September 25 -- cancelled due to pre WGM
 +
* September 18, 2018 -- canceled due to day-job conflict and lack of agenda
 +
* September 11, 2018 -- canceled due to day-job conflict
 +
* [[HL7 FHIR Security 2018-09-04]]
 +
* [[HL7 FHIR Security 2018-08-28]]
 +
* [[HL7 FHIR Security 2018-08-21]]
 +
* [[HL7 FHIR Security 2018-08-14]]
 +
* August 7, 2018 -- cancelled due to conflict with ONC Interop Event
 +
* [[HL7 FHIR Security 2018-07-31]]
 +
* no qurum
 +
* July 17, 2018 -- cancelled due to IHE face-to-face in Chicago
 +
* [[HL7 FHIR Security 2018-07-10]]
 +
* [[HL7 FHIR Security 2018-07-03]]
 +
* [[HL7 FHIR Security 2018-06-26]]
 +
* June 19, 2018 - canceled due to conflict with FHIR DevDays
 +
* [[HL7 FHIR Security 2018-06-12]]
 +
* [[HL7 FHIR Security 2018-06-05]]
 +
* [[HL7 FHIR Security 2018-05-29]]
 +
* May 22, 2018 -- canceled due to post WGM return
 +
* May 15, 2018 -- canceled due to HL7 WGM in Cologne
 +
* [[HL7 FHIR Security 2018-05-08]]
 +
* May 1, 2018 -- canceled due to IHE face-to-face in Chicago
 +
* [[HL7 FHIR Security 2018-04-24]]
 +
* [[HL7 FHIR Security 2018-04-17]]
 +
* [[HL7 FHIR Security 2018-04-10]]
 +
* [[HL7 FHIR Security 2018-04-03]]
 +
* [[HL7 FHIR Security 2018-03-27]]
 +
* [[HL7 FHIR Security 2018-03-20]]
 +
* [[HL7 FHIR Security 2018-03-13]]
 +
* March 6, 2018 - canceled due to HIMSS
 +
* [[HL7 FHIR Security 2018-02-27]]
 +
* [[HL7 FHIR Security 2018-02-20]]
 +
* February 13, 2018 -- canceled due to IHE face-to-face in Oslo
 +
* [[HL7 FHIR Security 2018-02-06]]
 +
* January 30, 2018 -- canceled due to HL7 WGM
 +
* January 23, 2018 -- canceled due travel to HL7 WGM
 +
* January 16, 2018 -- no quorum
 +
* January 9, 2018 -- canceled due to availability
 +
* January 2, 2018 -- canceled due to the holidays
 +
* December 26, 2017 -- canceled due to holidays
 +
* December 19, 2017 -- canceled due to holidays
 +
* December 12, 2017 -- informal work on HCS
 +
* [[HL7 FHIR Security 2017-12-05]]
 +
* [[HL7 FHIR Security 2017-11-28]]
 +
* [[HL7 FHIR Security 2017-11-21]]
 +
* [[HL7 FHIR Security 2017-11-14]]
 +
* [[HL7 FHIR Security 2017-11-07]]
 +
* [[HL7 FHIR Security 2017-10-31]]
 +
* October 24, 2017 -- canceled due to John not being available
 +
* October 17, 2017 -- canceled due to John not being available
 +
* [[HL7 FHIR Security 2017-10-10]]
 +
* [[HL7 FHIR Security 2017-10-03]]
 +
* [[HL7 FHIR Security 2017-09-26]]
 +
* September 19, 2017 -- canceled due to WGM
 +
* September 12, 2017 -- canceled due to WGM
 +
* September 5, 2017 -- canceled due to WGM
 +
* [[HL7 FHIR Security 2017-08-29]]
 +
* August 22, 2017 -- No quorum
 +
* [[HL7 FHIR Security 2017-08-15]]
 +
* August 8, 2017 -- canceled
 +
* August 1, 2017 -- canceled
 +
* [[HL7 FHIR Security 2017-07-25]]
 +
* July 18, 2017 - canceled due to conflict with IHE face-to-face meeting
 +
* [[HL7 FHIR Security 2017-07-11]]
 +
