Difference between revisions of "HL7 FHIR Security 2016-11-29"

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692
Join online meeting:  https://global.gotomeeting.com/join/520841173  
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics

Attendees

Agenda

• Roll;
• approval of agenda
• approval of the HL7 FHIR Security 2016-11-08 Minutes
• All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
• September Ballot items must address by November 20 -- see http://wiki.hl7.org/index.php?title=FHIR_Ballot_Prep
• Discuss Action items
• Kathleen
  • 9042 Add RBAC as value set for AuditEvent.participant.role ()
  • 9043 Add ABAC as alternative value set for AuditEvent.participant.role ()
  • 9052 Add SNOMED Stuctural Roles as value set for AuditEvent.participant.role ()
  • 11071 Improve security label guidance - 2016-09 core #90 ()
  • 10343 Three additional Signature.type codes ()
  • 10382 Provenance activity codes are insufficient/inappropriate ()
• John
  • 9167 AuditEvent needs to make more obvious how to record a break-glass event ()
  • 10579 New Security and Privacy "Module" page needs content ()
  • 10580 How should test data be identified? ()
  • 10581 something should be said about de-identification ()
• Gary
  • 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set ()
• New business?

FHIR Security block vote

Minutes

• John Chair
• Agenda
• Discussion of improvement opportunity presented by the three existing security/privacy pages
• Outline for a FAQ improvement on the module page
• Access Control
  • Access Control diagram from Mike (Inputs – Decision – Enforcement – Outputs)
  • Using OAuth
    • Identity
      • Leverage OpenID Connect
      • Federate (cross-reference, mapping) to local identity descritions
        • Informally, or Formally
    • Roles
      • Using Standard roles from HL7
      • Using local codes
      • Clearance
    • Scopes
      • Using SMART scopes
        • Basic starter set
        • Supports Organizational use-cases with simple consent
        • Doesn’t support fine-grain
        • Doesn’t support complex consent
      • Using HEART – UMA
    • Using Cascading Authorization Servers
      • Bridging SMART and UMA and organizational requirements
  • Using Security labels
    • HCS conformance
      • MUST have a _confidentiality value (1..1)
      • Use of persistence label
      • Bundle use of security_tags – high-water
      • Comprehensive security_tags on each resource communicated to a trusted peer
      • Using security lables from a consent directive (privacy policy) on goverened resources
      • Using Clearance with security labels
  • Bring in stuff from the Privacy Consent Implementation Guide (Consent IG)
    • TODO
  • Should we create a new page, parellel with security.html -- privacy.html
    • Privacy Principles
    • Consent as a way to control Collection/Use/Disclosure
    • ISO four models (In, Out, In with exceptions, Out with exceptions)
  • Trust Framework
    • impact on the Conformance resource published by partners.
    • Establishing trust Contracts between trading partners