This wiki has undergone a migration to Confluence found Here
HL7 FHIR Security 2017-11-28
Revision as of 23:00, 28 November 2017 by JohnMoehrke (talk | contribs)
Call Logistics
Weekly: Tuesday at 05:00 EST (2 PM PST)
Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 Online Meeting ID: security36 Phone: +1 515-604-9567, Participant Code: 880898 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes
Back to HL7 FHIR security topics
Attendees
Member Name | Member Name | Member Name | ||||||
---|---|---|---|---|---|---|---|---|
x | John Moehrke Security Co-Chair | x | Kathleen Connor Security Co-Chair | . | Alexander Mense Security Co-chair | |||
. | Suzanne Gonzales-Webb CBCC Co-Chair | . | Johnathan Coleman CBCC Co-Chair | . | Mike Davis | |||
. | Reed Gelzer RM-ES Lead | . | Glen Marshal | x | Joe Lamy AEGIS | |||
. | Diana Proud-Madruga | . | Rob Horn | . | Beth Pumo | |||
. | Irina Connelly | . | Mario Hyland AEGIS [1] | . | Firstname Lastname |
Agenda
- Roll;
- approval of agenda
- approval of the HL7 FHIR Security 2017-11-21, HL7 FHIR Security 2017-11-14, HL7 FHIR Security 2017-11-07, HL7 FHIR Security 2017-10-10, and HL7 FHIR Security 2017-10-03 Minutes
- All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- Is our current break-glass a proper thing for us to have said? Specifically it says that the indication of broken-glass is to place a tag into the http header
- See http://build.fhir.org/security-labels.html#break-the-glass
- Note that it also defines an example magic URI (Rather than using ETREAT)
- Word is there is ONC interest in Provenance use at connectathon
- Can we provide a Provenance pattern that would be added by a FHIR Server that has done a validation against StructureDefinitions and added tags of compliance to Resources?
- Discussion on chat around PurposeOfUse and how it should be conveyed. https://chat.fhir.org/#narrow/stream/implementers/topic/GDPR.20PurposeOfUse
- Plan resolution of CR (see below)
- SMART engagement
- reminder that we plan to ballot the SMART on FHIR App Launch Protocol in the upcoming cycle (voting in August, with reconciliation to begin at the September WGm). The content we intend to ballot has been prepared (and is being refined) at https://github.com/smart-on-fhir/smart-on-fhir.github.io/tree/into-hl7 and our list of open issues during this refinement period is at https://github.com/smart-on-fhir/smart-on-fhir.github.io/issues (Josh).
- Setting up Test Plans for Security / Privacy topic
- Connectathon scenario -- Pattern that shows how Provenance, AuditEvent, Consent, security-labels, and other can be overlaid on <any> other connectathon scenario
- TestScript resource based tests
- AuditEvent tests for well understood audit log
- Provenance tests for well understood provenance use
- Test bench?
- some automated environment that people can use to test their: ( a ) client, ( b ) server, or other? Can this be done?
- New business?
Future Block
- 12941 Security+Role+vocabulary+should+include+ISO+21298 (John Moehrke) Persuasive
- 13571 AuditEvent.entity.identifier+vs+resource+vs+URI+-+explain+why+each+should+be+used (John Moehrke) Not Persuasive
- 13570 Provenance+-+clarify+when+Provenance.entity.whatUri+and+whatIdentifier+are+to+be+used (John Moehrke) Persuasive with Mod
Current backlog
- 9167 AuditEvent+needs+to+make+more+obvious+how+to+record+a+break-glass+event (John Moehrke)
- 10343 Three+additional+Signature.type+codes (Kathleen Connor)
- 10580 How+should+test+data+be+identified%3F (John Moehrke)
- 12462 Security%2FPrivacy+Module+page+should+explain+W5+realty+that+provenance+elements+in+other+resources+vs+use+of+Provenance+as+a+resource (John Moehrke)
- 12463 explain+relationship+between+Provenance+and+AuditEvent.+ (John Moehrke)
- 10579 New+Security+and+Privacy+%22Module%22+page+needs+content (John Moehrke)
- 11071 Improve+security+label+guidance+-+2016-09+core+%2390 (Kathleen Connor)
- 12660 HCS+use+clarification (John Moehrke)
- 13011 The+value+set+for+security-role-type+is+broken+for+Provenance (Lloyd McKenzie)
- 13013 Valueset+for+Provenance.activity+is+broken (Lloyd McKenzie)
- 13014 Provenance.agent.relatedAgentType+doesn%27t+make+sense (Lloyd McKenzie)
- 13822 S%26P+outlline+when+a+user+includes+query+parameters+they+don%27t+have+access+to++policy+issue (John Moehrke)
- 13841 Align+AuditEvent+with+Event+pattern (John Moehrke)
- 13842 Align+Provenance+with+new+Event+pattern (John Moehrke)
- 14027 enhance+current+disclosure+AuditEvent+so+that+it+explains+what+is+being+recorded+and+why (John Moehrke)
- 14028 Explain+how+one+might+use+AuditEvent+to+inform+an+Accounting+of+Disclosures (Kathleen Connor)
- 14175 Signature datatype should support signature blobs per FHIR mime-type (John Moehrke)
Minutes
- John chaired
- approval of agenda - Kathleen Connor/Joe Lamy: 2-0-0
- approval of the HL7 FHIR Security 2017-11-21, HL7 FHIR Security 2017-11-14, HL7 FHIR Security 2017-11-07, HL7 FHIR Security 2017-10-10, and HL7 FHIR Security 2017-10-03 Minutes
- Motion to approve all of these minutes: Kathleen Connor/Joe Lamy: 2-0-0
- Discussed Event Pattern
- 13841 Align+AuditEvent+with+Event+pattern (John Moehrke)
- 13842 Align+Provenance+with+new+Event+pattern (John Moehrke)
- event.performer vs .agent
- Seems performer is an acceptable element name. Do need to keep description we have as it is specialized for Provenance and AuditEvent
- Action: John to apply event pattern and get error report from Lloyd