Difference between revisions of "May 2016 Montreal WGM - Security"
Line 3: | Line 3: | ||
Return to: [[Security|Back to Security Work Group Main Page]] | Return to: [[Security|Back to Security Work Group Main Page]] | ||
− | + | Agenda: [http://wiki.hl7.org/index.php?title=May_2016_Montreal_WGM_-_Security_Agenda HL7 WGM MAY 2016 - Montreal Canada Security WG] - May 09 - 13, 2016 | |
− | + | Return to: [[Security|Back to Security Work Group Main Page]] | |
− | + | ==Overall Attendees== | |
+ | *Alexander Mense alexander.mense@hl7.at | ||
+ | *Andrew Torres andrew.torres@cerner.com | ||
+ | *Duane DeCouteau ddecouteau@edmondsci.com | ||
+ | *Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp | ||
+ | *Guillaume Rossignol guillaume.rossignol@almeris.com | ||
+ | *Mohammad Jafari mjafari@edmondsci.com | ||
+ | *Kathleen Connor kathleen.connor@comcast.net | ||
+ | *Pete Gilbert peter.gilbert@mhplan.com | ||
+ | *Pete Robinson pete@cedarbridge.com | ||
+ | *Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov | ||
+ | *Beth Pumo beth.pumo@kp.org | ||
− | + | ==Monday Q3 – Q4== | |
− | + | CBCC Joint with Security | |
− | + | See CBCC Montreal WGM Minutes | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | = | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Tuesday Q1 May 10== | == Tuesday Q1 May 10== | ||
Attendees: | Attendees: | ||
− | + | *Alexander Mense alexander.mense@hl7.at | |
− | * Alexander Mense alexander.mense@hl7.at | + | *Duane DeCouteau ddecouteau@edmondsci.com |
− | + | *Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp | |
− | * Duane DeCouteau ddecouteau@edmondsci.com | + | *Mohammad Jafari mjafari@edmondsci.com |
− | + | * Kathleen Connor kathleen.connor@comcast.net | |
− | * Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp | + | * Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov |
− | * Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov | + | * Beth Pumo beth.pumo@kp.org |
− | * Beth Pumo beth.pumo@kp.org | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | '''Opening Security WG Meeting ''' | |
− | '''Security | + | Chair: Kathleen Connor |
− | + | *Introductions by participants was minimal since the same people introduced themselves during the CBCC Opening Session. | |
− | Cochair: | + | * Approval of the agenda [http://wiki.hl7.org/index.php?title=May_2016_Montreal_WGM_-_Security_Agenda May 2016 Montreal WGM - Security Agenda after noting that several scheduled sessions are likely going to be cancelled or compressed.: |
+ | **Participation is light because many Security and CBCC WG members were unable to attend | ||
+ | **Suzanne will announce that the Security WG has finished its Vocabulary alignment effort with the EHR WG during Wed Q1 Joint, so the Wed Q3 session will likely be cancelled. FHIR-I has scheduled its Joint with Security on Thurs Q1 | ||
+ | KC proposed to keep any open sessions on the agenda for work sessions on FHIR documentation, and others agreed. | ||
+ | Updates: | ||
+ | * FHIR Cochair meeting: Kathleen discussed key FHIR STU3 timelines: | ||
+ | **Due by June 1st - Resource Proposals on website with WG approval; Connectathon Proposals for September WGM; and Feedback on gforge tool | ||
+ | **Sunday July 17 is Substantive content freeze for ballot | ||
+ | **In order for Mohammad and Duane to be granted commit rights to the FHIR build, they must be providing FHIR facilitation for WGs. Given the current amount of work that needs to be put in the build, some of which John hasn’t been able to get done, Kathleen proposed that both CBCC and Security name them as additional FHIR Facilitators. Mohammad submitted the commit request information to Lloyd. | ||
+ | *Steering Division and Cochair Dinner: | ||
+ | **Alex reported that the PASS Audit PSS was approved during FTSD Q6. He moved, and Grahame seconded. | ||
+ | **Project Services advises that all WGs sponsoring a PSS keep any co-sponsors apprised of the approval progress especially when they are in different steering divisions. | ||
+ | Security WG items: Kathleen proposed that the WG recognize Hideyuki Miyohara as a cochair during the Montreal WGM because neither Trisha nor John were able to attend. WG agreed to Hide being a temporary cochair if needed. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | International Report outs | ||
+ | Alex Mense presented on a number of EU health information privacy and security developments: | ||
+ | *He presented slides and walked us through the regulation, describing the politics that took place with large data controllers and processors. | ||
+ | *[http://gforge.hl7.org/gf/download/docmanfileversion/9211/14253/dp-day-pn-presentation-reform_gr1_adopted.pdf dp-day-pn-presentation-reform_gr1_adopted.pdf ] | ||
