October 6th 2009 Security Conference Call
Security Working Group Meeting
Attendees
- Bernd Blobel Security Co-chair, absent
- Steven Connolly
- Tom Davidson
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Rob Horn
- Glen Marshall Security Co-chair
- Rob McClure
- John Moehrke
- Pat Pyette
- Richard Thoreson CBCC Co-chair
- Ioana Singureanu
- Serafina Versaggi
- Tony Weida
- Allen Hobbs
- Pat Christensen
Agenda
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (05 min) Announcements
- (75 min) Discuss two proposed use cases:
  - Security use case 1.10 Accounting for Disclosures use case – a new use case submitted by Harry Rhodes (AHIMA). Discussion postponed because Harry is unavailable today. This use case may be important for the PASS Audit Service specification but would require some information modeling. Feel free to suggest changes/corrections/additions to the summarization.
  - Security use case 1.9 Negotiate Privacy Policy – posted prior to the Atlanta meeting but not discussed in the joint Security/CBCC session. Topic for discussion today.
- (5 min) Other Business
Announcements
Mike: Outcome of today’s Steering Division Meeting
- An electronic vote and a vote in the meeting were held on the Scope Statement for the Security DAM, and the project is officially approved.
- Mike forwarded the notice from Lynn Laasko to Suzanne.
- The Security DAM is now a formal project. The goal is to develop a DSTU for the January cycle. Work needs to be focused on this January deadline.
Discussion
Accounting for Disclosures Use Case
Taken out of order. It was thought we would not go into the Accounting of Disclosures use case discussion due to Harry not being on the call, but Glen had concerns about the positioning and ownership of the Accounting of Disclosures use case.
- The Accounting of Disclosures use case is really two use cases:
  - Audit Data Collection, which is within the Security Work Group’s purview.
  - Disclosure Accounting, which has application aspects that are more properly expressed in the Patient Administration Work Group. This is not a tool or building block.
- Mike: does this have anything to do with the use of Audit to support Accounting of Disclosures?
- Glen: Yes, this is the Audit Data Collection part
- Anything that hints of direct access to security (audit data) needs to be challenged.
- We need to deal with some services that supply data to a filter or consolidation
- PASS needs to focus on the Services required to record audit data and to obtain audit data and pass it to applications. It should not deal with the reporting
- HL7 Audit Data Collection cannot fork from the mature efforts and concepts in HITSP TP15, IHE ATNA, RFC3881, and the forthcoming standard out of ISO.
- Ioana: What Harry is suggesting is not a new standard but support for Accounting of Disclosures through a similar logging mechanism, to log the disclosure of information.
- Glen: You also need to deal with the transport associated with this
- Ioana: in the Security DAM analysis you’d specify what the Disclosure log entry would look like rather than the mechanism by which the disclosure is stored in a log file someplace
- Glen: there's zero reason for doing anything like this other than referring people to the existing documentation.
- Ioana: as long as the documentation includes things like purpose of disclosure as part of the log entry, this makes it easier. We want to check that the data elements required by HIPAA are supported.
- Glen: Yes they are. See link to HITSP TP15.
- HITSP TP15 is a US domain. Should we be referencing a US-Only construct?
- Glen: All of the stuff that’s been done relative to the original RFC, by the various standards committees, has been internationalized. HITSP’s TP15 starts to get into the US domain and binding it to US policies. For global references, refer to IHE ATNA, DICOM, RFC3881 (Security Audit and Access Accountability Message XML). But anything that references HIPAA is US Domain, which is why TP15 was mentioned
- Pat: Many jurisdictions outside of the US require this accounting, so if this use case is generalized, it will be universal
- Mike: It may be applicable to take the use case to the PASS Audit group to ensure they have the constructs and capability to deal with this particular interface with the Disclosure system.
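The exchange above turns on what a disclosure log entry would need to carry, expressed in an existing audit format rather than a new one. The following is an added example, not code from the minutes or from any HL7, IHE or HITSP specification: it shapes a constructed disclosure event as an RFC 3881-style AuditMessage using `xml.etree`, then checks that the record carries the four elements an accounting of disclosures needs (date, recipient, description of the PHI disclosed, purpose). The DICOM event code 110106 "Export" standing in for a disclosure, and carrying purpose of use in a `ParticipantObjectDetail` pair (RFC 3881 has no dedicated purpose field), are this example's own choices; the sample events, user names and audit source are constructed.

```python
import base64
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET


@dataclass
class DisclosureEvent:
    """One disclosure of PHI as captured by the disclosing application (constructed shape)."""
    disclosed_at: datetime
    disclosing_user: str
    recipient_org: str
    patient_id: str
    phi_description: str
    purpose: str  # empty string if the application failed to record a purpose


def build_audit_message(ev: DisclosureEvent) -> ET.Element:
    """Shape a disclosure as an RFC 3881 AuditMessage (element and attribute names from the RFC schema)."""
    root = ET.Element("AuditMessage")
    event = ET.SubElement(root, "EventIdentification", {
        "EventActionCode": "R",                     # RFC 3881: R = read/view/print
        "EventDateTime": ev.disclosed_at.isoformat(),
        "EventOutcomeIndicator": "0",               # 0 = success
    })
    # DICOM audit event 110106 "Export" stands in for a disclosure here (this example's mapping).
    ET.SubElement(event, "EventID", {"code": "110106", "codeSystemName": "DCM", "displayName": "Export"})

    # Who disclosed (the requestor) and who received (a non-requestor participant).
    ET.SubElement(root, "ActiveParticipant", {"UserID": ev.disclosing_user, "UserIsRequestor": "true"})
    ET.SubElement(root, "ActiveParticipant", {"UserID": ev.recipient_org, "UserIsRequestor": "false"})

    ET.SubElement(root, "AuditSourceIdentification", {"AuditSourceID": "ehr.example.org"})  # placeholder

    # The patient whose PHI was disclosed, with a human-readable description of what was sent.
    obj = ET.SubElement(root, "ParticipantObjectIdentification", {
        "ParticipantObjectID": ev.patient_id,
        "ParticipantObjectTypeCode": "1",           # 1 = person
        "ParticipantObjectTypeCodeRole": "1",       # 1 = patient
    })
    ET.SubElement(obj, "ParticipantObjectName").text = ev.phi_description
    # RFC 3881 has no purpose-of-use field; this example carries it as a ParticipantObjectDetail
    # pair (the schema types 'value' as base64). It is omitted when the application supplied
    # no purpose, so the check below can flag the gap instead of hiding it.
    if ev.purpose:
        ET.SubElement(obj, "ParticipantObjectDetail", {
            "type": "PurposeOfUse",
            "value": base64.b64encode(ev.purpose.encode()).decode(),
        })
    return root


def missing_accounting_elements(msg: ET.Element) -> list:
    """Return which accounting-of-disclosure elements the message lacks:
    date, recipient, description of the PHI disclosed, and purpose of the disclosure."""
    missing = []
    event = msg.find("EventIdentification")
    if event is None or not event.get("EventDateTime"):
        missing.append("date")
    recipients = [p for p in msg.findall("ActiveParticipant") if p.get("UserIsRequestor") == "false"]
    if not recipients or not recipients[0].get("UserID"):
        missing.append("recipient")
    obj = msg.find("ParticipantObjectIdentification")
    name = obj.find("ParticipantObjectName") if obj is not None else None
    if name is None or not (name.text or "").strip():
        missing.append("description")
    details = obj.findall("ParticipantObjectDetail") if obj is not None else []
    if not any(d.get("type") == "PurposeOfUse" and d.get("value") for d in details):
        missing.append("purpose")
    return missing


# Constructed sample events: one complete, one where the application logged no purpose.
COMPLETE = DisclosureEvent(
    disclosed_at=datetime(2009, 10, 6, 15, 0, tzinfo=timezone.utc),
    disclosing_user="dr.smith@ehr.example.org",
    recipient_org="State Immunization Registry",
    patient_id="MRN-00042",
    phi_description="Immunization record, 2009-09-30 visit",
    purpose="PUBLIC HEALTH REPORTING",
)
NO_PURPOSE = DisclosureEvent(
    disclosed_at=COMPLETE.disclosed_at,
    disclosing_user=COMPLETE.disclosing_user,
    recipient_org="Outside Clinic",
    patient_id="MRN-00042",
    phi_description="Discharge summary",
    purpose="",
)

if __name__ == "__main__":
    for ev in (COMPLETE, NO_PURPOSE):
        msg = build_audit_message(ev)
        print(ET.tostring(msg, encoding="unicode"))
        print("missing:", missing_accounting_elements(msg))
```

The check is the point of the example: a repository that only stores whatever the application emits cannot later produce an accounting, so the completeness test belongs at the point of collection, where the disclosing application can still be asked for the missing purpose.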