This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

April 18, 2017 Security Conference Call

From HL7Wiki
Jump to navigation Jump to search

Back to Security Main Page

Attendees

x Member Name x Member Name x Member Name x Member Name
x John MoehrkeSecurity Co-chair x Kathleen ConnorSecurity Co-chair . Alexander Mense Security Co-chair . Trish WilliamsSecurity Co-chair
x Mike Davis . Suzanne Gonzales-Webb x David Staggs . Mohammed Jafari
. Glen Marshall, SRS x Beth Pumo . Ioana Singureanu . Rob Horn
x Diana Proud-Madruga . Serafina Versaggi x Joe Lamy . Galen Mulrooney
. Duane DeCouteau . Chris Clark . Johnathan Coleman . Aaron Seib
. Ken Salyards . Christopher D Brown TX . Gary Dickinson x Dave Silver
. Rick Grow . William Kinsley . Paul Knapp x Mayada Abdulmannan
. Kamalini Vaidya . Bill Kleinebecker x Christopher Shawn . Grahame Grieve
. Oliver Lawless . Ken Rubin . David Tao . Nathan Botts

Back to Security Main Page

Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes April 11, 2017
  3. (5 min) TF4FA Ballot Report - Kathleen
  4. (20 min) Consumer Oriented TF4FA - Mike Davis
  5. (10 min) FHIR Security Call - Please review front matter - John Moehrke

==Consumer Oriented TF4FA

Current Trust Frameworks are static; once established, these are very hard to change. Static Trust Frameworks are typically oriented to those who control information and value flows. Consumers seem to have little or no voice in these Trust Framework Trust Policy, or the resulting Trust Recipient or Trust Relying Party Agreements.

Should the HL7 TF4FA be more encompassing of healthcare consumers as parties in the negotiation of Trust Frameworks for Federated Authorization with counterparties with which they can share health information on terms that consumers find more attractive in some way - e.g., for more control of their information's privacy and security, or even for compensation for use of their health information?

Enabling healthcare consumers to negotiate more equitable trust framework will require changing the balance of power where custodians "own" the consumer's health information. Patient Right of Access is disrupting that paradigm. It may be that providers and EHR vendors will see an advantage in supporting PRA as a means to off-load breach liability and consent management, and by simply duplicating patient information in a server accessible to patients for view, download, and transmit, they are able to avoid EHR security issues, although they still have responsibility for the security of a PRA store.

At the same time as custodians are seeing advantages, so are secondary users of patient information. PRA is attractive in that it reduces friction resulting from meeting data sharing requirements of custodians. At this juncture however, these secondary users seem somewhat inclined to negotiate with the consumers that are now supplying them with patient information.

As this new mode of sharing health information scales, healthcare consumers' market place clout to demand more control will increase. With user friendly trust negotiation technologies, we can imagine many healthcare consumers with 0..* trust domains, and 0..* privacy preferences, and security and trust risk tolerances having more and more health information consumers with which to bargain for their best trust contract deal.

HL7 TF4FA could serve as the conceptual model for the healthcare consumer trust negotiation technologies needed to enable this emerging market.


Minutes

Chaired by Kathleen

  • Agenda Approved
  • April 4th Security WG Call Meeting Minutes Reviewed and Approved
  • WG Calls to Be Canceled Due to Madrid:
    • Security: May 2nd, May 9th, May 16th
    • FHIR: potentially May 2nd, May 9th, May 16th
      • Mobile Health team will not be in attendance
      • Josh could be available
      • EHR WG’s discussion will be specific to their performance testing, not Security’s.
      • Aegis requested test case
        • Discussions with Mario, Gary and FHIR-I re specific performance tests for Privacy, Security, Provenance, Security Labels and possibly Digital Ledger Technology
          • Kathleen: OAuth for Patient Right of Access
          • Josh: SMART on FHIR and Sync for Science have API’s
          • VA: FHIR Audit Consent has been tested
          • VA: FHIR Consent Resource and FHIR Consent Profile
          • VA: Tested Provenance and Audit at HIMSS
        • Kathleen had mtg with Standards Governance Board; very interested in Privacy and Security by Design
        • CBCC created Standards Privacy Assessment
        • Cookbook
        • John: EHR, CBCC, FHIR, SOA and Security re test scenarios:
          • What are the test scenarios and within each one of them, what are the various actors and steps and within those steps, what are the critical resources that get touched, labels that get touched. Those scenarios can declare a policy toward that particular test scenario.
      • Kathleen encouraged people to look at agenda for Wed Q3
        • Josh to discuss progress on SMART on FHIR; timeline; CDS Hook
      • Wed Q4: Continue TF4FA; could be made available to continue Q3
      • Bernd presentation only allocated 20 minutes; will likely need an additional quarter; meant to be a full session
  • Call ended.