HL7 FHIR Security 2018-04-17
Call Logistics
Weekly: Tuesday at 02:00 EST
Web conference desktop and VOIP: https://www.freeconferencecall.com/join/security36
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Attendees
Present | Member Name | Present | Member Name | Present | Member Name
---|---|---|---|---|---
x | John Moehrke Security Co-Chair | x | Kathleen Connor Security Co-Chair | . | Alexander Mense Security Co-chair
x | Suzanne Gonzales-Webb CBCC Co-Chair | . | Johnathan Coleman CBCC co-chair | . | Chris Shawn Security co-chair
. | Ali Massihi | . | Mike Davis | x | Nathan Botts Mobile co-chair
x | Diana Proud-Madruga | x | Joe Lamy AEGIS | . | Beth Pumo
. | Irina Connelly | x | Matt Blackman Sequoia | . | Mark Underwood NIST
. | Peter Bachman | . | Grahame Grieve FHIR Program Director | . | Kevin Shekleton (Cerner, CDS Hooks)
x | Luis Maas EMR Direct | . | Dave Silver | x | Francisco Jauregui
Agenda
- Roll
- Approval of agenda
- Approval of HL7 FHIR Security 2018-04-03 Minutes
- Announcements
- Johnathan: specific guidance, given a paper from ONC that might guide improvements to the security guidance
- Johnathan sends regrets
- Key Privacy and Security Considerations for Healthcare Application Programming Interfaces (APIs)
- Review Access Control section for improvement opportunities
- Action: everyone
- Continuous security testing and remediation
- Using off-the-shelf and open-source tools to simulate attacks, inspect code, and otherwise probe for vulnerabilities, and remediating those vulnerabilities following Risk-Management methodology.
- All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- Improvement beyond SMART scopes
- Patient Directed backend communication
- OAuth App Registration
- Certificate Management
- New business
ACTIONS
references
- stream for Security and Privacy discussions. Specification development, and Implementation.
- stream for Patient Empowerment. Discussions about empowering patients. Focus on deployment and advocacy.
- Proposed FHIR Connectathon track for Cologne -- GDPR
- Blockchain FHIR Connectathon
- Grahame is trying to find a community wanting to 'play' with blockchain. He is willing to stand up the infrastructure.
- See blockchain zulip stream https://chat.fhir.org/#narrow/stream/blockchain
Minutes
- John chaired
- Minutes not reviewed
- Johnathan is out sick, so will skip ONC work
- Reviewed FHIR Connectathon tracks
  - 201805 GDPR
    - A bit more discussion has happened on the Zulip thread
    - John, Alex, and Rene are working on pre-work details
    - Will have a cross-walk from FHIR security and privacy capabilities to the GDPR articles they support
    - Will have gaps identified
    - Some gaps will be useful experiments for participants
    - Loui recognizes a need for an AuditEvent that records that one has followed up on a patient's request by communicating it to the downstream partners to which that patient's data had flowed. For example, when the patient requests that data be forgotten, this must be communicated to all who had previously received that data. Thus there needs to be an audit event showing that they tried.
    - Also reviewed the disclosure example for how well it records enough details for the disclosure. It seems so, but the example is too limited.
  - 201805 Direct/Certificates Track
    - Loui walked the group through this whole track in very nice detail
    - Last (D) scenario does need a bit more discussion. It was also not clear that D relies on C being used after D succeeds.
    - This scenario should see more visibility, possibly on Zulip
  - Blockchain
    - Seems no activity or stream has been created