HL7 FHIR Security 2016-3-1

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692

Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV

If you are having difficulty joining, please try:

https://global.gotomeeting.com/join/520841173

Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes

Back to HL7 FHIR security topics

Attendees

Agenda

• Roll; approval of agenda and February 23 minutes
• Block vote
• Check on block items that have been requested to be pulled - e.g., Kathleen requests that CP 9417 be pulled. Reason: she's revised 9417 based on last call's discussion proposing both a Provenance.lifecycle element for lifecycle state of the target, and a Provenance.entity.lifecycle element for the lifecycle of any entity that is an input to the activity that generated the of the target. This supports lifecycle management and traceability, which is a core prinicple to ONC and HL7 Data Provenance work
  • 9593 Improve advice for Access Denied response (John Moehrke) Persuasive
  • 9417 Add a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle. Align definitions. (Kathleen Connor) Persuasive with Mod
  • 9562 Change Signature Datatype - make blob 0..1 (Kathleen Connor) Persuasive with Mod
  • 9570 Change AuditEvent.agent definitions (Kathleen Connor) Persuasive with Mod
  • 9571 Change Provenance.agent definition (Kathleen Connor) Persuasive with Mod
• Next set of discussion
  • 7568 2015May core #859 - How are agent and activity linked? (Kathleen Connor) None
  • 9407 Align AuditEvent and Provenance action/activity element. Recommend "Provenance.activity". (Kathleen Connor) None
  • 9150 Provenance TODO section cleanup (John Moehrke) None
  • 9151 AuditEvent has TODO section to be removed (John Moehrke) None
  • 9166 Break-Glass method defined doesn't include AuditEvent effect. (John Moehrke) None
  • 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) None
  • 9176 Security-Labels page for _confidentialiy points at all "Confidentiality" codes, not just _confidentiality. (John Moehrke) None
  • 9563 Add onBehalfOf to Signature datatype (Kathleen Connor) None
  • 9564 Should FHIR AuditEvent resource include DICOM extension of ATNA Audit log message ? (Madhusudana B Shivalinge Gowda) None

Minutes

• 9417 pulled per Kathleen's request and update to the CP from block for further discussion in Security WG about whether predecessor lifecycle status of input entities should be included along with Provenance.target lifecycle, which there was concensus about on 2/23 FHIR Security call.
• RE CP 9570 Change AuditEvent.agent definitions Rob objected to the term "some degree of responsibility" proposed a change to the AuditEvent.agent definition: An actor taking a role in an activity for which it can be assigned some degree of responsibility for the activity taking place." In discussion, Kathleen and Diana did not think that "some degree of responsibility" as too strong, e.g., a storm can be said to be "responsible for the tree falling through the roof". However, the group agreed to modify the definition to "An actor taking an active role in the activity that is logged."
• John discussed Grahame's suggested changes to CP 9593 Improved advice for Access Denied response, which entails limiting return of empty Bundle to a response to a query.
• The block vote: CP 9593, 9562, 9570, and 9571 were moved by Glen, seconded by Kathleen, and approved with the amendments described above 0-0-5.