
Difference between revisions of "February 21st, 2012 Security Working Group Conference Call"

 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=Security Working Group Meeting=
 
=Security Working Group Meeting=
 
 
*[[Security| Meeting Information]]
 
*[[Security| Meeting Information]]
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]
 
 
==Attendees==
 
==Attendees==
 
 
* [mailto:Kathleen_Connor@comcast.net Kathleen Connor]
 
* [mailto:Kathleen_Connor@comcast.net Kathleen Connor]
* [mailto:ecoyne@drc.com Ed Coyne]
 
 
* [mailto:mike.davis@va.gov Mike Davis] Security Co-chair
 
* [mailto:mike.davis@va.gov Mike Davis] Security Co-chair
* [mailto:farmer@apelon.com Jon Farmer]
 
 
* [mailto:sgonzales-webb@drc.com Suzanne Gonzales-Webb] CBCC Co-chair
 
* [mailto:sgonzales-webb@drc.com Suzanne Gonzales-Webb] CBCC Co-chair
* [mailto:jim.kretz@samhsa.hhs.gov Jim Kretz]
 
 
 
* [mailto:john.moehrke@med.ge.com John Moehrke] Security Co-chair
 
* [mailto:john.moehrke@med.ge.com John Moehrke] Security Co-chair
* [mailto:milan.petkovic@phillips.com Milan Petkovic]
 
* [mailto:kenneth.salyards@samhsa.hhs.gov Ken Salyards]
 
* [mailto:richard.thoreson@samhsa.hhs.gov Richard Thoreson] CBCC Co-chair
 
* [mailto:weida@apelon.com Tony Weida] - Out of office, unable to attend.
 
* [mailto:trish.williams@ecu.edu.au Trish Williams], sends apologies, unable to attend (conflicting meeting)
 
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]
 
 
==Agenda==
 
==Agenda==
 
#''(05 min)'' Roll Call, Approve Minutes & Accept Agenda
 
#''(05 min)'' Roll Call, Approve Minutes & Accept Agenda
Line 26: Line 13:
 
#''(15 min)'' '''Security and Privacy Ontology'''- Update (Tony unable to make today's call)
 
#''(15 min)'' '''Security and Privacy Ontology'''- Update (Tony unable to make today's call)
 
#''(10 min)'' '''Harmonization Proposals '''  Update (Kathleen)
 
#''(10 min)'' '''Harmonization Proposals '''  Update (Kathleen)
 +
#''(10 min)'' '''Security WG Documents - update''' Bill Braithwaite
 
#''(10 min)'' '''Interim Co-Chair appointment'''
 
#''(10 min)'' '''Interim Co-Chair appointment'''
 
