This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "HL7 FHIR Security 2016-2-02"

From HL7Wiki
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 22: Line 22:
 
||||[mailto:jmoehrke@ge.med.com John Moehrke] Security Co-Chair
 
||||[mailto:jmoehrke@ge.med.com John Moehrke] Security Co-Chair
 
|||x|||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
 
|||x|||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
|||x|||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
+
||||||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
 
|-
 
|-
||x||[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
+
||||[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
 
||||||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
 
||||||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
|||x|||[mailto:Mike.Davis@va.gov Mike Davis]
+
||||||[mailto:Mike.Davis@va.gov Mike Davis]
 
|-
 
|-
 
||||[mailto:rgelzer@provider-resources.com Reed Gelzer] RM-ES Lead
 
||||[mailto:rgelzer@provider-resources.com Reed Gelzer] RM-ES Lead
||||||[mailto:gfm@securityrs.com Glen Marshal]
+
|||x|||[mailto:gfm@securityrs.com Glen Marshal]
 
||||||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
||||||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
|-
 
|-
 
||||[mailto:dsilver@electrosoft-inc.com Dave Silver]
 
||||[mailto:dsilver@electrosoft-inc.com Dave Silver]
 
|||x|||[mailto:robert.horn@agfa.com Rob Horn]  
 
|||x|||[mailto:robert.horn@agfa.com Rob Horn]  
|||x|||[mailto:Judith.Fincher@va.gov Judy Fincher]
+
||||||[mailto:Judith.Fincher@va.gov Judy Fincher]
 
|-
 
|-
||x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
+
|||| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||||||[mailto:]  
 
||||||[mailto:]  
 
||||||[mailto:]
 
||||||[mailto:]
Line 43: Line 43:
  
 
==Agenda==
 
==Agenda==
*Align AuditEvent and Provenance action/activity element.  Recommend "activity".
 
  
Implement the following changes per CP XXX
+
 
 +
Implement the following changes per 2 new CPs
 +
 
 +
*CP 1: Align AuditEvent and Provenance action/activity element name and definition.  Recommend changing to "activity".
 
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.action AuditEvent.action [Change to ''AuditEvent.activity'']
 
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.action AuditEvent.action [Change to ''AuditEvent.activity'']
  
Question of what to do with the definitional differences - e.g., possibly combine.
+
Question: What to do with the definitional differences - e.g., possibly combine.
Definition: Indicator for type of action [''Change to "activity".''] performed during the event that generated the audit.  
+
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.action Current AuditEven.action Definition]: Indicator for type of action [''Change to "activity".''] performed during the event that generated the audit.  
 
Control 0..1  
 
Control 0..1  
 
Binding AuditEventAction: Indicator for type of action[''Change to "activity".''] performed during the event that generated the audit. (Required)  
 
Binding AuditEventAction: Indicator for type of action[''Change to "activity".''] performed during the event that generated the audit. (Required)  
Line 61: Line 63:
 
Binding ProvenanceEventCurrentState: The activity that took place. (Extensible)  
 
Binding ProvenanceEventCurrentState: The activity that took place. (Extensible)  
 
Type Coding  
 
Type Coding  
Summary true
 
==Minutes==
 
*Kathleen cochaired.
 
*After a quick review of the agenda, participants decided to defer discussion until John Moehrke, the Security FHIR Facilitator, is able to join.
 
*Kathleen submitted [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9407 CP 9407] on this topic.
 
* Call adjourned early.
 
 
  
 
+
*CP 2: Add to [http://hl7-fhir.github.io/provenance.html Provenance Resource] a new Provenance.entity.lifecycle element to align with [http://hl7-fhir.github.io/auditevent.html Audit.entity.lifecycle].  
 
+
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.entity.lifecycle Current Audit.entity.lifecycle Definition]  
*Add [http://hl7-fhir.github.io/provenance.html Provenance.entity.lifecycle] to align with [http://hl7-fhir.github.io/auditevent.html Audit.entity.lifecycle].  
 
**[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.entity.lifecycle Audit.entity.lifecycle Definition]  
 
 
Identifier for the data life-cycle stage for the entity.
 
Identifier for the data life-cycle stage for the entity.
 
Control 0..1  
 
Control 0..1  
Line 81: Line 74:
 
This can be used to provide an audit trail for data, over time, as it passes through the system."
 
This can be used to provide an audit trail for data, over time, as it passes through the system."
 
Possible Provenance.entity.lifecycle would be the same as the Audit.entity.lifecycle.
 
