This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "October 19, 2010 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
Line 39: Line 39:
 
''Richard will contact international members asking them if they can provide a brief report out during Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers and the various entities with which providers share protected health information will protect consumer's privacy preferences''
 
''Richard will contact international members asking them if they can provide a brief report out during Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers and the various entities with which providers share protected health information will protect consumer's privacy preferences''
  
1. Richard brief conversation occurred at the HL7 meeting in Cambridge.  Richard hopes to have something circulated in a week (paper also distributed at WG meeting)’’
+
Richard had a brief conversation that occurred at the HL7 meeting in Cambridge.  ''Richard hopes to have something circulated in a week (paper also distributed at WG meeting)''
 
Question:  (Mike) Is this an ongoing effort?
 
Question:  (Mike) Is this an ongoing effort?
 
Answer: This is basically, a white paper to suggest different kinds of ways how (CBCC) attempts to conceptualize; how we might measure (i.e. each US state or any other place) the quality of the performance of data being shared.  How we effectively share and do not share our data—how we share as in ‘’community based collaborative care.
 
Answer: This is basically, a white paper to suggest different kinds of ways how (CBCC) attempts to conceptualize; how we might measure (i.e. each US state or any other place) the quality of the performance of data being shared.  How we effectively share and do not share our data—how we share as in ‘’community based collaborative care.
Line 52: Line 52:
 
''Steve Connolly had started a mapping of [http://gforge.hl7.org/gf/download/docmanfileversion/5921/7656/HarmonizedDAMXSPA20100507.xlsx DAM Attributes to Standards] Using Steve’s spreadsheet as an example, I (Mike) would like to propose as an activity to the Information Model and Domain Analysis Model project:''
 
''Steve Connolly had started a mapping of [http://gforge.hl7.org/gf/download/docmanfileversion/5921/7656/HarmonizedDAMXSPA20100507.xlsx DAM Attributes to Standards] Using Steve’s spreadsheet as an example, I (Mike) would like to propose as an activity to the Information Model and Domain Analysis Model project:''
 
* To continue the work that Steve had started in this WG to map US-realm standard to the IM
 
* To continue the work that Steve had started in this WG to map US-realm standard to the IM
** Create a US realm profile of the IM – ANSI, OASIS, HL7 standards – carry those as a US profile
+
** Create a US realm profile of the Information Model (DAM) – ANSI, OASIS, HL7 standards – carry those as a US profile
 
** Create more of an international profile where we focus more on ISO standards where we map into the IM in order to provide standardized vocabulary
 
** Create more of an international profile where we focus more on ISO standards where we map into the IM in order to provide standardized vocabulary
  
 
The purpose of this activity is to verify the attributes in the Information Model-- that we’ve completed is backed up by a standard. We provide US and International realms (general purpose) to create mapping/vocabulary.   
 
The purpose of this activity is to verify the attributes in the Information Model-- that we’ve completed is backed up by a standard. We provide US and International realms (general purpose) to create mapping/vocabulary.   
 
* Identify gaps during this activity and where we can, close those gaps.   
 
* Identify gaps during this activity and where we can, close those gaps.   
This is a continuation of activities CBCC and Security have already been engaged in. View this as more maintenance of the information model and the result will be useful to the ontology work—''mapped standards and values set.''  When we start getting into other classes, (we are working on RBAC now), we are using primarily HL7 work.  We then apply ASTM standards work which is purely representational because ASTM is only a US-realm standards organization.  This proposal would continue to prepare our ontology work by bringing the focus in.  As a group we need to look at other standards in this activity, we need to look at the Information Model classes and use our subject-matter expertise to say ''this standard probably belongs here.''
+
This is a continuation of activities CBCC and Security have already been engaged in. View this as more maintenance of the information model and the result will be useful to the ontology work—''mapped standards and values set.''  When we start getting into other classes, (we are working on RBAC now), we are using primarily HL7 work.  We then apply ASTM standards work which is purely representational because ASTM is only a US-realm standards organization.  This proposal would continue to prepare our ontology work by bringing the focus in.   
 +
 
 +
As a group we need to look at other standards in this activity, we need to look at the Information Model classes and use our subject-matter expertise to say ''this standard probably belongs here.''
  
