October 24, 2017 Security Conference Call
Attendees (x marks attendance)

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | . | David Staggs | x | Christopher Shawn |
| . | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| . | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney |
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Evelyn Gallegos |
Agenda
- (3 min) Roll call, agenda approval
- (5 min) Review and approval of October 17, 2017 minutes
- (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserv link. Update on project: Mike Davis and Chris Shawn
- (10 min) Updates on the PSAF project: Mike Davis and Chris Shawn
- (10 min) IPO? Enforcing Sharing with Protections via Minimum Necessary per POU: Kathleen Connor
- Care Team Provisioning for LHS.pptx (Care Team ABAC Provisioning)
- Care Team ABAC Provisioning Table Example
- Healthcare Team Model Glossary
- (20 min) FHIR Accounting of Disclosure profile on the AuditEvent Resource, continuing the work effort: John Moehrke
- (2 min) FHIR Security call later? John Moehrke
Privacy
- Information has been received on "Is Privacy Obsolete?"
- Wiki page initiated, not yet updated
- In data collection mode; folks on the call have been sending items
- A study group has started in ISO around a similar type of effort; they are not very far along
- Perhaps we should reach out and see if we can obtain a liaison
- Ann Kevorkian contact; Mike will add her to the listserv
- Ann is very well known in Privacy by Design (PbD) and has a WG in OASIS (not very active)
- She responded initially, vehemently: privacy is not dead, but it is being attacked
- Let her know that this project is international in scope; the EU is doing well, but there are other activities
- There is a difference in how security talks about privacy
- If all your privacy is released (disclosure of private information), "it's a security problem"
- You cannot have privacy unless security is supporting it
- The inconsistency should be noted and discussed
- IoT may also have been in that box (Mike is working with NIST on IoT); they have 800-53 and have come closer than they have before, but there is still a separation of security and privacy
- We are using security services (access control services) to control and protect privacy
We still need a project scope statement or white paper; our Steering Division (SD) wants a PSS to cover this task
- In the PMRM call they brought up the "privacy is dead" conversation; they see themselves as managing the xx of privacy; the GDPR qualifying for
- John Sabo is also bringing up ISO/IEC JTC 1 SC 27 WG 5 in Berlin: why aren't there more references to HL7 in this work? There are no good lists; a list is available to ISO members (David can give it to Mike)
- NIST SP 800-53
- Kathleen found an article: going forward, what we need to be talking about is not protection but mechanisms for accountability, i.e. tracking privacy. Mike is enthusiastic about this approach in relation to the Security Labeling Service (SLS), clearances for accessing the information, and accountability. If meaningful, it would be more like the GDPR, where fines are involved for breach of trust.
PSAF: balloting of the updated Federated Authorization and an update to the Security and Privacy DAM to fill some of the gaps found in the Trust Framework; also a FHIR trust contract model which could be used to negotiate across enterprises or an HIE, to identify POU, etc., where they have a patient consent. Those three things will be added as part of the deliverables.
Evelyn Gallegos: Care Team Provisioning for LHS on the Care Team side, provisioning for enterprises (16:32)
- Working with CDC (?) to develop a model
- Where the client is consenting to a program for a certain
- David will follow up on LHS
- Care Team and Specially Authorized Access PPT <<add link>>
- Enabling Patient Trusted Care Teams
- Spheres of Teamness and Privacy Protective Information Sharing
- Special compartmented information (SCI): the idea goes beyond a clearance level (e.g. Top Secret); you have to have a need-to-know and be read into the program, be briefed on the program, etc., and after you're done you need to be out-briefed from the program as well
- In the DoD context SCI is highly controlled: access only on special computers in a special environment. For healthcare, I don't believe we are going to that level
- An organizational construct where access is based on your compartment bucket rather than labeling each item individually; you name everything in the bucket as that, e.g. if it's the pharmacy, pharmacy-access only
- understanding spheres of Teamness and Privacy Protective sharing
- Care Team Structural Roles - examples
- Example of Spheres and Associated Teams
- Care Team Models --> clinician need to know and sharing with protections
- Care Team Type Definitions
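The compartment discussion above (clearance alone is not enough; a subject must also be briefed into the compartment that labels the data, loses access when out-briefed, and may only use it for a permitted purpose of use) is easy to get wrong in an ABAC policy. The following is an added illustration, not code from the HL7 Security WG or any of the referenced presentations. The level names, the PHARMACY compartment, the subject names and the purpose-of-use strings are hypothetical; the level comparison is the usual "clearance dominates label" rule from Bell-LaPadula, which HL7's Security Labeling Service work also relies on.

```python
"""Compartment-aware ABAC check (added example, hypothetical names throughout).

Three conditions must all hold for a read:
  1. the subject's clearance dominates the data's confidentiality level,
  2. the subject is currently briefed into every compartment on the data,
  3. the requested purpose of use is one the label permits.
"""
from dataclasses import dataclass, field

# Hypothetical ordered confidentiality levels; any total order works.
LEVELS = {"LOW": 0, "MODERATE": 1, "NORMAL": 2, "RESTRICTED": 3, "VERY_RESTRICTED": 4}


@dataclass(frozen=True)
class Label:
    """Security label on a record: level, compartments, permitted purposes."""
    level: str
    compartments: frozenset = frozenset()
    purposes: frozenset = frozenset({"TREAT"})


@dataclass
class Subject:
    """Subject attributes: clearance plus the compartments currently read into."""
    name: str
    clearance: str
    briefed: set = field(default_factory=set)

    def brief(self, compartment: str) -> None:
        """Read the subject into a compartment (the 'briefing' step)."""
        self.briefed.add(compartment)

    def outbrief(self, compartment: str) -> None:
        """Remove the subject from a compartment (the 'out-briefing' step)."""
        self.briefed.discard(compartment)


def decide(subject: Subject, label: Label, purpose: str) -> tuple:
    """Return (permit, reason). The reason is what an audit record would carry."""
    if LEVELS[subject.clearance] < LEVELS[label.level]:
        return False, f"clearance {subject.clearance} below {label.level}"
    missing = label.compartments - subject.briefed
    if missing:
        return False, "not briefed into " + ",".join(sorted(missing))
    if purpose not in label.purposes:
        return False, f"purpose {purpose} not permitted"
    return True, "permit"


def demo() -> dict:
    """Constructed scenario: a pharmacy-compartment note and two subjects."""
    pharmacy_note = Label("RESTRICTED", frozenset({"PHARMACY"}), frozenset({"TREAT"}))
    chief = Subject("chief medical officer", "VERY_RESTRICTED")   # high clearance, no compartment
    pharmacist = Subject("pharmacist", "RESTRICTED")              # right level, not yet briefed
    out = {}
    out["chief_no_compartment"] = decide(chief, pharmacy_note, "TREAT")[0]
    out["pharmacist_before_brief"] = decide(pharmacist, pharmacy_note, "TREAT")[0]
    pharmacist.brief("PHARMACY")
    out["pharmacist_after_brief"] = decide(pharmacist, pharmacy_note, "TREAT")[0]
    out["pharmacist_wrong_purpose"] = decide(pharmacist, pharmacy_note, "HMARKT")[0]
    pharmacist.outbrief("PHARMACY")
    out["pharmacist_after_outbrief"] = decide(pharmacist, pharmacy_note, "TREAT")[0]
    return out


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case}: {'permit' if permitted else 'deny'}")
```

The point the scenario makes is the one from the minutes: the chief medical officer, despite outranking the label's level, is denied because a compartment is a need-to-know bucket, not a higher rung on the clearance ladder; the pharmacist is permitted only while briefed in, and only for a permitted purpose of use. Returning the reason alongside the decision is what lets the access decision feed an accountability record rather than a bare allow/deny.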