* July 4, 2017 - canceled due to USA holiday
 +
* [[HL7 FHIR Security 2017-06-27]]
 +
* June 20, 2017 - canceled due to resource availability.
 +
* [[HL7 FHIR Security 2017-06-13]]
 +
* [[HL7 FHIR Security 2017-06-06]]
 +
* May 30, 2017 -- canceled due to holiday
 +
* [[HL7 FHIR Security 2017-05-23]]
 +
* May 15, 2017 -- Canceled due to travel from Madrid
 +
* May 8, 2017 -- Canceled due to Madrid HL7 WGM
 +
* May 2, 2017 -- ?????  Canceled due to travel to Madrid
 +
* April 25, 2017 -- Canceled due to IHE face-to-face
 +
* [[HL7 FHIR Security 2017-04-18]]
 +
* [[HL7 FHIR Security 2017-04-11]]
 +
* [[HL7 FHIR Security 2017-04-04]]
 +
* [[HL7 FHIR Security 2017-03-28]]
 +
* March 21, 2017 -- Canceled
 +
* [[HL7 FHIR Security 2017-03-14]]
 +
* February 21, 2017 - Canceled due to HIMSS
 +
* [[HL7 FHIR Security 2017-02-14]]
 +
* February 7, 2017 - Canceled due to IHE face-to-face meeting
 +
* [[HL7 FHIR Security 2017-01-31]]
 +
* [[HL7 FHIR Security 2017-01-24]]
 +
* December 27, 2016 Canceled
 +
* December 20, 2016 Canceled
 +
* [[HL7 FHIR Security 2016-12-06]]
 +
* [[HL7 FHIR Security 2016-11-29]]
 +
* November 22, 2016 canceled
 +
* November 15, 2016 canceled
 +
* [[HL7 FHIR Security 2016-11-08]]
 +
* [[HL7 FHIR Security 2016-11-01]]
 +
* [[HL7 FHIR Security 2016-10-25]]
 +
* [[HL7 FHIR Security 2016-10-18]]
 +
* [[HL7 FHIR Security 2016-10-11]]
 +
* [[HL7 FHIR Security 2016-10-04]]
 +
* September 27, 2016 Canceled
 +
* September 20, 2016 Canceled
 +
* September 13, 2016 Canceled
 +
*[[HL7 FHIR Security 2016-9-06]]
 +
*[[HL7 FHIR Security 2016-8-30]]
 +
* August 23, 2016 - Canceled
 +
* August 16, 2016 - Canceled
 +
*[[HL7 FHIR Security 2016-8-9]]
 +
* August 2 2016 - Canceled
 +
* July 26 2016 - Canceled
 +
*[[HL7 FHIR Security 2016-7-19]]
 +
*[[HL7 FHIR Security 2016-7-12]]
 +
* July 5 2016 - Canceled
 +
*[[HL7 FHIR Security 2016-6-28]]
 +
*[[HL7 FHIR Security 2016-6-21]]
 +
*[[HL7 FHIR Security 2016-6-14]]
 +
*[[HL7 FHIR Security 2016-6-07]]
 +
*[[HL7 FHIR Security 2016-5-31]]
 +
*[[HL7 FHIR Security 2016-5-24]]
 +
*[[HL7 FHIR Security 2016-5-3]]
 +
*[[HL7 FHIR Security 2016-4-26]]
 +
*[[HL7 FHIR Security 2016-4-19]]
 +
*[[HL7 FHIR Security 2016-4-12]]
 +
*[[HL7 FHIR Security 2016-4-5]]
 +
*[[HL7 FHIR Security 2016-3-29]]
 +
*[[HL7 FHIR Security 2016-3-22]]
 +
*[[HL7 FHIR Security 2016-3-15]]
 +
*[[HL7 FHIR Security 2016-3-8]]
 +
*[[HL7 FHIR Security 2016-3-1]]
 +
*[[HL7 FHIR Security 2016-2-23]]
 +
*[[HL7 FHIR Security 2016-2-16]]
 +
*[[HL7 FHIR Security 2016-2-02]]
 +
*[[HL7 FHIR Security 2016-01-26]]
 +
*[[HL7 FHIR Security 2016-01-05]]
 +
*[[HL7 FHIR Security 2015-12-29]]
 +
*[[HL7 FHIR Security 2015-12-22]]
 +
*[[HL7 FHIR Security 2015-12-15]]
 +
*[[HL7 FHIR Security 2015-12-08]]
 +
*[[HL7 FHIR Security 2015-12-01]]
 +
*[[HL7 FHIR Security 2015-11-24]]
 +
*[[HL7 FHIR Security 2015-11-17]]
 +
*[[HL7 FHIR Security 2015-11-10]]
 +
 
