This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "HL7 FHIR Security 2018-08-21"

From HL7Wiki
Jump to navigation Jump to search
(Created page with "==Call Logistics== Weekly: '''Tuesday at 02:00 pm EST''' Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 Online Meeting ID: security36 ...")
 
Line 70: Line 70:
 
** All resources can contain sensitive information, these groups are only general expectations based on the Resource intended use-case
 
** All resources can contain sensitive information, these groups are only general expectations based on the Resource intended use-case
 
** Public/Infrastructure, --- Should be Public and not sensitive themselves, but care as inappropriate use might put sensitive information within
 
** Public/Infrastructure, --- Should be Public and not sensitive themselves, but care as inappropriate use might put sensitive information within
*** Bundle, Linage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StrucureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TermininologyCapability, Library, Questioniare, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition
+
*** Bundle, Linage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StrucureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TermininologyCapability, Library, Questioniare, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition, TestScript, TestReport
 
** Business-Sensitive,  --- Mostly Public and not sensitive, but care as they may contain business sensitive  
 
** Business-Sensitive,  --- Mostly Public and not sensitive, but care as they may contain business sensitive  
 
*** Organization, OrganizationAlliliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task,  PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse,
 
*** Organization, OrganizationAlliliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task,  PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse,
 
*** all of the Financial ????
 
*** all of the Financial ????
 +
*** all of the Medication Definition ???
 
** Provider-Sensitive, --- Provider identified data, may be appropriate to release for specific use-cases, but does expose the provider individual
 
** Provider-Sensitive, --- Provider identified data, may be appropriate to release for specific use-cases, but does expose the provider individual
 
*** Appointment, AppointmentResponse, Practitioner, PractitionerRole, Person, CareTeam
 
*** Appointment, AppointmentResponse, Practitioner, PractitionerRole, Person, CareTeam

Revision as of 15:00, 21 August 2018

Call Logistics

Weekly: Tuesday at 02:00 pm EST

Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
x John Moehrke Security Co-Chair . Kathleen Connor Security Co-Chair . Alexander Mense Security Co-chair
x Suzanne Gonzales-Webb CBCC Co-Chair . Johnathan Coleman CBCC co-chair . Chris Shawn Security co-chair
x Jim Kretz . Kenneth Salyards . Nathan Botts Mobile co-chair
. Diana Proud-Madruga . Joe Lamy AEGIS x Beth Pumo
. Irina Connelly . Matt Blackman Sequoia . Mark Underwood NIST
. Peter Bachman . Grahame Greve FHIR Program Director . Kevin Shekleton (Cerner, CDS Hooks)
x Luis Maas . Julie Maas . Francisco Jauregui
. Gary Dickinson . Dave Silver . Foo Bar

Agenda


ACTIONS

  • Kathleen - update her proposal for safety checklist
  • John - propose next steps on "Security Considerations" on each FHIR page

Security Considerations on each page

  • General sensitivity:
    • All resources can contain sensitive information, these groups are only general expectations based on the Resource intended use-case
    • Public/Infrastructure, --- Should be Public and not sensitive themselves, but care as inappropriate use might put sensitive information within
      • Bundle, Linage, MessageHeader, OperationOutcome, Parameters, Subscription, CapabilityStatement, StructureDefinition, ImplementationGuide, SearchParameters, MessageDefinition, OperationDefinition, CompartmentDefinition, StrucureMap, GraphDefinition, ExampleScenario, CodeSystem, ValueSet, ConceptMap, NamingSystem, TermininologyCapability, Library, Questioniare, ActivityDefinition, DeviceDefinition, EntryDefinition, EventDefinition, ObservationDefinition, PlanDefinition, SpecimenDefinition, TestScript, TestReport
    • Business-Sensitive, --- Mostly Public and not sensitive, but care as they may contain business sensitive
      • Organization, OrganizationAlliliation, HealthcareServices, Endpoint, Location, Substance, BiologicallyDerivedProduct, Device, DeviceMetric, Task, PractitionerRole, Schedule, Slot, ProcessRequest, ProcessResponse,
      • all of the Financial ????
      • all of the Medication Definition ???
    • Provider-Sensitive, --- Provider identified data, may be appropriate to release for specific use-cases, but does expose the provider individual
      • Appointment, AppointmentResponse, Practitioner, PractitionerRole, Person, CareTeam
      • all Patient-Sensitive
      • all of the Financial
    • Patient-Sensitive
      • Patient, RelatedPerson, Person, Encounter, EpisodeOfCare, Flag
      • all of the Clinical
      • all of the Financial
    • Unknowable -- Could contain anything, thus might be public or might be highly sensitive
      • Binary, List, Group, QuestionaireResponse

resources

references


Current Open issues in gForge

  • 9167 AuditEvent+needs+to+make+more+obvious+how+to+record+a+break-glass+event (John Moehrke) Considered for Future Use
  • 10343 Three+additional+Signature.type+codes (Kathleen Connor) Considered for Future Use
  • 11071 Improve+security+label+guidance+-+2016-09+core+%2390 (Kathleen Connor) None
  • 12660 HCS+use+clarification (John Moehrke) None
  • 17192 Verification+of+given+resource+without+changing+the+content (Thomas Johansen) None
  • 17299 enhance+current+disclosure+AuditEvent+so+that+it+explains+what+is+being+recorded+and+why (John Moehrke) None
  • 17300 Break-Glass+description+needs+clarifications (John Moehrke) None
  • 14678 Implementation+guide+for+signatures+-+2018-Jan+Core+%231 (Brian Pech) Not Persuasive

Minutes

  • Roll;