
Difference between revisions of "HL7 FHIR Security 2018-08-21"

From HL7Wiki
 
(2 intermediate revisions by the same user not shown)
Line 22: Line 22:
 
||||.||[mailto:christopher.shawn2@va.gov Chris Shawn] Security co-chair
 
||||.||[mailto:christopher.shawn2@va.gov Chris Shawn] Security co-chair
 
|-
 
|-
||  x||[mailto:jim.kretz@samhsa.hhs.gov Jim Kretz]
+
||  .||[mailto:jim.kretz@samhsa.hhs.gov Jim Kretz]
 
||||.||[mailto:kenneth.salyards@samhsa.hhs.gov Kenneth Salyards]
 
||||.||[mailto:kenneth.salyards@samhsa.hhs.gov Kenneth Salyards]
 
||||.||[mailto:nathanbotts@westat.com Nathan Botts] Mobile co-chair
 
||||.||[mailto:nathanbotts@westat.com Nathan Botts] Mobile co-chair
 
|-
 
|-
 
||  .||[mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||  .||[mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
||||.||[mailto:joe.lamy@aegis.net Joe Lamy] AEGIS
+
||||x||[mailto:joe.lamy@aegis.net Joe Lamy] AEGIS
||||x||[mailto:Beth.Pumo@kp.org Beth Pumo]
+
||||.||[mailto:Beth.Pumo@kp.org Beth Pumo]
 
|-
 
|-
 
||  .||[mailto:irina.connelly@gtri.gatech.edu Irina Connelly]
 
||  .||[mailto:irina.connelly@gtri.gatech.edu Irina Connelly]
Line 72: Line 72:
 
*** Bundle, Linage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StrucureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TermininologyCapability, Library, Questioniare, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition, TestScript, TestReport
 
*** Bundle, Linage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StrucureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TermininologyCapability, Library, Questioniare, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition, TestScript, TestReport
 
** Business-Sensitive,  --- Mostly Public and not sensitive, but care as they may contain business sensitive  
 
** Business-Sensitive,  --- Mostly Public and not sensitive, but care as they may contain business sensitive  
*** Organization, OrganizationAlliliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task,  PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse,
+
*** Organization, OrganizationAlliliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task,  PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse, Measure, MeasureReport
 
*** all of the Financial ????
 
*** all of the Financial ????
 
*** all of the Medication Definition ???
 
*** all of the Medication Definition ???
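Review bot: several resource names in the Public/Infrastructure list do not match the FHIR resource names (Linage should be Linkage, StrucureMap should be StructureMap, TermininologyCapability should be TerminologyCapabilities, Questioniare should be Questionnaire), and OrganizationAlliliation in the Business-Sensitive list should be OrganizationAffiliation; the Measure and MeasureReport entries added by this revision are spelled correctly. The "all of the Financial ????" and "all of the Medication Definition ???" items are still open questions and should either be resolved or be marked explicitly as unresolved before the list is used as guidance for per-page Security Considerations.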
Line 131: Line 131:
  
 
==Minutes==
 
==Minutes==
*Roll;
+
* John chaired
 +
* Roll;
 +
* did not approve prior agenda
 +
* Announcements
 +
** Topic for at Baltimore
 +
*** Need an Introduction to Privacy/Security within FHIR -- John -- Monday joint afternoon
 +
*** Deeper dive Tuesday Q3, answer questions from previous -- John
 +
*** Discussion of go-forward plan for FHIR Security
 +
* Review Kathleen's proposal for Safety Checklist
 +
** [https://gforge.hl7.org/gf/project/security/docman/FHIR%20Security/ Feedback for Safety Checklist]
 +
** new version emailed
 +
** Committee review and editing onscreen
 +
*** Significant discussion of the use of SHALL / SHOULD. Concern with IETF use of these words relative to Compliance and Conditional-Compliance
 +
** https://gforge.hl7.org/gf/project/security/docman/FHIR%20Security/FHIR%20Safety%20Checklist%20final-jfm.docx
 +
** ACTION: John to send to FHIR-I as recommendation
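Review bot: the SHALL / SHOULD bullet refers to "IETF use" without naming the source; the checklist should cite RFC 2119 (SHALL/MUST is an absolute requirement, SHOULD is a recommendation that may be deviated from with a documented reason) so that the Compliance versus Conditional-Compliance distinction is unambiguous to readers of the checklist. The "did not approve prior agenda" item should also state what was not approved (the previous meeting's minutes or this meeting's agenda).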

Latest revision as of 19:49, 21 August 2018

Call Logistics

Weekly: Tuesday at 02:00 pm EST

Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 


Attendees (x marks attendance)

x  John Moehrke, Security Co-Chair
.  Kathleen Connor, Security Co-Chair
.  Alexander Mense, Security Co-chair
x  Suzanne Gonzales-Webb, CBCC Co-Chair
.  Johnathan Coleman, CBCC co-chair
.  Chris Shawn, Security co-chair
.  Jim Kretz
.  Kenneth Salyards
.  Nathan Botts, Mobile co-chair
.  Diana Proud-Madruga
x  Joe Lamy, AEGIS
.  Beth Pumo
.  Irina Connelly
.  Matt Blackman, Sequoia
.  Mark Underwood, NIST
.  Peter Bachman
.  Grahame Grieve, FHIR Program Director
.  Kevin Shekleton (Cerner, CDS Hooks)
x  Luis Maas
.  Julie Maas
.  Francisco Jauregui
.  Gary Dickinson
.  Dave Silver
.  Foo Bar

Agenda


ACTIONS

  • Kathleen - update her proposal for safety checklist
  • John - propose next steps on "Security Considerations" on each FHIR page

Security Considerations on each page

  • General sensitivity:
    • Any resource can contain sensitive information; these groups are only general expectations based on each resource's intended use-case.
    • Public/Infrastructure --- should be public and not sensitive in themselves, but take care: inappropriate use might place sensitive information within them.
      • Bundle, Linkage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StructureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TerminologyCapabilities, Library, Questionnaire, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition, TestScript, TestReport
    • Business-Sensitive --- mostly public and not sensitive, but take care: they may contain business-sensitive information.
      • Organization, OrganizationAffiliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task, PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse, Measure, MeasureReport
      • all of the Financial ????
      • all of the Medication Definition ???
    • Provider-Sensitive --- provider-identified data; may be appropriate to release for specific use-cases, but does expose the individual provider.
      • Appointment, AppointmentResponse, Practitioner, PractitionerRole, Person, CareTeam
      • all Patient-Sensitive
      • all of the Financial
    • Patient-Sensitive
      • Patient, RelatedPerson, Person, Encounter, EpisodeOfCare, Flag
      • all of the Clinical
      • all of the Financial
    • Unknowable -- could contain anything, thus might be public or might be highly sensitive
      • Binary, List, Group, QuestionnaireResponse
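The classification above can be turned into a runnable check. The following is an added Python example written for this page; it is not part of the wiki page, nor HL7 or FHIR project code. It transcribes the tiers from the list (with resource names spelled as in the FHIR specification, e.g. Linkage, StructureMap, Questionnaire, and SearchParameter/HealthcareService in the singular), ranks them, and computes the effective sensitivity of a Bundle from its entries and contained resources, which is the concrete form of the caveat that a Bundle is infrastructure on its own but may carry sensitive resources within it. The ordering of the tiers, the decision to treat the Unknowable group and any resource type the list does not name (the Clinical and Financial families are not enumerated) as the most sensitive tier, and the sample Bundle are all assumptions made for the example.

```python
"""Conservative sensitivity classification of FHIR resources and Bundles.

Added example, not HL7/FHIR project code. The tier table is transcribed from
the general expectations in the meeting notes; unlisted resource types fall
through to the most conservative tier (an assumption of this example).
"""
from __future__ import annotations

from typing import Any

# Tiers in ascending order of sensitivity. "Unknowable" is ranked highest on
# purpose: the notes say these "might be public or might be highly sensitive",
# so a conservative default treats them as requiring human classification.
TIERS = [
    "Public/Infrastructure",
    "Business-Sensitive",
    "Provider-Sensitive",
    "Patient-Sensitive",
    "Unknowable",
]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# Resource names use FHIR spelling (assumption: the notes' typos corrected).
_TABLE = {
    "Public/Infrastructure": [
        "Bundle", "Linkage", "MessageHeader", "OperationOutcome", "Parameters",
        "Subscription", "CapabilityStatement", "StructureDefinition",
        "ImplementationGuide", "SearchParameter", "MessageDefinition",
        "OperationDefinition", "CompartmentDefinition", "StructureMap",
        "GraphDefinition", "ExampleScenario", "CodeSystem", "ValueSet",
        "ConceptMap", "NamingSystem", "TerminologyCapabilities", "Library",
        "Questionnaire", "ActivityDefinition", "DeviceDefinition",
        "EntryDefinition", "EventDefinition", "ObservationDefinition",
        "PlanDefinition", "SpecimenDefinition", "TestScript", "TestReport",
    ],
    "Business-Sensitive": [
        "Organization", "OrganizationAffiliation", "HealthcareService",
        "Endpoint", "Location", "Substance", "BiologicallyDerivedProduct",
        "Device", "DeviceMetric", "Task", "PractitionerRole", "Schedule",
        "Slot", "ProcessRequest", "ProcessResponse", "Measure", "MeasureReport",
    ],
    "Provider-Sensitive": [
        "Appointment", "AppointmentResponse", "Practitioner",
        "PractitionerRole", "Person", "CareTeam",
    ],
    "Patient-Sensitive": [
        "Patient", "RelatedPerson", "Person", "Encounter", "EpisodeOfCare", "Flag",
    ],
    "Unknowable": ["Binary", "List", "Group", "QuestionnaireResponse"],
}

# Build the lookup in ascending tier order, so a type listed under two tiers
# (PractitionerRole, Person) keeps the more sensitive one.
TIER_OF: dict[str, str] = {}
for _tier in TIERS:
    for _resource_type in _TABLE[_tier]:
        TIER_OF[_resource_type] = _tier


def tier_of_type(resource_type: str) -> str:
    """Tier of a single resource type; unlisted types are treated as Unknowable."""
    return TIER_OF.get(resource_type, "Unknowable")


def effective_sensitivity(resource: dict[str, Any]) -> str:
    """Highest tier found in a resource, its contained resources and, for a
    Bundle, every entry. A Bundle is infrastructure on its own, but it is as
    sensitive as whatever it carries."""
    highest = tier_of_type(resource.get("resourceType", ""))
    nested = list(resource.get("contained", []))
    if resource.get("resourceType") == "Bundle":
        nested += [e["resource"] for e in resource.get("entry", []) if "resource" in e]
    for child in nested:
        child_tier = effective_sensitivity(child)
        if RANK[child_tier] > RANK[highest]:
            highest = child_tier
    return highest


def entries_at_or_above(bundle: dict[str, Any], threshold: str) -> list[str]:
    """Resource types of Bundle entries whose effective tier is at least
    `threshold`: what a filtering proxy would have to strip or review before
    treating the Bundle as belonging to a lower tier."""
    return [
        e["resource"].get("resourceType", "")
        for e in bundle.get("entry", [])
        if "resource" in e
        and RANK[effective_sensitivity(e["resource"])] >= RANK[threshold]
    ]


# Constructed sample (not real data): a searchset Bundle mixing an
# infrastructure resource, a business resource and a Patient.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "searchset",
    "entry": [
        {"resource": {"resourceType": "OperationOutcome", "issue": []}},
        {"resource": {"resourceType": "Organization", "name": "Example Org"}},
        {"resource": {"resourceType": "Patient", "id": "example"}},
    ],
}

if __name__ == "__main__":
    print(tier_of_type("Bundle"))                   # Public/Infrastructure
    print(effective_sensitivity(SAMPLE_BUNDLE))     # Patient-Sensitive
    print(entries_at_or_above(SAMPLE_BUNDLE, "Business-Sensitive"))
```

Because Unknowable outranks every other tier, a Bundle containing a Binary is reported as Unknowable rather than, say, Patient-Sensitive; that is deliberate, since the result means "classify by hand" rather than a claim about the actual content.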

resources

references


Current Open issues in gForge

  • 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) Considered for Future Use
  • 10343 Three additional Signature.type codes (Kathleen Connor) Considered for Future Use
  • 11071 Improve security label guidance - 2016-09 core #90 (Kathleen Connor) None
  • 12660 HCS use clarification (John Moehrke) None
  • 17192 Verification of given resource without changing the content (Thomas Johansen) None
  • 17299 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke) None
  • 17300 Break-Glass description needs clarifications (John Moehrke) None
  • 14678 Implementation guide for signatures - 2018-Jan Core #1 (Brian Pech) Not Persuasive

Minutes

  • John chaired
  • Roll;
  • did not approve prior agenda
  • Announcements
    • Topics for Baltimore
      • Need an Introduction to Privacy/Security within FHIR -- John -- Monday joint afternoon
      • Deeper dive Tuesday Q3, answer questions from previous -- John
      • Discussion of go-forward plan for FHIR Security
  • Review Kathleen's proposal for Safety Checklist