Possible Provenance.entity.lifecycle would be the same as the Audit.entity.lifecycle.
 +
 +
==Minutes==
 +
*Kathleen cochaired.
 +
*After a quick review of the agenda, participants decided to defer discussion until John Moehrke, the Security FHIR Facilitator, is able to join.
 +
*Kathleen submitted [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9407 CP 9407] which reads: Consider aligning AuditEvent and Provenance by changing "AuditEvent.action" to "AuditEvent.activity" per Security WG objective to align concepts/elements/definitions across FHIR AuditEvent, Provenance, and Security Labels and FHIR Consent Directive with W3C PROV to the extent that alignment makes sense. And/or provide more documentation about how the AuditEvent.action relates to the Provenance.activity associated with the same event.
 +
Consider harmonizing or bi-referencing AuditEvent.action/activity and Provenance.activity definitions.  For example:
 +
AuditEvent.action/activity Definition: Indicator for type of action [''Change to "activity"?''] performed during the event that generated the audit. The AuditEvent.action/activity is a system view of all or a component activity in the same event's Provenance.activity.
 +
Provenance.activity Definition: An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. The Provenance.activity is a workflow view of an audited single or multiple component system event.
 +
*Kathleen submitted [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9417 CP9417]which reads:   Add a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle.  This element would track a Provenance.entity's lifecycle stage prior to the Provenance.activity by which an agent generates the Provenance Target.
 +
That target's lifecycle stage as authenticated may be updated if it is an entity input to a succeeding legally authenticated version of the same Resource.
 +
E.g.,an authenticator signs a completed resource input, thereby creating the Provenance target,. That target may then become the authenticated entity in a Provenance Resource on a legally authenticated verson of that entity [new Provenance target] by way of a legal authenticator's signature.
 +
Provide documentation explaining the relationship of Provenance.activity to Provenance.entity.lifecycle, and its concurrent relationship to any associated AuditEvent.entity.lifecycle.
 +
 +
* Call adjourned early.

Latest revision as of 03:05, 4 February 2016

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692

Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV

If you are having difficulty joining, please try:

https://global.gotomeeting.com/join/520841173

Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
John Moehrke Security Co-Chair x Kathleen Connor Security Co-Chair Suzanne Gonzales-Webb CBCC Co-Chair
Gary Dickinson EHR Co-Chair Johnathan ColemanCBCC Co-Chair Mike Davis
Reed Gelzer RM-ES Lead x Glen Marshal Galen Mulrooney
Dave Silver x Rob Horn Judy Fincher
Diana Proud-Madruga [mailto:] [mailto:]

Agenda

Implement the following changes per 2 new CPs

  • CP 1: Align AuditEvent and Provenance action/activity element name and definition. Recommend changing to "activity".

AuditEvent.action [Change to AuditEvent.activity

Question: What to do with the definitional differences - e.g., possibly combine. Current AuditEven.action Definition: Indicator for type of action [Change to "activity".] performed during the event that generated the audit. Control 0..1 Binding AuditEventAction: Indicator for type of action[Change to "activity".] performed during the event that generated the audit. (Required) Type code Requirements This broadly indicates what kind of action [Change to "activity".] was done on the AuditEvent.entity by the AuditEvent.agent.

Definition: An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. Control 0..1 Binding ProvenanceEventCurrentState: The activity that took place. (Extensible) Type Coding

Current Audit.entity.lifecycle Definition Identifier for the data life-cycle stage for the entity. Control 0..1 Binding AuditEventObjectLifecycle: Identifier for the data life-cycle stage for the object. (Extensible) Type Coding Requirements Institutional policies for privacy and security may optionally fall under different accountability rules based on data life cycle. This provides a differentiating value for those cases. Comments This can be used to provide an audit trail for data, over time, as it passes through the system." Possible Provenance.entity.lifecycle would be the same as the Audit.entity.lifecycle.

Minutes

  • Kathleen cochaired.
  • After a quick review of the agenda, participants decided to defer discussion until John Moehrke, the Security FHIR Facilitator, is able to join.
  • Kathleen submitted CP 9407 which reads: Consider aligning AuditEvent and Provenance by changing "AuditEvent.action" to "AuditEvent.activity" per Security WG objective to align concepts/elements/definitions across FHIR AuditEvent, Provenance, and Security Labels and FHIR Consent Directive with W3C PROV to the extent that alignment makes sense. And/or provide more documentation about how the AuditEvent.action relates to the Provenance.activity associated with the same event.

Consider harmonizing or bi-referencing AuditEvent.action/activity and Provenance.activity definitions. For example: AuditEvent.action/activity Definition: Indicator for type of action [Change to "activity"?] performed during the event that generated the audit. The AuditEvent.action/activity is a system view of all or a component activity in the same event's Provenance.activity. Provenance.activity Definition: An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. The Provenance.activity is a workflow view of an audited single or multiple component system event.

  • Kathleen submitted CP9417which reads:  Add a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle.  This element would track a Provenance.entity's lifecycle stage prior to the Provenance.activity by which an agent generates the Provenance Target.

That target's lifecycle stage as authenticated may be updated if it is an entity input to a succeeding legally authenticated version of the same Resource. E.g.,an authenticator signs a completed resource input, thereby creating the Provenance target,. That target may then become the authenticated entity in a Provenance Resource on a legally authenticated verson of that entity [new Provenance target] by way of a legal authenticator's signature. Provide documentation explaining the relationship of Provenance.activity to Provenance.entity.lifecycle, and its concurrent relationship to any associated AuditEvent.entity.lifecycle.

  • Call adjourned early.