
Difference between revisions of "March 22, 2016 Security Conference Call"

 
Line 79: Line 79:
 
Note that there will be a FHIR Security call at 2pm PT/5pm ET
 
Note that there will be a FHIR Security call at 2pm PT/5pm ET
 
See agenda at [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-26-05 FHIR Security Agenda]
 
See agenda at [http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2016-26-05 FHIR Security Agenda]
 +
  
 
= Minutes =
 
= Minutes =
#Agenda and Minutes -Chaired by John
+
# John chaired. Agenda and Minutes approved
#Rick discussed updated P&SbD PSS, Risk Section, FHIR test scripts based on [http://hl7-fhir.github.io/testscript.htmlFHIR TestScript Resource]
+
# Rick discussed updated P&SbD PSS, Risk Section, FHIR test scripts based on TestScript Resource<http://hl7-fhir.github.io/testscript.htmlFHIR>
#Approved Security WG March 15 Minutes
+
# Review updated P&SbD PSS, Discussion, Rick:
 
 
-Review updated P&SbD PSS, Discussion, Rick:  
 
 
*Reviewed the scope statement
 
*Reviewed the scope statement
 
*Added bullet to show impact on FHIR
 
*Added bullet to show impact on FHIR
 
*Area's that were changed have been highlighted
 
*Area's that were changed have been highlighted
 
*FMG has been added as interested party
 
*FMG has been added as interested party
*Test Scripts were added  
+
* Test Scripts were added
 
+
===P&SbD PSS Project Risk and Issues:===
 
 
 
 
*Project Risk and Issues:  
 
 
*(John & Kathleen) FHIR test scripts not sufficient, need more detail to Privacy and Security
 
*(John & Kathleen) FHIR test scripts not sufficient, need more detail to Privacy and Security
* what requirements are we exercising the test scripts that are approved by FHIR Management Group
+
*What requirements are we exercising the test scripts that are approved by FHIR Management Group?
 
*Possible issue of validating test scripts
 
*Possible issue of validating test scripts
*Recourse availability
+
*Need to ensure developer and SME resource availability to develop the scripts
*Subject Matter Expert availability
+
*Policy must be declared for test scripts, which will follow from use cases that make sense for Connectathons, but the use case policies are not binding on the spec.
*Policy must be declared for test scripts
+
*The threat environment is extremely dynamic, may need to pick unrealistic set of threats as example if that’s what’s being tested.  However, these test scripts are not intended be  bound to any particular “risk assessment”
*The threat Environment is extremely dynamic, may need to pick unrealistic set of threats as example
 
 
*Note: HL7 risk is internal (Rick)
 
*Note: HL7 risk is internal (Rick)
*Note: Test scripts are not being balloted, they are being exercised (Kathleen)
+
*Note: Test scripts are not being balloted, they are being exercised (Kathleen)
 
+
===Comments/Question:===
 
+
* John needed more clarity on the last portion of Presentation, why test scripts are attached to PSS?
*comments/Question:  
+
*Answer: Kathleen approached the Standards Governance Board (SGB) they did not want a Guide
*John needed more clarity on the last portion of Presentation, why test scripts are attached to PSS?  
+
*SGB requested the Guide to be exercised by creating FHIR test Scripts.
*Answer:  
+
*CBCC and Security would start creating test script profiles in order to be available for Connectathon use
*Kathleen approached the Standards Governance Board (SGB) they did not want a Guide
+
*Next Step: Obtain Standards Governance Board feedback and CBCC and interest parties
*SGB requested the Guide to be exercised by creating FHIR test Scripts.
+
*Motion approved (Kathleen, John, Suzanne) 3/0/0 :
*CBCC and Security would start creating test script profiles in order to be available for connectathon use
+
*Motion to approve if there any substantive changes Security WKG would be able to weigh in on decision
 
+
Rick invited member to attend joint project meetings (ARB, CBCC, Security) held Wednesdays at 4 p.m. Eastern. Meeting information and invites have been sent to the list and available on HL7 conference site.
*Next Step: Obtain Standards Governance Board feedback and CBCC and interest parties  
+
===PASS, Joint Vocabulary, and FHIR Security Report Outs===
 
+
*PASS Access Control Services Conceptual Model Diana: NTR Waiting to hear back from Alex on Bernd’s comments
*Motion approved (Kathleen, John, Suzanne)3/0/0 :
+
*Joint Vocabulary Alignment Update Diana NTRVocab Alignment meeting was cancelled
* Motion to approve if there any substantive changes Security WKG would be able to weigh in on decision
+
*PASS Audit Conceptual Model – Diana – NTR
 
+
*FHIR Security report out JohnContinued work on signature and harmonization. No issues to report.
 
