December 15, 2015 Security Conference Call
Latest revision as of 16:34, 22 December 2015
Attendees
x | Member Name | x | Member Name | x | Member Name
---|---|---|---|---|---
x | Mike Davis, Security Co-chair | | Duane DeCouteau | . | Chris Clark
x | John Moehrke, Security Co-chair | | Johnathan Coleman | . | Aaron Seib
x | Alexander Mense, Security Co-chair | . | Ken Salyards | . | Christopher D Brown, TX
. | Trish Williams, Security Co-chair | . | Gary Dickinson | x | Dave Silver
x | Kathleen Connor | . | Ioana Singureanu | | Mohammed Jafari
x | Suzanne Gonzales-Webb | x | Rob Horn | . | Galen Mulrooney
x | Diana Proud-Madruga | | Ken Rubin | | William Kinsley
x | Rick Grow | | Paul Knapp | x | Debbie Bucci
x | Glen Marshall, SRS | | Bill Kleinebecker | x | Christopher Shawn
| Oliver Lawless | x | Rob Horn | | Serafina Versaggi
. | Beth Pumo | | Russell McDonell | | Paul Petronelli, Mobile Health
| Christopher Doss | x | Kamalini Vaidya | |
Agenda DRAFT
- ( 5 min) Roll Call, Agenda Approval
- ( 5 min) Approve December 08 Meeting Minutes
- ( 5 min) Healthcare Security and Privacy Access Control Catalog Update - Rick, Suzanne
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( min) FHIR Security report out - John
- ( 5 min) PASS Access Control Conceptual Model (SOA) ballot reconciliation Update - Diana, Don, Mike, Dave
- Remaining meetings for 2015, beginning of 2016 - December 22, 29; January 5
- (10 min) Upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG - AGENDA ITEMS
- Update Preview of Audit Functional Model - Dave
  - in future to update the PASS Audit
Meeting Minutes
Motion to Approve December 8 meeting minutes
Objections: none; meeting minutes approved: 12
Healthcare Security and Privacy Access Control Catalog
No update. No comments returned, no votes returned to date.
Joint Vocabulary Alignment update
- came to an understanding on 'originate'
- latest version is available for review on the Vocabulary Alignment wiki
  - links added to CBCC and Security to access the wiki
- work is progressing, trying to find common ground/common process - we are getting there
- tried to build the definitions off a standard model of fairly simple functional/control systems as an alternative to definitions
- struggling on the first basic set of things (last 4-6 weeks), getting comfortable with the representation, artifacts, and details of each of the articles: how we want them to be
  - input, output, etc. will serve us to tackle the rest of the vocabulary
  - would like to present in more detail to the Security group (it is in alignment w/ security, provenance) now and going forward to receive feedback. Expect good reviews from the Security group
- add to agenda for Security WG as a follow-up - to review the items
FHIR Security
- resolved one CP last week; results are now in the current build (essentially a renaming of audit events so they are the same as in provenance: preference for the W3C definition of 'entity' and 'agent' vs. ATNA 'participant' and 'object')
PASS Access Control Conceptual Model
- comments returned from Alex (Bernd's comment)
- is there further ballot reconciliation to be done?
  - only what Alex sent out
- request to withdraw sent to VA and DoD folks - votes have not been withdrawn
  - suggesting to add a capability to our trust framework - along the lines to describe trusted attributes
- we believe that the response should be 'for future use' - we are moving in that direction (there is a gap); but at this time it is not
  - Alex - maybe leave as an open issue and fix in a future build
ACTION: Alex to approach/confirm with Bernd on this resolution and ask if this resolution is okay.
- Diana will confirm that the resolutions are in the spreadsheet and notify Alex/Bernd when they are ready for Bernd to respond
remaining 2015, early 2016 meetings
- December 22 - meet; yes
- December 29 - no (Mike is not available)
- January 5 - ? just before WGM (Mike is not available)
- following week is the WGM
Proposal: (as above) (Glen/JohnM) - objections: none; abstentions: none; motion passed (meeting only on the 22nd)
- confirm quorum at the FHIR meeting this afternoon - TBD
- John M is available if meetings are held
Agenda items for upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG
Suzanne to update the calendar, to be reviewed at the 12/22 meeting
- Wednesday Q2 - remove SOA Security, add PSS Audit Services
- ADD to Tuesday Q3 (joint): Privacy Protection for the Internet of Things
  - setting up a call with Helen for a briefing on the background of the group; Steve Moeller and Kantara will also join
  - does the Security WG consider emerging technologies that have not been a topic of our work (HEART, privacy protective, what Helen has proposed) and how they all fit together as a health Internet of Things? ADD
  - would indicate whether or not the WGM is a place to host a meeting...presentation with Alex's students
- remove: Tuesday Q2 PASS AC Ballot reconciliation
Mapping of 800-53 security controls to the Functional Model
- displayed by Dave Silver
- we will publish the FM along with the text of the FM (description of the functions)
  - The table with the mapping: we have not written up the logic of why they are mapped the way they are. This is our view at this point. The mapping to 800-53 gives us a way of organizing the functions. Some of the 800-53 controls are mappable to one or more of the FM functions. The FM is not canonical in this sense (one and only one); this is something to note.
- provide FM in a word document
- asking for comments on what we have so far - a precursor to our Audit standard (w/SOA); will be going into more detail at the January WGM.
- Mike would like to solicit any other suggestions. The audit model is traceable to other standards that we have (ISO, ASTM...) that are used for the usage of terms and concepts. May not be seen here at this point.
- a link will be provided to the items being presented today
- each of the functions is described in the word document - they should be familiar
- Is there a crosswalk to NIST SP 800-92 (a functional model for audit logging)? No, this is the only crosswalk done at this time
  - it's unfortunate that 800-92 did not clearly do that for us.
- at the WGM, we may have the requirements ready for presentation; approx. 250 requirements written
  - we want to have the requirements traceable to 800-53
ACTION: Two documents forwarded to the Security WG listserv (Suzanne)
Meeting adjourned at 1357 AZT --Suzannegw (talk) 16:09, 15 December 2015 (EST)