Difference between revisions of "March 8, 2016 Security Conference Call"

From HL7Wiki
Line 8: Line 8:
 
|-
 
|-
 
||  x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
 
||  x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
||||x|| [mailto:duane.decouteau@gmail.com Duane DeCouteau]
+
||||.|| [mailto:duane.decouteau@gmail.com Duane DeCouteau]
 
||||.|| [mailto:Chris.R.Clark@wv.gov Chris Clark]
 
||||.|| [mailto:Chris.R.Clark@wv.gov Chris Clark]
 
|-
 
|-
||  x|| [mailto:john.moehrke@med.ge.com John Moehrke]Security Co-chair
+
||  .|| [mailto:john.moehrke@med.ge.com John Moehrke]Security Co-chair
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:aaron.seib@2311.net Aaron Seib]
 
||||.|| [mailto:aaron.seib@2311.net Aaron Seib]
Line 49: Line 49:
 
||||x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn]
 
||||x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn]
 
|-
 
|-
||  x|| [mailto:oliver@lawless.co Oliver Lawless]
+
||  .|| [mailto:oliver@lawless.co Oliver Lawless]
 
||||.||  ...
 
||||.||  ...
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
Line 60: Line 60:
 
||||X|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
 
||||X|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
 
||||.|| [mailto: Stephanie Dyke ]
 
||||.|| [mailto: Stephanie Dyke ]
 +
||||X|| [mailto: Richard Grow ]
 
|-
 
|-
  
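Review bot: the added cell `||||X|| [mailto: Richard Grow ]` has an empty mailto target (the same defect as the neighbouring Stephanie Dyke cell) and uses an uppercase `X` where the rest of the table records attendance with a lowercase `x`; Rick Grow also already appears in this table, so this row may be a duplicate entry. Suggest supplying the address or dropping the `mailto:` wrapper, e.g. `||||x|| Richard Grow`, and checking whether only one Grow row is needed.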
Line 83: Line 84:
 
# RE: Call for comments on ISO 21298 HI - Functional and structural roles:
 
# RE: Call for comments on ISO 21298 HI - Functional and structural roles:
 
Rick Grow led discussion about ISO 21298.   
 
Rick Grow led discussion about ISO 21298.   
 +
* IS0 21218-215 Committee has a call for comments and Ballot Vote Draft Standard, this is the third draft standard  due 03/24/2016
 
*Description of this draft standard: Defines a model for expressing functional and structural roles and populates it with a basic set of roles for international use in health applications. Roles are generally assigned to entities that are actors. This will focus on roles of persons (e.g. the roles of health professionals) and their roles in the context of the provision of care (e.g. subject of care).
 
*Description of this draft standard: Defines a model for expressing functional and structural roles and populates it with a basic set of roles for international use in health applications. Roles are generally assigned to entities that are actors. This will focus on roles of persons (e.g. the roles of health professionals) and their roles in the context of the provision of care (e.g. subject of care).
 
*Possible comment areas: This draft standard references ISO 22600 in several areas, including the area of access control policy. To sufficiently cover policy, it should also reference the recently balloted HL7 PASS Access Control Services Conceptual Model. Additionally, this draft standard references the RBAC Healthcare Permission Catalog. The Catalog was recently updated and balloted in HL7 and is now known as the HL7 Healthcare (Security and Privacy) Access Control Catalog. ISO 21298 should reference the updated Catalog and make the appropriate adjustments in its discussion of RBAC and other access control methods.
 
*Possible comment areas: This draft standard references ISO 22600 in several areas, including the area of access control policy. To sufficiently cover policy, it should also reference the recently balloted HL7 PASS Access Control Services Conceptual Model. Additionally, this draft standard references the RBAC Healthcare Permission Catalog. The Catalog was recently updated and balloted in HL7 and is now known as the HL7 Healthcare (Security and Privacy) Access Control Catalog. ISO 21298 should reference the updated Catalog and make the appropriate adjustments in its discussion of RBAC and other access control methods.
# RE:PASS Access Control Services Conceptual Model:
+
 
 +
 
 +
Possible Comment:
 +
 
 +
# RE:PASS Access Control Services Conceptual Model: (Diana)
 +
* Waiting to hear from Alex on his discussion with Berns for confirmation
 +
* Imputing changes to VA and DoD comments that have been accepted and negative votes that were withdrawn
 +
Action Item: Will forward email to Mike Davis on discussion with Alex
 
# RE: Joint Vocabulary Alignment Update:
 
# RE: Joint Vocabulary Alignment Update:
 +
*NTR
 +
*Replying to emails, meeting did not occur
 
# RE: PASS Audit Conceptual Model:
 
# RE: PASS Audit Conceptual Model:
 +
*NTR
 
# RE: FHIR Security report out:
 
# RE: FHIR Security report out:
 +
*Passed a few CP's
 +
*FHIR Build will be frozen March 27, 2016 for the Connectathon
 +
*Next Step: To update the Build with revisions
 +
 +
#Hot Topic: Cloud Computing (Rick)
 +
 +
*A request was received from Alebrto Montristo WK from University of Trento. They expressed concern about putting Health Data in the Cloud, and are seeking assistance to design a secured system.
 +
*Rick responded to the request and pointed to HL7 specifications should be reviewed and applied, and once applied as a WK we would be able to assit. Also pointed them to the FHIR Security page to show examples of  HCS, Security Labeling, and Consent Management. Also provided info on SOA WG. 
 +
 +
* Recommendation: (Mike Davis)
 +
also provide them information on Fed Ramp which currently provide  Medium level certification to cloud providers. Government and Private Healthcare Partners need high certifications based on SVCS requirements and are seeking to change the Fed Ramp Medium Level Certifications. Th The Cloud Security Alliance is also a good resource for further information. NSA also has technology to create a secure cloud environment. 
 +
 +
*Request (Kathleen):
 +
#SOA:
 +
Requesting anyone who has HL7 Standards or cloud implementation Guides for healthcare to please forward the information to Kathleen Connor. This information will be shared with the HL7 Cloud Planning Guide Group. The objective is to create one document that reference all the HL7 document for those who are seeking cloud implementation.
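Review bot: the numbered items in this hunk are `#` lines separated by blank lines and plain-text paragraphs, which makes MediaWiki restart each list at 1 (the rendered revision shows every item as "1."); keep the `#` items contiguous or write the numbers explicitly. Several typos are introduced here as well: `IS0 21218-215` (digit zero) against `ISO 21298` in the heading, `assit`, `Th The`, and the `Possible Comment:` line has no comment text under it.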

Revision as of 18:06, 14 March 2016


Attendees

x  Member Name                         |  x  Member Name          |  x  Member Name
x  Kathleen Connor, Security Co-chair  |  .  Duane DeCouteau      |  .  Chris Clark
.  John Moehrke, Security Co-chair     |  .  Johnathan Coleman    |  .  Aaron Seib
.  Alexander Mense, Security Co-chair  |  .  Ken Salyards         |  .  Christopher D Brown TX
.  Trish Williams, Security Co-chair   |  .  Gary Dickinson       |  x  Dave Silver
x  Mike Davis                          |  .  Ioana Singureanu     |  .  Mohammed Jafari
   Suzanne Gonzales-Webb               |     Rob Horn             |  .  Galen Mulrooney
x  Diana Proud-Madruga                 |  .  Ken Rubin            |  .  William Kinsley
x  Rick Grow                           |  .  Paul Knapp           |  x  Mayada Abdulmannan
x  Glen Marshall, SRS                  |  .  Bill Kleinebecker    |  x  Christopher Shawn
.  Oliver Lawless                      |  .  ...                  |  .  Serafina Versaggi
x  Beth Pumo                           |  .  Russell McDonell     |  .  Paul Petronelli, Mobile Health
.  Christopher Doss                    |  x  Kamalini Vaidya      |  .  Stephanie Dyke  |  x  Richard Grow


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve March 1, 2016 Security WG Conference Call Minutes
  3. ( 5 min) Call for comments on ISO 21298 HI - Functional and structural roles - Rick G.
  4. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PASS Audit Conceptual Model – Diana
  7. ( 5 min) FHIR Security report out - John
    • Any changes expecting to be tested at the next FHIR Connectathon need to be submitted into the build by March 27th.

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See the agenda at FHIR Security Agenda.

Minutes

  1. TBD chaired. Agenda and Minutes [approved]
  2. RE: Call for comments on ISO 21298 HI - Functional and structural roles:

Rick Grow led discussion about ISO 21298.

  • ISO 21218-215 Committee has a call for comments and a ballot vote on the draft standard; this is the third draft standard, due 03/24/2016.
  • Description of this draft standard: Defines a model for expressing functional and structural roles and populates it with a basic set of roles for international use in health applications. Roles are generally assigned to entities that are actors. This will focus on roles of persons (e.g. the roles of health professionals) and their roles in the context of the provision of care (e.g. subject of care).
  • Possible comment areas: This draft standard references ISO 22600 in several areas, including the area of access control policy. To sufficiently cover policy, it should also reference the recently balloted HL7 PASS Access Control Services Conceptual Model. Additionally, this draft standard references the RBAC Healthcare Permission Catalog. The Catalog was recently updated and balloted in HL7 and is now known as the HL7 Healthcare (Security and Privacy) Access Control Catalog. ISO 21298 should reference the updated Catalog and make the appropriate adjustments in its discussion of RBAC and other access control methods.

Possible Comment:

  3. RE: PASS Access Control Services Conceptual Model: (Diana)
  • Waiting to hear from Alex on his discussion with Berns for confirmation
  • Inputting changes to VA and DoD comments that have been accepted and negative votes that were withdrawn

Action Item: Will forward email to Mike Davis on discussion with Alex

  4. RE: Joint Vocabulary Alignment Update:
  • NTR
  • Replying to emails; the meeting did not occur
  5. RE: PASS Audit Conceptual Model:
  • NTR
  6. RE: FHIR Security report out:
  • Passed a few CPs
  • The FHIR Build will be frozen March 27, 2016 for the Connectathon
  • Next Step: update the Build with revisions
  7. Hot Topic: Cloud Computing (Rick)
  • A request was received from Alebrto Montristo WK from the University of Trento. They expressed concern about putting health data in the cloud and are seeking assistance to design a secured system.
  • Rick responded to the request and pointed out that the HL7 specifications should be reviewed and applied, and that once applied as a WK we would be able to assist. He also pointed them to the FHIR Security page for examples of HCS, Security Labeling, and Consent Management, and provided information on the SOA WG.
  • Recommendation (Mike Davis): also provide them information on FedRAMP, which currently provides Medium-level certification to cloud providers. Government and private healthcare partners need high certifications based on SVCS requirements and are seeking to change the FedRAMP Medium-level certification. The Cloud Security Alliance is also a good resource for further information. NSA also has technology to create a secure cloud environment.
  • Request (Kathleen):
  8. SOA:

Requesting anyone who has HL7 standards or cloud implementation guides for healthcare to please forward the information to Kathleen Connor. This information will be shared with the HL7 Cloud Planning Guide Group. The objective is to create one document that references all the HL7 documents for those who are seeking cloud implementation.