 
Within the US-realm we can take this model (which has already been provided to HHS, FHIMS group.  Note: They do not have a US-realm vocabulary, so this vocabulary work will be within HL7).  If we create these 2 profiles (US- and International-) we may want to make them official vocabulary profiles for (output) and possibly go through the ballot process.  
 
Within the US-realm we can take this model (which has already been provided to HHS, FHIMS group.  Note: They do not have a US-realm vocabulary, so this vocabulary work will be within HL7).  If we create these 2 profiles (US- and International-) we may want to make them official vocabulary profiles for (output) and possibly go through the ballot process.  
Question:  ‘’How are domain specific vocabularies done? In HL7 are vocabularies just indicated or are they balloted?’’ (We do not know that answer)   
+
Question:  ''How are domain specific vocabularies done? In HL7 are vocabularies just indicated or are they balloted?'' (We do not know that answer)   
 
(Richard) In doing this activity, we may be going outside of healthcare realm.
 
(Richard) In doing this activity, we may be going outside of healthcare realm.
(Mike)  yes, so if vocabulary is outside healthcare domain we would have to identify that.
+
(Mike)  Yes, so if vocabulary is outside healthcare domain we would have to identify that.
(Richard)  In order to facilitate exchange across the silos it’s useful to have these standards harmonized
+
(Richard)  In order to facilitate exchange across the silos it’s useful to have these standards harmonized.
 
(Mike) As we go through the activity, that may be a  consequence which might happen.  The activity would map the current work to the standards as two different things realms: US and International.  We may find that there are gaps or not, or more than one standard that could be used—if there is more than one standards, then that’s where we need to harmonize.   
 
(Mike) As we go through the activity, that may be a  consequence which might happen.  The activity would map the current work to the standards as two different things realms: US and International.  We may find that there are gaps or not, or more than one standard that could be used—if there is more than one standards, then that’s where we need to harmonize.   
  
(Serafina)  Who has the latest version of Steve’s work;
+
(Serafina)  Who has the latest version of Steve’s work?
(Suzanne)  it’s posted in GForge:  [http://gforge.hl7.org/gf/download/docmanfileversion/5926/7674/OntologyLayeringArchitectureandReviewGrid_v12010.10.19.docx under ‘’Ontology Layering Architecture and Review Grid’’] dated 5/7/2010.
+
(Suzanne)  It’s posted in GForge:  [http://gforge.hl7.org/gf/download/docmanfileversion/5926/7674/OntologyLayeringArchitectureandReviewGrid_v12010.10.19.docx under ‘’Ontology Layering Architecture and Review Grid’’] dated 5/7/2010. It’s in the form of a spreadsheet.  We should probably rearrange the spreadsheet so that the elements of the Information Model and the standard are next to each other.  
It’s in the form of a spreadsheet.  We should probably rearrange the spreadsheet so that the elements of the Information Model and the standard are next to each other.  
 
  
 
(Serafina) Are you expecting an annotation to the model, i.e. being added to the Domain Anaylsis Model?
 
(Serafina) Are you expecting an annotation to the model, i.e. being added to the Domain Anaylsis Model?
Line 77: Line 78:
  
 
(Serafina) No, that sounds logical.
 
