September 29, 2015 Security WG Conference Call

Attendees

Back to Security Main Page

Agenda DRAFT

1. ( 5 min) Roll Call, Agenda Approval
2. ( 5 min) Approve September 22 Meeting Minutes
3. ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson, Mike, Dave
4. ( 5 min) Joint Vocabulary Alignment Update - Diana
5. ( 35 min) FHIR Security report out - John/Lloyd/Kathleen
   • FHIR ProvenanceEvent Value Set - Kathleen
6. ( 5 min) PSAF Update - Kathleen

Meeting Minutes DRAFT

Approval of September 22 meeting minutes

Motion: Diana/Glen

0 Opposed/Abstain; 7 Approve

PASS Access Control Conceptual Model (SOA) Update

• Negative ballot comments received which will be undergoing the reconciliation process
• The ballot did not pass, but quorum was achieved (Note: 24 affirmatives are needed for the ballot to pass)
• Reconciliation will begin at the WGM, including discussion; time will be allotted at WGM

• Four ballot reconciliation comment sheets returned
  • Bernd Blobel
  • VA via Greg Staudenmaier
  • DoD via Krystol Shaw
  • Lorraine Doo, HHS CMS
• John has been assigned to follow up with Keith Boone regarding negative vote

Joint Vocabulary Alignment Update

• Several definitions have been submitted for the group to review (avoiding the detailed semantics); currently at 80% definitions submitted for the ISO 21089 standard, "Trusted End to End Information Flows"
• Vocabulary for the HL7 as well as the function definitions are of interest and intended to be part of the discussion at WGM (time is allotted)
• The SOA information is still being used by the "old Wiki" but the information has been transferred to the Security Wiki
  • Concern of loss of intellectual property of a non-HL7 site.

FHIR

No update

SOA - New item

Requesting Security to be a co-sponsor (as well as FMG and ITS)

HL7 Cloud Implementation Blueprint informative document (although may be shy of an implementation guide which may be planned in the future)

• To develop an informative document establishing an HL7 point-of-view as to how and where HL7 standards can and should be applied as organizations are considering migration of their HIT into cloud environments. The expectation is that there is a broad spectrum of possibilities, several alternatives of which will be included in the white paper.
• The paper will include:
  • Overview, including an introduction to cloud terms and principles.
  • Identify relevant HL7 standards and the context where they may be applied into cloud settings. This will be exemplary and not authoritative, with the hope of including as many HL7 standards as possible that have direct relevance.
  • Introduce the concept of Cloud Blueprints, each of which is an implementation pattern leveraging HL7 standards and putting them into context of broad solution categories. These are intended to be selected, modified, and then implemented. Each blueprint will be targeted to specific situational needs, identify implementation considerations, risks, trade-offs, etc. associated with that pattern.
  • A discussion of security and privacy considerations associated with cloud, with particular focus on the blueprints.
  • A maturity model to allow for the objective evaluation and assessment of organizations to determine their ability to effect cloud solutions, and potential steps that could be taken to improve their posture to embrace cloud. This section will include a self-assessment guide.
  • A section discussing emerging capabilities and “next steps," with a highlight on the opportunities that are created through the use of cloud implementation.
  • Finally, the white paper will include reference documentation and knowledge sources for further study.

• Idea is not to reinvent; looking specifically at how HL7 and SOA standards intersect with the cloud.
• Currently, many of our standards are broadly distributed.

The go/no-go is: What standards do we specifically need for cloud?

• But let's look at the HL7 standards (existing) through a cloud view

Meeting adjourned at 1303 PDT