This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "HL7 FHIR Security 2016-2-23"

From HL7Wiki
Jump to navigation Jump to search
(Created page with "==Call Logistics== Weekly: '''Tuesday at 05:00 EST''' (2 PM PST) Conference Audio: '''770-657-9270,''' Access: '''845692'' '''Join online meeting: https://meet.RTC.VA.GOV/...")
 
 
(10 intermediate revisions by 2 users not shown)
Line 20: Line 20:
 
! ||'''Member Name'''|| !!  ||'''Member Name''' !!|| ||'''Member Name''' !!
 
! ||'''Member Name'''|| !!  ||'''Member Name''' !!|| ||'''Member Name''' !!
 
|-
 
|-
|||x|[mailto:jmoehrke@ge.med.com John Moehrke] Security Co-Chair
+
|| x||[mailto:john.moehrke@ge.med.com John Moehrke] Security Co-Chair
 
||||x||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
 
||||x||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
 
||||x||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
 
||||x||[mailto:suzanne.webb@engilitycorp.com Suzanne Gonzales-Webb] CBCC Co-Chair   
 
|-
 
|-
|||x|[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
+
|| x||[mailto:gary.dickinson@ehr-standards.com Gary Dickinson] EHR Co-Chair
||||||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
+
||||.||[mailto:jc@securityrs.com Johnathan Coleman]CBCC Co-Chair
||||||[mailto:Mike.Davis@va.gov Mike Davis]
+
||||.||[mailto:Mike.Davis@va.gov Mike Davis]
 
|-
 
|-
||||[mailto:rgelzer@provider-resources.com Reed Gelzer] RM-ES Lead
+
|| .||[mailto:rgelzer@provider-resources.com Reed Gelzer] RM-ES Lead
|||x|||[mailto:gfm@securityrs.com Glen Marshal]
+
||||x||[mailto:gfm@securityrs.com Glen Marshal]
||||||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
+
||||.||[mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
|-
 
|-
||||[mailto:dsilver@electrosoft-inc.com Dave Silver]
+
|| .||[mailto:dsilver@electrosoft-inc.com Dave Silver]
||||||[mailto:robert.horn@agfa.com Rob Horn]  
+
||||x||[mailto:robert.horn@agfa.com Rob Horn]  
||||x||[mailto:Judith.Fincher@va.gov Judy Fincher]
+
||||.||[mailto:Judith.Fincher@va.gov Judy Fincher]
 
|-
 
|-
|||| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
+
|| x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
||||||[mailto:]  
+
||||x|| [mailto:Beth.Pumo@kp.org Beth Pumo]
||||||[mailto:]
+
||||.||[mailto:]
 
|-
 
|-
 
|}
 
|}
Line 44: Line 44:
 
==Agenda==
 
==Agenda==
 
*Roll; approval of agenda and [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-2-16 February 16 minutes]
 
*Roll; approval of agenda and [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-2-16 February 16 minutes]
 
+
*CP 6303
* [http://gforge.hl7.org/gf/download/docmanfileversion/9042/13902/FHIR%20AuditEvent%20Provenance%20Map.xlsx FHIR P&S Resource Element Harmonization map]
+
* [http://gforge.hl7.org/gf/download/docmanfileversion/9042/13902/FHIR%20AuditEvent%20Provenance%20Map.xlsx FHIR P&S Resource Element Harmonization map]  
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9570 Security CP 9570 Change AuditEvent.agent Definition and Comment]
 
 
 
To align with Provenance, Contract and ConsentDirective agent definition updates [Contract/CD CP 9566], revise current AuditEvent.agent definition as follows: "Several agents may be associated (i.e. has some responsibility for an activity) with an activity and vice-versa. For example, in cases of actions initiated by one user for other users, or in events that involve more than one user, hardware device, software, or system process. However, only one user may be the initiator/requestor for the event."
 
Need documentation or modeling approach to tell which of possibly several AuditEvent.agent(s) is the initiator/requestor
 
 
 
Revision to above to include both an update to definition and comment
 
Change Definition to:  "An actor taking a role in an activity  for which it can be assigned some degree of responsibility for the activity taking place.
 
