HL7 FHIR security topics

Project ID 1209

• FHIR disposition link on gForge for review/discussion (ongoing weekly agenda item)
• Security pages
  • Including guidance on Authentication and Authorization
  • Security Labels Page
    • including meta tag use for security labels
• Signature Data Type
• Provenance Resource
  • Including signature use within Provenance
  • Provenance.activity value-set needs to be enlarged with existing vocabulary, and discussion around if it should be marked as Extensible.
  • Provenance.entity.role unclear how each vocabulary item should be used.
    • how is derivation to be used?
    • how is revision to be used, other than the duplicate indication that would be in Provenance.activity.
  • Provenance.reason binding only to the PurposeOfUse is not granular. Seems there should be a more clear distinction between reason and activity. question on why this is Extensible
  • show how a resource and provenance would look as that resource transitions through lifecycle. In this way one would be able to find each step of the lifecycle, by way of version; and the provenance statement by way of the pointer to that version specific.
  • Detailed work plan and notes HL7 FHIR Provenance Resource
• AuditEvent Resource
  • harmonize the structure, element names, and vocabulary as much as possible with Provenance.
  • address the thought experiment of why do we have both Provenance and AuditEvent. (motivation vs consequence) (medical records vs security surveillance)
    • See http://hl7-fhir.github.io/auditevent-mappings.html#w3c.prov
    • See http://hl7-fhir.github.io/auditevent-mappings.html#fhirprovenance
    • See http://hl7-fhir.github.io/provenance-mappings.html#w3c.prov
    • See http://hl7-fhir.github.io/provenance-mappings.html#fhirauditevent
    • See http://hl7-fhir.github.io/w5
• and various other things concerning Security -- Risks to Confidentiality, Integrity, and Availability.
• also interested in
  • W5
  • Privacy Consent as a profile on Contract