 
==Meeting Minutes==
 
==Meeting Minutes==
 +
''' Mike Davis - Presiding Cochair '''
 +
*Roll Call:  Many are attending HIMSS. 
 +
*Approval of Minutes – deferred.
 +
*Agenda modifications: 
 +
**Add update on Security and Privacy Ontology ballot status and project scope statement
 +
**Defer Security and Privacy Ontology Update (Tony unable to make today's call)
 +
Agenda item pushed to next week. Will contact Tony to request a report be distributed via the Security listserve.
 +
*[[Security and Privacy Ontology|Security and Privacy Ontology Project Wiki]]
 +
**Defer Security WG Documents update because Bill is absent. '' 
 +
=Discussion Items=
 +
'''Update on Security and Privacy Ontology ballot status and project scope statement.''' 
 +
*Mike announced that the Security and Privacy Ontology will be balloted in May as a ''for comment only'' ballot because Tony will not be able to complete the work before then.  Mike recommended that the Ontology be balloted as normative in September rather than DSTU.  Kathleen noted that the TSC has ruled that domain analysis models should not be balloted as DSTU because they cannot be implemented directly, and that the same reasoning would likely apply to an ontology.
 +
*Mike walk-through the updates he proposed for the Security and Privacy Ontology Project Scope statement that reflect the change in balloting status and dates.  Suzanne offered additional corrections to artifact names and assignments.  Mike has already asked for agenda time on the upcoming Domain Expert Steering Division call to ask for approval for these changes if the Security WG approves them.
 +
*Suzanne moved to approve; John seconded; motion carried without discussion 3-0-0.
 +
Kathleen will research the status of the [http://gforge.hl7.org/gf/download/docmanfileversion/6455/8715/AmalgamatedMay2011BallotCommentsonSecurityandPrivacyOntology.xlsx May 2011 Ontology ballot reconciliation] and the steps needed to complete that in order to ballot this May.
 +
'''Interim Co-Chair appointment'''
 +
*Mike announced the outcome of the online voting as 18-0-0 in favor of a fourth Security WG cochair.  He noted that the WG may nominate an interim fourth cochair who may serve through September by which time the WG needs to officially petition for an election of a fourth cochair.
 +
'''Harmonization Proposals ''' Update (Kathleen)
 +
*Kathleen updated the WG on some technical corrections made to the coversheets per input from vocabulary.  She will continue to refine the proposals with further input and get these to the WG for final approval to submit by next week’s call (February 28th).
 +
*She discussed [http://gforge.hl7.org/gf/download/docmanfileversion/6666/9132/March2012ProposedHarmonizationVocabulary.pptx March 2012 Proposed Harmonization Vocabulary] slides: 
 +
# a diagram showing the structure and relationships among the proposed vocabulary,
 +
# a Visio version of the DAM to which she is adding relevant standards and vocabularies, and
 +
# a diagram illustrating how the DAM includes RBAC permissions as a refinement. 
  
'''Roll Call, Approve Minutes'''
+
Kathleen noted that the DAM represents RBAC Permissions as components of a Security Role (Figure 1.1.1: Authorization (Role-based Access Control) rather than as a Basic Policy. This last topic will likely need follow up discussion to clarify questions raised by Mike and John about the relationship between RBAC Permission Catalog as a vocabulary and as a class in the DAM. 
  
 
+
See slides 5 - 7 added after the call to [http://gforge.hl7.org/gf/download/docmanfileversion/6666/9132/March2012ProposedHarmonizationVocabulary.pptx March 2012 Proposed Harmonization Vocabulary]
'''ONC Privacy & Security Mobile Device Roundtable Input'''
+
**[http://gforge.hl7.org/gf/download/docmanfileversion/6653/9119/HL7HarmonizationProposalMarch2012PurposeofUse.doc Purpose of Use Vocabulary Update Harmonization Proposal]
 +
**[http://gforge.hl7.org/gf/download/docmanfileversion/6654/9120/HL7HarmonizationProposalMarch2012TechnicalCorrectionActPolicyType.doc ActPrivacyPolicy Technical Corrections Harmonization proposal]
 +
**[http://gforge.hl7.org/gf/download/docmanfileversion/6655/9121/HL7HarmonizationProposalMarch2012ActSecurityObligationandRefrainPolicyType.doc ActSecurity, Obligation, and Refrain Vocabulary Harmonization Proposal]
 +
'''ONC Privacy & Security Mobile Device Roundtable Input – For reference only, but not discussed during call.  John’s response to the HL7 Policy Committee below.'''
 
e-mail to HL7 Co-Chairs:
 
e-mail to HL7 Co-Chairs:
 
 
''ONC's Office of the Chief Privacy Officer in cooperation with the HHS Office for Civil Rights (OCR) launched a Privacy & Security Mobile Device project.  HL7 may have an opportunity this Spring to provide input into this project during a public roundtable.  Although the focus is on privacy and security and many of those elements may be outside of HL7's domain as they are managed through lower level protocols, operating systems, etc., there is a sense that some of our standards may be, or may need to be applicable and sensitive to the context of a mobile device where the data exchanged is consumed. ''
 