+ | *[http://gforge.hl7.org/gf/download/docmanfileversion/9212/14254/European_directive_oj_en.pdf European_directive_oj_en.pdf] | ||
+ | *[http://gforge.hl7.org/gf/download/docmanfileversion/9213/14255/European_regulation_oj_en.pdf European_regulation_oj_en.pdf] | ||
+ | *[http://gforge.hl7.org/gf/download/docmanfileversion/9214/14256/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf Radical changes to European data protection legislation.pdf] | ||
− | + | Code of Conduct on mHealth apps: The code is being developed by the industry for app developers in order to safeguard privacy of data collected by mHealth apps. App certification is being considered. The minutes, presentation slides and participant list are available [https://ec.europa.eu/digital-single-market/en/news/meeting-privacy-code-conduct-mhealth-apps here]. | |
− | |||
− | |||
+ | Alex referenced a related EU mHealth activity: https://ec.europa.eu/digital-single-market/en/news/meeting-privacy-code-conduct-mhealth-apps | ||
+ | Beth suggested sharing EU Directive material with mHealth WG | ||
− | + | Liaison Reports: ISO, IHE, ONC (HEART) | |
− | + | *IHE Report – no representative available | |
+ | *ISO Report – Hide summarized what he’d reported on in the CBCC Opening Session. He announced that he is now the ISO TC215 WG4 Convener. He updated the Security WG on the 25th meeting of ISO TC215 in Amsterdam NL, May 6, 2016 on Privacy, Security, and Safety, and provided us with the [http://gforge.hl7.org/gf/download/docmanfileversion/9257/14343/WG4_Closing_Plenary_Presentation_Amsterdam_Netherland_v2.pdf WG4 Closing Plenary Presentation]. | ||
+ | *IDESG - Beth Discussed the [http://gforge.hl7.org/gf/download/docmanfileversion/9258/14344/IDESG-Glossary-formatted-v0.6-20160429-clean.docx IDESG new Glossary] and that IDEF is focusing on Healthcare. | ||
+ | *HEART – Kathleen reported on their current standards and the ONC HEART challenge. | ||
+ | * UMA – Kathleen reported on recent activities including mitigating a risk in the current UMA profile, use case development, uptake of HL7 FHIR Contract concepts such as grantor, grantee, subject, contract and consent directives to describe the agreements among UMA actors, which are not currently addressed by UMA standards and OAUTH profile. | ||
− | + | The input to this development come from the UMA Legal group, which is working with ABA and CommonAccord to develop standardized, modular, and compose-able contract provisions and core contract content such as recitals. In addition, there is some interest in developing OAuth Scopes using HL7 security labels and the HL7 ABAC to encode clearances. | |
− | |||
− | |||
+ | This would be an alternative to the current HEART [http://openid.bitbucket.org/HEART/openid-heart-fhir-oauth2.html Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes] use of pre-coordinated strings, such as the following, which are not scalable if additional attributes beyond simple CRUDE Operations/Object permissions are required for e.g., ABAC. | ||
− | == | + | *Read and write access to a single patient's complete records. |
− | ''' | + | patient/*.* Full access to a single patient's complete records. |
+ | *user/Patient.read - Read access to all authorized demographic information. | ||
+ | *user/Patient.write - Read and write access to all authorized demographic information. | ||
+ | *user/Patient.* - Full access to all authorized demographic information. | ||
+ | *user/MedicationOrder.read - Read access to all authorized orders for medications. | ||
+ | *user/MedicationOrder.write - Read and write access to all authorized orders for medications. | ||
+ | *user/MedicationOrder.* Full access to all authorized orders for medications. | ||
+ | *HL7 Project status and updates: | ||
+ | **Privacy Impact Assessment and Privacy and Security by Design – Suzanne updated the WG about progress on the PIA, and deferral of the P&SbD. | ||
+ | *FHIR Security - AuditEvent, Provenance, Security Labels – Kathleen gave an update on recent work and the WG need to review the solution to the security label versioning issue that Lloyd proposed. | ||
+ | **FHIR Consent Directive work (with CBCC) – Kathleen noted that the WGs have about 8 weeks to complete all the documentation and load the value sets and model spreadsheets into the build, have these QA’d etc. | ||
+ | **Security/EHR Vocabulary Alignment – Suzanne gave a summary of recent changes in this project, and the decision to finalize the Vocabulary definitions and models developed by Mike and Diana to close out the project. | ||
+ | * Workgroup Health Update – Kathleen congratulated the much missed Princess Trish for getting the Security WG its first gold star. She the presented the statistics and discussed the need to clear out old projects from Project Insight and to send Dave Hamill an updated Security WG 3 year plan. | ||
