
August 15, 2017 Security Conference Call


Attendees

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari |
| x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney |
| . | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver |
| x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan |
| . | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes August 1, 2017 and Security WG Call Minutes August 8, 2017
  3. (20 min) NIST 800-53 Rev 5 release draft Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft - Mike Davis
  4. (25 min) Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release & presentation Potential for renewing EHR/Security work on Lifecycle Vocabulary - Reed Gelzer
  5. (20 min) 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen
  6. (5 min) FHIR Security call

News and Review Material

1. Summary

People’s lives are inextricably interconnected with cyberspace and information systems. The computing revolution is enabling advances in many sectors of the economy, while social interactions have been profoundly affected by the rise of the Internet and mobile communications. Increasing computerization and data collection in transportation, education, health care, and other areas will accelerate these trends.

Massive data collection, processing, and retention in the digital era challenge long-established privacy norms. On the one hand, large-scale data analytics is indispensable to progress in science, engineering, and medicine; on the other hand, when information about individuals and their activities can be tracked and repurposed without the individual’s knowledge or understanding, opportunities emerge for unauthorized disclosure, embarrassment and harassment, social stigma, crime, discrimination, and misuse. The fact that such an opportunity exists can itself have a detrimental and chilling effect on people’s behaviors.

The Federal Government is mindful of this risk, and the resulting need for research and development. The White House report Big Data: Seizing Opportunities, Preserving Values highlights the need for large-scale privacy research: “We should dramatically increase investment for research and development in privacy-enhancing technologies, encouraging cross-cutting research that involves not only computer science and mathematics, but also social science, communications, and legal disciplines.”

The National Privacy Research Strategy establishes objectives for Federally-funded privacy research (both extramural and government-internal research), provides a structure for coordinating research and development in privacy-enhancing technologies, and encourages multi-disciplinary research that recognizes the responsibilities of the government and the needs of society.

The overarching goal of this strategy is to produce knowledge and technology that will enable individuals, commercial entities, and the government to benefit from transformative technological advancements, enhance opportunities for innovation, and provide meaningful protections for personal information and individual privacy. To achieve these goals, this strategy identifies the following priorities for privacy research:

  • Foster multidisciplinary approach to privacy research and solutions;
  • Understand and measure privacy desires and impacts;
  • Develop system design methods that incorporate privacy desires, requirements, and controls;
  • Increase transparency of data collection, sharing, use, and retention;
  • Assure that information flows and use are consistent with privacy rules;
  • Develop approaches for remediation and recovery; and
  • Reduce privacy risks of analytical algorithms.

Minutes

  • Agenda Approved
  • Approved Security WG Call Minutes August 1, 2017
  • Approved Security WG Call Minutes August 8, 2017 (Suzanne abstained)
  • NIST 800-53 Rev 5 release draft Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft - Mike Davis
    • NIST has included privacy in 800-53 Rev 5; reviewed the security and privacy controls
    • There are three control categories:
      • (1) Privacy controls are marked with a (P); consent falls under privacy
      • (2) Security (S)
      • (3) Joint (J) (Security and Privacy controls)
    • Attributes for security and privacy, which are the basis of our HL7 work, are listed as follows:
      • (A) Security labeling services
      • (B) Health care classification system
      • (C) Vocabulary Standards
    • Vocabulary would mark data; labels are based on health care security and privacy policy
    • NIST has integrated Security and Privacy
    • Safety is not yet addressed within NIST but is possible future work
    • Once access control policy is enforced, privacy enforcement is usually carried out by security
    • By 2020 it is predicted that 70% of all industries will have adopted attribute-based access control
    • Next step: CBCC and Security work groups to review and comment on NIST 800-53 Rev 5 for the HL7 response (comments due Sept 12th) - focus on the table to ensure the controls
    • Kathleen will work with Sam and create a joint wiki page for comments and review
  • Diagnosing and Treating Legal Ailments of the Electronic Health Record: Toward an Efficient and Trustworthy Process for Information Discovery and Release & presentation Potential for renewing EHR/Security work on Lifecycle Vocabulary - Reed Gelzer
    • Reviewed records management of EHR systems in end-use domains
    • The Sedona Conference (a standards organization that provides a convening space) addresses Western Hemisphere legal matters
    • The purpose of the conference is to find common means of addressing the move from paper records to digital records systems across industries in the Western Hemisphere
    • Membership is mainly composed of lawyers
    • One concept is the design, maintenance, and production of objects that meet data quality assurance
    • Reference 21089, with a focus on data objects, which have to have specifications; for example, Record Specifications are of interest to many clinicians
    • Reference 21089 (Gary Dickinson also involved) involves authentication
    • In the U.S. domain literature, authentication in the legal domain is described in 3 parts:
      • (1) For what purpose is the record offered? (What is it going to be used for?)
      • (2) Is the record what it claims to be?
      • (3) What evidence or source authenticates the record's claim?
    • An alarming example to consider is that EPIC has a desktop function that shows which information was imported, which was populated, and the language used to describe the behaviors (if the clinician did not create it at the time they saw the patient) is not considered as original request


  • 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen
  • FHIR Security call