September 25, 2012 Security Working Group Conference Call
Security Working Group Meeting
Attendees
- Bill Braithwaite
- Kathleen Connor
- Mike Davis, Security Cochair
- Suzanne Gonzales-Webb, CBCC Cochair
- John Moehrke, Security Cochair
- Trish Williams, Security Cochair
Agenda
- (10 min) Roll Call, Approve Sept 4, 2012 Security Working Group Conference Call Minutes & Accept Agenda
- (20 min) September WGM Debrief – Accomplished and Outstanding Action Items – Presiding Cochair
- (20 min) Proposed Confidentiality Code Definition Changes - Kathleen
- (10 min) Other Business, Agenda for Next call, Action Items, and Wrap Up – including 3 Year Plan
Minutes
- RE: Approval of Minutes and Agenda – Presiding Cochair Mike Davis asked for approval of the minutes and agenda. Kathleen requested the deferral of discussion on the proposed changes to the ConfidentialityCode definition agenda item. Kathleen moved; Suzanne seconded. Minutes and amended agenda approved (0-0-4).
- RE: September WGM Debrief – Accomplished and Outstanding Action Items: Mike gave highlights of the WGM including:
- Healthcare Classification System (HCS) for comment ballot did not pass as expected. WG will focus on HCS core fundamentals and consult additional classification standards such as RFC 2634 ESS Security Labels specification; ISO/IEC 15816:2002 (E) A.3.4.3 SECURITY LABELS (identical to ITU X.841); and FIPS 188, Standard Security Label for Information Transfer. The resulting work will inform the ballot reconciliation of comments on the first draft. Mike plans on presenting the new work to the ONC DS4P project in early October.
- Bill Braithwaite presented on Levels of Assurance to inform the Security WG on requirements that would need to be met by contemplated additions to the HL7 Vocabulary for Integrity in support of the Security and Privacy DAM's various integrity attributes. He will provide the presentation for posting in the HL7 Security Wiki Document Library.
- Security WG Joints with EHR FM and SOA WGs resulted in good communications about areas of shared interest and follow-on activities to further:
- EHR FM Action Verb Glossary alignment with Security Standards definitions, including HL7 Data Operations code system, for EHR functions involving Security Operations
- Collaboration of key SOA SME with Security WG on development of the HL7 Security Service Oriented Architecture and Healthcare Classification System standards.
- Kevin Coonan proposed that the Security WG support his RIM Harmonization proposal to revert the cardinality of the Act.confidentialityCode attribute to [0..*], based on the argument that the RIM attributes should be totally flexible and that the Security WG should develop a DMIM instructing standards developers about how to constrain in order to avoid unintended consequences. Kevin’s requirements are to support tuples of pre/post coordinated privacy and security concepts much like those used to create security labels.
Mike suggested that the Security WG may need to revisit this decision based on discussions with Modeling and Methodology WG on whether this proposal will address key Security standard requirements for access control and security labeling, or whether there is a better alternative based on suggestions from Woody Beeler, MnM cochair, given emerging understanding on the use of Security Labels for HCS.
- Woody Beeler presented on “isDocumentCharacteristic” RIM attribute property and its impact on how Confidentiality Codes are used on Acts and Roles.
The key takeaway is that the underlying purpose is to prevent negation of an attribute set to “isDocumentCharacteristic”=True. I.e., if a clinical observation such as a lab result for HIV has a “Restricted” confidentiality code, setting the Act.actionNegationInd to say that the lab result did not indicate HIV would not change the lab result's confidentiality level to “not Restricted”. This is in keeping with the Security WG requirement that the lab result for a sensitive condition (HIV) should remain confidential whether the results are positive or negative for the sensitive condition.
- John reported on the outcome of the WGM Wednesday Q3-4 Security Educational Session, which was well received by participants. He provided the HL7 Security WG wiki link where the Security and Privacy Tutorial presentations are available. John noted that this page has been accessed over 40 times, indicating continued interest in the tutorial.
- Mike reported that the Security and CBCC WGs jointly conducted the VA/SAMHSA DS4P pilot demonstration. The demonstrations were presented in two sessions, one of which was open to the general public. The demonstration was also run continuously at a kiosk in the main meeting area, and the public was also able to attend these.
The demonstration successfully passed the DS4P Implementation Guide Conformance Tests as reported by ONC on the VA/SAMHSA pilot brief wiki page, which also includes links to a Vimeo recording of VA/SAMHSA Pilot Presentation Review at DS4P All Hands Meeting 09/26/2012. Mike noted that a number of the ONC DS4P project staff as well as the National Privacy Officer, Joy Pritts, attended demo sessions. In addition, the demo received national press coverage including the Joe Conn interview in Modern Healthcare; Government Health IT VA, SAMHSA Test Exchange of Tagged Substance Abuse Data. HHS Says Test Was Successful; and similar coverage in Becker’s Hospital Review, iHealthBeat, and Health Data Management. Phase 2 for the VA/SAMHSA Pilot is underway in preparation for HIMSS.
- RE: Other Business, Agenda for Next call, Action Items, and Wrap Up
- Mike reported that Tony Weida is back on board; the hope is to get far enough in the ontology to be ready for ballot in January.
- Trish called in from Vienna where she is attending the ISO WG 4 with Bernd. She reported that Walter Suarez presented on the Data Segmentation for Privacy project.
- Trish reported about discussions with Lisa Spellman about the HL7 Security WG request for access to ISO standards. She noted that the decision on the HL7 Security WG’s request must be made by higher levels of HL7/ISO management.
- The new Security WG call time has been updated with the HL7 Conference Call facility for automated reminders and calendar downloads. Suzanne edited the Security WG Wiki home page to reflect the new time.
- Trish and Kathleen will work off-line on the Security WG 3-Year plan. Draft documentation for this is at the WG Health Metrics and Security 3YP spreadsheet.
Meeting adjourned at 6:00 PM Eastern
Action Items
- RE: Finalize Sept WGM Draft Minutes – Kathleen with input from others
- RE: Prepare November Harmonization Proposals - Kathleen
- RE: Continued development of 3 Year Plan Draft – Trish and Kathleen