Difference between revisions of "October 19, 2010 Security Conference Call"
Finaversaggi (talk | contribs) m (→Attendees) |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 21: | Line 21: | ||
==Agenda== | ==Agenda== | ||
#''(05 min)'' Roll Call, Approve [http://wiki.hl7.org/index.php?title=September_28%2C_2010_Security_Conference_Call Minutes] & Accept Agenda | #''(05 min)'' Roll Call, Approve [http://wiki.hl7.org/index.php?title=September_28%2C_2010_Security_Conference_Call Minutes] & Accept Agenda | ||
− | #''( | + | #''(15 min)'' Review of [http://wiki.hl7.org/index.php?title=September_28%2C_2010_Security_Conference_Call September 28 – Action Items] |
− | #''( | + | #''(50 min)'' '''Generalized Attributes for Cross-Domain Communication ''' Ed Coyne, Mike Davis |
− | #''( | + | * begin CBCC meeting hour |
− | + | #''(40 min)'' [http://gforge.hl7.org/gf/download/docmanfileversion/5914/7649/Security-PrivacyOntologyReviewCriteria2010.10.18.docx Security and Privacy Ontology Review Criteria] - Tony Weida | |
+ | #''(10 min)'' [http://gforge.hl7.org/gf/download/docmanfileversion/5926/7674/OntologyLayeringArchitectureandReviewGrid_v12010.10.19.docx HL7 Security and Privacy Ontology Architecture v0.1] ''Jon Farmer'' | ||
+ | |||
+ | |||
+ | '''Roll Call, Call for additional agenda items & Accept Agenda''' | ||
+ | Meeting Minutes reviewed. Motion made to approve meeting minutes, motion seconded. | ||
+ | Hearing no objections, meeting minutes were approved. | ||
+ | |||
+ | No additional agenda items added. Proposed Agenda accepted. | ||
+ | |||
+ | '''Review of [http://wiki.hl7.org/index.php?title=September_28%2C_2010_Security_Conference_Call September 28 – Action Items]''' | ||
+ | |||
+ | '''Action Item 1''' | ||
+ | ''Richard will contact international members asking them if they can provide a brief report out during Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers and the various entities with which providers share protected health information will protect consumer's privacy preferences'' | ||
+ | |||
+ | Richard had a brief conversation that occurred at the HL7 meeting in Cambridge. ''Richard hopes to have something circulated in a week (paper also distributed at WG meeting)'' | ||
+ | Question: (Mike) Is this an ongoing effort? | ||
+ | Answer: This is basically, a white paper to suggest different kinds of ways how (CBCC) attempts to conceptualize; how we might measure (i.e. each US state or any other place) the quality of the performance of data being shared. How we effectively share and do not share our data—how we share as in ‘’community based collaborative care. | ||
+ | Result: ''Richard and CBCC will continue work on this area as a CBCC action item.'' As Security working group is unsure of the crossover (of Security) on this project. From the Cambridge Working Group Meeting, Bernd spoke on integration on systems (more on an academic level) and how this information '''should''' be shared. The information briefed was not the usual ''how to protect/security'' information that we have shared here in the past. It’s a theory of security-privacy (or the theory of ''everything''). Portions of Bernd’s briefing Richard feels are relevant, as the integration on systems is more inclusive beyond healthcare which is where he (Richard) is trying to feed in to. (Not limiting the data sharing to just healthcare) There are other domains where security and privacy also are involved in and we shouldn’t avoid them. | ||
+ | |||
+ | '''Action Item 2''' | ||
+ | ''Mike will reach out to the SOA Health Care Services Ontology project to see if they can attend the Security and Privacy Ontology report out portion of the joint session.'' | ||
+ | |||
+ | Action Item has not been done. Members of the Security Working Group are attending/contributing to their Monday call. (Suzanne attended their Monday call this week.) Security will work with them and continue to share calls for the purpose of not wanting to get cross-threaded with SOA on basic things. Note: Steve Connolly has also been attending their meetings. | ||
+ | |||
+ | |||
+ | '''Generalized Attributes for Cross-Domain Communication''' (Ed Coyne, Mike Davis) | ||
+ | ''Steve Connolly had started a mapping of [http://gforge.hl7.org/gf/download/docmanfileversion/5921/7656/HarmonizedDAMXSPA20100507.xlsx DAM Attributes to Standards] Using Steve’s spreadsheet as an example, I (Mike) would like to propose as an activity to the Information Model and Domain Analysis Model project:'' | ||
+ | |||
+ | * To continue the work that Steve had started in this WG to map US-realm standard to the IM | ||
+ | |||
+ | * Create a US realm profile of the Information Model (DAM) – ANSI, OASIS, HL7 standards – carry those as a US profile | ||
+ | |||
+ | * Create more of an international profile where we focus more on ISO standards where we map into the IM in order to provide standardized vocabulary | ||
+ | |||
+ | The purpose of this activity is to verify the attributes in the Information Model-- that we’ve completed is backed up by a standard. We provide US and International realms (general purpose) to create mapping/vocabulary. | ||
+ | |||
+ | * Identify gaps during this activity and where we can, close those gaps. | ||
+ | This is a continuation of activities CBCC and Security have already been engaged in. View this as more maintenance of the information model and the result will be useful to the ontology work—''mapped standards and values set.'' When we start getting into other classes, (we are working on RBAC now), we are using primarily HL7 work. We then apply ASTM standards work which is purely representational because ASTM is only a US-realm standards organization. This proposal would continue to prepare our ontology work by bringing the focus in. | ||
+ | |||
+ | As a group we need to look at other standards in this activity, we need to look at the Information Model classes and use our subject-matter expertise to say ''this standard probably belongs here.'' | ||
+ | |||
+ | Within the US-realm we can take this model (which has already been provided to HHS, FHIMS group. Note: They do not have a US-realm vocabulary, so this vocabulary work will be within HL7). If we create these 2 profiles (US- and International-) we may want to make them official vocabulary profiles for (output) and possibly go through the ballot process. | ||
+ | |||
+ | Question: ''How are domain specific vocabularies done? In HL7 are vocabularies just indicated or are they balloted?'' (We do not know that answer) | ||
+ | |||
+ | (Richard) In doing this activity, we may be going outside of healthcare realm. | ||
+ | |||
+ | (Mike) Yes, so if vocabulary is outside healthcare domain we would have to identify that. | ||
+ | |||
+ | (Richard) In order to facilitate exchange across the silos it’s useful to have these standards harmonized. | ||
+ | |||
+ | (Mike) As we go through the activity, that may be a consequence which might happen. The activity would map the current work to the standards as two different things realms: US and International. We may find that there are gaps or not, or more than one standard that could be used—if there is more than one standards, then that’s where we need to harmonize. | ||
+ | |||
+ | (Serafina) Who has the latest version of Steve’s work? | ||
+ | |||
+ | (Suzanne) It’s posted in GForge: [http://gforge.hl7.org/gf/download/docmanfileversion/5926/7674/OntologyLayeringArchitectureandReviewGrid_v12010.10.19.docx under ‘’Ontology Layering Architecture and Review Grid’’] dated 5/7/2010. It’s in the form of a spreadsheet. We should probably rearrange the spreadsheet so that the elements of the Information Model and the standard are next to each other. | ||
+ | |||
+ | (Serafina) Are you expecting an annotation to the model, i.e. being added to the Domain Anaylsis Model? | ||
+ | |||
+ | (Mike) No, we are not updating the DAM with this (maybe). I’m proposing we create 2 new artifacts, which may be vocabulary updates, new things we ballot—more like ''profiles of the information model,'' the output is two profiles. | ||
+ | 1. US and | ||
+ | 2. International model | ||
+ | |||
+ | For the ontology general effort—similar to using the ISO profile –it should be more general (as in ISO) and not so specific. Do you see that differently? | ||
+ | |||
+ | (Serafina) No, that sounds logical. | ||
+ | |||
+ | (Mike) I’m bringing this to Working Group as a suggestion, not as a proposal. We need to pick up the work to see it and continue to talk about this as ongoing discussion as we progress forward. I’d propose we take a look at the Information Model and think about this spreadsheet. It requires knowledge of the standards-- a number of standards. The ''I think this standard is relevant'' portion, I’d like to have input from the members. Send input to Suzanne, Mike or Richard—contact information is on the list---maybe we should look at this stand, what we are looking for now knowledge of a us realm or other standard that will apply to the information model and if you are aware, it would save us time using this group as acknowledge base…take this on as a group activity. | ||
+ | |||
+ | |||
+ | ''' ''END Joint Security-CBCC WG meeting– start CBCC WG Meeting'' ''' | ||
+ | |||
+ | CBCC Agenda | ||
+ | No meeting minutes were approved; attendees are in agreement to allow Tony (and Jon) to continue their presentation into the CBCC meeting as noted in the agenda. | ||
+ | |||
+ | ''(Meeting attendees are in agreement to allow Tony to continue with ontology process.)'' | ||
+ | |||
+ | Live Meeting Presentation of updated Security and Privacy Ontology | ||
+ | '''Ontology update''' | ||
+ | [http://gforge.hl7.org/gf/download/docmanfileversion/5866/7571/Ontologies2010-09-24.zip Updated draft of the Security-Privacy Ontology expressed in OWL 2 and suitable for viewing with the Protégé 4.1 OWL Editor] | ||
+ | Draft sent for review on 10/18/2010 | ||
+ | |||
+ | ''(Note: Meeting minutes are sparse, w/ missing information)'' | ||
+ | |||
+ | One unified artifact: In the nomenclature of OWL you can relate to multiple ontologies (maintenance and use) our first base level address HL7 RBAC, security and privacy in general. | ||
+ | |||
+ | A second ontology adds VHA structural and a third builds on that an example of a local security and privacy setting where we have classes of individual that are related to each other. You can think of it as unified but composed of separable pieces. In addition, Jon took a look at the ontology and created a ''tabular view'' | ||
+ | |||
+ | (Jon) Presenting Ontology in ''tabular view – there are a lot of moving parts (actually 3 ontologies) | ||
+ | |||
+ | ''(Note: Meeting minutes are sparse, w/ missing information)'' | ||
+ | *[http://gforge.hl7.org/gf/download/docmanfileversion/5867/7572/HL7SecurityandPrivacyOntologyUpdate-2010-09-24.docx Updated Word document with screenshots and other information for those not using Protégé] | ||
+ | |||
+ | (Jon) It may be useful to look at the baseline ontology in a columnar form – VHA is the 2nd column | ||
+ | Local ontology that extends the first 2 columns (3rd column) | ||
+ | |||
+ | *Two tables – one compares and contrast the knowledge at each level, calls out the benefits. | ||
+ | |||
+ | *Second page shows that even though our 3 ontologies illustrate the layering mechanics in the real world there will be a foundational ontology. Stacked on that may be an arbitrary depth that providers of various providers or jurisdictions and multiple locals of a provider , by wiring these together in sequence can build on each other--points to the ontology it’s subject to. Multiple ontology prospects are shown here in perspective. This is a high abstraction of the model. | ||
+ | |||
+ | When you get into protégé, there are hundreds already (thousands of classes of rules, relationships and classes)—how can one evaluate all that stuff and know where you are in that process? As I set out to pilot this, it occurred to me it might be nice to have a grid in which to record comments. A second grid with classes on the left and layers (ontology) on across the top, then if I am doing that review—any time I have a comment, say if comment only applies to layer and not the class I can apply the note to that layer. | ||
+ | |||
+ | If my comment is specific, then I can apply the comment to a cell. I’m proposing a grid model that for reviewing the architecture from the 5000 feet as well as capture comments at the 50 foot level. | ||
+ | |||
+ | Any comments or questions? | ||
+ | |||
+ | Comment: (Tony), one nice thing about this is in MS word if multiple people provide comments, the document merging works--you can bring all the comments together fairly quickly and automatically by merging all the documents with comments. (This will be nice for those who have to do the processing.) | ||
+ | |||
+ | (Jon) As we annotate, I will do that in blue text. That heads off a certain amount of confusion, especially if someone opens protégé and is not familiar with it. | ||
+ | |||
+ | (Tony) In terms of planning, I’m getting close to being satisfied with the first pass of RBAC constructs in the ontology. It’s a good time to solicit feedback. I will not be on the call next week. I’m hoping that Jon and I can circulate our criteria very shortly, then later this week I can sent out the latest draft and resolve some of the review criteria and kick off the questions and concerns from the group---to submit the a new version of the ontology in GForge/wiki and be ready for people to review. | ||
==Action Items== | ==Action Items== | ||
+ | |||
+ | Tony--coordinate w/Suzanne, Serafina for notification) | ||
+ | # (Tony) I will address Mike’s comment on priority and roll up on criteria (critical and less critical) I will work with Jon. | ||
+ | # (Jon) complete updates to the ontology tabular view. | ||
+ | # (Tony) Get ontology out in a week (posted for review) and | ||
+ | # (Group) Allow people/attendees provide their comments on posted Ontology | ||
+ | # (Richard)Paper to start discussion | ||
+ | |||
[[Security|Back to Security Main Page]] | [[Security|Back to Security Main Page]] |
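Review bot: In the added (Suzanne) line, the GForge link labeled "Ontology Layering Architecture and Review Grid" points to OntologyLayeringArchitectureandReviewGrid_v12010.10.19.docx, while the sentence describes Steve's spreadsheet dated 5/7/2010 and the earlier "DAM Attributes to Standards" link points to HarmonizedDAMXSPA20100507.xlsx. The link target and label in that line should be checked against the spreadsheet the text refers to. The note "(Note: Meeting minutes are sparse, w/ missing information)" is also added twice, and the first added line under Action Items ("Tony--coordinate w/Suzanne, Serafina for notification)") closes a parenthesis that was never opened.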
Latest revision as of 03:54, 4 November 2010
Security Working Group Meeting
Attendees
- Ed Coyne
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair, scribe
- Michelle Johnston
- Milan Petkovic
- David Staggs
- Richard Thoreson CBCC Co-chair
- Serafina Versaggi
- Tony Weida
Agenda
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Review of September 28 – Action Items
- (50 min) Generalized Attributes for Cross-Domain Communication Ed Coyne, Mike Davis
- begin CBCC meeting hour
- (40 min) Security and Privacy Ontology Review Criteria - Tony Weida
- (10 min) HL7 Security and Privacy Ontology Architecture v0.1 Jon Farmer
Roll Call, Call for additional agenda items & Accept Agenda
Meeting Minutes reviewed. Motion made to approve meeting minutes, motion seconded.
Hearing no objections, meeting minutes were approved.
No additional agenda items added. Proposed Agenda accepted.
Review of September 28 – Action Items
Action Item 1: Richard will contact international members asking them if they can provide a brief report out during Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers and the various entities with which providers share protected health information will protect consumers' privacy preferences.
Richard had a brief conversation that occurred at the HL7 meeting in Cambridge. Richard hopes to have something circulated in a week (paper also distributed at WG meeting).
Question: (Mike) Is this an ongoing effort?
Answer: This is basically a white paper to suggest different kinds of ways how (CBCC) attempts to conceptualize; how we might measure (i.e. each US state or any other place) the quality of the performance of data being shared. How we effectively share and do not share our data—how we share as in community based collaborative care.
Result: Richard and CBCC will continue work on this area as a CBCC action item, as the Security working group is unsure of the crossover (of Security) on this project. From the Cambridge Working Group Meeting, Bernd spoke on integration on systems (more on an academic level) and how this information should be shared. The information briefed was not the usual "how to protect/security" information that we have shared here in the past. It’s a theory of security-privacy (or the theory of everything). Portions of Bernd’s briefing Richard feels are relevant, as the integration on systems is more inclusive beyond healthcare, which is where he (Richard) is trying to feed in to. (Not limiting the data sharing to just healthcare.) There are other domains where security and privacy also are involved and we shouldn’t avoid them.
Action Item 2: Mike will reach out to the SOA Health Care Services Ontology project to see if they can attend the Security and Privacy Ontology report out portion of the joint session.
Action Item has not been done. Members of the Security Working Group are attending/contributing to their Monday call. (Suzanne attended their Monday call this week.) Security will work with them and continue to share calls for the purpose of not wanting to get cross-threaded with SOA on basic things. Note: Steve Connolly has also been attending their meetings.
Generalized Attributes for Cross-Domain Communication (Ed Coyne, Mike Davis)
Steve Connolly had started a mapping of DAM Attributes to Standards. Using Steve’s spreadsheet as an example, I (Mike) would like to propose as an activity to the Information Model and Domain Analysis Model project:
- To continue the work that Steve had started in this WG to map US-realm standards to the IM
- Create a US realm profile of the Information Model (DAM) – ANSI, OASIS, HL7 standards – carry those as a US profile
- Create more of an international profile where we focus more on ISO standards where we map into the IM in order to provide standardized vocabulary
The purpose of this activity is to verify that the attributes in the Information Model that we’ve completed are backed up by a standard. We provide US and International realms (general purpose) to create mapping/vocabulary.
- Identify gaps during this activity and where we can, close those gaps.
This is a continuation of activities CBCC and Security have already been engaged in. View this as more maintenance of the information model and the result will be useful to the ontology work—mapped standards and values set. When we start getting into other classes, (we are working on RBAC now), we are using primarily HL7 work. We then apply ASTM standards work which is purely representational because ASTM is only a US-realm standards organization. This proposal would continue to prepare our ontology work by bringing the focus in.
As a group we need to look at other standards in this activity; we need to look at the Information Model classes and use our subject-matter expertise to say "this standard probably belongs here."
Within the US-realm we can take this model (which has already been provided to HHS, FHIMS group. Note: They do not have a US-realm vocabulary, so this vocabulary work will be within HL7). If we create these 2 profiles (US- and International-) we may want to make them official vocabulary profiles for (output) and possibly go through the ballot process.
Question: How are domain specific vocabularies done? In HL7 are vocabularies just indicated or are they balloted? (We do not know that answer)
(Richard) In doing this activity, we may be going outside of healthcare realm.
(Mike) Yes, so if vocabulary is outside healthcare domain we would have to identify that.
(Richard) In order to facilitate exchange across the silos it’s useful to have these standards harmonized.
(Mike) As we go through the activity, that may be a consequence which might happen. The activity would map the current work to the standards as two different realms: US and International. We may find that there are gaps or not, or more than one standard that could be used—if there is more than one standard, then that’s where we need to harmonize.
(Serafina) Who has the latest version of Steve’s work?
(Suzanne) It’s posted in GForge under "Ontology Layering Architecture and Review Grid" dated 5/7/2010. It’s in the form of a spreadsheet. We should probably rearrange the spreadsheet so that the elements of the Information Model and the standard are next to each other.
(Serafina) Are you expecting an annotation to the model, i.e. being added to the Domain Analysis Model?
(Mike) No, we are not updating the DAM with this (maybe). I’m proposing we create 2 new artifacts, which may be vocabulary updates, new things we ballot—more like profiles of the information model, the output is two profiles. 1. US and 2. International model
For the ontology general effort—similar to using the ISO profile—it should be more general (as in ISO) and not so specific. Do you see that differently?
(Serafina) No, that sounds logical.
(Mike) I’m bringing this to Working Group as a suggestion, not as a proposal. We need to pick up the work to see it and continue to talk about this as ongoing discussion as we progress forward. I’d propose we take a look at the Information Model and think about this spreadsheet. It requires knowledge of the standards, a number of standards. For the "I think this standard is relevant" portion, I’d like to have input from the members. Send input to Suzanne, Mike or Richard—contact information is on the list—maybe we should look at this stand, what we are looking for now is knowledge of a US-realm or other standard that will apply to the information model and if you are aware, it would save us time using this group as a knowledge base…take this on as a group activity.
END Joint Security-CBCC WG meeting– start CBCC WG Meeting
CBCC Agenda
No meeting minutes were approved; attendees are in agreement to allow Tony (and Jon) to continue their presentation into the CBCC meeting as noted in the agenda.
(Meeting attendees are in agreement to allow Tony to continue with ontology process.)
Live Meeting Presentation of updated Security and Privacy Ontology
Ontology update
Updated draft of the Security-Privacy Ontology expressed in OWL 2 and suitable for viewing with the Protégé 4.1 OWL Editor
Draft sent for review on 10/18/2010
(Note: Meeting minutes are sparse, w/ missing information)
One unified artifact: In the nomenclature of OWL you can relate to multiple ontologies (maintenance and use); our first base level addresses HL7 RBAC, security and privacy in general.
A second ontology adds VHA structural and a third builds on that with an example of a local security and privacy setting where we have classes of individuals that are related to each other. You can think of it as unified but composed of separable pieces. In addition, Jon took a look at the ontology and created a tabular view.
(Jon) Presenting Ontology in tabular view – there are a lot of moving parts (actually 3 ontologies)
(Note: Meeting minutes are sparse, w/ missing information)
(Jon) It may be useful to look at the baseline ontology in a columnar form – VHA is the 2nd column.
Local ontology that extends the first 2 columns (3rd column).
- Two tables – one compares and contrasts the knowledge at each level, calls out the benefits.
- Second page shows that even though our 3 ontologies illustrate the layering mechanics in the real world there will be a foundational ontology. Stacked on that may be an arbitrary depth that providers of various providers or jurisdictions and multiple locals of a provider , by wiring these together in sequence can build on each other--points to the ontology it’s subject to. Multiple ontology prospects are shown here in perspective. This is a high abstraction of the model.
When you get into Protégé, there are hundreds already (thousands of classes of rules, relationships and classes)—how can one evaluate all that stuff and know where you are in that process? As I set out to pilot this, it occurred to me it might be nice to have a grid in which to record comments. A second grid with classes on the left and layers (ontology) across the top, then if I am doing that review—any time I have a comment, say if comment only applies to layer and not the class I can apply the note to that layer.
If my comment is specific, then I can apply the comment to a cell. I’m proposing a grid model for reviewing the architecture from 5000 feet as well as capturing comments at the 50 foot level.
Any comments or questions?
Comment: (Tony) One nice thing about this is in MS Word if multiple people provide comments, the document merging works; you can bring all the comments together fairly quickly and automatically by merging all the documents with comments. (This will be nice for those who have to do the processing.)
(Jon) As we annotate, I will do that in blue text. That heads off a certain amount of confusion, especially if someone opens Protégé and is not familiar with it.
(Tony) In terms of planning, I’m getting close to being satisfied with the first pass of RBAC constructs in the ontology. It’s a good time to solicit feedback. I will not be on the call next week. I’m hoping that Jon and I can circulate our criteria very shortly, then later this week I can send out the latest draft and resolve some of the review criteria and kick off the questions and concerns from the group, to submit a new version of the ontology in GForge/wiki and be ready for people to review.
Action Items
(Tony--coordinate w/Suzanne, Serafina for notification)
- (Tony) I will address Mike’s comment on priority and roll up on criteria (critical and less critical) I will work with Jon.
- (Jon) complete updates to the ontology tabular view.
- (Tony) Get ontology out in a week (posted for review) and
- (Group) Allow people/attendees to provide their comments on posted Ontology
- (Richard) Paper to start discussion