Difference between revisions of "HL7 FHIR Security 2016-11-29"
Revisions compared: both by JohnMoehrke (talk | contribs); the earlier revision created the page.
Revision as of 23:00, 29 November 2016
Call Logistics
Weekly: Tuesday at 05:00 EST (2 PM PST)
Conference Audio: 770-657-9270, Access: 845692
Join online meeting: https://global.gotomeeting.com/join/520841173
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Attendees (x = attended)
| Present | Member Name | Present | Member Name | Present | Member Name |
|---|---|---|---|---|---|
| x | John Moehrke, Security Co-Chair | x | Kathleen Connor, Security Co-Chair | x | Suzanne Gonzales-Webb, CBCC Co-Chair |
| . | Gary Dickinson, EHR Co-Chair | . | Johnathan Coleman, CBCC Co-Chair | . | Mike Davis |
| . | Reed Gelzer, RM-ES Lead | x | Glen Marshal | . | Galen Mulrooney |
| . | Dave Silver | . | Rob Horn | x | Judy Fincher |
| x | Diana Proud-Madruga | x | Beth Pumo | . | Oliver Lawless |
| . | Bob Dieterle | . | Mario Hyland | x | Joe Lamy |
| . | Rick Grow | . | Richard Etterma | . | Wayne Kubic |
Agenda
- Roll
- Approval of agenda
- Approval of the HL7 FHIR Security 2016-11-08 Minutes
- All open security tracker items: http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- September Ballot items must be addressed by November 20 -- see http://wiki.hl7.org/index.php?title=FHIR_Ballot_Prep
- Discuss Action items
  - Kathleen
    - 9042 Add RBAC as value set for AuditEvent.participant.role
    - 9043 Add ABAC as alternative value set for AuditEvent.participant.role
    - 9052 Add SNOMED Structural Roles as value set for AuditEvent.participant.role
    - 11071 Improve security label guidance - 2016-09 core #90
    - 10343 Three additional Signature.type codes
    - 10382 Provenance activity codes are insufficient/inappropriate
  - John
  - Gary
    - 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set
- New business?
- FHIR Security block vote
Minutes
- John Chair
- Agenda
- Discussion of improvement opportunity presented by the three existing security/privacy pages
- Outline for a FAQ improvement on the module page
- Access Control
  - Access Control diagram from Mike (Inputs – Decision – Enforcement – Outputs)
  - Using OAuth
    - Identity
      - Leverage OpenID Connect
      - Federate (cross-reference, mapping) to local identity descriptions
        - Informally, or Formally
    - Roles
      - Using Standard roles from HL7
      - Using local codes
      - Clearance
    - Scopes
      - Using SMART scopes
        - Basic starter set
        - Supports Organizational use-cases with simple consent
        - Doesn’t support fine-grain
        - Doesn’t support complex consent
      - Using HEART – UMA
    - Using Cascading Authorization Servers
      - Bridging SMART and UMA and organizational requirements
  - Using Security labels
    - HCS conformance
      - MUST have a _confidentiality value (1..1)
      - Use of persistence label
      - Bundle use of security_tags – high-water
      - Comprehensive security_tags on each resource communicated to a trusted peer
      - Using security labels from a consent directive (privacy policy) on governed resources
      - Using Clearance with security labels
  - Bring in stuff from the Privacy Consent Implementation Guide (Consent IG)
    - TODO
  - Should we create a new page, parallel with security.html -- privacy.html
    - Privacy Principles
    - Consent as a way to control Collection/Use/Disclosure
    - ISO four models (In, Out, In with exceptions, Out with exceptions)
  - Trust Framework
    - impact on the Conformance resource published by partners.
    - Establishing trust Contracts between trading partners
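The "Using Security labels" items in the minutes (one mandatory confidentiality label per resource, the high-water rule for a Bundle, and comparing a clearance against labels) can be checked mechanically. The following Python is an added example written for this page; it is not code from the wiki, the FHIR specification or HL7. The confidentiality code system URL (it changed between FHIR releases), the U < L < M < N < R < V restrictiveness ordering, and the sample resources are assumptions or constructed data.

```python
"""Checks for FHIR meta.security confidentiality labels (added example, not HL7 code)."""
from typing import Dict, List, Optional

# Assumed: the HL7 v3 Confidentiality code system URL used by FHIR releases of 2016.
CONF_SYSTEM = "http://hl7.org/fhir/v3/Confidentiality"
# Assumed ordering from least to most restrictive: U (unrestricted) ... V (very restricted).
CONF_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


def confidentiality_codes(resource: Dict) -> List[str]:
    """Return every confidentiality code carried in resource.meta.security."""
    labels = resource.get("meta", {}).get("security", [])
    return [c["code"] for c in labels if c.get("system") == CONF_SYSTEM and "code" in c]


def check_confidentiality(resource: Dict) -> List[str]:
    """HCS conformance point from the minutes: exactly one (1..1) confidentiality label.

    Returns a list of problems; an empty list means the resource passes.
    """
    codes = confidentiality_codes(resource)
    problems: List[str] = []
    if not codes:
        problems.append("missing confidentiality label (1..1 required)")
    elif len(codes) > 1:
        problems.append(f"more than one confidentiality label: {codes}")
    for code in codes:
        if code not in CONF_RANK:
            problems.append(f"unknown confidentiality code {code!r}")
    return problems


def bundle_high_water(bundle: Dict) -> Optional[str]:
    """High-water rule: the Bundle must carry the most restrictive label found on any
    entry resource. Returns that code, or None when no entry carries a known label."""
    best: Optional[str] = None
    for entry in bundle.get("entry", []):
        for code in confidentiality_codes(entry.get("resource", {})):
            if code in CONF_RANK and (best is None or CONF_RANK[code] > CONF_RANK[best]):
                best = code
    return best


def clearance_permits(clearance: str, resource: Dict) -> bool:
    """Clearance check: the requester's clearance must be at least as high as the
    resource's single confidentiality label. Fails closed on non-conformant labels."""
    codes = confidentiality_codes(resource)
    if len(codes) != 1 or codes[0] not in CONF_RANK or clearance not in CONF_RANK:
        return False
    return CONF_RANK[clearance] >= CONF_RANK[codes[0]]


def label(code: str) -> Dict:
    """Build a Coding for a confidentiality code."""
    return {"system": CONF_SYSTEM, "code": code}


# Constructed sample resources (not real patient data).
PATIENT = {"resourceType": "Patient", "id": "p1", "meta": {"security": [label("N")]}}
OBSERVATION = {"resourceType": "Observation", "id": "o1", "meta": {"security": [label("R")]}}
UNLABELED = {"resourceType": "Condition", "id": "c1"}
DOUBLE = {"resourceType": "Condition", "id": "c2",
          "meta": {"security": [label("N"), label("R")]}}
BUNDLE = {"resourceType": "Bundle", "type": "searchset",
          "entry": [{"resource": PATIENT}, {"resource": OBSERVATION}]}

if __name__ == "__main__":
    for res in (PATIENT, OBSERVATION, UNLABELED, DOUBLE):
        print(res["resourceType"], res["id"], check_confidentiality(res) or "ok")
    print("bundle high-water:", bundle_high_water(BUNDLE))
    print("clearance N on Observation:", clearance_permits("N", OBSERVATION))
```

The high-water value returned by `bundle_high_water` is what a server should place in the Bundle's own `meta.security` before returning a searchset, so that a receiver applying the "MUST have a _confidentiality value" rule to the Bundle sees the most restrictive label of its contents.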