+ | **Kathleen to check with Trish about where that plan is and have the WG review for any needed updates during the interim. | ||
+ | **She asked Dave Hamill to send Security WG cochairs the WG’s Project Insight logon and password. | ||
+ | |||
+ | ==Tuesday Q2== | ||
+ | '''Trust Framework Work Session''' | ||
Attendees: | Attendees: | ||
− | + | *Alexander Mense alexander.mense@hl7.at | |
+ | *Andrew Torres andrew.torres@cerner.com | ||
+ | *Duane DeCouteau ddecouteau@edmondsci.com | ||
+ | *Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp | ||
+ | *Guillaume Rossignol guillaume.rossignol@almeris.com | ||
+ | *Mohammad Jafari mjafari@edmondsci.com | ||
+ | *Kathleen Connor kathleen.connor@comcast.net | ||
+ | *Pete Gilbert peter.gilbert@mhplan.com | ||
+ | *Pete Robinson pete@cedarbridge.com | ||
+ | *Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov | ||
+ | *Beth Pumo beth.pumo@kp.org | ||
− | + | Cochair: Alex Mense | |
− | + | Review of Current Trust Framework Efforts | |
− | + | Kathleen referred WG to the [http://wiki.hl7.org/index.php?title=Trust_Label Security Trust Library] where she has uploaded material related to: | |
− | + | • Trust Framework Governance initiatives discussed included: | |
− | + | o DirectTrust and its accreditation program for Direct Trust Bundles | |
− | + | o Nate and its accreditation program for PHRs | |
+ | o IDESG Trust Framework and Trust Marks, which are being developed by GTRI [Georgia Tech Research Institute] with support from NSTIC for self-assessment and establishing “Trust Federations” among stakeholder communities’ identity and service providers. Each Trust Federation licenses the Trust Marks developed by GTRI in accordance with IDESG privacy, security, trust, standards, and other requirements. | ||
+ | • Trust Framework established and emerging standards discussed included description of how [http://gforge.hl7.org/gf/download/docmanfileversion/9174/14186/GTRI-Trustmark GTRI trust marks] were developed and how they work. | ||
+ | • Trust Framework requirements from various jurisdictions including the THEWS and Privacy Architecture for Ubiquitous Health work that Bernd Blobel has authored. Alexander provided more detail on this work and its uptake in EU. | ||
+ | • Health applications for Block Chaining. Guillaume described some possible applications for health care financial transactions and how vendors are able to provide block chaining services at a low price to consumers and businesses, such as http://proofofexistence.com | ||
+ | Kathleen discussed the how the HL7 Trust Labels can be used as Access Control Information in the HL7 Security Labeling Service, Trust model in the HL7 PASS Access Control Functional Model, and planned work on Trust Framework models in the Privacy and Security Architecture Framework [PSAF]. | ||
− | + | She also discussed initial work on a FHIR Trust Framework profile on Contract that could use the HL7 Trust Labels, possibly leverage the GTRI Trust Mark approach for developing FHIR Trust Marks, which could be referenced by a FHIR Trust Framework instance to stipulate the Trust Marks to which the parties agree to comply. | |
− | + | See [http://wiki.hl7.org/index.php?title=September_2016_CBCC_Working_Group_Meeting_-_Baltimore,_Maryland CBCC Montreal WGM Minutes] | |
− | |||
− | |||
− | |||
− | |||
− | = | ||
− | |||
− | |||
− |
Revision as of 05:38, 28 May 2016
Agenda: HL7 WGM MAY 2016 - Montreal Canada Security WG - May 09 - 13, 2016
Return to: Back to Security Work Group Main Page
Agenda: HL7 WGM MAY 2016 - Montreal Canada Security WG - May 09 - 13, 2016
Return to: Back to Security Work Group Main Page
Overall Attendees
- Alexander Mense alexander.mense@hl7.at
- Andrew Torres andrew.torres@cerner.com
- Duane DeCouteau ddecouteau@edmondsci.com
- Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
- Guillaume Rossignol guillaume.rossignol@almeris.com
- Mohammad Jafari mjafari@edmondsci.com
- Kathleen Connor kathleen.connor@comcast.net
- Pete Gilbert peter.gilbert@mhplan.com
- Pete Robinson pete@cedarbridge.com
- Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov
- Beth Pumo beth.pumo@kp.org
Monday Q3 – Q4
CBCC Joint with Security See CBCC Montreal WGM Minutes
Tuesday Q1 May 10
Attendees:
- Alexander Mense alexander.mense@hl7.at
- Duane DeCouteau ddecouteau@edmondsci.com
- Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
- Mohammad Jafari mjafari@edmondsci.com
- Kathleen Connor kathleen.connor@comcast.net
- Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov
- Beth Pumo beth.pumo@kp.org
Opening Security WG Meeting
Chair: Kathleen Connor
- Introductions by participants was minimal since the same people introduced themselves during the CBCC Opening Session.