 +
==Export from Gforge Security Open==
 +
'''[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4968 FHIR disposition link on gForge]''' for review/discussion (ongoing weekly agenda item)
 +
 
 +
John moved the items from November 3rd, 2015 gForge export and distributed them to the various parts: Provenance, AuditEvent, Security pages, and Signature.
 +
 
 +
=Provenance=
 +
[[HL7 FHIR Provenance Resource|HL7 FHIR Provenance Resource Project Work]]
 +
 
 +
=AuditEvent=
 +
[[HL7 FHIR AuditEvent Resource|HL7 FHIR AuditEvent Resource Project Work]]
 +
 
 +
=Security Pages=
 
* [http://hl7-fhir.github.io/security.html Security] pages
 
* [http://hl7-fhir.github.io/security.html Security] pages
 
** Including guidance on Authentication and Authorization
 
** Including guidance on Authentication and Authorization
 
** [http://hl7-fhir.github.io/security-labels.html Security Labels] Page
 
** [http://hl7-fhir.github.io/security-labels.html Security Labels] Page
 
*** including meta tag use for security labels
 
*** including meta tag use for security labels
 +
* from GForge
 +
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=3318 3318] Clarify how to use RBAC and ABAC using FHIR ()
 +
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=8738 8738] Unapplied QA changes around security and services ()
 +
** [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9036 9036] Handling of meta values that should force version, such as security_labels
 +
** [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9037 9037] Security page should recognize HEART
 +
** [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9078&start=0 9078] HTTP Caching Warning for FHIR GET REST services
 +
 +
=Signatures Datatype=
 
* [http://hl7-fhir.github.io/datatypes.html#signature Signature] Data Type
 
* [http://hl7-fhir.github.io/datatypes.html#signature Signature] Data Type
* [http://hl7-fhir.github.io/provenance.html Provenance] Resource
+
* from GForge
** Including signature use within Provenance
+
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=8827 8827] Signature datatype does not include counter-signature type ()
** Provenance.activity value-set needs to be enlarged with existing vocabulary, and discussion around if it should be marked as Extensible.
+
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=8731 8731] Canonicalization for signatures ()
** Provenance.entity.role unclear how each vocabulary item should be used.
+
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=7752 7752] 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Related
*** how is derivation to be used?
+
**[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9082 9082] Update of signature type displayNames
*** how is revision to be used, other than the duplicate indication that would be in Provenance.activity.
+
 
** Provenance.reason binding only to the PurposeOfUse is not granular. Seems there should be a more clear distinction between reason and activity. question on why this is Extensible
+
=Not Security WG, but are listed as interested party=
** show how a resource and provenance would look as that resource transitions through lifecycle. In this way one would be able to find each step of the lifecycle, by way of version; and the provenance statement by way of the pointer to that version specific.
+
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=5525 5525] Consent Directive does not appear to be aligned with the 80% ()
**
+
 
** Detailed work plan and notes [[HL7 FHIR Provenance Resource]]
+
 
* [http://hl7-fhir.github.io/auditevent.html AuditEvent] Resource
+
=Relation of Provenance and Audit Event, and Security Labels=
** harmonize the structure, element names, and vocabulary as much as possible with Provenance.
+
*Who records Provenance vs AuditEvent; what are the various architectures. The important point is to assure that the architecture chosen doesn't miss information.
** address the thought experiment of why do we have both Provenance and AuditEvent. (motivation vs consequence) (medical records vs security surveillance)
+
*Risks to Confidentiality, Integrity, and Availability.
*** See http://hl7-fhir.github.io/auditevent-mappings.html#w3c.prov
+
*Role of [http://hl7-fhir.github.io/w5 W5]
*** See http://hl7-fhir.github.io/auditevent-mappings.html#fhirprovenance
+
* [http://hl7-fhir.github.io/consent.html Privacy Consent] as a profile on [http://hl7-fhir.github.io/contract.html Contract]
*** See http://hl7-fhir.github.io/provenance-mappings.html#w3c.prov
 
