This wiki has undergone a migration to Confluence found Here
January 24th, 2012 Security Working Group Conference Call
Revision as of 05:00, 24 January 2012 by Suzannegw (talk | contribs) (Created page with "=Security Working Group Meeting= * Meeting Information Back to Security Main Page ==Attendees== * [mailto:Kathleen_Connor@comcast.net Kathleen Connor...")
Contents
Security Working Group Meeting
Attendees
- Kathleen Connor
- Ed Coyne
- Mike Davis Security Co-chair
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- Jim Kretz
- Glen Marshall
- John Moehrke Security Co-chair
- Milan Petkovic
- Ken Salyards
- Richard Thoreson CBCC Co-chair
- Tony Weida
Agenda
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Draft Work Plan - Security and Privacy Ontology
- (15 min) HL7 EHRS FM Action--Verb Hierarchy ppt
- (15 min) Item3
- (5 min) Other Business
Meeting Minutes - DRAFT
Roll Call, Approve Minutes & Accept Agenda
Draft Work Plan - Security and Privacy Ontology
Please follow link:
HL7 EHRS FM Action--Verb Hierarchy
- The attached HL7 EHR-S FM Action Verb hierarchy should be reviewed by Security and CBCC WGs.
- They do not map to the Security Operations (CRUDE or the data operations code system).
- They do not appear to align with the Security and Privacy Ontology.
- Below are examples of potential issues:
- Why would encrypt/decrypt be under the category of “Store” when those could be required for use and exchange as well.
- The definition of TAG is “To UPDATE data by marking it for special use. For example, a nurse may TAG the previous week’s records for patients that presented with a severe cough and fever.” This might be useful for tagging for sensitivity, but needs to be thought through – why isn’t the data “tagged” when created rather than as an “update”?
- RENDER and EXTRACT may be a “Disclosure” but that’s not differentiated.
- AUDIT (revised) To TRACK system-initiated or user-initiated activities by analyzing logs based on policies or rules. For example, the system may automatically AUDIT the daily log for multiple-failed-logon-attempts. Another example is that an administrator may AUDIT the excessive use of extraordinary (i.e., “break-the-glass”) access to certain patient information in the Emergency Department. John already suggested that there should be a more general Event logging – and that Audit should be a specialization.
Item3
- (5 min) Other Business