- Approval of the agenda [http://wiki.hl7.org/index.php?title=May_2016_Montreal_WGM_-_Security_Agenda May 2016 Montreal WGM - Security Agenda after noting that several scheduled sessions are likely going to be cancelled or compressed.:
- Participation is light because many Security and CBCC WG members were unable to attend
- Suzanne will announce that the Security WG has finished its Vocabulary alignment effort with the EHR WG during Wed Q1 Joint, so the Wed Q3 session will likely be cancelled. FHIR-I has scheduled its Joint with Security on Thurs Q1
KC proposed to keep any open sessions on the agenda for work sessions on FHIR documentation, and others agreed. Updates:
- FHIR Cochair meeting: Kathleen discussed key FHIR STU3 timelines:
- Due by June 1st - Resource Proposals on website with WG approval; Connectathon Proposals for September WGM; and Feedback on gforge tool
- Sunday July 17 is Substantive content freeze for ballot
- In order for Mohammad and Duane to be granted commit rights to the FHIR build, they must be providing FHIR facilitation for WGs. Given the current amount of work that needs to be put in the build, some of which John hasn’t been able to get done, Kathleen proposed that both CBCC and Security name them as additional FHIR Facilitators. Mohammad submitted the commit request information to Lloyd.
- Steering Division and Cochair Dinner:
- Alex reported that the PASS Audit PSS was approved during FTSD Q6. He moved, and Grahame seconded.
- Project Services advises that all WGs sponsoring a PSS keep any co-sponsors apprised of the approval progress especially when they are in different steering divisions.
Security WG items: Kathleen proposed that the WG recognize Hideyuki Miyohara as a cochair during the Montreal WGM because neither Trisha nor John were able to attend. WG agreed to Hide being a temporary cochair if needed.
International Report outs
Alex Mense presented on a number of EU health information privacy and security developments:
- He presented slides and walked us through the regulation, describing the politics that took place with large data controllers and processors.
- dp-day-pn-presentation-reform_gr1_adopted.pdf
- European_directive_oj_en.pdf
- European_regulation_oj_en.pdf
- Radical changes to European data protection legislation.pdf
Code of Conduct on mHealth apps: The code is being developed by the industry for app developers in order to safeguard privacy of data collected by mHealth apps. App certification is being considered. The minutes, presentation slides and participant list are available here.
Alex referenced a related EU mHealth activity: https://ec.europa.eu/digital-single-market/en/news/meeting-privacy-code-conduct-mhealth-apps
Beth suggested sharing EU Directive material with mHealth WG
Liaison Reports: ISO, IHE, ONC (HEART)
- IHE Report – no representative available
- ISO Report – Hide summarized what he’d reported on in the CBCC Opening Session. He announced that he is now the ISO TC215 WG4 Convener. He updated the Security WG on the 25th meeting of ISO TC215 in Amsterdam NL, May 6, 2016 on Privacy, Security, and Safety, and provided us with the WG4 Closing Plenary Presentation.
- IDESG - Beth Discussed the IDESG new Glossary and that IDEF is focusing on Healthcare.
- HEART – Kathleen reported on their current standards and the ONC HEART challenge.
- UMA – Kathleen reported on recent activities including mitigating a risk in the current UMA profile, use case development, uptake of HL7 FHIR Contract concepts such as grantor, grantee, subject, contract and consent directives to describe the agreements among UMA actors, which are not currently addressed by UMA standards and OAUTH profile.
