
April 1, 2014 Security WG Conference Call


Meeting Information

Attendees

Member Name                            Present
Mike Davis, Security Co-chair
John Moehrke, Security Co-chair
Trish Williams, Security Co-chair
Bernd Blobel, Security Co-chair
Johnathan Coleman                      x
Kathleen Connor                        x
Duane DeCouteau
Reed Gelzer
Suzanne Gonzales-Webb, CBCC Co-chair   x
Rick Grow                              x
David Henkel                           x
Mohammed Jafari
Don Jorgenson
Diana Proud-Madruga                    x
Harry Rhodes
Ioana Singureanu
Richard Thoreson, CBCC Co-chair
Ross Freeman
Amanda Nash
Walter Suarez
Tony Weida                             x
Chris Clark
Paul Petronelli                        x



Agenda

  1. (05 min) Roll Call, Approve March 25, 2014 Security WG Conference Call Minutes & Accept Agenda
  2. (50 min) HL7 Meaningful Use 2015 NPRM Comments. The deadline for comments is April 2nd (tomorrow). Significant questions and issues to be addressed were sent in a list email. Relevant links are:

Possible HL7 Privacy and Security Comment Areas:

  1. Options for EHR Module Privacy and Security certification criteria. See Certification Policy for EHR Modules and Privacy and Security Certification Criteria, and HITSC MU EHR P&S Certification Criteria Recommendations
  2. Authentication of Patients and Authorized Representatives for View, Download, Transmit
  3. Patients’ ability to control authorized representatives’ access to portions of their records
  4. Selection of two edge protocols that HISPs and Edge Systems should support and two they may support, along with their applicable Transport Security and Authentication requirements. Do the conformance statements make sense? Are there interoperability issues that could result from optionality? Are some protocols more secure than others?
  5. Secure Messaging and Integrity Criteria. Any comments?
  6. Mandatory notification standards. Do they add value?

  3. (05 min) Agenda: May 2014 Working Group Meeting Agenda Items

Meeting Minutes DRAFT

  • WG voted to unanimously approve the March 18, 2014 meeting minutes
  • WG voted unanimously to approve the March 25, 2014 minutes, with the proviso that Suzanne add the link to John’s slides
  • Mike announced items that should be added to the WG meeting in Phoenix in May (read the last section in the minutes below)

The reason I was busy was because these comments need to get in to the HL7 Policy Committee tomorrow. Some of the items I thought could use input from our group, I don’t have a lot of background on.

Mike: If there are no objections, we’ll approve the agenda.

Kathleen: I will say that I’m not totally up to speed on everything. I just sent out a lengthy email regarding the NPRM. I guess what I’d like to do is work through John’s response to what I emailed. The brief thing I wanted to show was John’s response to my email from earlier. They are proposing that EHRs be able to filter on various metadata. I don’t know if they’ll want facility codes. If it were facility codes, you can indicate in the header of a CDA if it is from a mental health or substance abuse facility. It would be helpful in understanding if a particular patient health record contains substance abuse information. John seems to agree with me; he got the gist of what I was saying.

Mike: I think I understand John’s 2nd comment better than the 1st comment. This requirement is for CQM. I guess my only hesitation here is that these measures are for CQM purposes, and the fact that somebody else could use them for other purposes is nice, but it’s sufficient that the comments be directed toward the suitability for CQM and not for other special uses. It’s a bit gratuitous to me. We don’t know that these really provide us with sufficient information to really support a robust access control system.

Kathleen: I would agree. I can take care of the next comment. This is the standards committee letter where they are seeking recommendations for the next EHR certification.

Mike: I recall this being discussed within the committee. I remember a bulleted list of services that were being discussed. So, what are we doing with it? I guess, since I’m on this committee, I’d recommend option 3. This is the world we live in. It’s a world of challenges. If we didn’t have challenges, we couldn’t go forward.

Kathleen: Anything else other than me commenting positively on option 3?

Mike: They’re not really clear on the challenges.

Kathleen: They are proposing that the ONC guide for delivery notifications be expired.

Mike: I don’t have a pony in this race. The applicability statement was developed with that specification in there. We don’t care.

Kathleen: Another one. This was tagged for our review.

Mike: I see no reason why we would argue with this, or endorse it, either. We really have nothing to say about it.

Kathleen: Here’s the integrity comment.

Mike: Something’s wrong with this one. I think this is wrong. I think NIST has said that SHA-1 will not be accepted after December of this year. You have to go to SHA-256. They’re specifying an obsolete thing. I don’t care about exceptions. We should say that we do not concur, that NIST has already established that SHA-1 should not be used.

Kathleen: Is there an official publication?

Mike: Yeah, let me find this. It’s on the NIST site.

Kathleen: If you can do that, I can get a draft out and pull the publication link in.

Diana: I just pulled up the NIST reference for using SHA-1 (NIST 131A).

Mike: Thanks, Diana. NIST 131A, what is that?

Diana: It’s “Recommendations for Transitioning the Use of Cryptographic Algorithms and Key Lengths.”

Mike: Got it. So, have they said by when? 2016?

Diana: No, by 2013 they would not be using SHA-1.

Mike: There have to be some exceptions.

Diana: It’s acceptable for non-digital signature generation applications.

Mike: DoD is going to continue to use it in Direct, using their PKI requirements. That’s what their statement has been. I think pointing out that NIST has a strategy that it should be deprecated is sufficient progress.

Suzanne: The other item I had was to work on some of the agenda items for the WG meeting in May.

Mike: Can we start to collect the list of stuff that we have to do? We have: Ballot Reconciliation for 2 ballots: the Privacy Consent Directive Implementation Guide, and the DSTU; I’m planning to have Duane dial in again for the Joint session to update us where we are with the Data Segmentation for Privacy and FHIR; Tony Weida is going to need some time, he’s been creating an interface that will allow people to create security policies based on the Ontology; I think we want to start a discussion on Trust Frameworks, which have been going on… we have collected information in this area already thanks to Kathleen; we’re going to have some work with SOA, the PASS Security Architecture… this is an existing project so it’s just necessary for us to dust it off and get it going again; we’ll want to put the DAM models into the Architecture and then ballot it as normative; we were going to have some discussions on any changes that need to be made to the DAM in the normative version; we started a conversation with EHR and this was on the vocabulary; I think at the EHR meeting we’ll talk about what Tony has done and that kind of thing, but, anyway, EHR and the Ontology vocabulary should be a subject, maybe for our Joint; Diana has been working on a Mind Map… maybe she’ll have that completed with Tony; that’s 7 things so far. A Joint discussion on future use of Provenance. What am I missing? We have to ask John about the educational sessions. He’s generally the lead on that. Has anybody seen the list of co-chair elections? The list that HL7 puts out? So, I think it’s known that Bert’s position ends in May, and I don’t think he intends to go for it again. I would expect that we’ll have some activity regarding that. There should be some discussion on the Security co-chair. There’s a deadline for submitting names. I think this is all going to be write-in based on the discussion that we’re having right now. I thought there was only one open position. We need to make everyone aware of the HL7 and CBCC co-chair deal.


Meeting Adjourned at 1458 PST --Suzannegw (talk) 22:04, 1 April 2014 (UTC)

Action Items