(Serafina) No, that sounds logical.
(Mike) I’m bringing this to Working Group as a suggestion, not as a proposal. We need to pick up the work to see it and continue to talk about this as ongoing discussion as we progress forward.  I’d propose we take a look at the Information Model and think about this spreadsheet. It requires knowledge of the standards-- a number of standards.  The ‘’I think this standard is relevant’’ portion, I’d like to have input from the members.  Send input to Suzanne, Mike or Richard—contact information is on the list---maybe we should look at this stand, what we are looking for now knowledge of a us realm or other standard that will apply to the information model and if you are aware, it would save us time using this group as acknowledge base…take this on as a group activity.
+
(Mike) I’m bringing this to Working Group as a suggestion, not as a proposal. We need to pick up the work to see it and continue to talk about this as ongoing discussion as we progress forward.  I’d propose we take a look at the Information Model and think about this spreadsheet. It requires knowledge of the standards-- a number of standards.  The ''I think this standard is relevant'' portion, I’d like to have input from the members.  Send input to Suzanne, Mike or Richard—contact information is on the list---maybe we should look at this stand, what we are looking for now knowledge of a us realm or other standard that will apply to the information model and if you are aware, it would save us time using this group as acknowledge base…take this on as a group activity.
  
‘’’ ‘’END Joint Security-CBCC WG meeting– start CBCC WG Meeting’’ ‘’’
+
''' ''END Joint Security-CBCC WG meeting– start CBCC WG Meeting'' '''
 
CBCC Agenda
 
CBCC Agenda
 
No meeting minutes were approved; attendees are in agreement to allow Tony (and Jon) to continue their presentation into the CBCC meeting as noted in the agenda.  
 
No meeting minutes were approved; attendees are in agreement to allow Tony (and Jon) to continue their presentation into the CBCC meeting as noted in the agenda.  
  
 
Live Meeting Presentation of updated Security and Privacy Ontology
 
Live Meeting Presentation of updated Security and Privacy Ontology
‘’’Ontology update’’’
+
'''Ontology update'''
 
[http://gforge.hl7.org/gf/download/docmanfileversion/5866/7571/Ontologies2010-09-24.zip  Updated draft of the Security-Privacy Ontology expressed in OWL 2 and suitable for viewing with the Protégé 4.1 OWL Editor]
 
[http://gforge.hl7.org/gf/download/docmanfileversion/5866/7571/Ontologies2010-09-24.zip  Updated draft of the Security-Privacy Ontology expressed in OWL 2 and suitable for viewing with the Protégé 4.1 OWL Editor]
 
Draft sent for review on 10/18/2010
 
Draft sent for review on 10/18/2010
  
 
(Note: Meeting minutes are sparse, w/ missing information)
 
(Note: Meeting minutes are sparse, w/ missing information)
One unified artifact: In the nomenclature of OWL you can relate to multiple ontologies (maintenance and use) our first base level address HL7 RBAC, security and privacy in general.  A second ontology adds VHA structural and a third builds on that an example of a local security and privacy setting where we have classes of individual that are related to each other.  You can think of it as unified but composed of separable pieces.  In addition, Jon took a look at the ontology and created a ‘’tabular view’’
+
One unified artifact: In the nomenclature of OWL you can relate to multiple ontologies (maintenance and use) our first base level address HL7 RBAC, security and privacy in general.  A second ontology adds VHA structural and a third builds on that an example of a local security and privacy setting where we have classes of individual that are related to each other.  You can think of it as unified but composed of separable pieces.  In addition, Jon took a look at the ontology and created a ''tabular view''
  
(Jon) Presenting Ontology in ‘’tabular view’’ – there are a lot of moving parts (actually 3 ontologies)
+
(Jon) Presenting Ontology in ''tabular view – there are a lot of moving parts (actually 3 ontologies)
 
(Note: Meeting minutes are sparse, w/ missing information)
 
(Note: Meeting minutes are sparse, w/ missing information)
 
#*[http://gforge.hl7.org/gf/download/docmanfileversion/5867/7572/HL7SecurityandPrivacyOntologyUpdate-2010-09-24.docx Updated Word document with screenshots and other information for those not using Protégé]
 
#*[http://gforge.hl7.org/gf/download/docmanfileversion/5867/7572/HL7SecurityandPrivacyOntologyUpdate-2010-09-24.docx Updated Word document with screenshots and other information for those not using Protégé]
Line 103: Line 104:
 