Description: An agent can be a person, an organization, software, device, or other entities that may be ascribed responsibility."
 
To align with Provenance, Contract and ConsentDirective agent definition updates [Contract/CD CP 9566], revise current AuditEvent.agent COMMENT as follows: "Several agents may be associated (i.e. has some responsibility for an activity) with an activity and vice-versa. For example, in cases of actions initiated by one user for other users, or in events that involve more than one user, hardware device, software, or system process. However, only one user may be the initiator/requestor for the event."
 
Need documentation or modeling approach to tell which of possibly several AuditEvent.agent(s) is the initiator/requestor.
 
 
 
  
 
Implement the following changes per 2 new CPs
 
Implement the following changes per 2 new CPs
Line 77: Line 66:
 
Type Coding  
 
Type Coding  
  
*CP #: Add to [http://hl7-fhir.github.io/provenance.html Provenance Resource] a new Provenance.entity.lifecycle element to align with [http://hl7-fhir.github.io/auditevent.html Audit.entity.lifecycle].  
+
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9417 CP 9417: Add to [http://hl7-fhir.github.io/provenance.html Provenance Resource] a new Provenance.entity.lifecycle element to align with [http://hl7-fhir.github.io/auditevent.html Audit.entity.lifecycle].  
 
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.entity.lifecycle Current Audit.entity.lifecycle Definition]  
 
[http://hl7-fhir.github.io/auditevent-definitions.html#AuditEvent.entity.lifecycle Current Audit.entity.lifecycle Definition]  
 
Identifier for the data life-cycle stage for the entity.
 
Identifier for the data life-cycle stage for the entity.
Line 86: Line 75:
 
Institutional policies for privacy and security may optionally fall under different accountability rules based on data life cycle. This provides a differentiating value for those cases. Comments  
 
Institutional policies for privacy and security may optionally fall under different accountability rules based on data life cycle. This provides a differentiating value for those cases. Comments  
 
This can be used to provide an audit trail for data, over time, as it passes through the system."
 
This can be used to provide an audit trail for data, over time, as it passes through the system."
Possible Provenance.entity.lifecycle would be the same as the Audit.entity.lifecycle.
+
 
 +
*Discuss the various approaches to ranking and typing "bags of agents" including situation where the ranking is between a delegator and a delegatee.  This impacts approaches to use of a Signature Datatype "who" as a delegatee such as a Device, which cannot be a signer party, to sign on behalf of the legal party.  Tabled until next call after issue is reviewed by FM on [http://wiki.hl7.org/index.php?title=February_19,_2016_Financial_Management_Work_Group_Conference_Call#Agenda 2/19 call.]
 +
 
 +
* Discussion items that are possibly ready for a vote.
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9407 9407] Align AuditEvent and Provenance action/activity element. Recommend "Provenance.entity.activity". (Kathleen Connor) None
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9417 9417] Add a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle. Align definitions. (Kathleen Connor) None
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9570 9570] Change AuditEvent.agent definitions (Kathleen Connor) None
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9571 9571] Change Provenance.agent definition (Kathleen Connor) None
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9562 9562] Change Signature Datatype - make blob 0..1 (Kathleen Connor) None
 +
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9593 9593] Improve advice for Access Denied response (John Moehrke) None
  
 
==Minutes==
 
==Minutes==
*John chaired.  
+
*Discussion on the various approaches to modeling delegation deferred.
*John reported implementing[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9534 Security CP 9534 - Change Contract Actor to Agent] and [http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9536 FM CP 9536 Change the name of current Contract.subject to Contract.topic, and update current definitions].  He's checking why these changes are not showing in the Build.
+
*Kathleen to update Agent CP 9570, 9571with revised definitions
*Discussion focused primarily on the CPs related to changes to harmonize actor to agent definitions and comments:
+
*Kathleen to update this group on outcome of FM discussion on
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9566 Security CP 9566 - Change Contract/CD.agent definition and comments]
+
*John to organize block vote for next Tuesday March 1 call.
[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9570 Security CP 9570 - Change AuditEvent.agent definition]
+
*Kathleen to continue work on an aligned definition for activity, as well as other definitions in the cross FHIR S&P alignment spreadsheet.
*[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=9571 Security CP 9571 Change Provenance.agent definition]
 
*Kathleen did walk through of harmonization map among these Resource "agent" definitions and comments.  John explained how the additional fields such as Notes, Requirements, etc. are used.
 