The input to this development come from the UMA Legal group, which is working with ABA and CommonAccord to develop standardized, modular, and compose-able contract provisions and core contract content such as recitals. In addition, there is some interest in developing OAuth Scopes using HL7 security labels and the HL7 ABAC to encode clearances.
This would be an alternative to the current HEART Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes use of pre-coordinated strings, such as the following, which are not scalable if additional attributes beyond simple CRUDE Operations/Object permissions are required for e.g., ABAC.
- Read and write access to a single patient's complete records.
patient/*.* Full access to a single patient's complete records.
- user/Patient.read - Read access to all authorized demographic information.
- user/Patient.write - Read and write access to all authorized demographic information.
- user/Patient.* - Full access to all authorized demographic information.
- user/MedicationOrder.read - Read access to all authorized orders for medications.
- user/MedicationOrder.write - Read and write access to all authorized orders for medications.
- user/MedicationOrder.* Full access to all authorized orders for medications.
- HL7 Project status and updates:
- Privacy Impact Assessment and Privacy and Security by Design – Suzanne updated the WG about progress on the PIA, and deferral of the P&SbD.
- FHIR Security - AuditEvent, Provenance, Security Labels – Kathleen gave an update on recent work and the WG need to review the solution to the security label versioning issue that Lloyd proposed.
- FHIR Consent Directive work (with CBCC) – Kathleen noted that the WGs have about 8 weeks to complete all the documentation and load the value sets and model spreadsheets into the build, have these QA’d etc.
- Security/EHR Vocabulary Alignment – Suzanne gave a summary of recent changes in this project, and the decision to finalize the Vocabulary definitions and models developed by Mike and Diana to close out the project.
- Workgroup Health Update – Kathleen congratulated the much missed Princess Trish for getting the Security WG its first gold star. She the presented the statistics and discussed the need to clear out old projects from Project Insight and to send Dave Hamill an updated Security WG 3 year plan.
- Kathleen to check with Trish about where that plan is and have the WG review for any needed updates during the interim.
- She asked Dave Hamill to send Security WG cochairs the WG’s Project Insight logon and password.
Tuesday Q2
Trust Framework Work Session Attendees:
- Alexander Mense alexander.mense@hl7.at
- Andrew Torres andrew.torres@cerner.com
- Duane DeCouteau ddecouteau@edmondsci.com
- Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
- Guillaume Rossignol guillaume.rossignol@almeris.com
- Mohammad Jafari mjafari@edmondsci.com
- Kathleen Connor kathleen.connor@comcast.net
- Pete Gilbert peter.gilbert@mhplan.com
- Pete Robinson pete@cedarbridge.com
- Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov
- Beth Pumo beth.pumo@kp.org
Cochair: Alex Mense Review of Current Trust Framework Efforts Kathleen referred WG to the Security Trust Library where she has uploaded material related to: • Trust Framework Governance initiatives discussed included: o DirectTrust and its accreditation program for Direct Trust Bundles o Nate and its accreditation program for PHRs o IDESG Trust Framework and Trust Marks, which are being developed by GTRI [Georgia Tech Research Institute] with support from NSTIC for self-assessment and establishing “Trust Federations” among stakeholder communities’ identity and service providers. Each Trust Federation licenses the Trust Marks developed by GTRI in accordance with IDESG privacy, security, trust, standards, and other requirements. • Trust Framework established and emerging standards discussed included description of how GTRI trust marks were developed and how they work. • Trust Framework requirements from various jurisdictions including the THEWS and Privacy Architecture for Ubiquitous Health work that Bernd Blobel has authored. Alexander provided more detail on this work and its uptake in EU. • Health applications for Block Chaining. Guillaume described some possible applications for health care financial transactions and how vendors are able to provide block chaining services at a low price to consumers and businesses, such as http://proofofexistence.com Kathleen discussed the how the HL7 Trust Labels can be used as Access Control Information in the HL7 Security Labeling Service, Trust model in the HL7 PASS Access Control Functional Model, and planned work on Trust Framework models in the Privacy and Security Architecture Framework [PSAF].
She also discussed initial work on a FHIR Trust Framework profile on Contract that could use the HL7 Trust Labels, possibly leverage the GTRI Trust Mark approach for developing FHIR Trust Marks, which could be referenced by a FHIR Trust Framework instance to stipulate the Trust Marks to which the parties agree to comply. See CBCC Montreal WGM Minutes