This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "March 1, 2016 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
m
 
(One intermediate revision by one other user not shown)
Line 78: Line 78:
  
 
= Minutes =
 
= Minutes =
#Consensus approval of Feb 23 minutes  
+
*Alex chaired.
#Joint Vocabulary Alignment Discussion update:
+
*Consensus approval of the agenda and Feb 23 minutes  
-Continued work to refine approach to models
+
*Joint Vocabulary Alignment Discussion update: Diana reported that work continues to refine approach to model
#PASS Audit Conceptual Model Discussion: -
+
*PASS Access Control - Diana is still working on disposition of Bernd's comments
Provenance is related to where records are obtained
+
*PASS Audit Conceptual Model Discussion: Diana reported that work is still underway.
Question Raised: "Does Audit create separate list for Provenance? "
+
*John reported on FHIR Security - discussed the CPs in the block vote for the FHIR Security call later in the day. 
#Discussion/Answer:
+
*Mike Davis and Oliver Lawless discussed Oliver's email comments about current FHIR AuditEvent and Provenance CPs and related vocabulary proposals that Security submitted for Harmonization.  Main focus was on whether and how AuditEvent and Provenance Resources, their elements, and vocabulary bindings are related.  Mike cited W3C PROV as foundational for FHIR Provenance, and statement from Satya Sahoo, one of the PROV authors, that the standard considers audit to be a specialization of provenance.  Mike referred the group to the [http://www.csl.sri.com/users/gehani/papers/MW-2012.SPADE.pdf SPADE: Support for Provenance Auditing in Distributed Environment] paper Section 3.1, which discusses how audit is used to provide provenance information
-Audit creates a separate list for Provenance: The Life cycle of resource and life cycle of Order of obligation as different value sets.
+
*Oliver argued that HL7 value sets should be defined by structuring the document for the implementer, and should be mapped to existing standards.  He stated that many codes seemed to be missing.  Kathleen stated that those codes are included in the sub-value sets being proposed for ProvenanceEvent.  Mike discussed the need for these codes to support the business requirements, and that implementer's need to understand the vocabulary from that perspective.
-Audit Provenance Model provides information related to integrity and trustworthiness
+
*Several stated that there should be specific activity value sets for AuditEvent and Provenance.  Kathleen pointed out that AuditEvent has additional audit specific activity value set bindings to AuditEvent.type and AuditEvent.subtype, and that the CRUDE value currently bound to AuditEvent.activity and via are in the DataOperations sub-value set.
-Value sets should be defined by structuring the document for the implementer, and should be mapped to existing standards.
+
*The differences between the set of elements capturing various perspectives on the "action" recorded by audit [i.e., AuditEvent.type, AuditEvent.subtype, and AuditEvent.activity] and AuditEvent.lifecycle [defined as "Identifier for the data life-cycle stage for the object"] were discussed in light of CP 9417.  Due to time limitations, this discussion was tabled until the FHIR Security call.
-Next Step: Kathleen Connor will provide documentation on Provenance and Audit in the Groove space
+
*Rob McClure joined the call to discuss issue referred to Security by Vocabulary WG: FHIR Terminology Servers will be providing access to SNOMED, which is an IP bound code system. The current HL7 approach for dealing with this IP issues are insufficient for this use case.  Rob asked whether Security WG knows of any standard or technology that could be promoted to FHIR, which support the need for users to validate that they have a proper SNOMED license.  E.g., could a licensed requestor/receiver have a token issued that verifies that the user is licensed to access/use SNOMED?
#FHIR Security Report Out: (Rob Mclure)
+
*Kathleen noted that while FHIR recommends OAuth 2.0 for authentication, there is no FHIR profile on OAuth to support, e.g., use of ABAC claims assertions, and that SNOMED Licensees could be considered a Compartment if included as part of a clearance.  Rob will consider drafting a project scope statement proposing that an approach such as this be considered for development.
-Issue Raised: FHIR SVCS uses IP bound code system SNOWMED. Is there a technology that can be promoted to FHIR that would allow value set authority Center SNOWMED, where a ticket is identified as "I am a licence User of SNOWMED?" Can a receiver and requester both be licensed?
 
#Discussion/Answer:
 
-Profile on OATH allows claims assertions
 
-Includes License and tickets
 
-next step: OATH maybe a possible solution, review the requirements and draft a project scope statement.
 

