
Difference between revisions of "March 27, 2018 Security Conference Call"

From HL7Wiki
(Created page with "Back to Security Main Page ==Attendees== {| class="wikitable" |- !x||'''Member Name'''|| !! x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Membe...")
 
 
(10 intermediate revisions by 2 users not shown)
Line 9: Line 9:
 
||  x|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
 
||  x|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
||||.|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
+
||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams] Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams] Security Co-chair
 
|-.
 
|-.
||  x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
+
||  .|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
||||x|| [mailto:david.staggs@bookzurman.com David Staggs]
+
||||.|| [mailto:david.staggs@bookzurman.com David Staggs]
 +
 
|-
 
|-
|| .|| [mailto:mjafari@edmondsci.com Mohammed Jafari]
+
|| x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
||||.|| [mailto:Beth.Pumo@kp.org Beth Pumo]
+
||||x|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
||||.|| [mailto:ioana.singureanu@gmail.com Ioana Singureanu]
+
||||.|| [mailto:joe.lamy@aegis.net Joe Lamy]
||||.|| [mailto:robert.horn@agfa.com Rob Horn]
 
|-
 
||  x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
 
||||.|| [mailto:glinden@lindentechadvisiors.com Greg Linden]
 
||||.|| [mailto:glinden@lindentechadvisiors.com Greg Linden]
 
|-
 
|-
|| .|| [mailto:pknapp@pknapp.com Paul Knapp]
+
||.|| [mailto:pknapp@pknapp.com Paul Knapp]
 
||||.|| [mailto:grahameg@gmail.com Grahame Grieve]
 
||||.|| [mailto:grahameg@gmail.com Grahame Grieve]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
Line 33: Line 29:
 
|-
 
|-
 
||  .|| [mailto:ken.salyards@samhsa.hhs.gov Ken Salyards]
 
||  .|| [mailto:ken.salyards@samhsa.hhs.gov Ken Salyards]
||||x|| [mailto:jim.kretz@samhsa.gov Jim Kretz]
+
||||.|| [mailto:jim.kretz@samhsa.gov Jim Kretz]
 
||||.|| [mailto:gary.dickinson@ehr-standards.com Gary Dickinson]
 
||||.|| [mailto:gary.dickinson@ehr-standards.com Gary Dickinson]
 
||||x|| [mailto:dsilver@electrosoft-inc.com Dave Silver]
 
||||x|| [mailto:dsilver@electrosoft-inc.com Dave Silver]
 
|-
 
|-
|| .|| [mailto:oliver@lawless.co Oliver Lawless]
+
|| || [mailto:Beth.Pumo@kp.org Beth Pumo]
||||.|| [mailto:joyce.dunlop@dxc.com Joyce]]
 
||||.|| [mailto:dtao12@gmail.com David Tao]
 
||||.|| [mailto:nathanbotts@westat.com Nathan Botts]
 
|-
 
||  x|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
 
 
||||.|| [mailto:Bo.Dagnall@dxc.com Bo Dagnall]
 
||||.|| [mailto:Bo.Dagnall@dxc.com Bo Dagnall]
||||.|| [mailto:rikimerrick@gmail.com]
+
||||.|| [mailto:rikimerrick@gmail.com Riki Merrick]
 
||||.|| [mailto:acg.internajonal@gmail.com Theresa Connor]
 
||||.|| [mailto:acg.internajonal@gmail.com Theresa Connor]
 +
|-
 +
||. || [mailto:mjafari@edmondsci.com Mohammed Jafari]
 +
||||.|| [mailto:ioana.singureanu@gmail.com Ioana Singureanu]
 +
||||.|| [mailto:robert.horn@agfa.com Rob Horn]
 +
||||.||
 +
 
|-
 
|-
 
|}
 
|}
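Review bot: the added Beth Pumo row (`|| || [mailto:Beth.Pumo@kp.org Beth Pumo]`) has an empty attendance cell where every other row carries `x` or `.`, so she renders with no mark; likewise the added `||||.||` at the end of the new row has no member name and leaves a bare `.` cell. Suggest marking Beth Pumo `x` or `.` and dropping the empty trailing cell.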
Line 53: Line 50:
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(5 min)'' '''Review and Approval of [http://wiki.hl7.org/index.php?title=March_13,_2018_Security_Conference_Call March 13, 2018 minutes]
 
#''(5 min)'' '''Review and Approval of [http://wiki.hl7.org/index.php?title=March_13,_2018_Security_Conference_Call March 13, 2018 minutes]
#''(15 min)'' '''TF4FA Updates''' - Mike and Chris
+
#''(30 min)'' '''TF4FA Review for Ballot Submission''' - Diana Proud Madruga and Dave Silver
 
#''(15 min)'' '''FHIR Security Updates''' - John
 
#''(15 min)'' '''FHIR Security Updates''' - John
 +
 +
==Meeting Materials==
 +
 +
*[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/TF4FA%20Presentation%202018%200327.pptx Trust Framework for Federated Authorization presentation]
 +
*[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/V3%20PSAF%20TF4FA%20Vol%202%20Behavioral%20Model%20May%202018%20Normative%20Ballot%202018%200326%20.docx TF4FA Vol. 2Behavioral Model May Ballot]
 +
*[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22''Is Privacy Obsolete Study Group''] news from EU
 +
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/HIMSS%20GDPR%20Webinar%20-%20final%203-20-2018.pdf HIMSS - What Healthcare Organizations need to know about the GDPR] and [https://himss.webex.com/ec3100/eventcenter/recording/recordAction.do?theAction=poprecord&siteurl=himss&entappname=url3100&internalRecordTicket=4832534b000000049e667bcc7b800ce86914021b02caba29afc46ecff27ca74c0cf33e5cbdb77664&renewticket=0&isurlact=true&format=short&rnd=1200686872&RCID=d8fdf672a7c2486c83b5644a70c0ccf3&rID=127858932&needFilter=false&recordID=127858932&apiname=lsr.php&AT=pb&actappname=ec3100&&SP=EC&entactname=%2FnbrRecordingURL.do&actname=%2Feventcenter%2Fframe%2Fg.do HIMSS Presentation recording]
 +
*[http://www.bbc.com/news/world-europe-43496739 Dutch referendum: Spy tapping powers 'rejected']
 +
 +
==Meeting Minutes DRAFT==
 +
Kathleen chair
 +
Roll Call, Agenda Approval
 +
 +
 +
'''Trust Framework TF4FA "TF"'''
 +
* May 2018 Normative Ballot
 +
** providing more clarification to the ballot material
 +
** New = "enhancements" for this discussion
 +
* Understood that all the volumes in TF have been updated per the ballot comment/reconciliation from May 2014
 +
** Note: some of the comments were OBE since the original ballot
 +
'''Policy Diagram (slide)'''
 +
* No changes made (remains in the document, basic core concept)
 +
* conveying TF accepts/adopts accepts the PMAC ISO 22600-2:2006
 +
'''Trust Context'''
 +
* No changes
 +
'''Trust Services'''
 +
* No changes, another core concept; generalized trust model that we have adopted from PMAC where TF is based
 +
'''Federated Trust Reference Model'''
 +
** No changes; the diagram came about from ballot reconciliation (comments addressed); now showing the three overarching phases (at the top); no longer showing the overlap)
 +
'''Trust Framework Capabilities'''
 +
* no changes, comes from PASS ACS - trust framework service capabilities, TF; this ties our work back to PASS ACS
 +
'''Trust Framework Services (New)'''
 +
* Policy Bridging Service - harmonizes the four policy domains into a unified federation policy (to exchange information)
 +
* External Policy Management Service - a publicly facing service -
 +
* ''' ''NEW ''' ''- Trustworthiness Assessment Service - an event driven service to perform continuous assessment and analysis of initiator behavior.  Adaptive behavior analytics is used to assess whether current trust should be continued or modified; a real-time check; anything that might happen that would affect your decision... 'access decision'
 +
* TF1.4 - Domain Trust Service (this is not the ACS); The Domain Trust Service is a front end, service that is creating and submitting/signing the trust proposals and counter trust-proposals
 +
'''Boundary View '''NEW''' '''
 +
* an enhancement to original presentation; right diagram shows new version - should elaborate and show services
 +
* 'newer names' - diagram reflects the above trust services (4) above
 +
* high level core set of activates, laid out ''clearer'' to see the flow from the initial proposal to the proposals/counter-proposals to the bottom use case accepting the trust contract
 +
'''Functional Framework (New)''' - enhanced
 +
 +
'''Trust Framework Information Model'''
 +
* no changes - remains as high level
 +
* Trust Policy Information Model
 +
**
 +
'''Trust Proposal Message'''
 +
* added two items; bottom right, ''clearance'' and '' basic policy attestations''
 +
* this message gets updated throughout the trust establishment process (proposal/counter-proposal)
 +
--end VOLUME ONE
 +
Note: No changes (above) describes the ballot content for '''no changes from the March 13 presentation'' '''
 +
 +
'''TF4FA Volume 2, Behavioral Model'''
 +
Volume 2 has in large remained intact
 +
 +
Link to Presentation:  <<seeabove>>
 +
 +
'''MOTION:''' Approve the above submission to the ballot Trust Frame for Federation Volume 1, Volume 2 - behavioral model:
 +
(Mike / JohnM)
 +
Discussion: none
 +
Vote: Abstain: none  Oppose: none; motion passes: 10
 +
 +
'''FHIR Security Updates'''
 +
* We have new meeting day/time NEW: hour before the Security WG
 +
** Attended by a few new people today
 +
** Noted today was that we will be creating a new ZULIP stream - there are experts in the fields are finding the S&P developers are noisy and not fulfilling their S&P needs
 +
** Interest in cologne to do a GDPR FHIR Connectathon - mostly discussion less testing
 +
** Block chain potential for FHIR (per Grahame); not a lot interest...there is some ONC work using block chain in provenance
 +
** Heart WG is invigorating their calls - educational information on the project is going out, describing how HEART project
 +
** API security and privacy paper (Johnathan)
 +
*** Grahame - provider-to-provider security needs; others to be continued working on
 +
** Probably need to lay out the topic areas across the cologne agenda so that we can attract interest
 +
(John will work with Kathleen on Agenda/Cologne)
 +
 +
No questions
 +
 +
some authorization services available to do more sophisticated scopes if needed/interested (security WG home page; consumer centered data exchange papers - some of which are the proposed enhancements
 +
 +
'''HIMSS - GDPR, recording and PPT link''' (above)
 +
* impact on US entities; citizens in the EU, processes and collection of data - which may have interest in agencies in the US; including financial transactions
 +
 +
All HL7 V3 vocabulary - for authorization, delegation was approved including the V2 and the addition of the confidentiality
 +
 +
All ready for used with V2
 +
 +
Security labels in header can have high-water mark "access restriction manifest' - repeated security labels (by Rikki Merrick, all optional)
 +
 +
Creates interoperable security labels across all HL7 products
 +
 +
Next week will start preparing the Cologne agenda
 +
 +
Meeting adjourned at 1235 PM Arizona Time
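Review bot: several added wiki-markup lines will not render as intended. `[http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22''Is Privacy Obsolete Study Group'']` has no space between the URL and the link text, so the italic quotes are swallowed into the URL; `* ''' ''NEW ''' ''-` and `'''Boundary View '''NEW''' '''` nest bold inside bold so the markers cancel each other; the `**` sub-bullet under Trust Policy Information Model is empty; `'''no changes from the March 13 presentation'' '''` opens bold and closes italic; and `<<seeabove>>` is a placeholder that should link to the presentation under Meeting Materials. Suggest `[URL ''Is Privacy Obsolete Study Group'']`, `* '''NEW''' - Trustworthiness Assessment Service ...`, and removing the empty bullet.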

Latest revision as of 18:40, 1 April 2018


Attendees

  x  Member Name
  x  John Moehrke, Security Co-chair
  x  Kathleen Connor, Security Co-chair
  x  Alexander Mense, Security Co-chair
  .  Trish Williams, Security Co-chair
  .  Christopher Shawn, Security Co-chair
  x  Suzanne Gonzales-Webb
  x  Mike Davis
  .  David Staggs
  x  Diana Proud-Madruga
  x  Francisco Jauregui
  .  Joe Lamy
  .  Greg Linden
  .  Paul Knapp
  .  Grahame Grieve
  .  Johnathan Coleman
  .  Aaron Seib
  .  Ken Salyards
  .  Jim Kretz
  .  Gary Dickinson
  x  Dave Silver
     Beth Pumo
  .  Bo Dagnall
  .  Riki Merrick
  .  Theresa Connor
  .  Mohammed Jafari
  .  Ioana Singureanu
  .  Rob Horn


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of March 13, 2018 minutes
  3. (30 min) TF4FA Review for Ballot Submission - Diana Proud Madruga and Dave Silver
  4. (15 min) FHIR Security Updates - John

Meeting Materials

  • Trust Framework for Federated Authorization presentation: https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/TF4FA%20Presentation%202018%200327.pptx
  • TF4FA Vol. 2 Behavioral Model, May Ballot: https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202018/V3%20PSAF%20TF4FA%20Vol%202%20Behavioral%20Model%20May%202018%20Normative%20Ballot%202018%200326%20.docx
  • "Is Privacy Obsolete" Study Group, news from the EU: http://wiki.hl7.org/index.php?title=%22Is_Privacy_Obsolete%22_Study_Group_Page%22
  • HIMSS - What Healthcare Organizations Need to Know About the GDPR: https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/HIMSS%20GDPR%20Webinar%20-%20final%203-20-2018.pdf and the HIMSS presentation recording: https://himss.webex.com/ec3100/eventcenter/recording/recordAction.do?theAction=poprecord&siteurl=himss&entappname=url3100&internalRecordTicket=4832534b000000049e667bcc7b800ce86914021b02caba29afc46ecff27ca74c0cf33e5cbdb77664&renewticket=0&isurlact=true&format=short&rnd=1200686872&RCID=d8fdf672a7c2486c83b5644a70c0ccf3&rID=127858932&needFilter=false&recordID=127858932&apiname=lsr.php&AT=pb&actappname=ec3100&&SP=EC&entactname=%2FnbrRecordingURL.do&actname=%2Feventcenter%2Fframe%2Fg.do
  • Dutch referendum: Spy tapping powers 'rejected' (BBC): http://www.bbc.com/news/world-europe-43496739

Meeting Minutes DRAFT

Chair: Kathleen

Roll Call, Agenda Approval


Trust Framework TF4FA "TF"

  • May 2018 Normative Ballot
    • Provides more clarification of the ballot material
    • Items marked "New" are the enhancements for this discussion
  • Understood that all the volumes in TF have been updated per the ballot comment reconciliation from May 2014
    • Note: some of the comments were overcome by events (OBE) since the original ballot

Policy Diagram (slide)

  • No changes made (remains in the document as a basic core concept)
  • Conveys that TF accepts/adopts PMAC, ISO 22600-2:2006

Trust Context

  • No changes

Trust Services

  • No changes; another core concept: the generalized trust model adopted from PMAC, on which TF is based

Federated Trust Reference Model

  • No changes; the diagram came out of ballot reconciliation (comments addressed); it now shows the three overarching phases at the top and no longer shows the overlap

Trust Framework Capabilities

  • No changes; the trust framework service capabilities come from PASS ACS, which ties this work back to PASS ACS

Trust Framework Services (New)

  • Policy Bridging Service - harmonizes the four policy domains into a unified federation policy (to exchange information)
  • External Policy Management Service - a publicly facing service
  • NEW - Trustworthiness Assessment Service - an event-driven service that performs continuous assessment and analysis of initiator behavior. Adaptive behavior analytics is used to assess whether current trust should be continued or modified: a real-time check on anything that might affect the access decision
  • TF1.4 - Domain Trust Service (this is not the ACS) - a front-end service that creates, submits and signs the trust proposals and counter-proposals

Boundary View NEW

  • An enhancement to the original presentation; the right-hand diagram shows the new version, which should elaborate on and show the services
  • 'Newer names' - the diagram reflects the four trust services listed above
  • A high-level core set of activities, laid out more clearly to show the flow from the initial proposal, through proposals/counter-proposals, to the bottom use case of accepting the trust contract

Functional Framework (New) - enhanced

Trust Framework Information Model

  • no changes - remains as high level
  • Trust Policy Information Model

Trust Proposal Message

  • added two items; bottom right, clearance and basic policy attestations
  • this message gets updated throughout the trust establishment process (proposal/counter-proposal)

-- end Volume One

Note: "No changes" above means no changes to the ballot content since the March 13 presentation.

TF4FA Volume 2, Behavioral Model

Volume 2 has largely remained intact.

Link to Presentation: see Meeting Materials above.

MOTION: Approve the above submission to the ballot of the Trust Framework for Federated Authorization Volume 1 and Volume 2 (Behavioral Model).

(Mike / JohnM)

Discussion: none

Vote: Abstain: none; Oppose: none; motion passes: 10

FHIR Security Updates

  • NEW meeting day/time: the hour before the Security WG call
    • Attended by a few new people today
    • Noted today that a new Zulip stream will be created: experts in the fields find the S&P developer discussion noisy and not meeting their S&P needs
    • Interest in Cologne in holding a GDPR FHIR Connectathon track - mostly discussion, less testing
    • Blockchain potential for FHIR (per Grahame); not a lot of interest; there is some ONC work using blockchain for provenance
    • HEART WG is invigorating its calls - educational information on the project is going out, describing how the HEART project
    • API security and privacy paper (Johnathan)
      • Grahame - provider-to-provider security needs; other topics to continue being worked on
    • Probably need to lay out the topic areas across the Cologne agenda so that we can attract interest

(John will work with Kathleen on Agenda/Cologne)

No questions

Some authorization services are available for more sophisticated scopes if needed or of interest (see the Security WG home page and the consumer-centered data exchange papers, some of which are the proposed enhancements).

HIMSS - GDPR, recording and PPT link (above)

  • Impact on US entities: EU citizens' data, and the processing and collection of data, which may be of interest to agencies in the US; includes financial transactions

All HL7 V3 vocabulary for authorization and delegation was approved, including the V2 vocabulary and the addition of confidentiality.

All ready for use with V2.

Security labels in the header can carry a high-water mark ("access restriction manifest") as repeated security labels (per Riki Merrick; all optional).

This creates interoperable security labels across all HL7 products.

Next week will start preparing the Cologne agenda

Meeting adjourned at 12:35 PM Arizona Time.