When you get into protégé, there are hundreds already (thousands of classes of rules, relationships and classes)—how can one evaluate all that stuff and know where you are in that process?  As I set out to pilot this, it occurred to me it might be nice to have a grid in which to record comments.  A second grid with classes on the left and layers (ontology) on across the top, then if I am doing that review—any time I have a comment, say if comment only applies to layer and not the class I can apply the note to that layer.  If my comment is specific, then I can apply the comment to a cell.  I’m proposing a grid model that for reviewing the architecture from the 5000 feet as well as capture comments at the 50 foot level.   
 
When you get into protégé, there are hundreds already (thousands of classes of rules, relationships and classes)—how can one evaluate all that stuff and know where you are in that process?  As I set out to pilot this, it occurred to me it might be nice to have a grid in which to record comments.  A second grid with classes on the left and layers (ontology) on across the top, then if I am doing that review—any time I have a comment, say if comment only applies to layer and not the class I can apply the note to that layer.  If my comment is specific, then I can apply the comment to a cell.  I’m proposing a grid model that for reviewing the architecture from the 5000 feet as well as capture comments at the 50 foot level.   
  
Any comments or question?
+
Any comments or questions?
  
Comment (Tony), one nice thing about this is in MS word if multiple people provide comments, the document merging works--you can bring all the comments together fairly quickly and automatically by merging all the documents with comments.  (This will be nice for those who have to do the processing.)
+
Comment: (Tony), one nice thing about this is in MS word if multiple people provide comments, the document merging works--you can bring all the comments together fairly quickly and automatically by merging all the documents with comments.  (This will be nice for those who have to do the processing.)
  
 
(Jon) As we annotate, I will do that in blue text.  That heads off a certain amount of confusion, especially if someone opens protégé and is not familiar with it.
 
(Jon) As we annotate, I will do that in blue text.  That heads off a certain amount of confusion, especially if someone opens protégé and is not familiar with it.

Revision as of 03:48, 4 November 2010

Security Working Group Meeting

Back to Security Main Page

Attendees


Back to Security Main Page

Agenda

  1. (05 min) Roll Call, Approve Minutes & Accept Agenda
  2. (15 min) Review of September 28 – Action Items
  3. (50 min) Generalized Attributes for Cross-Domain Communication Ed Coyne, Mike Davis
  • begin CBCC meeting hour
  1. (40 min) Security and Privacy Ontology Review Criteria - Tony Weida
  2. (10 min) HL7 Security and Privacy Ontology Architecture v0.1 Jon Farmer


Roll Call, Call for additional agenda items & Accept Agenda Meeting Minutes reviewed. Motion made to approve meeting minutes, motion seconded. Hearing no objections, meeting minutes were approved.

No additional agenda items added. Proposed Agenda accepted.

Review of September 28 – Action Items

Action Item 1 Richard will contact international members asking them if they can provide a brief report out during Monday Q3/Q4 joint Security and CBCC session related to their country's efforts to ensure consumers will trust that health care providers and the various entities with which providers share protected health information will protect consumer's privacy preferences

Richard had a brief conversation that occurred at the HL7 meeting in Cambridge. Richard hopes to have something circulated in a week (paper also distributed at WG meeting) Question: (Mike) Is this an ongoing effort? Answer: This is basically, a white paper to suggest different kinds of ways how (CBCC) attempts to conceptualize; how we might measure (i.e. each US state or any other place) the quality of the performance of data being shared. How we effectively share and do not share our data—how we share as in ‘’community based collaborative care. Result: Richard and CBCC will continue work on this area as a CBCC action item. As Security working group is unsure of the crossover (of Security) on this project. From the Cambridge Working Group Meeting, Bernd spoke on integration on systems (more on an academic level) and how this information should be shared. The information briefed was not the usual how to protect/security information that we have shared here in the past. It’s a theory of security-privacy (or the theory of everything). Portions of Bernd’s briefing Richard feels are relevant, as the integration on systems is more inclusive beyond healthcare which is where he (Richard) is trying to feed in to. (Not limiting the data sharing to just healthcare) There are other domains where security and privacy also are involved in and we shouldn’t avoid them.

