
Difference between revisions of "March 29, 2016 Security Conference Call"

From HL7Wiki

Latest revision as of 18:52, 5 April 2016


Attendees (x = present, . = absent)

x  Member Name                          x  Member Name          x  Member Name
.  Kathleen Connor, Security Co-chair   .  Duane DeCouteau      .  Chris Clark
.  John Moehrke, Security Co-chair      .  Johnathan Coleman    .  Aaron Seib
x  Alexander Mense, Security Co-chair   .  Ken Salyards         .  Christopher D Brown, TX
.  Trish Williams, Security Co-chair    .  Gary Dickinson       x  Dave Silver
x  Mike Davis                           .  Ioana Singureanu     .  Mohammed Jafari
x  Suzanne Gonzales-Webb                .  Rob Horn             .  Galen Mulrooney
x  Diana Proud-Madruga                  .  Ken Rubin            .  William Kinsley
x  Rick Grow                            .  Paul Knapp           x  Mayada Abdulmannan
.  Glen Marshall, SRS                   .  Bill Kleinebecker    .  Christopher Shawn
.  Oliver Lawless                                               .  Serafina Versaggi
.  Beth Pumo                            .  Russell McDonell     .  Paul Petronelli, Mobile Health
.  Christopher Doss                     .  Kamalini Vaidya


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve Security WG March 22, 2016 Minutes
  3. (10 min) Privacy & Security by Design - update - Rick
  4. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PASS Audit Conceptual Model – Diana
  7. ( 5 min) FHIR Security report out - John

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See the FHIR Security Agenda (http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-26-05).


Minutes

  1. Chaired by Alex
  2. Minutes approved (Diana, Suzanne) 2/0/0
  3. Privacy & Security by Design - update - Rick
  • Second meeting held with the project team, with ARB, CBCC, and Security
  • Producing class diagrams using UML modeling
  • Started with the first term, consent, a privacy term that will be integral to the design of the implementation guide
  • Ensured privacy was captured in the implementation guide
  • Work continues, trading comments and feedback through email
  • Second meeting will be held at 5 p.m., link provided below:
    • Joint project meetings (ARB, CBCC, Security) held Tuesdays at 5 p.m. Eastern. Meeting information and invite: http://www.hl7.org/concalls/CallDetails.aspx?concall=30475
  • Reached out to Ann Wizower of the HL7 Standards Governance Board to confirm that the items and scope in the PSS are within the boundaries and expected scope, per Kathleen's recommendation last week
  • Once feedback and an e-vote are received from the Governance Board, the PSS will be delivered back to CBCC, who will then vote on sponsoring the project
  • Project work is ongoing

  4. PASS Access Control Services Conceptual Model - Diana

  • Received comments from Burt
  • Mike Davis, Kathleen Connor, Dave Silver and Diana met last week to come up with possible solutions to the open issues.
  • Eight open issues remain
  • First comment: recommendation to change the disposition to persuasive with clarification, and to check that all references are accurate.
  • Second comment: recommendation to reference only ISO/IEC 10746; per Mike Davis's recommendation, Diana will present it to SOA to see how strongly they feel that SAIF should be referenced in the standard.
  • Third comment: delete the section as it is not necessary, per Burt's suggestion. Bernd Blobel suggested that standards be referenced as in his original comments.
  • Comment 15: Bernd Blobel's proposed wording was accepted.
  • Comment 19: it was confirmed that the definition was wrong, as stated in the original objection; the statement will replace the definition from ISO 22600-2, which addresses the first issue of the original comment. The second issue was Bernd Blobel's request that a refrain policy scenario be added. A possible solution for the second issue, recommended by Kathleen during the meeting, is to consider that the Obligation scenario covers refrain policies and mandates. Mike Davis requested more time to review possible recommendations.
  • Per a conversation with Dave Silver, the article covering THEWS - Trusted eHealth and eWelfare Space (SlideShare: http://www.slideshare.net/iirojan/thews-trusted-ehealth-and-ewelfare-space) and the ACS document are only loosely related and may not be mapped. However, it may be possible to reference capabilities in the functional model at a high level and reference the documentation.

Question (Alex): Do we need a predefined trust model?

Answer (Mike Davis): We have a predefined policy where everyone is in the security domain. The VA worked with a PSS for Trust envisioned that has not matured to a PSS. The plan was to establish a trust framework that supports FHIR. The idea was to have two separate domains and a negotiable trust, and at run time they would establish the policy by a particular interaction that would have, by exchange, a FHIR contract. It would not be completely unconstrained, and more similar to a VPN giving an assurance level.

Comment (Diana): A generalized access control model was used as the basis for this document; it appears there is an assumption of trust, with several references that indicate an assumption of trust that has already been established within use case AC1 - Enforced access control decision.

Comment (Alex): We do not need a framework to establish trust, and can use the use case method as part of the specification.

Comment (Diana): We can add a footnote on how a trust relationship can exist, and what is involved in establishing trust.

Concurrence on next step (Mike, Alex): To obtain further clarity from Burt on his comment. Alex will reach out to Bernd Blobel.

  5. Joint Vocabulary Alignment Update - Diana

  • NTR (nothing to report)
  • Reed is calling a meeting next week and requested proposed agenda items.

  6. PASS Audit Conceptual Model - Diana

  • NTR (nothing to report)
  • Continued work on the functional model
  • Working on finalizing the PSS

  7. FHIR Security report out - John

  • John was not on the call; no report.