Difference between revisions of "August 15, 2017 Security Conference Call"

Back to Security Main Page

Attendees

Back to Security Main Page

Agenda

1. (2 min) Roll Call, Agenda Approval
2. (4 min) Review and Approval of Security WG Call Minutes August 1, 2017and Security WG Call Minutes August 8, 2017
3. (20 min) NIST 800-53 Rev 5 release draft Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft - Mike Davis
4. (25 min) Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release & presentation Potential for renewing EHR/Security work on Lifecycle Vocabulary - Reed Gelzer
5. (20 min) 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen
6. (5 min) FHIR Security call

News and Review Material

• Links for ONC Trusted Exchange Common Agreement Kick Off
  • Presentation Recordings
  • ONC Trusted Exchange Common Agreement deck
• For Discussion on August 22 call: NSTC National Privacy Research Strategy

1. Summary People’s lives are inextricably interconnected with cyberspace and information systems. The computing revolution is enabling advances in many sectors of the economy, while social interactions have been profoundly affected by the rise of the Internet and mobile communications. Increasing computerization and data collection in transportation, education, health care, and other areas will accelerate these trends. Massive data collection, processing, and retention in the digital era challenge long-established privacy norms. On the one hand, large-scale data analytics is indispensable to progress in science, engineering, and medicine; on the other hand, when information about individuals and their activities can be tracked and repurposed without the individual’s knowledge or understanding, opportunities emerge for unauthorized disclosure, embarrassment and harassment, social stigma, crime, discrimination, and misuse. The fact that such an opportunity exists can itself have a detrimental and chilling effect on people’s behaviors. The Federal Government is mindful of this risk, and the resulting need for research and development. The White House report Big Data: Seizing Opportunities, Preserving Values1 highlights the need for large-scale privacy research: “We should dramatically increase investment for research and development in privacy-enhancing technologies, encouraging cross-cutting research that involves not only computer science and mathematics, but also social science, communications, and legal disciplines.” The National Privacy Research Strategy establishes objectives for Federally-funded privacy research (both extramural and government-internal research), provides a structure for coordinating research and development in privacy-enhancing technologies, and encourages multi-disciplinary research that recognizes the responsibilities of the government and the needs of society. The overarching goal of this strategy is to produce knowledge and technology that will enable individuals, commercial entities, and the government to benefit from transformative technological advancements, enhance opportunities for innovation, and provide meaningful protections for personal information and individual privacy. To achieve these goals, this strategy identifies the following priorities for privacy research: • Foster multidisciplinary approach to privacy research and solutions; • Understand and measure privacy desires and impacts; • Develop system design methods that incorporate privacy desires, requirements, and controls; • Increase transparency of data collection, sharing, use, and retention; • Assure that information flows and use are consistent with privacy rules; • Develop approaches for remediation and recovery; and • Reduce privacy risks of analytical algorithms.

Minutes

• Agenda Approved
• Approved Security WG Call Minutes August 1, 2017
• Approved Security WG Call Minutes August 8, 2017 (Suzzana Abstained)

• NIST 800-53 Rev 5 release draft Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft - Mike Davis
  • NIST had privacy in 800-53 Rev 5 reviewing security and privacy controls
  • There three Controls:
  • (1) Privacy are marked with a (P) consent is under privacy
  • (2) Security (S)
  • (3) Joint (J) (Security and Privacy controls)
  • Attributes for security and privacy are the basis of our HL7 work are listed as follows:
    • (A) Security labeling services
    • (B) Health carer classification system
    • (C) Vocabulary Standards
  • Vocabulary would mark data, labels are based health care security and privacy policy
  • NIST has integrated the Security and Privacy
  • Safety is not yet addressed within NIST but is possible future work
  • Once policy of access control is enforced, Privacy enforcement is usually carried on by security
  • By 2020 it is predicted that 70% of all industries would have adopted Attribute based access control
  • Next Step: For CBCC and Security work group to review and comment NIST 800-53 Rev 5 for HL7 response (Comments due Sept 12th)- Focus on the table to ensure the controls
  • Kathleen will work with Sam and create a joint wiki page for comments and review
• Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release & presentation Potential for renewing EHR/Security work on Lifecycle Vocabulary - Reed Gelzer
  • Reviewed the Records management of EHR systems in end use domains
  • The Sedona conference (Standards organization to provide convening space) address Western Hemisphere legal matters
  • The purpose of the conference is to find common means addressing the paper records to digital records system across industries in the Western Hemisphere
  • Membership is mainly composed of Lawyers
  • One concept is the design and maintenance and production of objects that meet data quality assurance
  • Reference 21089 with focus on data objects have to have specifications, for example Record Specification are of interest to many clinicians
  • Reference 21089 (Gary Dickerson also involved) involves authentication
  • In the U.S. Domain literature Authentication in the legal domain is described in 3 parts:
    • (1) For what purpose is the Record offered (What is it going to be used for?)
    • (2) Is the Record what it claims to be
    • (3) What evidence or source authenticates the records claim
  • Provenance and origination of records claim can either be a considered Data, such as EHR, or supported and detailed information (Metadata) records
  • Object specification must be forensically fit episode of care record would be more detailed than a general record claim
  • Release 2.1 will incorporate life cycle events in the functional model
  • It will extended in Risk management evidence support profile
  • Co-Chair Micheal Brody assembled a group of stakeholders of active clinicians and legal members
  • Security Work group to review the Authenticity section (6-7 pages) and the medication list, and determine how to adapt conventions such as naming CDA documents (eg: comprehensive patient summary reconciled against existing patient record)
  • EPIC now has a desktop function on any given episode of care record there are indicators on which indicators were imported:
    • An alarming example to consider is EPIC has a desktop function that show which information was imported, which populated, and language used to describe the behaviors (if the clinician did not create at the time they saw the patient) is not considered as original request

Note Items below were not discussed:

• 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen

• FHIR Security call

• • Call adjourned