HL7 FHIR Security 2016-2-16

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692

Join online meeting: https://meet.RTC.VA.GOV/suzanne.gonzales-webb/67LLFDYV

If you are having difficulty joining, please try:

https://global.gotomeeting.com/join/520841173

Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes

Back to HL7 FHIR security topics

Attendees

Agenda

• [1]
• Security CP 9570 Change AuditEvent.agent Definition and Comment

To align with Provenance, Contract and ConsentDirective agent definition updates [Contract/CD CP 9566], revise current AuditEvent.agent definition as follows: "Several agents may be associated (i.e. has some responsibility for an activity) with an activity and vice-versa. For example, in cases of actions initiated by one user for other users, or in events that involve more than one user, hardware device, software, or system process. However, only one user may be the initiator/requestor for the event." Need documentation or modeling approach to tell which of possibly several AuditEvent.agent(s) is the initiator/requestor

Revision to above to include both an update to definition and comment Change Definition to:  "An actor taking a role in an activity  for which it can be assigned some degree of responsibility for the activity taking place. Description: An agent can be a person, an organization, software, device, or other entities that may be ascribed responsibility." To align with Provenance, Contract and ConsentDirective agent definition updates [Contract/CD CP 9566], revise current AuditEvent.agent COMMENT as follows: "Several agents may be associated (i.e. has some responsibility for an activity) with an activity and vice-versa. For example, in cases of actions initiated by one user for other users, or in events that involve more than one user, hardware device, software, or system process. However, only one user may be the initiator/requestor for the event." Need documentation or modeling approach to tell which of possibly several AuditEvent.agent(s) is the initiator/requestor.

Implement the following changes per 2 new CPs

• CP 1: Align AuditEvent and Provenance action/activity element name and definition. Recommend changing to "activity".

AuditEvent.action [Change to AuditEvent.activity

Question: What to do with the definitional differences - e.g., possibly combine. Current AuditEven.action Definition: Indicator for type of action [Change to "activity".] performed during the event that generated the audit. Control 0..1 Binding AuditEventAction: Indicator for type of action[Change to "activity".] performed during the event that generated the audit. (Required) Type code Requirements This broadly indicates what kind of action [Change to "activity".] was done on the AuditEvent.entity by the AuditEvent.agent.

• Provenance.activity

Definition: An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. Control 0..1 Binding ProvenanceEventCurrentState: The activity that took place. (Extensible) Type Coding

• CP #: Add to Provenance Resource a new Provenance.entity.lifecycle element to align with Audit.entity.lifecycle.

Current Audit.entity.lifecycle Definition Identifier for the data life-cycle stage for the entity. Control 0..1 Binding AuditEventObjectLifecycle: Identifier for the data life-cycle stage for the object. (Extensible) Type Coding Requirements Institutional policies for privacy and security may optionally fall under different accountability rules based on data life cycle. This provides a differentiating value for those cases. Comments This can be used to provide an audit trail for data, over time, as it passes through the system." Possible Provenance.entity.lifecycle would be the same as the Audit.entity.lifecycle.

Minutes