''ONC's Office of the Chief Privacy Officer in cooperation with the HHS Office for Civil Rights (OCR) launched a Privacy & Security Mobile Device project.  HL7 may have an opportunity this Spring to provide input into this project during a public roundtable.  Although the focus is on privacy and security and many of those elements may be outside of HL7's domain as they are managed through lower level protocols, operating systems, etc., there is a sense that some of our standards may be, or may need to be applicable and sensitive to the context of a mobile device where the data exchanged is consumed. ''
 +
''We would like to get your input whether your workgroup already has, is planning to develop, or would believe there should be HL7 standards and/or guidance to enhance on the privacy and security of mobile devices.  For example, are hardware/OS/network solutions sufficient to achieve appropriate privacy & security levels unique to mobile devices, or should additional data be available at the application level to enable appropriate restrictions by the application at that mobile device, or should we be completely agnostic to that context?  Are there capabilities in the functional model that should be further defined uniquely to mobile devices, or is that context irrelevant?''
  
 +
''A further question may be whether with the expansion of mobile devices there are other aspects beyond privacy & security in particular and that are unique to mobile computing that HL7 workgroups are already focusing on, have plans for, or should be considering. ''
  
''We would like to get your input whether your workgroup already has, is planning to develop, or would believe there should be HL7 standards and/or guidance to enhance on the privacy and security of mobile devices.  For example, are hardware/OS/network solutions sufficient to achieve appropriate privacy & security levels unique to mobile devices, or should additional data be available at the application level to enable appropriate restrictions by the application at that mobile device, or should we be completely agnostic to that context?  Are there capabilities in the functional model that should be further defined uniquely to mobile devices, or is that context irrelevant?''
 
 
''A further question may be whether with the expansion of mobile devices there are other aspects beyond privacy & security in particular and that are unique to mobile computing that HL7 workgroups are already focusing on, have plans for, or should be considering.
 
 
Although the primary focus of this question is on the Security, Healthcare Devices, EHR, CIC, and CBCC workgroups, other workgroups may have some perspectives as well that we should consider.  We would appreciate your feedback by March 31 to help us determine how HL7 should respond to a request to contribute to the public roundtable. ''
 
Although the primary focus of this question is on the Security, Healthcare Devices, EHR, CIC, and CBCC workgroups, other workgroups may have some perspectives as well that we should consider.  We would appreciate your feedback by March 31 to help us determine how HL7 should respond to a request to contribute to the public roundtable. ''
  
 
You may post this on the [http://wiki.hl7.org/index.php?title=PAC:_Privacy_%26_Security_for_Mobile_Devices PAC wiki page for Privacy & Security for Mobile Devices], or forward to either John Speakman or Hans Buitendijk.
 
You may post this on the [http://wiki.hl7.org/index.php?title=PAC:_Privacy_%26_Security_for_Mobile_Devices PAC wiki page for Privacy & Security for Mobile Devices], or forward to either John Speakman or Hans Buitendijk.
+
 
Policy Advisory Committee Co-Chairs:
+
''Policy Advisory Committee Co-Chairs:''
+
 
'''[mailto:hans.buitendijk@siemens.com  Hans J. Buitendijk] '''
+
'''[mailto:hans.buitendijk@siemens.com  Hans J. Buitendijk]'''
 
Siemens Medical Solutions USA, Inc.
 
Siemens Medical Solutions USA, Inc.
 
Standards & Regulations Manager
 
Standards & Regulations Manager
Line 56: Line 67:
 
NCI Center for biomedical Informatics and Information Technology
 
NCI Center for biomedical Informatics and Information Technology
  
 +
'''John’s response to HL7 Policy Committee'''
 +
Hans,
 +
I would request that you include:
 +
• Security WG – Basic security and privacy
 +
• CBCC WG – Privacy – Consent Directive CDA template
 +
• SOA WG  -- Services Oriented view used by many mobile devices; also include Access Control and Audit Control services
 +
• EHR FM WG – Functional Model that includes Security and Privacy functional capabilities
  
