December 15, 2015 Security Conference Call
Attendees
x | Member Name | x | Member Name | x | Member Name | |||
---|---|---|---|---|---|---|---|---|
x | Mike DavisSecurity Co-chair | Duane DeCouteau | . | Chris Clark | ||||
x | John MoehrkeSecurity Co-chair | Johnathan Coleman | . | Aaron Seib | ||||
x | Alexander Mense Security Co-chair | . | Ken Salyards | . | Christopher D Brown TX | |||
. | Trish WilliamsSecurity Co-chair | . | Gary Dickinson | x | Dave Silver | |||
x | Kathleen Connor | . | Ioana Singureanu | Mohammed Jafari | ||||
x | Suzanne Gonzales-Webb | x | Rob Horn | . | Galen Mulrooney | |||
x | Diana Proud-Madruga | Ken Rubin | William Kinsley | |||||
x | Rick Grow | Paul Knapp | x | Debbie Bucci | ||||
x | Glen Marshall, SRS | Bill Kleinebecker | x | Christopher Shawn | ||||
Oliver Lawless | x | Rob Horn | Serafina Versaggi | |||||
. | Beth Pumo | Russell McDonell | Paul Petronelli , Mobile Health | |||||
Christopher Doss | x | Kamalini Vaidya | [mailto: ] |
Agenda DRAFT
- ( 5 min) Roll Call, Agenda Approval
- ( 5 min) Approve December 08 Meeting Minutes
- ( 5 min) Healthcare Security and Privacy Access Control Catalog Update - Rick, Suzanne
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( min) FHIR Security report out - John
- ( 5 min) PASS Access Control Conceptual Model (SOA) ballot reconciliation Update - Diana, Don, Mike, Dave
- Remaining meetings for 2015, beginning of 2016 - December 22, 29; January 5
- (10 min) Upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG - AGENDA ITEMS
- Update Preview of Audit Functional Model - Dave
- in future to update the PASS Audit
Meeting Minutes
Motion to Approve December 8 meeting minutes
Objections: none; meeting minutes approved: 12
Healthcare Security and Privacy Access Control Catalog
No update. No comments returned, no votes returned to date.
Joint Vocabulary Alignment update
- came to understanding on originate
- latest version is available for review on the Vocabulary Alignment wiki
- links added to CBCC and Security to access the wiki
- work is progressing, trying to find common ground/common process - we are getting there
- tried to build definition off a standard model of fairly simple functional/control systems as an alternative to definitions
- struggling on the first basic set of things (last 4-6 weeks), getting comfortable with the representation, artifacts, details of each of the articles--how we want them to be
- input, output, etc. will serve us to tackle the rest of the vocabulary
- would like to present in more detail to the Security group (it is in alignment w/security, provenance) now and going forward to retrieve feedback. Expect good reviews from the Security group
- add to agenda for Security WG as a follow-up - to review the items
FHIR Security
- resolved one CP last week - results are now in the current build (essentially renaming of audit events so they are the same as in provenance...preference for the W3C definition of entity and agency vs ATNA 'participant' and 'object')
PASS Access Control Conceptual Model
- comments returned from Alex (Bernd's comment)
- is there further ballot reconciliation to be done?
- only what Alex sent out
- request to withdraw sent to VA and DoD folks - votes have not been withdrawn
- suggesting to add a capability to our trust framework - along the lines to describe trusted attributes
- we believe that the response should be 'for future use' - we are moving in that direction (there is a gap); but at this time it is not
- Alex - maybe leave as an open issue and fix in a future build
ACTION: Alex to approach/confirm with Bernd on this resolution and ask if this resolution is okay.
- Diana will confirm that the resolutions are in the spreadsheet and notify Alex/Bernd when they are ready for Bernd to respond
remaining 2015, early 2016 meetings
- December 22 - meet; yes
- December 29 - no (Mike is not available)
- January 5 - ? just before WGM (Mike is not available)
- following week is the WGM
Proposal: (as above) (Glen/JohnM) - objections: none; abstentions: none; motion passed (meeting only on the 22nd)
- confirm quorum at the FHIR meeting this afternoon - TBD
- John M is available if meetings are held
Agenda items for upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG
Suzanne to update the calendar to be reviewed on the 12/22 meeting
- Wednesday Q2 - remove SOA Security, add PSS Audit Services
- ADD to Tuesday Q3 (joint); Privacy Protection for the Internet of Things - setting up a call with Helen - briefing on the background of the group; Steve Moeller and Kantara will also join; does the Security WG consider emerging technologies that have not been a topic of our work - HEART, privacy protective (what Helen has proposed) how they all fit together health Internet of Things - ADD
- would indicate whether or not the WGM is a place to host a meeting...presentation with Alex's students
- remove: Tuesday Q2 PASS AC Ballot reconciliation
Mapping of 800-53 security controls to the Functional Model
- displayed by Dave Silver
- we will publish the FM along with the text of the FM (description of the functions)
- The table with the mapping - we have not written up the logic of why they are mapped the way they are. this is our view at this point. the mapping to the 800-53 gives us a way of organizing the functions. some of the 800-53 controls are mappable to one or more of the FM functions. the FM is not canonical in this sense (one and only one); this is something to note.
- provide FM in a word document
- asking for comments on what we have so far - a precursor to our Audit standard (w/SOA); will be going into more detail at the January WGM.
- Mike would like to solicit any other suggestions. The audit model is traceable to other standards that we have (ISO, ASTM...) that are used for the usage of terms and concepts. may not be seen here at this point.
- a link will be provided to the items being presented today
- each of the functions is described in the word document - they should be familiar
- is there a cross walk to NIST SP 800-92 (a functional model for audit logging)? no, this is the only cross walk done at this time
- it's unfortunate that 800-92 did not clearly do that for us.
- at the WGM, we may have the requirements ready for presentation; approx. 250 requirements written
- we want to have the requirements traceable to 800-53
ACTION: Two documents forwarded to Security WG listserve (Suzanne)
Meeting adjourned at 1357 AZT --Suzannegw (talk) 16:09, 15 December 2015 (EST)