*** See http://hl7-fhir.github.io/provenance-mappings.html#fhirauditevent
 
*** See http://hl7-fhir.github.io/w5
 
** Who records Provenance vs AuditEvent; what are the various architectures. The important point is to assure that the architecture chosen doesn't miss information.
 
* and various other things concerning Security -- Risks to Confidentiality, Integrity, and Availability.
 
* also interested in
 
** [http://hl7-fhir.github.io/w5 W5]
 
** [http://hl7-fhir.github.io/consent.html Privacy Consent] as a profile on [http://hl7-fhir.github.io/contract.html Contract]
 

Latest revision as of 16:17, 29 January 2019

Back to Security Main Page

Call Logistics

Weekly: Tuesday at 2:00pm Eastern Time
Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes

Scope: Develop and Maintain FHIR Security Resources

Project ID 1209

This project will identify and define resources, terminology, profiles, extensions as well as security label metadata necessary to support Healthcare Security and Privacy requirements.

These requirements include those identified by international domains as articulated in legislation, policy, related standards, and those documented in HL7 Privacy and Security related domain analysis, architectural frameworks, services, and functional models, and various v2, v3, CDA, and FHIR interchange specifications. Specifically, this includes the AuditEvent resource, Provenance resource, Signature datatype, assigned to Security by the FMG as well as profiles and implementation guides created against these resources.

The development and maintenance of these artifacts will be conducted in collaboration with other relevant domain work groups as outlined in the Security WG mission and charter.

The Security WG will develop guidance regarding use of HL7 Security Standards (e.g. Role and Attribute-based access controls and vocabularies. In addition, the Security WG will work with appropriate external standards organizations to develop appropriate guidance on the use of general purpose security technologies, such as user authentication and authorization, that would aid with the secure and privacy protecting use of FHIR; and guide the FHIR community on the appropriate use of these solutions through the security pages of the FHIR specification, assigned to Security WG by the FMG.


Agenda and Minutes

Agenda and minutes now managed in Confluence http://confluence.hl7.org:8090/display/SEC/Meeting+Index

Export from Gforge Security Open

FHIR disposition link on gForge for review/discussion (ongoing weekly agenda item)

John moved the items from November 3rd, 2015 gForge export and distributed them to the various parts: Provenance, AuditEvent, Security pages, and Signature.

Provenance

HL7 FHIR Provenance Resource Project Work

AuditEvent

HL7 FHIR AuditEvent Resource Project Work

Security Pages

  • Security pages
    • Including guidance on Authentication and Authorization
    • Security Labels Page
      • including meta tag use for security labels
  • from GForge
    • 3318 Clarify how to use RBAC and ABAC using FHIR ()
    • 8738 Unapplied QA changes around security and services ()
    • 9036 Handling of meta values that should force version, such as security_labels
    • 9037 Security page should recognize HEART
    • 9078 HTTP Caching Warning for FHIR GET REST services

Signatures Datatype

  • Signature Data Type
  • from GForge
    • 8827 Signature datatype does not include counter-signature type ()
    • 8731 Canonicalization for signatures ()
    • 7752 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Related
    • 9082 Update of signature type displayNames

Not Security WG, but are listed as interested party

  • 5525 Consent Directive does not appear to be aligned with the 80% ()


Relation of Provenance and Audit Event, and Security Labels

  • Who records Provenance vs AuditEvent; what are the various architectures. The important point is to assure that the architecture chosen doesn't miss information.
  • Risks to Confidentiality, Integrity, and Availability.
  • Role of W5
  • Privacy Consent as a profile on Contract