July 11, 2017 Security Conference Call
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name
---|---|---|---|---|---|---|---
. | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari
x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney
. | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver
x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan
. | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts
Agenda
- (2 min) Roll Call, Agenda Approval
- (4 min) Review and Approval of Security WG Call Minutes June 20, 2017
- (20 min) July Harmonization Final Proposals Submitted - Kathleen
- (10 min) Review News and Reminders - See below.
- (5 min) FHIR Security call this week
News and Reminders
- FHIR Security Block Vote today - John has sent out reminders to the list a couple of times. Please review, attend, and vote, or send John your vote on the block.
- Direct Trust, and FHIR: A Value Proposition. This paper is short with great insights – it explains why SMART on FHIR alone is not adequate as a FHIR trust framework, and describes how DirectTrust trust anchor bundles and its PKI trust authority could be used to provide that capability.
- Excerpt - Using Direct Trust Certificates with the FHIR RESTful API
As discussed above, the FHIR API itself specifies no particular security arrangement. The focus of the existing implementation work on SMART-on-FHIR is around authorization mediated by a human as part of the interaction (C2B context). In this context, the authentication of the user is delegated to the authorizing server. The existing work in the FHIR eco-system does not deal with establishing trust between systems. To authenticate system-to-system communication, some trust framework will be needed – either point-to-point agreement about certificates and other security tokens, or some mediated trust community will need to provide a framework in which these are managed.
- The DirectTrust community could serve this role – this would enable the 94,000+ existing DirectTrust enabled institutions and 1.5 million identity proofed addressees at those institutions to allow connections between each other without the need for point-to-point agreements. Such an arrangement would also potentially save the FHIR community from the financial requirement to build a new trust framework by using one already proven to scale high identity assurance.
Enabling this requires both technical and policy agreements. A separate specification, “Using Direct Trust Certificates with the RESTful API” (still under development), describes how appropriate DirectTrust certificates can be acquired and used to secure RESTful APIs, and lays out a basic policy framework to allow any DirectTrust participant to automatically accept and process requests for data from any other participant.
- Harmonization Proposal Submission e-Vote results: Based on the number of participants at the June 27th call, which was 10, the number of e-votes needed for approval = 4 or more. Per Security WG DMP, the email vote was open for one week from June 29th through July 6th. I received 7 affirmative votes from Trish Williams, Jim Kretz, Ken Salyards, David Pyke, Johnathan Coleman, Mike Davis, and Chris Shawn. Proposals submitted were: Add Competency ActReason Code; Add Five Security Compartment Label Codes; and Add Purpose of Use codes. The Harmonization meeting is scheduled for July 11-12, each day at Noon Eastern Time (12:00 PM). GoToMeeting: https://global.gotomeeting.com/join/204365989, Meeting ID: 204365989, Audio Line: 1-770-657-9270, passcode 598745#
- ONC 21st Century Cures Act Trusted Exchange Framework and Common Agreement Kick-Off Meeting June 24, 2017. As part of the July 24, 2017 meeting, ONC will share the results of a recent analysis of existing frameworks that support the interoperable flow of health information across disparate networks and supportive principles related to enabling trusted exchange nationally. The meeting also will provide an opportunity for stakeholders to comment on existing national trust infrastructures used to exchange health information electronically and on electronic data sharing best practices.
- RSVP for Webmeeting to maxwell.souder@hhs.gov