*WG decided to wait until FM reviews CP 9566 before approving these definitions to make sure that all align before committing to Build.
 
*Discussed the various approaches to ranking and typing "bags of agents" including situation where the ranking is between a delegator and a delegatee.  This impacts approaches to use of a Signature Datatype "who" as a delegatee such as a Device, which cannot be a signer party, to sign on behalf of the legal party.  Tabled until next call after issue is reviewed by FM on [http://wiki.hl7.org/index.php?title=February_19,_2016_Financial_Management_Work_Group_Conference_Call#Agenda 2/19 call.]
 

Latest revision as of 19:27, 1 March 2016

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692

Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV

If you are having difficulty joining, please try:

https://global.gotomeeting.com/join/520841173

Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
x John Moehrke Security Co-Chair x Kathleen Connor Security Co-Chair x Suzanne Gonzales-Webb CBCC Co-Chair
x Gary Dickinson EHR Co-Chair . Johnathan ColemanCBCC Co-Chair . Mike Davis
. Reed Gelzer RM-ES Lead x Glen Marshal . Galen Mulrooney
. Dave Silver x Rob Horn . Judy Fincher
x Diana Proud-Madruga x Beth Pumo . [mailto:]

Agenda

Implement the following changes per 2 new CPs

  • CP 1: Align AuditEvent and Provenance action/activity element name and definition. Recommend changing to "activity".

AuditEvent.action [Change to AuditEvent.activity

Question: What to do with the definitional differences - e.g., possibly combine. Current AuditEven.action Definition: Indicator for type of action [Change to "activity".] performed during the event that generated the audit. Control 0..1 Binding AuditEventAction: Indicator for type of action[Change to "activity".] performed during the event that generated the audit. (Required) Type code Requirements This broadly indicates what kind of action [Change to "activity".] was done on the AuditEvent.entity by the AuditEvent.agent.

Definition: An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. Control 0..1 Binding ProvenanceEventCurrentState: The activity that took place. (Extensible) Type Coding

Current Audit.entity.lifecycle Definition Identifier for the data life-cycle stage for the entity. Control 0..1 Binding AuditEventObjectLifecycle: Identifier for the data life-cycle stage for the object. (Extensible) Type Coding Requirements Institutional policies for privacy and security may optionally fall under different accountability rules based on data life cycle. This provides a differentiating value for those cases. Comments This can be used to provide an audit trail for data, over time, as it passes through the system."

  • Discuss the various approaches to ranking and typing "bags of agents" including situation where the ranking is between a delegator and a delegatee. This impacts approaches to use of a Signature Datatype "who" as a delegatee such as a Device, which cannot be a signer party, to sign on behalf of the legal party. Tabled until next call after issue is reviewed by FM on 2/19 call.
  • Discussion items that are possibly ready for a vote.
  • 9407 Align AuditEvent and Provenance action/activity element. Recommend "Provenance.entity.activity". (Kathleen Connor) None
  • 9417 Add a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle. Align definitions. (Kathleen Connor) None
  • 9570 Change AuditEvent.agent definitions (Kathleen Connor) None
  • 9571 Change Provenance.agent definition (Kathleen Connor) None
  • 9562 Change Signature Datatype - make blob 0..1 (Kathleen Connor) None
  • 9593 Improve advice for Access Denied response (John Moehrke) None

Minutes

  • Discussion on the various approaches to modeling delegation deferred.
  • Kathleen to update Agent CP 9570, 9571with revised definitions
  • Kathleen to update this group on outcome of FM discussion on
  • John to organize block vote for next Tuesday March 1 call.
  • Kathleen to continue work on an aligned definition for activity, as well as other definitions in the cross FHIR S&P alignment spreadsheet.
Retrieved from "https://wiki.hl7.org/w/index.php?title=HL7_FHIR_Security_2016-2-23&oldid=116176"