Action Item 2 Mike will reach out to the SOA Health Care Services Ontology project to see if they can attend the Security and Privacy Ontology report out portion of the joint session.

Action Item has not been done. Members of the Security Working Group are attending/contributing to their Monday call. (Suzanne attended their Monday call this week.) Security will work with them and continue to share calls for the purpose of not wanting to get cross-threaded with SOA on basic things. Note: Steve Connolly has also been attending their meetings.

Generalized Attributes for Cross-Domain Communication (Ed Coyne, Mike Davis) Steve Connolly had started a mapping of DAM Attributes to Standards Using Steve’s spreadsheet as an example, I (Mike) would like to propose as an activity to the Information Model and Domain Analysis Model project:

  • To continue the work that Steve had started in this WG to map US-realm standard to the IM
    • Create a US realm profile of the Information Model (DAM) – ANSI, OASIS, HL7 standards – carry those as a US profile
    • Create more of an international profile where we focus more on ISO standards where we map into the IM in order to provide standardized vocabulary

The purpose of this activity is to verify the attributes in the Information Model-- that we’ve completed is backed up by a standard. We provide US and International realms (general purpose) to create mapping/vocabulary.

  • Identify gaps during this activity and where we can, close those gaps.

This is a continuation of activities CBCC and Security have already been engaged in. View this as more maintenance of the information model and the result will be useful to the ontology work—mapped standards and values set. When we start getting into other classes, (we are working on RBAC now), we are using primarily HL7 work. We then apply ASTM standards work which is purely representational because ASTM is only a US-realm standards organization. This proposal would continue to prepare our ontology work by bringing the focus in.

As a group we need to look at other standards in this activity, we need to look at the Information Model classes and use our subject-matter expertise to say this standard probably belongs here.

Within the US-realm we can take this model (which has already been provided to HHS, FHIMS group. Note: They do not have a US-realm vocabulary, so this vocabulary work will be within HL7). If we create these 2 profiles (US- and International-) we may want to make them official vocabulary profiles for (output) and possibly go through the ballot process. Question: How are domain specific vocabularies done? In HL7 are vocabularies just indicated or are they balloted? (We do not know that answer) (Richard) In doing this activity, we may be going outside of healthcare realm. (Mike) Yes, so if vocabulary is outside healthcare domain we would have to identify that. (Richard) In order to facilitate exchange across the silos it’s useful to have these standards harmonized. (Mike) As we go through the activity, that may be a consequence which might happen. The activity would map the current work to the standards as two different things realms: US and International. We may find that there are gaps or not, or more than one standard that could be used—if there is more than one standards, then that’s where we need to harmonize.

(Serafina) Who has the latest version of Steve’s work? (Suzanne) It’s posted in GForge: under ‘’Ontology Layering Architecture and Review Grid’’ dated 5/7/2010. It’s in the form of a spreadsheet. We should probably rearrange the spreadsheet so that the elements of the Information Model and the standard are next to each other.

(Serafina) Are you expecting an annotation to the model, i.e. being added to the Domain Anaylsis Model? (Mike) No, we are not updating the DAM with this (maybe). I’m proposing we create 2 new artifacts, which may be vocabulary updates, new things we ballot—more like ‘’profiles of the information model, ‘’ the output is two profiles. 1. US and 2. International model For the ontology general effort—similar to using the ISO profile –it should be more general (as in ISO) and not so specific. Do you see that differently?

