Minutes from Security WG Links

Return to: WGM Minutes > 2016 > January Orlando

Return to: Back to Security Work Group Main Page

Overall Attendees

• Mike Davis mike.davis@va.gov
• John Moehrke john.moehrke@med.ge.com
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Kathleen Connor Kathleen.connor@comcast.net
• Diana Proud-Madruga diana.proud-madruga@va.gov
• Dennis Patterson dennis.patterson@cerner.com
• Michael Donnelly michael.donnelly@epic.com
• Kevin Riley kevin.riley@infor.com
• Prareen Ekkati Praveen.Ekkati@infor.com
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov
• Joshua Mendel childlens.harvard.edu
• Graham Grieve grahame@healthintersections.com.au
• Paul Knapp Pknapp@Pknapp.com
• Nancy Orvis nancy.j.orvis.civ@mail.mil
• Chris Shawn christopher.shawn2@va.gov
• Beth Pumo beth.pumo@kp.org
• Johnathan Coleman jc@securityrs.com

Tuesday Q1

Attendees:

• Mike Davis mike.davis@va.gov
• John Moehrke john.moehrke@med.ge.com
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Kathleen Connor Kathleen.connor@comcast.net
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov
• Chris Shawn christopher.shawn2@va.gov
• Beth Pumo beth.pumo@kp.org
• Johnathan Coleman jc@securityrs.com

Notes: Opening Security WG Meeting Introductions

• Agenda HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG
  • John/Trish: 10/0/0
• IHE Report
  • Advanced Patient Privacy Consents Profile -- will leverage CDA Consent Directive
  • Internet User Assertion (IUA) -- will leverage HEART OAuth profiles
• ISO Report
  • ???
• ONC - API taskforce
• HEART http://openid.bitbucket.org/HEART/
  • UMA
  • OAuth Scopes
  • Consent Receipt
• Healthcare Access Control Catalog
  • ballot reconcilliation done, just waiting on agreement
• FHIR Consent -- see us in Q3 at CBCC
• Workgroup responsibilities
  • Future work items (Trish action item)

Tuesday Q2

Attendees:

• Mike Davis mike.davis@va.gov
• John Moehrke john.moehrke@med.ge.com
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Chris Shawn christopher.shawn2@va.gov
• Beth Pumo beth.pumo@kp.org

Notes:

• Security/EHR Verb/Provenance/Lifecycle Vocabulary
  • Work space Record Lifecycle, Security, Privacy, and Provenance Vocabulary Alignment
  • Struggling greatly
  • three months have produced 4 terms
  • Principle to find a good-enough definition, focus on describing the functionality,
  • Note IHE has published a White Paper on "Health Information Management". Written primarily by AHIMA individuals working within IHE. http://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_WP_HITStdsforHIMPratices_Rev1.1_2015-09-18.pdf
• Worked on 3 year plan for Security WG

Tuesday Q3

Attendees:

• Mike Davis mike.davis@va.gov
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Kathleen Connor Kathleen.connor@comcast.net
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Chris Shawn christopher.shawn2@va.gov
• Diana Proud-Madruga diana.proud-madruga@va.gov

Security WG Project Meeting - Notes

• SOA Audit
  • Diana started PSS. Group worked on formulation of PSS in preparation for joint meeting with SOA Q2 Wed.

• Discussion on Future work items
  • Future security tutorials (free or paid) future planning?
    • New topic for tutorial would be to cover the security aspects of FHIR. This could cover the different resources:
    • Questionnaire, contract and C-CDA composition, security vocabularies supporting the labeling. To be considered for HL7 WGM Sept 2016 or May if possible. This would be a free tutorial. Kathleen will inquire about opportunities to deliver such tutorial close the the FHIR Connectathon.

• Workgroup Health
  • Email communication with TSC revealed that the WG is penalized for missing TSC election last year. This penalty applied to the workgroup health for the following 3 meetings.
  • Three-Year Plan last updated Sept 2012. To be updated at this meeting.
    • Trish updated Three-Year Plan in preparation for approval by WG.
  • Mission and Charter last updated May 2015
  • SWOT last updated May 2015
  • Decision Making Processes last updated Sept 2014
  • Post WGM Effectiveness Survey completed by Trish 13/01/2016
  • Room bookings for next WGM in May completed by Trish 13/01/2016

• Actions:
  • New Facilitator Publishing needs to be selected with the retirement of Mike Davis as Co-Chair. The HL7 Security Leadership page will need to be updated.
  • New Three-Year Plan to be circulated and approved by WG.
  • Next WGM (May) agenda to be posted to Wiki by 01 April 2016

Tuesday Q4

Attendees:

• Mike Davis mike.davis@va.gov
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Kathleen Connor Kathleen.connor@comcast.net
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Chris Shawn christopher.shawn2@va.gov
• Beth Pumo beth.pumo@kp.org
• Don Jorgenson

Security WG Project Meeting Notes:

• Trust Framework
  • Establishing a level that exchange between two or more entities can communicate.
  • The current methods of common contract is inflexible and often technology specific. How this architecture applies to FHIR is (as yet) undetermined.
  • The negotiation of the policies can happen at run-time, but these are computer negotiated contract that drives the policy.
  • Using Trust Frameworks allows run time flexibility (and technology independent).
  • Possible future project for Sec WG. Kathleen to advise on drafted initial material previously presented to assess possible directions.
  • It is in the Security Labeling Service (SLS) but is not fully defined.

