Difference between revisions of "HL7 FHIR Security 2018-06-05"
JohnMoehrke (talk | contribs) (Created page with "==Call Logistics== Weekly: '''Tuesday at 02:00 pm EST''' Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 Online Meeting ID: security36 ...") |
JohnMoehrke (talk | contribs) |
||
Line 15: | Line 15: | ||
|- | |- | ||
|| x||[mailto:john.moehrke@ge.med.com John Moehrke] Security Co-Chair | || x||[mailto:john.moehrke@ge.med.com John Moehrke] Security Co-Chair | ||
− | |||| | + | ||||.||[mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair |
||||.||[mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair | ||||.||[mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair | ||
|- | |- | ||
Line 23: | Line 23: | ||
|- | |- | ||
|| x||[mailto:jim.kretz@samhsa.hhs.gov Jim Kretz] | || x||[mailto:jim.kretz@samhsa.hhs.gov Jim Kretz] | ||
− | |||| | + | ||||.||[mailto:kenneth.salyards@samhsa.hhs.gov Kenneth Salyards] |
||||.||[mailto:nathanbotts@westat.com Nathan Botts] Mobile co-chair | ||||.||[mailto:nathanbotts@westat.com Nathan Botts] Mobile co-chair | ||
|- | |- | ||
Line 39: | Line 39: | ||
|- | |- | ||
|| x||[mailto:lcmaas@emrdirect.com Luis Maas EMR Direct] | || x||[mailto:lcmaas@emrdirect.com Luis Maas EMR Direct] | ||
− | |||| | + | ||||x||[mailto:dave.silver@electrosoft-inc.com Dave Silver] |
||||x||[mailto:fjauregui@electrosoft-inc.com Francisco Jauregui] | ||||x||[mailto:fjauregui@electrosoft-inc.com Francisco Jauregui] | ||
|- | |- | ||
Line 104: | Line 104: | ||
==Minutes== | ==Minutes== | ||
* John Chaired | * John Chaired | ||
+ | * Agenda reviewed and approved | ||
+ | * approval of [[HL7 FHIR Security 2018-05-29]] Minutes -- Johnathan Coleman/Suzanne: 8-0-0 | ||
+ | * Update on GDPR | ||
+ | ** Alex is leading | ||
+ | ** Alex has the start of a spreadsheet that starts with GDPR Articles and explains FHIR capability. Tis has not yet been shared | ||
+ | ** John is working to get Confluence functional for this. Seems some authorization issues. Working with HL7 leadership | ||
+ | * ONC whitepaper | ||
+ | **Wrote and approved two new items | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=17312 17312] Emphasis+on+security+considerations+for+servers+returning+errors+to+clients (John Moehrke) Persuasive | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=17313 17313] Add+DNSSec+recommendation+to+Communication+section+on+security.html+page (John Moehrke) Persuasive | ||
+ | **Started review --- Johnathan will work with John to get these ready for approval | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=16527 16527] Access+Controls+-+Identity+Proofing (John Moehrke) None | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=16530 16530] Access+Controls+-+Protect+authenticators (John Moehrke) None | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=16532 16532] Access+Control+-+Authentication (John Moehrke) None | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=16534 16534] Access+Controls+-+Authorization (John Moehrke) None | ||
+ | **Previously approved | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=15907 15907] increase+recommendation+for+TLS+to+1.2 (John Moehrke) Persuasive | ||
+ | ***[http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=15909 15909] Input+Validation+as+a+recommendation (John Moehrke) Persuasive | ||
+ | * Reminder to look at others as we will be working through them |
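Review bot: The added GDPR sub-item "Tis has not yet been shared" has a typo and should read "This has not yet been shared". In the same hunk, every tracker link label under "ONC whitepaper" is pasted in URL-encoded form with "+" between words (for example "increase+recommendation+for+TLS+to+1.2"), which renders literally in the minutes; replace the "+" with spaces so the item titles are readable. The links also use http:// and point at the TrackerItemEdit action; if the tracker is reachable over HTTPS, link to that instead.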
Latest revision as of 21:46, 5 June 2018
Call Logistics
Weekly: Tuesday at 02:00 pm EST
Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Back to HL7 FHIR security topics
Attendees
 | Member Name | | Member Name | | Member Name
---|---|---|---|---|---
x | John Moehrke Security Co-Chair | . | Kathleen Connor Security Co-Chair | . | Alexander Mense Security Co-chair
x | Suzanne Gonzales-Webb CBCC Co-Chair | x | Johnathan Coleman CBCC co-chair | . | Chris Shawn Security co-chair
x | Jim Kretz | . | Kenneth Salyards | . | Nathan Botts Mobile co-chair
x | Diana Proud-Madruga | x | Joe Lamy AEGIS | . | Beth Pumo
. | Irina Connelly | . | Matt Blackman Sequoia | . | Mark Underwood NIST
. | Peter Bachman | . | Grahame Greve FHIR Program Director | . | Kevin Shekleton (Cerner, CDS Hooks)
x | Luis Maas EMR Direct | x | Dave Silver | x | Francisco Jauregui
Agenda
- Roll;
- approval of agenda
- approval of HL7 FHIR Security 2018-05-29 Minutes
- Announcements
- GDPR (General Data Protection Regulation) whitepaper
- Johnathan: specific guidance, given a paper from ONC that might guide improvements to the security guidance
- Johnathan provided a report to review
- KEY PRIVACY AND SECURITY CONSIDERATIONS FOR HEALTHCARE APPLICATION PROGRAMMING INTERFACES (APIS)
- Review Access Control section for improvement opportunities
- Action: everyone
- Continuous security testing and remediation
- Using off-the-shelf and open-source tools to simulate attacks, code inspection, and in other ways probe for vulnerabilities, and remediation of those vulnerabilities following Risk-Management methodology.
- All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- Improvement beyond SMART scopes
- Patient Directed backend communication
- OAuth App Registration
- Certificate Management
- New business
ACTIONS
references
- stream for Security and Privacy discussions. Specification development, and Implementation.
- stream for Patient Empowerment. Discussions about empowering patients. Focus on deployment and advocacy.
- Proposed FHIR Connectathon track for Cologne -- GDPR
- Blockchain FHIR Connectathon
- Grahame is trying to find a community wanting to 'play' with blockchain. He is willing to stand up the infrastructure.
- See blockchain zulip stream https://chat.fhir.org/#narrow/stream/blockchain
Current Open issues in gForge
- 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) Considered for Future Use
- 10343 Three additional Signature.type codes (Kathleen Connor) Considered for Future Use
- 11071 Improve security label guidance - 2016-09 core #90 (Kathleen Connor) None
- 12660 HCS use clarification (John Moehrke) None
- 14678 Implementation guide for signatures - 2018-Jan Core #1 (Brian Pech) None
- 15659 Provenance still has both identifier and reference elements (Simone Heckmann) None
- 16171 Observation.category needs test/demo/calibration codes to distinguish 'fake' data (Brian Reinhold) None
- 16345 Link to obsoleted version of HTTP specification (Luis Maas) None
- 16527 Access Controls - Identity Proofing (John Moehrke) None
- 16530 Access Controls - Protect authenticators (John Moehrke) None
- 16532 Access Control - Authentication (John Moehrke) None
- 16534 Access Controls - Authorization (John Moehrke) None
- 17192 Verification of given resource without changing the content (Thomas Johansen) None
- 17242 Recommend that IETF BCP 195 be used when TLS is used (John Moehrke) None
- 17299 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke) None
- 17300 Break-Glass description needs clarifications (John Moehrke) None
- 14027 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke) Not Related
Minutes
- John Chaired
- Agenda reviewed and approved
- approval of HL7 FHIR Security 2018-05-29 Minutes -- Johnathan Coleman/Suzanne: 8-0-0
- Update on GDPR
- Alex is leading
- Alex has the start of a spreadsheet that starts with GDPR Articles and explains FHIR capability. This has not yet been shared
- John is working to get Confluence functional for this. There seem to be some authorization issues. Working with HL7 leadership
- ONC whitepaper
- Wrote and approved two new items
- Started review --- Johnathan will work with John to get these ready for approval
- Previously approved
- Reminder to look at others as we will be working through them