Difference between revisions of "December 5, 2017 Security Conference Call"

Latest revision as of 19:31, 12 December 2017

Back to Security Main Page

Attendees

(x = attended, . = did not attend)

x/. | Member Name | x/. | Member Name | x/. | Member Name | x/. | Member Name
. | John Moehrke (Security Co-chair) | x | Kathleen Connor (Security Co-chair) | x | Alexander Mense (Security Co-chair) | . | Trish Williams (Security Co-chair)
x | Christopher Shawn (Security Co-chair) | x | Suzanne Gonzales-Webb | x | Mike Davis | x | David Staggs
x | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | . | Rob Horn
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | x | Greg Linden
. | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | . | Jim Kretz | . | Gary Dickinson | x | Dave Silver
. | Oliver Lawless | . | Lisa Nelson | . | David Tao | . | Nathan Botts

Back to Security Main Page

Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (3 min) Review and Approval of November 21, 2017 minutes. Note: the Nov 28th call was cancelled.
  3. (10 min) Consumer Centered Data Exchange Connectathon scenario with a Cascading Authorized App acting "on behalf of" a patient. Draft storyboard and flows - Kathleen and Mohammad
  4. (10 min) PSAF call report out on the HL7 Security and Privacy Domain Model - Mike Davis and Chris
  5. (10 min) The Is Privacy Obsolete? Study Group wiki page (http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22) has the "Is Privacy Obsolete?" Listserve link. Update on project - Mike Davis and Chris Shawn
  6. (10 min) FHIR Security update. Call later? - John Moehrke
  7. (2 min) Next week - Using Biometrics for Patient Matching - Healthcare Privacy and Security Considerations. Discussion with Privacy Attorney Expert, Devon Connor-Green.
  8. (2 min) Check out the ONC 2017 Annual Conference videos at the links in Meeting Materials below.

Minutes

  • Chris Shawn chaired.
  • Agenda informally approved.
  • Minutes from November 21st were reviewed. Kathleen moved; Mike seconded. John and Mohammad abstained because they did not attend. Approved 8-2-0.
  • Kathleen and Mohammad presented on the draft Consumer Centered Data Exchange (CCDE) Connectathon scenario. Kathleen explained that this scenario builds on previous Connectathons, HIMSS demonstrations, and ONC pilots. Mohammad presented a sequence diagram for the scenario: Jan 2018 FHIR Connectathon CCDE Sequence Diagram and Walk-through (https://gforge.hl7.org/gf/project/security/docman/Security%20FHIR/Cascading%20OAuth/CCDE%20Jan%202018/HL7%20January%20FHIR%20Connectathon%20CCDE%20Track%20On%20Behalf%20Of%20Scenario%20Sequence%20Diagram%20and%20Walk%20Through.docx)
  • Mike asked Mohammad how the scenario's Cascading Authorization sequence diagram differed from previous demonstrations. Mohammad explained that while the HIMSS 2017 demonstration discussed Right of Access [RoA], it did not include the capture of a RoA consent directive. Mohammad stated that there are differences between how app identities are verified and how a generic enterprise client is identified, e.g., App claims are certified by an App store. There is also a need for the App to discover the Resource Servers that hold Alice's information, but this is a precondition and not part of the sequence flow. John suggested looking at the IHE Mobile Care Service Discovery (mCSD) profile, which addresses this use case and is the basis for the Sequoia participant directory.
  • John discussed the need for privacy protective scopes, which SMART on FHIR does not support and has deferred to the next generation. John suggested that the Connectathon might be a good place to have a discussion about using HEART confidentiality and sensitivity scopes as well as others.
  • RE PSAF - Mike reported out on the PSAF call held earlier. He discussed where the group is going with ballot reconciliation for TF4FA. Going forward in May to ballot Volume 1 and Volume 2 as normative. Anticipate significant changes to Volume 1, which refers to the PASS ACS. The TF4FA comic book models are to become formal models, as in the PASS ACS. We'll move the current models to reference material or Volume 3. Preparing to ballot a revised DAM. Have a list of changes, but haven't begun the actual changes. A new chapter, which is of least priority, covers Authentication, Audit, Provenance, and Smart Contracts, but it may be too much to get done by May.
  • RE Is Privacy Obsolete? - Mike stated that he is beginning a report outline that is international in scope. Looking at what laws have been added or changed recently and their impact on vendors. What are the significant breaches and fines? What are the significant areas that breaches are uncovering? Legal issues are also discussed in many papers. Collected over 70 recent breaches. OPM breach impact: the union took OPM to court; the court dismissed the case; the case is being appealed. The main purpose of breaches is financial. The second purpose is espionage. The third category is "fun", e.g., to embarrass someone. Will post the spreadsheet. The majority are from 2017.
  • Meeting adjourned.

Meeting Materials

  • ONC 2017 Annual Meeting videos (http://events.tvworldwide.com/Events/ONCAnnualMeeting2017/VideoId/3080/onc-2017-annual-meeting-keynote-joni-l-rutter-all-of-us-research-program-nih)
  • Full Agenda (http://events.tvworldwide.com/tvwwimages/events/onc/2017 ONC Annual Meeting FINAL with confirmed speakers.pdf)

Back to Security Main Page