Latest revision as of 17:35, 7 March 2016

Back to Security Work Group Main Page

Attendees

x Member Name x Member Name x Member Name
x Kathleen ConnorSecurity Co-chair . Duane DeCouteau . Chris Clark
x John MoehrkeSecurity Co-chair . Johnathan Coleman . Aaron Seib
. Alexander Mense Security Co-chair . Ken Salyards . Christopher D Brown TX
. Trish WilliamsSecurity Co-chair . Gary Dickinson . Dave Silver
x Mike Davis . Ioana Singureanu . Mohammed Jafari
x Suzanne Gonzales-Webb x Rob Horn . Galen Mulrooney
x Diana Proud-Madruga . Ken Rubin . William Kinsley
x Rick Grow . Paul Knapp x Mayada Abdulmannan
x Glen Marshall, SRS . Bill Kleinebecker x Christopher Shawn
. Oliver Lawless . ... . Serafina Versaggi
X Beth Pumo . Russell McDonell . Paul Petronelli , Mobile Health
. Christopher Doss X Kamalini Vaidya . [mailto: Stephanie Dyke ]

Back to Security Main Page

Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve February 23, 2016 Security WG Conference Call Minutes
  3. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  4. ( 5 min) Joint Vocabulary Alignment Update - Diana
  5. ( 5 min) PASS Audit Conceptual Model – Diana
  6. ( 5 min) FHIR Security report out - John

Note that there will be a FHIR Security call at 2pm PT/5pm ET See agenda at FHIR Security Agenda

Minutes

  • Alex chaired.
  • Consensus approval of the agenda and Feb 23 minutes
  • Joint Vocabulary Alignment Discussion update: Diana reported that work continues to refine approach to model
  • PASS Access Control - Diana is still working on disposition of Bernd's comments
  • PASS Audit Conceptual Model Discussion: Diana reported that work is still underway.
  • John reported on FHIR Security - discussed the CPs in the block vote for the FHIR Security call later in the day.
  • Mike Davis and Oliver Lawless discussed Oliver's email comments about current FHIR AuditEvent and Provenance CPs and related vocabulary proposals that Security submitted for Harmonization. Main focus was on whether and how AuditEvent and Provenance Resources, their elements, and vocabulary bindings are related. Mike cited W3C PROV as foundational for FHIR Provenance, and statement from Satya Sahoo, one of the PROV authors, that the standard considers audit to be a specialization of provenance. Mike referred the group to the SPADE: Support for Provenance Auditing in Distributed Environment paper Section 3.1, which discusses how audit is used to provide provenance information.
  • Oliver argued that HL7 value sets should be defined by structuring the document for the implementer, and should be mapped to existing standards. He stated that many codes seemed to be missing. Kathleen stated that those codes are included in the sub-value sets being proposed for ProvenanceEvent. Mike discussed the need for these codes to support the business requirements, and that implementer's need to understand the vocabulary from that perspective.
  • Several stated that there should be specific activity value sets for AuditEvent and Provenance. Kathleen pointed out that AuditEvent has additional audit specific activity value set bindings to AuditEvent.type and AuditEvent.subtype, and that the CRUDE value currently bound to AuditEvent.activity and via are in the DataOperations sub-value set.
  • The differences between the set of elements capturing various perspectives on the "action" recorded by audit [i.e., AuditEvent.type, AuditEvent.subtype, and AuditEvent.activity] and AuditEvent.lifecycle [defined as "Identifier for the data life-cycle stage for the object"] were discussed in light of CP 9417. Due to time limitations, this discussion was tabled until the FHIR Security call.
*Rob McClure joined the call to discuss issue referred to Security by Vocabulary WG:  FHIR Terminology Servers will be providing access to SNOMED, which is an IP bound code system. The current HL7 approach for dealing with this IP issues are insufficient for this use case.  Rob asked whether Security WG knows of any standard or technology that could be promoted to FHIR, which support the need for users to validate that they have a proper SNOMED license.  E.g., could a licensed requestor/receiver have a token issued that verifies that the user is licensed to access/use SNOMED?
  • Kathleen noted that while FHIR recommends OAuth 2.0 for authentication, there is no FHIR profile on OAuth to support, e.g., use of ABAC claims assertions, and that SNOMED Licensees could be considered a Compartment if included as part of a clearance. Rob will consider drafting a project scope statement proposing that an approach such as this be considered for development.