This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

HL7 FHIR Security 2016-11-29

From HL7Wiki
Jump to navigation Jump to search

Call Logistics

Weekly: Tuesday at 05:00 EST (2 PM PST)

Conference Audio: 770-657-9270,' Access: 845692
Join online meeting:  https://global.gotomeeting.com/join/520841173  
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
x John Moehrke Security Co-Chair x Kathleen Connor Security Co-Chair x Suzanne Gonzales-Webb CBCC Co-Chair
. Gary Dickinson EHR Co-Chair . Johnathan ColemanCBCC Co-Chair . Mike Davis
. Reed Gelzer RM-ES Lead x Glen Marshal . Galen Mulrooney
. Dave Silver . Rob Horn . Judy Fincher
. Diana Proud-Madruga . Beth Pumo . Oliver Lawless
. Bob Dieterle . Mario Hyland x Joe Lamy
. Rick Grow . [mailto: Richard Etterma] . [mailto: Wayne Kubic]

Agenda

FHIR Security block vote

Minutes

  • John Chair
  • Agenda
  • Discussion of improvement opportunity presented by the three existing security/privacy pages
  • Outline for a FAQ improvement on the module page
  • Access Control
    • Access Control diagram from Mike (Inputs – Decision – Enforcement – Outputs)
    • Using OAuth
      • Identity
        • Leverage OpenID Connect
        • Federate (cross-reference, mapping) to local identity descritions
          • Informally, or Formally
      • Roles
        • Using Standard roles from HL7
        • Using local codes
        • Clearance
      • Scopes
        • Using SMART scopes
          • Basic starter set
          • Supports Organizational use-cases with simple consent
          • Doesn’t support fine-grain
          • Doesn’t support complex consent
        • Using HEART – UMA
      • Using Cascading Authorization Servers
        • Bridging SMART and UMA and organizational requirements
    • Using Security labels
      • HCS conformance
        • MUST have a _confidentiality value (1..1)
        • Use of persistence label
        • Bundle use of security_tags – high-water
        • Comprehensive security_tags on each resource communicated to a trusted peer
        • Using security lables from a consent directive (privacy policy) on goverened resources
        • Using Clearance with security labels
    • Bring in stuff from the Privacy Consent Implementation Guide (Consent IG)
      • TODO
    • Should we create a new page, parellel with security.html -- privacy.html
      • Privacy Principles
      • Consent as a way to control Collection/Use/Disclosure
      • ISO four models (In, Out, In with exceptions, Out with exceptions)
    • Trust Framework
      • impact on the Conformance resource published by partners.
      • Establishing trust Contracts between trading partners