Difference between revisions of "August 28, 2018 Security Conference Call"
Line 54: | Line 54: | ||
#* [http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF)#Trust_Framework_for_Federated_Authorization_.28TF4FA.29 TF4FA Ballot Reconciliation (wiki)] | #* [http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF)#Trust_Framework_for_Federated_Authorization_.28TF4FA.29 TF4FA Ballot Reconciliation (wiki)] | ||
#* https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot | #* https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot | ||
− | #** Comments | + | #** Comments 51 - 57 up for vote (review if necessary) ''' |
#** next week: Comments 58-72 (not including comment #66) | #** next week: Comments 58-72 (not including comment #66) | ||
#''(10 min)'' '''PASS Audit ''' document update - Mike | #''(10 min)'' '''PASS Audit ''' document update - Mike | ||
Line 75: | Line 75: | ||
− | '''GDPR | + | '''GDPR''' |
− | Baltimore GDPR chat-a-thon sometime during the WGM | + | Baltimore GDPR chat-a-thon sometime during the WGM on Sunday |
− | |||
− | |||
− | |||
− | |||
'''TF4FA''' Ballot Reconciliation | '''TF4FA''' Ballot Reconciliation | ||
* Met this AM to review; link sent out earlier | * Met this AM to review; link sent out earlier | ||
− | * Motion made to approve comments as shown (Suzanne / MikeD); comments | + | * Motion made to approve comments as shown (Suzanne / MikeD); comments 51-57 |
* Vote: approve 8; no abstentions, no opposed | * Vote: approve 8; no abstentions, no opposed | ||
Revision as of 20:50, 28 August 2018
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
---|---|---|---|---|---|---|---|---|---|---|
x | John Moehrke Security Co-chair | x | Kathleen Connor Security Co-chair | . | Alexander Mense Security Co-chair | . | Trish Williams Security Co-chair | |||
x | Christopher Shawn Security Co-chair | x | Suzanne Gonzales-Webb | x | Mike Davis | . | David Staggs | |||
x | Diana Proud-Madruga | . | Johnathan Coleman | . | Francisco Jauregui | x | Joe Lamy | |||
. | Rhonna Clark | . | Greg Linden | . | Grahame Grieve | x | Dave Silver | |||
. | Mohammed Jafari | . | Jim Kretz | . | Peter Bachman | . | [mailto: ] | |||
. | Beth Pumo | . | Bo Dagnall | . | [mailto: ] | . | [mailto: ] |
Agenda
Meeting Recording: (temporary)
- (2 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of Minutes for August 21, 2018 Security Conference Call
- (5 min) GDPR whitepaper on FHIR update - Alex, John, Kathleen
- (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
- Meetings: Tuesdays, 11:00 AM Eastern; freeconference.com same as Security call
- TF4FA Ballot Reconciliation (wiki)
- https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot
- Comments 51 - 57 up for vote (review if necessary)
- next week: Comments 58-72 (not including comment #66)
- (10 min) PASS Audit document update - Mike
- (05 min) TF4FA Trust Framework Volume 3 - Mike, Chris
- (10 min) Review of the Proposed Restructuring and Additions to FHIR Implementer’s Safety Check List developed in FHIR Security calls. - John and Kathleen
- (05 min) Security Working Group - upcoming HL7 Working Group Meeting, Baltimore Maryland
- Additional Agenda items?
- DRAFT Agenda Link: http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_-_Baltimore,_Maryland_USA
Meeting Minutes DRAFT
Chair, Kathleen Connor
Suzanne, Kathleen, Dave silver, mike, chrisS, diana, Francisco, david stagg
Meeting Minutes
- Approve Meeting Minutes from August 21, 2018 (Suzanne / ChrisS)
- Vote: approve 8; no abstentions, no opposed
- Suzanne to update comment ballot spreadsheet
GDPR
Baltimore GDPR chat-a-thon sometime during the WGM on Sunday
TF4FA Ballot Reconciliation
- Met this AM to review; link sent out earlier
- Motion made to approve comments as shown (Suzanne / MikeD); comments 51-57
- Vote: approve 8; no abstentions, no opposed
Trust Framework, Volume 3
- Chris does not have much to say about the update
- continue to work on the figures/diagrams (completed--shared on clal previously)
- attempting to complete the descriptions and remaining content of the doc
- some volunteers may be assisting
PASS Audit Document update
- TF4FA has been the priority
- not much happening with the document update
Review of the Poporsed Restructuring and Additions to FHIr Impement Safety Check List
- the FHIR spec has a couple of different informational pages, security page is one that we own (signatures we owne, etc)
- ther eis a safety page that hasn't received a lto of visibility until now; if you knew the propoer incantation you were able to get ther
- its starting to mature and gain more visibility
- it was devoid of security items that should rise to the occasion
- Kathleen brought this into a document format inorder to do updates/mark-up
- not made to be 100% complete, education--its a checkless for someone who already understands and wants to make sure they didn't miss anything
- needs reminders of BIG things (in the security realm)
- see 20 security 'top important things' - shouldn't be exhaustive
- what is shown is the word document - for editing sake they are numbered
- needs reminders of BIG things (in the security realm)
- PROPOSAL from FHIR -Security WG
- break this checklist down into big buckets
- PRIVACY, SECURITY, etc and other sub-cateorires in security (authentication, audit, etc)
- and the #NEW as a proposed new checklist item distinct i.e #9 (9 is already there but new information added)
- our hopes are that the NEW items add value; ultimately left many descriptions open--because the SAFETY page is owend by FHIR-I (not by security); you change the concenuse group you change the concensus
- some items may no longer appear (not part of the 80%)
Break down and re-sort under headers: time-keeping, communctions and the like
- the wording of the new items, the sentence papern in the safety checklist, is to write it as a 'security-checklist'
- LINK: in agenda
- for review; as a proposal to FHIR-I, we can vote on it next week or today; enhancements/review/comments are welcome
Baltimore Agenda John approached by PA that thought the person resource might benefit by having a security considerations section - hey reader who is going to use person resource...here are some security considerations with that thought--if eVERY group brought this question forward---everyone---POINT everyone to the security page...