Wednesday Q1

Hosted by EHR

Topics Discussed

• Patient Choice Project - Johnathan Coleman
  • ONC recently launch this project. Will look at basic choice offered to the individual to prevent their PHI from being available for electronic exchange. Project to run Sept 2015 to March 2020. Refer to presentation.

• Vocabulary Alignment
  • 30 terms to align.
  • Originateand Receive working definitions agreed. Verify and validate definitions not yet stable.
  • New PSS required as original PSS did not indicate that the work would go to ballot.

• Report on revisions for Harmonize provenance and audit event resource with the W3C in FHIR, from John Moehrke.

• Pain points in workflow project. FHIR W5 Report - Lloyd

Refer to EHR minutes for more detail

Wednesday Q2

Hosted by SOA

Wednesday Q3

Hosting FHIR

Attendees:

• John Moehrke john.moehrke@med.ge.com
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Joshua Mandel Joshua.Mandel@childrens.harvard.edu
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Peter Jordan pkjordon@xtra.co.nz
• Yunwei Wang ywang@imo-online.com
• Amlan Dasgupta amlan@epic.com
• Steve Baumann steve.baumann@mckesson.com
• Kathleen Connor Kathleen.connor@comcast.net
• Chuck Gerlach chuck.gerlach@mckesson.com
• Kevin Shekleton kshekleton@cerner.com
• Chris Greni chris.greni@analysts.com

Notes: Comment resolution.

Wednesday Q4

Attendees:

• John Moehrke john.moehrke@med.ge.com
• Alexander Mense alexander.mense@hl7.at
• Princess Trish Williams trish.williams@ecu.edu.au
• Duane DeCouteau ddecouteau@edmondsci.com
• Hideyuki Miyohara miyohara.hideyuki@ap.mitsubishi-electric.co.jp
• Suzanne Gonzales-Webb suzanne.gonzales-webb@va.gov

Agenda

• Discussion - Privacy Protection for the Internet of Things
• HEART, emerging vocabularies
• Approval of Three-Year Plan. Proposed John Moerhke, Seconded Alex Mense. Approved unanimously.

Notes:

Participants present did not have information on the Agenda items

Duane -- How can we work toward better security testing at FHIR Connectathon

• John - Following the agreement from EHR Q1 today. We focus on helping DAF, SDC, and a new Document Sharing project to integrate security into their testing plans. They already include the security parts, they just don't have testing.
  • Request has been sent to Lloyd (SDC), Dragon (DAF), and John (DS)
• Discussed possible phasing, as requiring full implementation in one shot would not be good. So we bring this in in phases so that the community accept and implement it.
• First phase -- AuditEvent recording - Focus on testing that actors in those IGs produce the appropriate AuditEvent. This can be tested at the audit service
• Second phase -- Provenance is recorded - on all items created or updated
• Third phase -- automatic security labeling (e.g. declared policy that causes labeling that causes good spectrium of lables. for example label all observations that have a code with a "d" in the display name as "Restricted". This is not a useful policy except it is computable and produces a testable result. If systems can do this, they likely can do expected realistic policies).
• Fourth phase -- require authentication sent with all requests (contingent on having a model)
• Fifth phase -- support for patient Authorization (Privacy Consent Directive)
• Sixth phase -- privacy protecting services (e.g. redacting based on security labels and consent policy)
• Seventh phase -- attribute based access control (ABAC) across the full lifecycle (IG)

Thursday Q1

Hosting FHIR

Attendees

• MANY people present... Paper sent around, I didn't get it back...
• John Moehrke
• Mike Davis
• Suzanne
• Kathleen
• Alex
• Grahame
• Josh
• ???

Intended agenda

• Given CBCC didn't have a joint with FHIR, Security offered our second joint with FHIR
• Although this was agreed to, there was concern raised
• No decisions were made due to this concern.
• CBCC will request a Joint with FHIR at next WGM
• But CBCC likely will not be present at next WGM due to travel restrictions all co-chairs are under

Notes:

• Discussion recorded in gForge
• Overview of Privacy Consent Directive
• Current IG http://hl7-fhir.github.io/pcd/pcd.html
• Discussion around the inclusion of the word "Directive".
  • This is the word used in the legal space
  • This is the word used in the CDA Privacy Consent Directive work
  • Keep the title as is.
• Grahame asked that we walk through an example
  • Discussion on various parts. No decisions made
  • Observed that there is a lack of vocabulary,
  • Kathleen points out that there is vocabulary available.

Thursday Q2

All agenda items have been closed, so no meeting held.