'''Security and Privacy Ontology'''- Update (Tony unable to make today's call)
+
My overall my answer is, that mobile devices are not different than any other.  Mobile Devices are just more likely to get lost or stolen (for pawn). It is this increased likelihood (of known risks) that needs to be considered. Thus good application design keeps sensitive information off of the device. Since this is a USA domain, it is quite easy to point at NIST who have excellent guidelines on this topic:
Agenda item pushed to next week.
+
• NIST Guidelines on Cell Phone and PDA Security SP800-124.pdf
Will contact Tony to request a report be distributed via the Security listserve
+
• NIST Guide to Storage Encryption Technologies for End User Devices SP800-111.pdf
*[[Security and Privacy Ontology|Security and Privacy Ontology Project Wiki]]
+
• NIST Recommended Security Controls for Federal Information Systems and Organizations SP800-53-rev3-db
  
 
+
The policy, methods, and technology used to protect a mobile device are common place in IT security circles. There is little that HL7 should add except where there are deep specifics to Healthcare and specifically HL7 artifacts.
 
+
In the HL7 space, we do encourage a Risk Assessment/Management approach to reasonable applying security technology according to risk Impact and likelihood. This is the core of our Security Risk Assessment Cookbook, that which is being included in the fabric of HL7 standards development. Beyond this we do have tools in the HL7 family that are not specific to Mobile devices but are just as applicable: EHR Functional Model that includes security and privacy functionality – with efforts to align with ISO-1441 security functional models; Services for Access Control, and Audit Controls; Role-Based Access Control Permissions Catalog; ConfidentialityCode vocabulary; and Composite Consent Directive (CDA).
'''Harmonization Proposals '''  Update (Kathleen)
+
John Moehrke
 
+
Co-chair Security WG
 
 
'''Interim Co-Chair appointment'''
 
  
 
==Action Items==
 
==Action Items==
 
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]

Latest revision as of 19:46, 22 February 2012

Security Working Group Meeting

Back to Security Main Page

Attendees


Agenda

  1. (05 min) Roll Call, Approve Minutes & Accept Agenda
  2. (15 min) ONC Privacy & Security Mobile Device Roundtable Input
  3. (15 min) Security and Privacy Ontology- Update (Tony unable to make today's call)
  4. (10 min) Harmonization Proposals Update (Kathleen)
  5. (10 min) Security WG Documents - update Bill Braithwaite
  6. (10 min) Interim Co-Chair appointment

Meeting Minutes

Mike Davis - Presiding Cochair

  • Roll Call: Many are attending HIMSS.
  • Approval of Minutes – deferred.
  • Agenda modifications:
    • Add update on Security and Privacy Ontology ballot status and project scope statement
    • Defer Security and Privacy Ontology Update (Tony unable to make today's call)

Agenda item pushed to next week. Will contact Tony to request a report be distributed via the Security listserve.

Discussion Items

Update on Security and Privacy Ontology ballot status and project scope statement.

  • Mike announced that the Security and Privacy Ontology will be balloted in May as a for comment only ballot because Tony will not be able to complete the work before then. Mike recommended that the Ontology be balloted as normative in September rather than DSTU. Kathleen noted that the TSC has ruled that domain analysis models should not be balloted as DSTU because they cannot be implemented directly, and that the same reasoning would likely apply to an ontology.
  • Mike walked through the updates he proposed for the Security and Privacy Ontology Project Scope statement that reflect the change in balloting status and dates. Suzanne offered additional corrections to artifact names and assignments. Mike has already asked for agenda time on the upcoming Domain Expert Steering Division call to ask for approval for these changes if the Security WG approves them.
  • Suzanne moved to approve; John seconded; motion carried without discussion 3-0-0.

Kathleen will research the status of the May 2011 Ontology ballot reconciliation and the steps needed to complete that in order to ballot this May.

