HL7 FHIR Security 2017-12-05
Revision as of 20:27, 5 December 2017 by JohnMoehrke
Call Logistics
Weekly: Tuesday at 05:00 EST (2 PM PST)
Web conference desktop and VOIP: https://www.freeconferencecall.com/join/security36
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes.
Attendees
| | Member Name | | Member Name | | Member Name |
|---|---|---|---|---|---|
| x | John Moehrke, Security Co-Chair | x | Kathleen Connor, Security Co-Chair | . | Alexander Mense, Security Co-Chair |
| . | Suzanne Gonzales-Webb, CBCC Co-Chair | . | Johnathan Coleman, CBCC Co-Chair | . | Mike Davis |
| . | Reed Gelzer, RM-ES Lead | . | Glen Marshal | x | Joe Lamy, AEGIS |
| . | Diana Proud-Madruga | . | Rob Horn | . | Beth Pumo |
| . | Irina Connelly | . | Mario Hyland, AEGIS | . | |
Agenda
- Roll
- approval of agenda
- approval of the HL7 FHIR Security 2017-11-28 Minutes
- All open security items: http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
- Given the Dec-Jan informative ballot deadline for substantive changes:
- Review and approve those that would affect structure
Other business:
- Is our current break-glass a proper thing for us to have said? Specifically, it says that the indication of broken-glass is to place a tag into the HTTP header.
- See http://build.fhir.org/security-labels.html#break-the-glass
- Note that it also defines an example magic URI (rather than using ETREAT)
- Word is there is ONC interest in Provenance use at connectathon
- Can we provide a Provenance pattern that would be added by a FHIR Server that has done a validation against StructureDefinitions and added tags of compliance to Resources?
- Discussion on chat around PurposeOfUse and how it should be conveyed. https://chat.fhir.org/#narrow/stream/implementers/topic/GDPR.20PurposeOfUse
- Plan resolution of CR (see below)
- SMART engagement
- Reminder that we plan to ballot the SMART on FHIR App Launch Protocol in the upcoming cycle (voting in August, with reconciliation to begin at the September WGM). The content we intend to ballot has been prepared (and is being refined) at https://github.com/smart-on-fhir/smart-on-fhir.github.io/tree/into-hl7 and our list of open issues during this refinement period is at https://github.com/smart-on-fhir/smart-on-fhir.github.io/issues (Josh).
- Setting up Test Plans for Security / Privacy topic
- Connectathon scenario: a pattern that shows how Provenance, AuditEvent, Consent, security-labels, and others can be overlaid on <any> other connectathon scenario
- TestScript resource based tests
- AuditEvent tests for well understood audit log
- Provenance tests for well understood provenance use
- Test bench?
- Some automated environment that people can use to test their: (a) client, (b) server, or other? Can this be done?
- Discussed Event Pattern
- 13841 Align AuditEvent with Event pattern (John Moehrke)
- 13842 Align Provenance with new Event pattern (John Moehrke)
- event.performer vs .agent
- Seems performer is an acceptable element name. Do need to keep the description we have, as it is specialized for Provenance and AuditEvent.
- Action: John to apply event pattern and get error report from Lloyd
- New business?
Future Block
- 12941 Security Role vocabulary should include ISO 21298 (John Moehrke) - Persuasive
- 13571 AuditEvent.entity.identifier vs resource vs URI - explain why each should be used (John Moehrke) - Not Persuasive
- 13570 Provenance - clarify when Provenance.entity.whatUri and whatIdentifier are to be used (John Moehrke) - Persuasive with Mod
- 14175 Signature datatype should support signature blobs per FHIR mime-type (John Moehrke)
- 14193 signature description
Current backlog
- 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke)
- 10343 Three additional Signature.type codes (Kathleen Connor)
- 10580 How should test data be identified? (John Moehrke)
- 12462 Security/Privacy Module page should explain W5 realty that provenance elements in other resources vs use of Provenance as a resource (John Moehrke)
- 12463 explain relationship between Provenance and AuditEvent. (John Moehrke)
- 10579 New Security and Privacy "Module" page needs content (John Moehrke)
- 11071 Improve security label guidance - 2016-09 core #90 (Kathleen Connor)
- 12660 HCS use clarification (John Moehrke)
- 13011 The value set for security-role-type is broken for Provenance (Lloyd McKenzie)
- 13013 Valueset for Provenance.activity is broken (Lloyd McKenzie)
- 13014 Provenance.agent.relatedAgentType doesn't make sense (Lloyd McKenzie)
- 13822 S&P outlline when a user includes query parameters they don't have access to policy issue (John Moehrke)
- 13841 Align AuditEvent with Event pattern (John Moehrke)
- 13842 Align Provenance with new Event pattern (John Moehrke)
- 14027 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke)
- 14028 Explain how one might use AuditEvent to inform an Accounting of Disclosures (Kathleen Connor)
Minutes
- John chaired