HL7 May 2018 WGM MINUTES - Cologne, Germany
Contents
Monday Q3
Joint CBCP - Security
See CBCC Minutes
Monday Q4
Joint CBCP - Security
See CBCC Minutes
Tuesday Q1
Opening Security WG Meeting
Attendees:
- Trish Williams trish.williams@flinders.edu.au
- John Moehrke John.Moehrke@gmail.com
- Alexander Mense alexander.mense@hl7.at
- Kathleen Connor Kathleen.connor@comcast.net
- Hideyuki Miyohara HL7 Japan Miyohara.Hideyuki@ap.MitsubishiElectric.co
- David Pyke david.pyke@readycomputing.com
Chaired by Alex
1. Introductions
2. Approval of agenda
- Discussion on content in relation to Blockchain and its potential impact. This will be included in the agenda and discussion of the potential use cases.
Proposed - Kathleen Seconded - John Approved: 5:0:0
3. International Report outs (given at meeting with CBCP Monday Q3)
- Japan: In 2020, Japan will have a full patient national ID.
- EU: * EU NIS (cybersecurity) directive deadline for national transposition into law was last week. Many countries (Austria) have missed the deadline. There for in Austria only critical infrastructure is applicable.
- Australia: Privacy breaches reporting has begun in Australia, 25% were healthcare providers
- Canada has begun requiring statistics collection of Privacy breaches, the privacy commissioner will report out nationally
- In the US, ransomware is a breach
- Switzerland: Launched a working model for a national HIE based on an upcoming new restricted national ID and IHE profiles. Double opt-in (clinicians and patients may) should be live by 2022. Privacy restrictions will be patient based. Documentation will be sent to the CBCP list
4. Liaison Reports: ISO, IHE, ONC
- ISO (Hide): ISO: Audit trail discussions (27789 Audit Trail for EHR) Change proposal to keep conformance with ATNA, etc. Some vocabulary, such as purpose of use, is not harmonized among SDOs. ISO will harmonize/constrain/map these vocabularies as part of their process. Presentation on recent ISO Meeting in Brazil. Presentation on SEC WG Homepage (Documents and Presentations).
- OASIS : No report
- IHE: AS4 Security has been mandated and IHE is setting up a new Document Sharing set of options based on AS4 requirements.
5. FHIR Security Report out - John Moehrke
6. HL7 Project status and updates:
- Trust Framework for Federated Authorization (TF4FA) Ballot outcomes and reconciliation plans - Kathleen for Mike Davis and Chris Shawn
- Trust Framework for Federated Authorization (TF4FA) Ballot outcomes and reconciliation plans - Kathleen for Mike Davis and Chris Shawn
- TF4FA Volume 3 for Audit, Provenance, and Blockchain Development Plans - Kathleen for Mike Davis and Chris Shawn
- TF4FA Volume 3 for Audit, Provenance, and Blockchain Development Plans - Kathleen for Mike Davis and Chris Shawn
- Is Privacy Obsolete Study Group -Kathleen for Mike Davis
- DAM Need to progress to publication, was not completed from last meeting as new information in form was required. Alex and Trish to progress.
- Status of PASS Audit
- At the request of SOA, the status of PASS Audit has been requested as this is still sitting at reconciliation for the normative publication. SEC WG will request Mike to clarify what content for PSAF is in relation to PASS Audit.
- All PASS projects need to be with SEC not SOA. This was historical but it now makes more sense for the PASS work to sit with SEC. Trish and Alex to talk to Dave Hamill and SOA about making this happen.
- Status of PASS Audit
Tuesday Q2
Joint with CBCP - FHIR Connectathon Report Out/July Harmonization
Attendees:
- Trish Williams trish.williams@flinders.edu.au
- John Moehrke John.Moehrke@gmail.com
- Alexander Mense alexander.mense@hl7.at
- Kathleen Connor Kathleen.connor@comcast.net
- Hideyuki Miyohara HL7 Japan Miyohara.Hideyuki@ap.MitsubishiElectric.co
- David Pyke david.pyke@readycomputing.com
1.FHIR support of GDPR - See GDPR SEC special wiki page http://wiki.hl7.org/index.php?title=201805_GDPR
2. July Harmonization Focus
- Sharing with Protections - TEFCA Minimum Necessary given expanded Purposes of Use and need to establish Legitimate Relationships - Provisioning with ABAC Clearances & Security Labels
- Possible GDPR Security Label vocabulary - Kathleen
2. Findings from Cologne GDPR and Blockchain Connectathon Tracks
3. EU Security Items - TBD
Tuesday Q3
Joint CBCP, Hosting Security
- Brian Postlethwaite regarding new PSS - Proposal for new VerficationResult resource: http://wiki.hl7.org/index.php?title=VerificationResult_FHIR_Resource_Proposal
- The VerificationResult resource records the details and results of a resource that needs to be, or has been verified by multiple parties. It does not represent the workflows or tasks related, but does cover the who did what when, why, and when it needs to be done again.
- This is in contrast to the AuditEvent which could record that a resource was received from someone, and the Provenance that records who it came from.
- It was considered to be implemented as a profile on Provenance, however this seems to be different in scope in that its includes details of the verification.
- Brian Postlethwaite regarding new PSS - Proposal for new VerficationResult resource: http://wiki.hl7.org/index.php?title=VerificationResult_FHIR_Resource_Proposal
Discussion about whether this is too similar to Provenance as to make this inappropriate. This would stretch the meaning of Provenance resource. The outcomes was that Provenance is not a suitable substitute or resource for the intent of the use for VerificationResult. This new resource is about metadata of the process not exactly the same content as for Provenance - which omits how, when and why future verification is done. The question is that if there is confusion over the resource, because of similarity, this would need to be made clear so it was not misused in place of Provenance.
Where the scope, content and boundaries require, the Provence resource will point to the VerificationResult resource, and the Security webpages will be updated to reflect this. There was consensus in the Sec WG that this is an appropriate resource.
- Report out on FHIR Privacy and Security ballot outcomes - Dave and John
- Discussion on consent versus general purpose data access rules resource.
- There were no comments on Consent for the ballot. (Dave).
- Report out on FHIR Privacy and Security ballot outcomes - Dave and John
Tuesday Q4
Security TF4FA Ballot Reconciliation Work Session
Attendees:
Chaired by
Wednesday Q1
Joint with EHR, CBCP, FHIR, SOA, Security(EHR hosting)
See EHR Minutes
Includes discussion about:
- Standards support for key GDPR Policies - Rene Spronk
- TF4FA Ballot Outcome and Next Steps - Kathleen for Mike Davis and Chris Shawn
Wednesday Q2
No meeting
Wednesday Q3
Security WG deep FHIR topics
Attendees:
Chaired by
Wednesday Q4
Security WG European Privacy and Security Issues Meeting
Attendees:
Chaired by
Thursday Q1
Security hosting CBCP, FHIR-I Joint
Attendees:
Chaired by
1. FHIR Security Agenda TBD
Thursday Q1
Security WG Admin Meeting
Attendees:
Chaired by
- Workgroup Health Update - Cochairs
- See PBS Metrics 2018May Interim Report Need to publish S&P DAM May 2014 Informative Ballot
- S&P DAM May 2014 - still needs publication request to complete this missing WG Health Item
- Governance Documents - Cochairs
- 3 Year Plan Refresh - Cochairs
- WGM Minutes Drafting - Cochairs
- Conference Call Scheduling - Cochairs
