This wiki has undergone a migration to Confluence found Here
HL7 FHIR security topics
Revision as of 22:09, 3 November 2015 by JohnMoehrke (talk | contribs)
Project ID 1209
- FHIR disposition link on gForge for review/discussion (ongoing weekly agenda item)
Export from Gforge Security Open
Wiki
- 3318 Clarify how to use RBAC and ABAC using FHIR ()
- 5525 Consent Directive does not appear to be aligned with the 80% ()
- 6303 Add Record Lifecycle Events to AuditEventObjectLifecycle Set ()
- 7563 2015May core #854 - Expand on how to use Provenance ()
- 7567 2015May core #858 - Provenance isn't sufficiently aligned with w3c spec ()
- 7568 2015May core #859 - How are agent and activity linked? ()
- 7569 2015May core #860 - Clarify relationship agents and entities used in activity ()
- 7570 2015May core #861 - Clarify relationship agents and entities used in activity ()
- 7597 2015May core #888 - This resource is missing any reference to the "action" performed on the entity. Is there a default "create" action or is it an omission? ()
- 7598 2015May core #889 - Can Provenance apply to a resource or just a data element ()
- 8638 how does Provenance work when deleting records ()
- 8731 Canonicalization for signatures ()
- 8738 Unapplied QA changes around security and services ()
- 8790 Give guidance on AuditEvent that codes don't need DisplayName populated ()
- 8803 Provenance for a subset of a resource ()
- 8827 Signature datatype does not include counter-signature type ()
Other
- Security pages
- Including guidance on Authentication and Authorization
- Security Labels Page
- including meta tag use for security labels
- Signature Data Type
Provenance Resource
- Address outstanding Provenance CPs from January 2015 FHIR Ballot mistakenly assigned to FHIR Infrastructure
- Including signature use within Provenance
- Provenance.activity value-set needs to be enlarged with existing vocabulary, and discussion around if it should be marked as Extensible.
- Provenance.entity.role unclear how each vocabulary item should be used.
- how is derivation to be used?
- how is revision to be used, other than the duplicate indication that would be in Provenance.activity.
- Provenance.reason binding only to the PurposeOfUse is not granular. Seems there should be a more clear distinction between reason and activity. question on why this is Extensible
- show how a resource and provenance would look as that resource transitions through lifecycle. In this way one would be able to find each step of the lifecycle, by way of version; and the provenance statement by way of the pointer to that version specific.
- Detailed work plan and notes HL7 FHIR Provenance Resource
AuditEvent Resource
- Address outstanding AuditEvent CPs from January 2015 FHIR Ballot mistakenly assigned to FHIR Infrastructure
- harmonize the structure, element names, and vocabulary as much as possible with Provenance.
- document use cases for interoperable FHIR AuditEvent - e.g., federated system with central AuditEvent Service - intra- and inter-enterprise.
- address the thought experiment of why do we have both Provenance and AuditEvent. (motivation vs consequence) (medical records vs security surveillance)
- See http://hl7-fhir.github.io/auditevent-mappings.html#w3c.prov
- See http://hl7-fhir.github.io/auditevent-mappings.html#fhirprovenance
- See http://hl7-fhir.github.io/provenance-mappings.html#w3c.prov
- See http://hl7-fhir.github.io/provenance-mappings.html#fhirauditevent
- See http://hl7-fhir.github.io/w5
- Who records Provenance vs AuditEvent; what are the various architectures. The important point is to assure that the architecture chosen doesn't miss information.
- and various other things concerning Security -- Risks to Confidentiality, Integrity, and Availability.
- also interested in
- W5
- Privacy Consent as a profile on Contract