 
 
 
-Joint project meetings (ARB, CBCC, Security) held Wednesdays at 4 p.m. Eastern. Meeting information and invite
 
*
 
-PASS Access Control Services Conceptual Model - Diana
 
* NTR
 
*Waiting to hear back from Alex
 
 
 
-Joint Vocabulary Alignment Update - Diana
 
*NTR
 
*Vocab Alignment meeting was cancelled
 
 
 
-PASS Audit Conceptual Model – Diana
 
*NTR
 
 
 
-FHIR Security report out - John
 
*Continued work on signature and harmonization
 
*No issues to report
 

Latest revision as of 19:12, 29 March 2016


Attendees

| x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|
| x | Kathleen Connor, Security Co-chair | . | Duane DeCouteau | . | Chris Clark |
| x | John Moehrke, Security Co-chair | . | Johnathan Coleman | . | Aaron Seib |
| . | Alexander Mense, Security Co-chair | . | Ken Salyards | . | Christopher D Brown TX |
| . | Trish Williams, Security Co-chair | . | Gary Dickinson | x | Dave Silver |
|   | Mike Davis | . | Ioana Singureanu | . | Mohammed Jafari |
| x | Suzanne Gonzales-Webb | . | Rob Horn | . | Galen Mulrooney |
| x | Diana Proud-Madruga | . | Ken Rubin | . | William Kinsley |
| x | Rick Grow | . | Paul Knapp | x | Mayada Abdulmannan |
| x | Glen Marshall, SRS | . | Bill Kleinebecker | . | Christopher Shawn |
| . | Oliver Lawless | . | [mailto | . | Serafina Versaggi |
| x | Beth Pumo | . | Russell McDonell | . | Paul Petronelli, Mobile Health |
| . | Christopher Doss | . | Kamalini Vaidya | . | TBD |


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve Security WG March 15 Minutes
  3. (10 min) Review updated P&SbD PSS - Rick
  4. ( 5 min) PASS Access Control Services Conceptual Model - Diana
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PASS Audit Conceptual Model – Diana
  7. ( 5 min) FHIR Security report out - John
    • Any changes expecting to be tested at the next FHIR Connectathon need to be submitted into the build by March 27th.

Note that there will be a FHIR Security call at 2pm PT/5pm ET. See agenda at FHIR Security Agenda


Minutes

  1. John chaired. Agenda and Minutes approved
  2. Rick discussed updated P&SbD PSS, Risk Section, FHIR test scripts based on FHIR TestScript Resource <http://hl7-fhir.github.io/testscript.html>
  3. Review updated P&SbD PSS, Discussion, Rick:
  • Reviewed the scope statement
  • Added bullet to show impact on FHIR
  • Areas that were changed have been highlighted
  • FMG has been added as interested party
  • Test Scripts were added

P&SbD PSS Project Risk and Issues:

  • (John & Kathleen) FHIR test scripts not sufficient, need more detail to Privacy and Security
  • What requirements are we exercising with the test scripts that are approved by the FHIR Management Group?
  • Possible issue of validating test scripts
  • Need to ensure developer and SME resource availability to develop the scripts
  • Policy must be declared for test scripts, which will follow from use cases that make sense for Connectathons, but the use case policies are not binding on the spec.
  • The threat environment is extremely dynamic; may need to pick an unrealistic set of threats as an example if that’s what’s being tested. However, these test scripts are not intended to be bound to any particular “risk assessment”
  • Note: HL7 risk is internal (Rick)
  • Note: Test scripts are not being balloted, they are being exercised (Kathleen)

Comments/Question:

  • John needed more clarity on the last portion of the presentation: why are test scripts attached to the PSS?
  • Answer: Kathleen approached the Standards Governance Board (SGB); they did not want a Guide
  • SGB requested the Guide to be exercised by creating FHIR test scripts.
  • CBCC and Security would start creating test script profiles in order to be available for Connectathon use
  • Next Step: Obtain feedback from the Standards Governance Board, CBCC and interested parties
  • Motion approved (Kathleen, John, Suzanne) 3/0/0:
  • Motion to approve; if there are any substantive changes, the Security WG would be able to weigh in on the decision

Rick invited members to attend joint project meetings (ARB, CBCC, Security) held Wednesdays at 4 p.m. Eastern. Meeting information and invites have been sent to the list and are available on the HL7 conference site.

PASS, Joint Vocabulary, and FHIR Security Report Outs

  • PASS Access Control Services Conceptual Model – Diana – NTR: Waiting to hear back from Alex on Bernd’s comments
  • Joint Vocabulary Alignment Update – Diana – NTR: Vocab Alignment meeting was cancelled
  • PASS Audit Conceptual Model – Diana – NTR
  • FHIR Security report out – John: Continued work on signature and harmonization. No issues to report.