
Difference between revisions of "September 28, 2010 Security Conference Call"

 
(3 intermediate revisions by the same user not shown)
Line 42: Line 42:
 
#Security and Privacy Ontology Project – where we are and where we plan to go.  #*Includes a brief demonstration of the tool (Protégé) used to develop the ontology – ''Tony Weida'' (30 minutes)
 
#Security and Privacy Ontology Project – where we are and where we plan to go.  #*Includes a brief demonstration of the tool (Protégé) used to develop the ontology – ''Tony Weida'' (30 minutes)
 
#Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – ''Ioana Singureanu'' (15 minutes)
 
#Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – ''Ioana Singureanu'' (15 minutes)
#NHIN Direct – ''John Moehrke'' (10 minutes)
+
#[http://nhindirect.org/ NHIN Direct] – ''John Moehrke'' (10 minutes)
#Federal Identity, Credential, and Access Management (FICAM)  – ''Mike Davis'' (10 minutes)
+
#Federal Identity, Credential, and Access Management [http://www.educause.edu/Resources/FederalIdentityCredentialandAc/202089 (FICAM)] – ''Mike Davis'' (10 minutes)
#National Strategy for Trusted Identities in Cyberspace – ''Mike Davis'' (10 minutes)
+
#[http://www.dhs.gov/xlibrary/assets/ns_tic.pdf National Strategy for Trusted Identities in Cyberspace] – ''Mike Davis'' (10 minutes)
 
#US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – ''Richard Thoreson'' and ''International HL7 members'' (50 minutes)
 
#US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – ''Richard Thoreson'' and ''International HL7 members'' (50 minutes)
 
#*Richard would like to hear from the different realms (nations) with respect to how they are approaching Privacy and the issue of TRUST: establishing the ability to share health care information with other providers.  It is proposed to have a round table discussion involving participants from Australia (Heather Grain), Canada, England, France (Manuel), Japan (Hideyuki ‘Hidei’ Miyohara)
 
#*Richard would like to hear from the different realms (nations) with respect to how they are approaching Privacy and the issue of TRUST: establishing the ability to share health care information with other providers.  It is proposed to have a round table discussion involving participants from Australia (Heather Grain), Canada, England, France (Manuel), Japan (Hideyuki ‘Hidei’ Miyohara)
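Review bot: in the first context line of this hunk, the sub-item "#*Includes a brief demonstration of the tool (Protégé)…" sits on the same line as its parent "#Security and Privacy Ontology Project" entry, so it is not parsed as a nested list item and the "#*" shows up literally in the rendered agenda. Move the sub-item onto its own line. In the added FICAM line the link label is "(FICAM)" with the parentheses inside the brackets; keeping the parentheses outside the link would read more cleanly.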
Line 52: Line 52:
 
#* ISO Draft for Purpose of Use (POU) – ''Mike Davis'' (10 minutes)
 
#* ISO Draft for Purpose of Use (POU) – ''Mike Davis'' (10 minutes)
 
#*OASIS TC: Language Extensions to XACML - ''David Staggs'' (10 minutes)
 
#*OASIS TC: Language Extensions to XACML - ''David Staggs'' (10 minutes)
#*New OASIS Technical Committee – Privacy Management Reference Model (PMRM) – ''Suzanne Gonzales-Webb'' (10 minutes)
+
#*[http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pmrm New OASIS Technical Committee] [http://xml.coverpages.org/PMRM-Overview-OASIS-Webinar-20100223.pdf Privacy Management Reference Model (PMRM)] – ''Suzanne Gonzales-Webb'' (10 minutes)
 
#*[http://www.connectingforhealth.nhs.uk/systemsandservices/data/lra Logical Record Architecture] (U.K. project) – ''Stan Huff'' TBD (''Allen Hobbs'' to reach out to Stan for availability) (10 minutes)
 
#*[http://www.connectingforhealth.nhs.uk/systemsandservices/data/lra Logical Record Architecture] (U.K. project) – ''Stan Huff'' TBD (''Allen Hobbs'' to reach out to Stan for availability) (10 minutes)
  
Line 63: Line 63:
 
#To make it easier for a patient to express consent
 
#To make it easier for a patient to express consent
 
#To make it easier to express rules for privacy inside engines
 
#To make it easier to express rules for privacy inside engines
*There was some discussion regarding a spreadsheet describing the VA Permission Catalog Tony presented for discussion.  Permissions (rows) Functional Roles (columns)   
+
*Tony presented a spreadsheet describing the VA Permission Catalog which generated some discussion.  Permissions (rows) Functional Roles (columns)   
**Mike indicated that he opposes any attempt to map permissions to a particular role.  This table presented was created during the development of the permission catalog to drive out the permissions.  But it was not intended to assign those to specific functional roles.  It was only to discover the roles to include in the catalog.   
+
**Mike opposes any attempt to map permissions to a particular role.  This table presented was created during the development of the permission catalog to drive out the permissions.  But it was not intended to assign those to specific functional roles.  It was only to discover the roles to include in the catalog.   
**The assignment of functional roles is not consistent from one organization to the next
+
***The assignment of functional roles is not consistent from one organization to the next.  Including this as an example is fine, but it should not be incorporated into the ontology itself
**Actions and Objects
+
***For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means.
**As an example, this is fine, but it should not be incorporated into the ontology itself
+
***Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology.  Tony will migrate those to the demo namespace.
**For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means.
+
**Mike: Using other Standards (ANSI INCITS), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes.  But we’re not trying to make on a national or international basis, trying to make those assignments.
**Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology.  Tony will migrate those to the demo namespace.
+
**Structural Roles are different.  They exist at a higher level in the hierarchy and provide only access to high level workflows.
**Mike: Using other Standards (ANSI INCITD), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes.  But we’re not trying to make on a national or international basis, trying to make those assignments.
 
**Structural Roles are different.  They exist at a higher level in the hierarchy and provide only access to high level workflows.  At level, it is more all encompassing.
 
 
***A Structural Role is a precursor role.  It is the role that you have to have to enter a generalized workflow.  Functional roles describe the detailed things that you can do within a workflow.
 
***A Structural Role is a precursor role.  It is the role that you have to have to enter a generalized workflow.  Functional roles describe the detailed things that you can do within a workflow.
***This is an important point to capture – we need to make this clear in the ontology.  So this table is not in any sense normative.
+
***This is an important point to capture – we need to make this clear in the ontology.  We clarified this point in the Permissions Catalog and we need to make this point clear in the ontology. So this table is not in any sense normative.
 
*Tony: The fact that were able to divide the ontology into sub ontologies, helps to distinguish what is part of the HL7 standard, versus what’s part of the VA standard or anything else.
 
*Tony: The fact that were able to divide the ontology into sub ontologies, helps to distinguish what is part of the HL7 standard, versus what’s part of the VA standard or anything else.
 
*The final topic under discussion today related to using SWRL (Semantic Web Rule Language)
 
*The final topic under discussion today related to using SWRL (Semantic Web Rule Language)
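Review bot: the added "Mike:" line corrects "INCITD" to "INCITS" but keeps the sentence "But we’re not trying to make on a national or international basis, trying to make those assignments", which still does not parse; reword it while the line is being touched. The added "***This is an important point to capture" line now says "make this clear in the ontology" twice, and the "**Actions and Objects" bullet is dropped with no replacement, so confirm that removal is intended.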

Latest revision as of 19:02, 29 September 2010

Security Working Group Meeting


Attendees

Agenda

  1. (05 min) Roll Call, Call for additional agenda items & Accept Agenda
  2. (20 min) Monday Q3/Q4 Face to Face Agenda Items
  3. (35 min) Tony Weida: Ontology update

ADMINISTRATIVE NOTE: A new livemeeting link will be sent out after the HL7 Plenary and Working Group meeting. Please be on the lookout for it, thank you. ~Suzanne

Minutes

1. Action Items

  1. Richard will contact international members asking them if they can provide a brief report out during the Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers, and the various entities with which providers share protected health information, will protect consumers' privacy preferences
  2. Mike will reach out to the SOA Health Care Services Ontology project to see if they can attend the Security and Privacy Ontology report out portion of the joint session

2. Resolutions - none

3. Updates/Discussion

Boston WGM Joint Security/CBCC Agenda Discussion – Monday, Q3/Q4

  • Tentative Agenda is as follows:
    • Report Outs
  1. Security and Privacy Ontology Project – where we are and where we plan to go.
    • Includes a brief demonstration of the tool (Protégé) used to develop the ontology – Tony Weida (30 minutes)
  2. Status update on the Composite Security and Privacy Domain Analysis Model DSTU R1 post May 2010 ballot reconciliation – Ioana Singureanu (15 minutes)
  3. NHIN Direct – John Moehrke (10 minutes)
  4. Federal Identity, Credential, and Access Management (FICAM) – Mike Davis (10 minutes)
  5. National Strategy for Trusted Identities in Cyberspace – Mike Davis (10 minutes)
  6. US and International Realm Report Out on efforts related to building trusted relationships between patients and service providers – Richard Thoreson and International HL7 members (50 minutes)
    • Richard would like to hear from the different realms (nations) with respect to how they are approaching Privacy and the issue of TRUST: establishing the ability to share health care information with other providers. It is proposed to have a round table discussion involving participants from Australia (Heather Grain), Canada, England, France (Manuel), Japan (Hideyuki ‘Hidei’ Miyohara)
    • The goal is to start identifying information services that work as building blocks for community-based trust networks and safety net services.
  7. Privacy Policy Reference Catalog Project Status – Pat Pyette (10 minutes)
  8. External Standards Update

Security and Privacy Ontology Project Update

  • A formal peer review for the Security and Privacy Ontology has been proposed. The Boston WGM meeting is not the proper forum to conduct the peer review so it will take place in subsequent regular Tuesday conference calls.
    • The criteria for review are being developed along with a peer review form, which will be distributed via the Security, CBCC and SOA lists announcing the review and inviting participation. Input to the peer review will be used by Tony to help shape the ontology represented in OWL.
  • Tony presented the latest update to the ontology and discussed various specifics of OWL and the Protégé interface
    • OntoClean methodology – OntoClean.org. The OntoClean methodology provides a framework for analyzing ontologies based on formal, domain-independent properties of classes (meta-properties). Ideally one would want to automate the analysis of the ontology but the current version of Protégé that we’re using has not been updated to include those features.
    • The intent for the ontology is to become a standard to support interoperability. Two major goals:
  1. To make it easier for a patient to express consent
  2. To make it easier to express rules for privacy inside engines
  • Tony presented a spreadsheet describing the VA Permission Catalog, which generated some discussion. The spreadsheet lists Permissions as rows and Functional Roles as columns.
    • Mike opposes any attempt to map permissions to a particular role. The table presented was created during the development of the permission catalog to drive out the permissions, but it was not intended to assign those to specific functional roles. It was only to discover the roles to include in the catalog.
      • The assignment of functional roles is not consistent from one organization to the next. Including this as an example is fine, but it should not be incorporated into the ontology itself
      • For interoperability purposes, you can’t pass the name of a functional role and expect to know what that means.
      • Tony: So the relationship between a Functional Role and a collection of permissions will be made at the local level and therefore it is appropriate to represent that in the DemoLocal ontology. Tony will migrate those to the demo namespace.
    • Mike: Using other Standards (ANSI INCITS), you can mutually agree on an arbitrary set of permissions and assign a common role name to them for interoperability purposes. But we’re not trying, on a national or international basis, to make those assignments.
    • Structural Roles are different. They exist at a higher level in the hierarchy and provide only access to high level workflows.
      • A Structural Role is a precursor role. It is the role that you have to have to enter a generalized workflow. Functional roles describe the detailed things that you can do within a workflow.
      • This is an important point to capture. We clarified this point in the Permissions Catalog and we need to make it clear in the ontology as well. So this table is not in any sense normative.
  • Tony: The fact that we were able to divide the ontology into sub-ontologies helps to distinguish what is part of the HL7 standard versus what’s part of the VA standard or anything else.
  • The final topic under discussion today related to using SWRL (Semantic Web Rule Language)
    • A way to demonstrate access control decision making
    • OWL doesn’t have the power to do pattern matching in a convenient way. But this rule language was designed to work hand-in-hand with OWL
    • SWRL Rules can be used to illustrate how people might use elements of the ontology to make access control decisions
    • People are requested to think about whether SWRL is appropriate to use in relation to developing the ontology using the Protégé tool.

The meeting was adjourned at 3 PM EDT


No significant decisions or motions were made

