Security Working Group Meeting

Attendees

Roll Call, Approve Minutes & Accept Agenda

Draft Work Plan - Security and Privacy Ontology

Please follow link:

HL7 EHRS FM Action--Verb Hierarchy

The attached HL7 EHR-S FM Action Verb hierarchy should be reviewed by Security and CBCC WGs.
- They do not map to the Security Operations (CRUDE or the data operations code system).
- They do not appear to align with the Security and Privacy Ontology.
Below are examples of potential issues:
- Why would encrypt/decrypt be under the category of “Store” when those could be required for use and exchange as well.
- The definition of TAG is “To UPDATE data by marking it for special use. For example, a nurse may TAG the previous week’s records for patients that presented with a severe cough and fever.” This might be useful for tagging for sensitivity, but needs to be thought through – why isn’t the data “tagged” when created rather than as an “update”?
- RENDER and EXTRACT may be a “Disclosure” but that’s not differentiated.
- AUDIT (revised) To TRACK system-initiated or user-initiated activities by analyzing logs based on policies or rules. For example, the system may automatically AUDIT the daily log for multiple-failed-logon-attempts. Another example is that an administrator may AUDIT the excessive use of extraordinary (i.e., “break-the-glass”) access to certain patient information in the Emergency Department. John already suggested that there should be a more general Event logging – and that Audit should be a specialization.

Item3