Difference between revisions of "April 25, 2017 Security Conference Call"
(→Agenda) |
|||
| (3 intermediate revisions by one other user not shown) | |||
| Line 76: | Line 76: | ||
HL7 TF4FA could serve as the conceptual model for the healthcare consumer trust negotiation technologies needed to enable this emerging market. | HL7 TF4FA could serve as the conceptual model for the healthcare consumer trust negotiation technologies needed to enable this emerging market. | ||
| + | |||
| + | ==Example of sites discussing CTF4FA== | ||
| + | *[https://www.cdt.org/files/healthprivacy/20080514HPframe.pdf Center for Democracy and Technology: Comprehensive Privacy and Security: Critical for Health Information Technology] | ||
| + | *[https://www.slideshare.net/iirojan/thews-trusted-ehealth-and-ewelfare-space THEWS - Trusted eHealth and eWelfare Space – SlideShare www.slideshare.net/iirojan/thews-trusted-ehealth-and-ewelfare-space] | ||
| + | *[https://www.jmir.org/2012/2/e52 JMIR-A Conceptual Framework and Principles for Trusted eHealth and eWelfare Space] | ||
=='''Minutes'''== | =='''Minutes'''== | ||
| + | =='''Minutes'''== | ||
| + | * Chaired by Kathleen | ||
| + | * Agenda Approved | ||
| + | * Minutes March 28, 2017 approved | ||
| + | * Trust Framework and SLS (Kathleen and Mike Davis) | ||
| + | * Issue: How to establish a Trust Framework with Applications (app) when patients share health information | ||
| + | ** Question: Can an app be trusted when patient shares health data with it? | ||
| + | ** It is not up to the providers to dictate who they will share with | ||
| + | ** Applications (Apps) are not considered providers | ||
| + | ** When patient shares with App from a Privacy point of view they are sharing the information with themselves | ||
| + | ** The Health Information is not protected | ||
| + | ** They are a transport which serve as a pass through | ||
| + | ** Patient information is not encrypted or protected when sharing with app | ||
| + | ** Controls should be established with app | ||
| + | ** SLS maybe a solution to implement Cascading OATH capabilities | ||
| + | ** From a privacy point of view if Patient info is sent to an application it would be treated as if Patient sent the info to themselvess | ||
| + | ** Organizations can take Privacy protection service | ||
| + | ** Comment (Beth): We should partner with Mobile Security for Mobile Health | ||
| + | ** Mobil Security Group will not be in the Madrid conference for the topic to be discussed on the agenda | ||
| + | ** Next Step: The Trust Framework Mobile App issue will be covered in the next iteration | ||
| + | |||
| + | * FHIR Security Call - Please review front matter - John Moehrke | ||
| + | ** NTR | ||
| + | ** John was not present on the call | ||
| + | * No call on May 2nd due to Madrid conference | ||
Latest revision as of 19:09, 23 May 2017
Contents
Attendees
| x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
|---|---|---|---|---|---|---|---|---|---|---|
| . | John MoehrkeSecurity Co-chair | x | Kathleen ConnorSecurity Co-chair | . | Alexander Mense Security Co-chair | . | Trish WilliamsSecurity Co-chair | |||
| x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari | |||
| x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn | |||
| x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney | |||
| . | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib | |||
| . | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver | |||
| x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan | |||
| . | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve | |||
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |
Agenda
- (2 min) Roll Call, Agenda Approval
- (4 min) Review and Approval of Security WG Call Minutes April 18, 2017
- (5 min) TF4FA May ballot results to date - Kathleen - please vote!
- (20 min) What does the WG want to achieve in Madrid - Attending cochairs: Opportunity to review the May WG Agenda_and discuss key objectives that the WG representative should try to achieve.
- (20 min) Brainstorming on what a Healthcare Consumer Trust Framework for Federated Authorization [CTF4FA] would encompass. This topic was initiated on the April 18th call. The conversation needs to continue to gain insights on what the community would expect a CTF4FA to look like. See summary below.
- (5 min) FHIR Security Call - Please review front matter - John Moehrke
Consumer Oriented TF4FA
Current Trust Frameworks are static; once established, these are very hard to change. Static Trust Frameworks are typically oriented to those who control information and value flows. Consumers seem to have little or no voice in these Trust Framework Trust Policy, or the resulting Trust Recipient or Trust Relying Party Agreements.
Should the HL7 TF4FA be more encompassing of healthcare consumers as parties in the negotiation of Trust Frameworks for Federated Authorization with counterparties with which they can share health information on terms that consumers find more attractive in some way - e.g., for more control of their information's privacy and security, or even for compensation for use of their health information?
Enabling healthcare consumers to negotiate more equitable trust framework will require changing the balance of power where custodians "own" the consumer's health information. Patient Right of Access is disrupting that paradigm. It may be that providers and EHR vendors will see an advantage in supporting PRA as a means to off-load breach liability and consent management, and by simply duplicating patient information in a server accessible to patients for view, download, and transmit, they are able to avoid EHR security issues, although they still have responsibility for the security of a PRA store.
At the same time as custodians are seeing advantages, so are secondary users of patient information. PRA is attractive in that it reduces friction resulting from meeting data sharing requirements of custodians. At this juncture however, these secondary users seem somewhat inclined to negotiate with the consumers that are now supplying them with patient information.
As this new mode of sharing health information scales, healthcare consumers' market place clout to demand more control will increase. With user friendly trust negotiation technologies, we can imagine many healthcare consumers with 0..* trust domains, and 0..* privacy preferences, and security and trust risk tolerances having more and more health information consumers with which to bargain for their best trust contract deal.
HL7 TF4FA could serve as the conceptual model for the healthcare consumer trust negotiation technologies needed to enable this emerging market.
Example of sites discussing CTF4FA
- Center for Democracy and Technology: Comprehensive Privacy and Security: Critical for Health Information Technology
- THEWS - Trusted eHealth and eWelfare Space – SlideShare www.slideshare.net/iirojan/thews-trusted-ehealth-and-ewelfare-space
- JMIR-A Conceptual Framework and Principles for Trusted eHealth and eWelfare Space
Minutes
Minutes
- Chaired by Kathleen
- Agenda Approved
- Minutes March 28, 2017 approved
- Trust Framework and SLS (Kathleen and Mike Davis)
- Issue: How to establish a Trust Framework with Applications (app) when patients share health information
- Question: Can an app be trusted when patient shares health data with it?
- It is not up to the providers to dictate who they will share with
- Applications (Apps) are not considered providers
- When patient shares with App from a Privacy point of view they are sharing the information with themselves
- The Health Information is not protected
- They are a transport which serve as a pass through
- Patient information is not encrypted or protected when sharing with app
- Controls should be established with app
- SLS maybe a solution to implement Cascading OATH capabilities
- From a privacy point of view if Patient info is sent to an application it would be treated as if Patient sent the info to themselvess
- Organizations can take Privacy protection service
- Comment (Beth): We should partner with Mobile Security for Mobile Health
- Mobil Security Group will not be in the Madrid conference for the topic to be discussed on the agenda
- Next Step: The Trust Framework Mobile App issue will be covered in the next iteration
- FHIR Security Call - Please review front matter - John Moehrke
- NTR
- John was not present on the call
- No call on May 2nd due to Madrid conference
