
Difference between revisions of "April 1, 2014 Security WG Conference Call"

From HL7Wiki
 

Latest revision as of 20:56, 8 April 2014

Meeting Information

Attendees (x = present)

  Member Name                               Present
  Mike Davis, Security Co-chair
  John Moehrke, Security Co-chair
  Trish Williams, Security Co-chair
  Bernd Blobel, Security Co-chair
  Johnathan Coleman                         x
  Kathleen Connor                           x
  Duane DeCouteau
  Reed Gelzer
  Suzanne Gonzales-Webb, CBCC Co-chair      x
  Rick Grow                                 x
  David Henkel                              x
  Mohammed Jafari
  Don Jorgenson
  Diana Proud-Madruga                       x
  Harry Rhodes
  Ioana Singureanu
  Richard Thoreson, CBCC Co-chair
  Ross Freeman
  Amanda Nash
  Walter Suarez
  Tony Weida                                x
  Chris Clark
  Paul Petronelli                           x



Agenda

  1. (05 min) Roll Call, Approve March 25, 2014 Security WG Conference Call Minutes & Accept Agenda
  2. (50 min) HL7 Meaningful Use 2015 NPRM Comments. Deadline for comments is April 2nd (tomorrow). Significant questions and issues to be addressed were sent in a list email.

Possible HL7 Privacy and Security Comment Areas:

  1. Options for EHR Module Privacy and Security certification criteria (see Certification Policy for EHR Modules and Privacy and Security Certification Criteria, and HITSC MU EHR P&S Certification Criteria Recommendations, under Relevant links below)
  2. Authentication of Patients and Authorized Representatives for View, Download, Transmit
  3. Patients’ ability to control authorized representatives’ access to portions of their records
  4. Selection of two edge protocols that HISPs and Edge Systems should support and two they may support, along with their applicable Transport Security and Authentication requirements. Do the conformance statements make sense? Are there interoperability issues that could result from optionality? Are some protocols more secure than others?
  5. Secure Messaging and Integrity Criteria – any comments?
  6. Mandatory notification standards – do they add value?
  7. (05 min) Agenda: May 2014 Working Group Meeting Agenda Items

Meeting Minutes DRAFT

  • WG voted to unanimously approve the March 18, 2014 meeting minutes
  • WG voted unanimously to approve the March 25, 2014 minutes, with the proviso that Suzanne add the link to John’s slides
  • Mike announced items that should be added to the WG meeting in Phoenix in May (read the last section in the minutes below)

Relevant links are:

  • NPRM in Federal Register: Voluntary 2015 Edition Electronic Health Record (EHR) Certification Criteria; Interoperability Updates and Regulatory Improvements (https://www.federalregister.gov/articles/2014/02/26/2014-03959/voluntary-2015-edition-electronic-health-record-ehr-certification-criteria-interoperability-updates)
  • Certification Policy for EHR Modules and Privacy and Security Certification Criteria (https://www.federalregister.gov/articles/2014/02/26/2014-03959/voluntary-2015-edition-electronic-health-record-ehr-certification-criteria-interoperability-updates#h-130)
  • HITSC MU EHR P&S Certification Criteria Recommendations (http://www.healthit.gov/sites/default/files/pswgtransmittalmemo_032613.pdf)
  • HL7 PAC 2015 Edition NPRM Response Notes (http://gforge.hl7.org/gf/download/docmanfileversion/7985/11681/2015%20Edition%20NPRM%20Response%20Notes.docx)
  • ONC Implementation Guide for Direct Edge Protocols (http://wiki.directproject.org/file/view/Implementation+Guide+for+Direct+Edge+Protocols+v0+8.pdf/478264666/Implementation%20Guide%20for%20Direct%20Edge%20Protocols%20v0%208.pdf)

These comments need to get to the HL7 Policy Committee tomorrow. Some of the items, which Kathleen has a lot of background on, she thought could use input from our group.

Kathleen - I will say that I’m not totally up to speed on everything. I just sent out a lengthy email regarding the NPRM. I guess what I’d like to do is work through John’s response to what I emailed. The brief thing I wanted to show was John’s response to my email from earlier. They are proposing that EHRs be able to filter on various metadata. I don’t know if they’ll want facility codes. If it were facility codes, you can indicate in the header of a CDA if it is a mental health or substance abuse facility. It would be helpful in understanding if a particular patient health record contains substance abuse information. John seems to agree with me and got the gist of what I was saying.

Mike - I think I understand John’s 2nd comment better than the 1st comment. This requirement is for CQM. I guess my only hesitation here is that these measures are for CQM purposes, and the fact that somebody else could use them for other purposes is nice, but it’s sufficient that the comments be directed toward the suitability for CQM and not for other special uses. It’s a bit gratuitous to me. We don’t know that these really provide us with sufficient information to really support a robust access control system.

Kathleen - I would agree. I can take care of the next comment. This is the standards committee letter where they are seeking recommendations for the next EHR certification.

Mike - I recall this being discussed within the committee. I remember a bulleted list of services that were being discussed. So, what are we doing with it? I guess, since I’m on this committee, I’d recommend option 3. This is the world we live in. It’s a world of challenges. If we didn’t have challenges, we couldn’t go forward.

Kathleen - Anything else other than me commenting positively on option 3? The challenges are not really clear. They are proposing that the ONC guide for delivery notifications be expired.

Mike - Regarding the integrity comment. Something’s wrong with this one. I think this is wrong. I think NIST has said that SHA-1 will not be accepted after December of this year. You have to go to SHA-256. They’re specifying an obsolete thing. I don’t care about exceptions. We should say that we do not concur, that NIST has already established that SHA-1 should not be used. There is an official publication on the NIST site: the NIST reference for the use of SHA-1 (NIST 131A).

Diana - NIST 131A [NIST SP 800-131A] is “Recommendations for Transitioning the Use of Cryptographic Algorithms and Key Lengths.”

Mike - Items for the May 2014 Working Group Meeting agenda:

  1. Ballot reconciliation for 2 ballots:
     a. the Privacy Consent Directive Implementation Guide, and
     b. DSTU
  2. DS4P in FHIR (Duane). I’m planning to have Duane dial in again for the Joint session to update us on where we are with the Data Segmentation for Privacy and FHIR.
  3. Tony Weida - creating an interface that will allow the creation of security policies based on the Ontology
  4. Work with SOA - PASS Security Architecture (an existing project; just necessary to dust it off and get it going again)
  5. Conversation with EHR, Steve Hufnagel
  6. Security and Privacy DAM
  7. Mind Map - Diana, Tony - presentation / subject for discussion
  8. Joint Security conversation on Data Provenance (Johnathan); future use of provenance
  9. Ask John Moehrke about educational sessions - are we moving this out of our main agenda?
  10. Security co-chair: Bernd’s position ends in May 2014; unsure who will be running for his position
  11. CBCC Co-Chair replacement for Richard
  12. Patient Natural Language Project



Meeting Adjourned at 1458 PST --Suzannegw (talk) 22:04, 1 April 2014 (UTC)

Action Items
