March 29, 2016 Security Conference Call
Back to Security Work Group Main Page
Attendees
x | Member Name | x | Member Name | x | Member Name | |||
---|---|---|---|---|---|---|---|---|
. | Kathleen ConnorSecurity Co-chair | . | Duane DeCouteau | . | Chris Clark | |||
. | John MoehrkeSecurity Co-chair | . | Johnathan Coleman | . | Aaron Seib | |||
x | Alexander Mense Security Co-chair | . | Ken Salyards | . | Christopher D Brown TX | |||
. | Trish WilliamsSecurity Co-chair | . | Gary Dickinson | x | Dave Silver | |||
x | Mike Davis | . | Ioana Singureanu | . | Mohammed Jafari | |||
x | Suzanne Gonzales-Webb | . | Rob Horn | . | Galen Mulrooney | |||
x | Diana Proud-Madruga | . | Ken Rubin | . | William Kinsley | |||
x | Rick Grow | . | Paul Knapp | x | Mayada Abdulmannan | |||
. | Glen Marshall, SRS | . | Bill Kleinebecker | . | Christopher Shawn | |||
. | Oliver Lawless | . | [mailto | . | Serafina Versaggi | |||
. | Beth Pumo | . | Russell McDonell | . | Paul Petronelli , Mobile Health | |||
. | Christopher Doss | . | Kamalini Vaidya | . | [mailto: TBD ] |
Agenda DRAFT
- ( 5 min) Roll Call, Agenda Approval
- ( 5 min) Approve Security WG March 22, 2016 Minutes
- (10 min) Privacy & Security by Design - update - Rick
- Joint project meetings (ARB, CBCC, Security) held Tuesdays at 5 p.m. Eastern. Meeting information and invite
- ( 5 min) PASS Access Control Services Conceptual Model - Diana
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( 5 min) PASS Audit Conceptual Model – Diana
- ( 5 min) FHIR Security report out - John
Note that there will be a FHIR Security call at 2pm PT/5pm ET See agenda at FHIR Security Agenda
Minutes
- Chaired by Alex
- Minutes Approved (Diana, Suzanne ) 2/0/0
- Privacy & Security by Design - update - Rick
- Second meeting held with Project Team with ERB, CBCC, and Security
- Produce Class Diagrams using UML Modeling
- Started with the first term consent Privacy term that will be interval for the design of the implementation guide
- privacy Ensured Privacy was captured in the implementation Guide
- Work continues, trading comments and feedback through email
- Second Meeting will be held at 5 p.m., link provided below:
- Joint project meetings (ARB, CBCC, Security) held Tuesdays at 5 p.m. Eastern. Meeting information and invite
- Reached to Ann Wizower with HL7 Standard Governance board to confirm the items and scope with the PSS are within the boundaries and expected scope per Kathleen's recommendation last week
- Once feedback and evote is received from the Governance Board the PSS will then be delivered back to CBCC they will then take a vote on being sponsor of the project
- Project work is ongoing
- PASS Access Control Services Conceptual Model - Diana
- Received commands from Burke
- Mike Davis, Kathleen Connor, Dave Silver and Diana met last week to come up with possible solutions to open issues.
- Eight open issues remain
- First comment recommendation to change disposition to persuasive and the clarification to identify and Check that all references are accurate.
- Second comment recommendation to only reference ISOIC 10746, per Mike Davis recommendation Diana will present it to SOA to see how strongly they feel that Safe is referenced in the Standard.
- Third comment is to delete the section as it is not necessary per suggestion of Burt. per Burt suggested standards be referenced as in his original comments.
- Comment 15 we accepted Burt's proposed wording
- Comment 19 it was confirmed the definition was wrong as in the original objection, the statement will be replacing the definition from ISO 22600-2 which addressed first issue of Original comment. Second comment required that Burt needed a refrained policy scenario added. Possible solution for the second comment recommended by Kathleen during the meeting is to consider the Obligation scenario covers refrained policy and mandates. Mike Davis requested more time to review possible recommendations.
- Per a conversation with Dave Silver the article that covers theTHEWS Trusted eHealth and eWelfare Space Principles principal, the ACS and the document are loosely related and may not be mapped. However, it maybe possible to reference capabilities in the functional model at a high level and reference documentation.
Question (Alex): Do we need a predefined trust model? Answer (Mike Davis): We have a predefined policy where everyone is in the security domain. The VA worked with PSS for Trust envisioned that has not matured to PSS. The plan was to establish a trust framework that supports FHIR. The idea was to have two separate domains, and a negotiable trust and at run time they would establish the policy by a particular interaction that would have by exchange a FHIR contact. It would not completely be unconstrained, and more similar to a VPN giving an assurance level.
Comment (Diana): Generalized access control model was used for the basis of this document, it appears there is an assumption of trust with several references that indicate an assumption of Trust that has already been established within use case AC1-Enforced access control decision. Comment (Alex): We do not need a framework to establish Trust, and can use the use case method as part of the specification. Comment (Diana): We can add a footnote on how Trust Relationship can Exist, and what is involved in establishing Trust. Concurrence on Next Step (Mike, Alex): To obtain further clarity from Burt on his comment. Alex will reach out to Burt.
- Joint Vocabulary Alignment Update - Diana
- NTR
- Reed is calling to have a meeting next week and requested proposed Agenda items.
- PASS Audit Conceptual Model – Diana
- NTR
- Continued work on functional model that would go into the the functional model
- Working on finalizing the PSS
-FHIR Security report out - John
- not on call