(Serafina) No, that sounds logical. (Mike) I’m bringing this to Working Group as a suggestion, not as a proposal. We need to pick up the work to see it and continue to talk about this as ongoing discussion as we progress forward. I’d propose we take a look at the Information Model and think about this spreadsheet. It requires knowledge of the standards-- a number of standards. The I think this standard is relevant portion, I’d like to have input from the members. Send input to Suzanne, Mike or Richard—contact information is on the list---maybe we should look at this stand, what we are looking for now knowledge of a us realm or other standard that will apply to the information model and if you are aware, it would save us time using this group as acknowledge base…take this on as a group activity.

END Joint Security-CBCC WG meeting– start CBCC WG Meeting CBCC Agenda No meeting minutes were approved; attendees are in agreement to allow Tony (and Jon) to continue their presentation into the CBCC meeting as noted in the agenda.

Live Meeting Presentation of updated Security and Privacy Ontology Ontology update Updated draft of the Security-Privacy Ontology expressed in OWL 2 and suitable for viewing with the Protégé 4.1 OWL Editor Draft sent for review on 10/18/2010

(Note: Meeting minutes are sparse, w/ missing information) One unified artifact: In the nomenclature of OWL you can relate to multiple ontologies (maintenance and use) our first base level address HL7 RBAC, security and privacy in general. A second ontology adds VHA structural and a third builds on that an example of a local security and privacy setting where we have classes of individual that are related to each other. You can think of it as unified but composed of separable pieces. In addition, Jon took a look at the ontology and created a tabular view

(Jon) Presenting Ontology in tabular view – there are a lot of moving parts (actually 3 ontologies) (Note: Meeting minutes are sparse, w/ missing information)

(Jon) It may be useful to look at the baseline ontology in a columnar form – VHA is the 2nd column Local ontology that extends the first 2 columns (3rd column)

  • Two tables – one compares and contrast the knowledge at each level, calls out the benefits.
  • Second page shows that even though our 3 ontologies illustrate the layering mechanics in the real world there will be a foundational ontology. Stacked on that may be an arbitrary depth that providers of various providers or jurisdictions and multiple locals of a provider , by wiring these together in sequence can build on each other--points to the ontology it’s subject to. Multiple ontology prospects are shown here in perspective. This is a high abstraction of the model.

When you get into protégé, there are hundreds already (thousands of classes of rules, relationships and classes)—how can one evaluate all that stuff and know where you are in that process? As I set out to pilot this, it occurred to me it might be nice to have a grid in which to record comments. A second grid with classes on the left and layers (ontology) on across the top, then if I am doing that review—any time I have a comment, say if comment only applies to layer and not the class I can apply the note to that layer. If my comment is specific, then I can apply the comment to a cell. I’m proposing a grid model that for reviewing the architecture from the 5000 feet as well as capture comments at the 50 foot level.

Any comments or questions?

Comment: (Tony), one nice thing about this is in MS word if multiple people provide comments, the document merging works--you can bring all the comments together fairly quickly and automatically by merging all the documents with comments. (This will be nice for those who have to do the processing.)

(Jon) As we annotate, I will do that in blue text. That heads off a certain amount of confusion, especially if someone opens protégé and is not familiar with it.

(Meeting attendees are in agreement to allow tony to continue with ontology process.) (Tony) In terms of planning, I’m getting close to being satisfied with the first pass of RBAC constructs in the ontology. It’s a good time to solicit feedback. I will not be on the call next week. I’m hoping that Jon and I can circulate our criteria very shortly, then later this week I can sent out the latest draft and resolve some of the review criteria and kick off the questions and concerns from the group---to submit the a new version of the ontology in GForge/wiki and be ready for people to review.

Action Items

Tony--coordinate w/Suzanne, Serafina for notification)

  1. (Tony) I will address Mike’s comment on priority and roll up on criteria (critical and less critical) I will work with Jon.
  2. (Jon) complete updates to the ontology tabular view.
  3. (Tony) Get ontology out in a week (posted for review) and
  4. (Group) Allow people/attendees provide their comments on posted Ontology
  5. (Richard)Paper to start discussion


Back to Security Main Page