- the first way to get there is to take an assessment of everything in FHIR i.e. capabilities statement (which si what a server capability is... parameters, etc) some of these resources are inherently intended to be public--certainly if they are marked sensisty, they can be marked that way. potentially pulic but can be ….(21:40)
- things that are purely business sensitive, provider sensisty and/or paitnet sensitive, etc
- doesn't take away from the need to have tagging and roles, compartments , etc... etc. just allows ther eader to start with the assumption that quite possibly the resource is indeed logical and not protected by any provider oruser authentication.
- one other item - there are people who when approach fhir security and look at our security apges come to the conclusion that absolutely everyhitng in FHIR (including test script) must have consent level control...e ven thought the item has no PII, patient reference, or the like. its putting a softer feel to inform the reader.
- if we have broader categories and we can explain what they mean--then each resource will have a security consideration if significatlny different in its category.
- we can reach out to PA and financial management and gather use cases (tasked to kathleen) to see if proposed will work
- this will help to see if this works and/or if additional buckets are needed for consideration. these are hot topics for us--risk around certain items; these are visually broad enough to cover most of the scenarios--if we can try out between now and the WGM we can provide comments
- that in mind: WGM AGenda, this item will fit:
- Mike - havenet' looked at the list - issue we have was data quality (DQ) of codes used in the system; the codes can be incorrect and the system may not work right. need to connect DQ with this and the labeling. not sure howmuch hou have in system testing but the idea is to have it as automated as possible
- john - i'm going a step back from system/system testing - this is at a broad brush to help distinguish the items that really should be public and why arent' they--vs patient sensistive and why aren't thye protected. in touch with folk with folks who had no idea of our security considerations. this is not intended to be documented enough.... further refine
- further refine in Seucirty and CBCP/Privacy... cthis is currently our crib notes
- the point brought up aking this system lvel automated, that type of system conformance testing for privacy and security SHULD happen (Kathleen) this may be a wy to flag which of the items in the checklist should be had … marked patient sensitive
Baltimore AGenda Finding a home for the topic JohnM just borught up
privacy obsoltel - final report out - will have PPT, document as deliverables; go though the findings
- reviewed in CBCP; recent activities this year that affected Privacy/CBCP
- need to shut the project down because its taing too much time, will present at minimum those three items
- cover in Monday Q3/Q4
- during regular Security Agenda
johnM topic
- work session AND topic briefing
- WED Q3 - add Security WG - FHIR topics; further refine new S&P considerations
- also add simplified view of the HCS (WED Q3);
- http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2018-08-28#Current_Open_Issues_in_gForge
- gForge items...
at the WGM before the meeting in germnay - we had discussed to formally publish the IM, take on the project work to update that model which my proposal--have we published it? or do we even have a project to update it?
- asked Trish; Alex is moving the publication forward..
- mike - how long will it take; this was not favoarate solution to IM; in addition to publishing to also add discussion of updating
- add: WED Q4 Restarting the PSAF work; (FHIM/Galen) that had several iterations of models... PSS in place, its a matter of negotiating resources and time again
- the FHIM has modefided the model as well--need to take fresh look at it; revise and updatae. in Mike's view the current is stale
- Break out session during Connectathon - to discuss the GDPR work (Alex/John); requested a breakout room for Sunday AM for a chatathon on GDPR and FHIR
- interesting - California is considering implementing GDPR
- Diana - actually there is a proposal that is supposed to show up in the November ballot (Kathleen says its sidelined, wealthy person sponsored, but went though legislature and a compromise is in place..
- moved to a flavor of regulation moved into the court language wherein it is less hard and fast.. .similiary to GDPR--sets its goals simililary to GDPR. redirected nefariously into a type of regulation/law
Katheen has put a lot of links out - has caused a ripple affect. the same folks (that JohnM described) have worked with Trump to develop the states to do the same thing) <<44:00>>
- a national … that would actually preserve privacy
During the oNC interoparetaibly forum a few weeks ago - john m led a panel discussion with 'our friends' at may (Walker Suarez, Ken-May, etc) pre-dcussion ther eis concern that a lot of wasted energy trying to understand 12-20 leels of privacy polcy on top of each other. if there is one national 'good' privacy ypolicy that would simplimfy a lto of work. these people were very clear that they not wanted to erode privacy but to make it fmore clear. An emancipated minor the transicion at idffernt time is different across tate boundaries. they have to cross tstate boundaries .. that use case is a nightmare to figure out what is it that they have to enforce. where the person requesting the data lives? where the dat lives... request resides, etc.? what is the right application to do. whent he patient says please do... what of the state location or the requester location? there is wasted energy becaue in US we hae no unification of regulation on privacy.
- this is a strength of GDPR its the entire nation and nation to nation. diana suggests adopting GDPR and being odne with it
TUES Q2 PSAF Refresh -
Motion to addjorn (Mike); meeting adjorned at 12:53 Arizona Time --Suzannegw (talk) 15:54, 28 August 2018 (EDT)