
March 6, 2012 Security Working Group Conference Call


Security Working Group Meeting


Attendees


Agenda

  1. (05 min) Roll Call, Approve Minutes & Accept Agenda
  2. (15 min) Cochair Discussion
  3. (02 min) Security WG_DMP - Bill Braithwaite
  4. (15 min) Role of HL7 Security and Privacy Ontology in HL7 Artifacts - Kathleen Connor
  5. (15 min) Mobile Devices Security and Privacy Registration link. ONC upcoming event (f2f or web) on March 16: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__mobile_devices_roundtable/3815#registration
  6. (5 min) Other Business

Minutes

  • Mike Davis, presiding cochair


Roll Call, Approve Minutes & Accept Agenda

Mike asked for review and approval of the February 28th Minutes. Suzanne moved to approve; Trish seconded. Bill abstained. Minutes approved 3-1-0.


Cochair Discussion

Mike led the Cochair Discussion: Security WG missed the deadline for requesting a fourth cochair. Mike said that the current cochairs decided it would be best to wait until the Vancouver WGM. The possibility of announcing interested candidates prior to the Vancouver meeting was discussed. Mike will investigate approaches for nominating or appointing interim cochairs, either by having the cochairs appoint an interim cochair or by waiting until the WGM. Kathleen noted that she had previously nominated Trish Williams at the last WGM. Trish indicated her great interest in running for the fourth cochair position.


Role of HL7 Security and Privacy Ontology in HL7 Artifacts - Kathleen Connor

PPT: Role of the HL7 Security and Privacy Ontology in HL7 Artifacts

Background: The notion of the ontology itself came out a few years ago, and SOA also came out with the view that the ontology would be useful as a further dimension to an information model. Bernd was instrumental in pulling this together. It would be considered an artifact under SAEF; it is an extension of an IM, and the code sets that define them (the classes) become artifacts in an ontology where the relationships are placed in some hierarchical way. Our goal was to meet a demand from industry. OASIS was investigating whether or not an ontology would be useful in making access control decisions, as they were having problems instantiating roles in a very complicated way in a rule engine. If you had an ontology as part of the decision process, the hierarchy of importance of things would be known, i.e. in RBAC you can have permission for orders in general, and an ontology can help decide whether you can make a decision by guiding it.

The second important part is to move it over to SNOMED CT, with no maintenance here in HL7. In creating and balloting it, we want to move away from a DSTU approach and go to a normative approach in order to take it over to SNOMED CT, rather than use the typical HL7 vocab process. We have some experience with that, since the RBAC vocabulary is not tied to the RIM but is conformant to ANSI-INCITs standards 359-. Most recently, we went back to the steering division because we are not able to meet the May ballot date, changing the scope statement to an informative ballot in May and then to a normative ballot after that. The steering division asked if we can go normative or not…

Kathleen presentation:

We had an issue in the area of RBAC: the NwHIN exchange folk specified roles from SNOMED CT, but clearly it is not the intent for the SNOMED CT items to be used for RBAC. It was convenient to do so (they had a number associated with them, etc.), but it was an inappropriate choice. At the time SNOMED CT was not a security standard. The ontology of the roles picked out was clinical, not related to security. In an attempt to fix this, we went to ASTM, which has a standard, E1986, that had a table for which RBAC roles are oriented, and added a mapping to the SNOMED CT codes, added an OID, and enumerated them for use by groups needed by real world standards. E1986 has healthcare specific roles beyond those for which they can find a matching term in SNOMED CT. This will fix the problem long term by creating a sub-ontology which is security and privacy oriented in nature. If it's normative under HL7, other SDOs are looking at it for truth, relationship; it makes a good basis for argument for making ontologies without a (vocabulary basis?)

Other Business

Note: Difficulties with meeting link

Action Items
