January 9, 2018 Security Conference Call
Attendees
| Present | Member Name | Present | Member Name | Present | Member Name | Present | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Christopher Shawn, Security Co-chair | x | Suzanne Gonzales-Webb | x | Mike Davis | x | David Staggs |
| x | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Greg Linden |
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | . | Jim Kretz | . | Gary Dickinson | x | Dave Silver |
| . | Oliver Lawless | . | Lisa Nelson | . | David Tao | . | Nathan Botts |
| . | Francisco Jauregui | | | | | | |
Agenda
- (2 min) Roll Call, Agenda Approval
- (3 min) Review and Approval of December 19, 2017 minutes
- (10 min) TF4FA and Domain Modeling update- Mike Davis
- (5 min) ONC Draft Trusted Exchange Framework and Common Agreement (TEFCA) released. Please review and help the WG prepare PAC comments. - Kathleen
- (10 min) Update on Consumer Centered Data Exchange Connectathon track - Kathleen and Mohammad
- (5 min) PSAF call report out - Chris Shawn
- (5 min) Is Privacy Obsolete? The Study Group wiki page has the "Is Privacy Obsolete?" listserv link. Update on project - Mike Davis
- (3 min) Security Jan 2018 WG Health is excellent!
- (5 min) Draft New Orleans Security WGM Agenda
- (1 min) FHIR Security update Call cancelled - John Moehrke
Meeting Minutes (DRAFT)
Christopher Shawn chair
Roll taken
December 19, 2017 minutes reviewed and approved (moved Kathleen / seconded Alex): 9-0-0
Security and Privacy DAM - Mike
- Report out
- Still planning to go ahead with the May ballot
TF4FA
- Chapter 2 (trust framework / behavior model) is being updated
- Will also be balloting the DAM, on which work is starting
- Plan to ballot chapter 3 (audit: provenance, smart contracts, blockchain) as an informative standard
- iEHR security working group: vocabulary harmonization information (regarding provenance, audit) to go in there if possible
Presentation given on where we are with the Domain Model itself (HL7 Healthcare Domain Model) - Mike
- A DRAFT is circulating; the PPT gives a high-level view that incorporates the ideas
- Examples
- Discussion on the vocabulary
Slide deck highlights
- Normal Domain - privacy metadata indicating that the information is typical, non-stigmatizing health information which presents a typical risk of harm if disclosed without authorization
- Restricted Domain - privacy metadata indicating highly sensitive, potentially stigmatizing information which presents a high risk to the information subject if disclosed without authorization
- May have policies associated with the domain
- Intended to be clear; at the bottom of the slide is a representative description of this type of domain
- Very Restricted Domain - privacy metadata indicating extremely sensitive, likely stigmatizing information which presents a very high risk if disclosed without authorization
- Each domain is representative of a class of domains and has a single confidentiality code associated with it
- Multi-domain information object
- A problem list is more likely a multi-domain object than a single-domain instance; it is no longer a simple domain but contains several domain objects
Starting from the simplest possible domain: to reach each of the classifications there is a series of steps in which data is given a category and a classification.
Definitions: already in trust framework
Poster format available for Domain Model
TEFCA - Kathleen: DRAFT Trusted Exchange Framework and Common Agreement
- ONC is requesting comments
- Please take a look; it is very important to security work
- Included on the page is a quick-start
- Building off the MU data comments
- First part: governance
- Second part: rules of the road; note that consent and privacy are not mentioned (same as in xx, except in the context of research)
- Section 6 also has information on identity proofing
- VERY SHORT TURNAROUND for comments
- This is an opportunity to advance our "privacy with protections" idea; it's not clear
FHIR Consumer Centered Data Exchange - Kathleen
- Slide deck: https://gforge.hl7.org/gf/project/security/docman/Security%20FHIR/FHIR%20Security%20Connectathon/HL7%20FHIR%20Consumer%20Centered%20Data%20Exchange%20Privacy%20Preserving%20On%20Behalf%20On%20Right%20of%20Access%20v6.pdf
- Interest in leveraging the MiHIN eConsent Portal
- Aaron Seib (lead) also has other scenarios with other folks, including interactions with EHRs
- Consumer Centric Choice: one-stop app shopping
- Solving the multiple-portal problem with privacy-preserving OAuth
- Granular choice
- "Alice Recruit" is being used as the persona
- Her issues include PTSD-related mental health conditions, among others
- Privacy Preserving Right of Access - Alice's Preferences (description of approach given); opportunities to show granular consent during the
- Variation on the Sync for Science architecture
- Privacy Preserving OAuth Right of Access - Alice's Preferences
PSAF Call - Report Out
- Spent the call doing reconciliation of Bernd Blobel's comments
- Hoping to complete at next week's call
Privacy Obsolete - Study Group
- Mike will be presenting the study group information at the Q3/Q4 joint meeting face-to-face
- This is a global approach: US, Japan, Australia, UK, EU, China
- How to get to conclusions; looking at law and recent changes
- law
- USA Freedom Act (built in expiration date of 2020?)
- privacy breaches
- standards activities - types
- including SC27
- enforcement activities
- governmental organizations, US, ONC, etc.
- Facebook, google, big data impacts
- law
- several links on "privacy is dead"
DRAFT - Judge Sonia Sotomayor: in the US, the law is not keeping up with the technology
No call for FHIR Security this afternoon
Meeting adjourned at 1404 Arizona time