Interim Co-Chair appointment

  • Mike announced the outcome of the online voting as 18-0-0 in favor of a fourth Security WG cochair. He noted that the WG may nominate an interim fourth cochair who may serve through September by which time the WG needs to officially petition for an election of a fourth cochair.

Harmonization Proposals Update (Kathleen)

  • Kathleen updated the WG on some technical corrections made to the coversheets per input from vocabulary. She will continue to refine the proposals with further input and get these to the WG for final approval to submit by next week’s call (February 28th).
  • She discussed March 2012 Proposed Harmonization Vocabulary slides:
  1. a diagram showing the structure and relationships among the proposed vocabulary,
  2. a Visio version of the DAM to which she is adding relevant standards and vocabularies, and
  3. a diagram illustrating how the DAM includes RBAC permissions as a refinement.

Kathleen noted that the DAM represents RBAC Permissions as components of a Security Role (Figure 1.1.1: Authorization (Role-based Access Control)) rather than as a Basic Policy. This last topic will likely need follow-up discussion to clarify questions raised by Mike and John about the relationship between RBAC Permission Catalog as a vocabulary and as a class in the DAM.

See slides 5 - 7 added after the call to March 2012 Proposed Harmonization Vocabulary

ONC Privacy & Security Mobile Device Roundtable Input – For reference only, but not discussed during call. John’s response to the HL7 Policy Committee below.

e-mail to HL7 Co-Chairs:

ONC's Office of the Chief Privacy Officer in cooperation with the HHS Office for Civil Rights (OCR) launched a Privacy & Security Mobile Device project. HL7 may have an opportunity this Spring to provide input into this project during a public roundtable. Although the focus is on privacy and security and many of those elements may be outside of HL7's domain as they are managed through lower level protocols, operating systems, etc., there is a sense that some of our standards may be, or may need to be applicable and sensitive to the context of a mobile device where the data exchanged is consumed.

We would like to get your input whether your workgroup already has, is planning to develop, or would believe there should be HL7 standards and/or guidance to enhance on the privacy and security of mobile devices. For example, are hardware/OS/network solutions sufficient to achieve appropriate privacy & security levels unique to mobile devices, or should additional data be available at the application level to enable appropriate restrictions by the application at that mobile device, or should we be completely agnostic to that context? Are there capabilities in the functional model that should be further defined uniquely to mobile devices, or is that context irrelevant?

A further question may be whether with the expansion of mobile devices there are other aspects beyond privacy & security in particular and that are unique to mobile computing that HL7 workgroups are already focusing on, have plans for, or should be considering.

Although the primary focus of this question is on the Security, Healthcare Devices, EHR, CIC, and CBCC workgroups, other workgroups may have some perspectives as well that we should consider. We would appreciate your feedback by March 31 to help us determine how HL7 should respond to a request to contribute to the public roundtable.

You may post this on the PAC wiki page for Privacy & Security for Mobile Devices, or forward to either John Speakman or Hans Buitendijk.

Policy Advisory Committee Co-Chairs:

Hans J. Buitendijk
Siemens Medical Solutions USA, Inc.
Standards & Regulations Manager

John Speakman
Chief Program Office
NCI Center for biomedical Informatics and Information Technology

John’s response to HL7 Policy Committee

Hans,

I would request that you include:

  • Security WG – Basic security and privacy
  • CBCC WG – Privacy – Consent Directive CDA template
  • SOA WG -- Services Oriented view used by many mobile devices; also include Access Control and Audit Control services
  • EHR FM WG – Functional Model that includes Security and Privacy functional capabilities

My overall answer is that mobile devices are not different than any other. Mobile Devices are just more likely to get lost or stolen (for pawn). It is this increased likelihood (of known risks) that needs to be considered. Thus good application design keeps sensitive information off of the device. Since this is a USA domain, it is quite easy to point at NIST who have excellent guidelines on this topic:

  • NIST Guidelines on Cell Phone and PDA Security SP800-124.pdf
  • NIST Guide to Storage Encryption Technologies for End User Devices SP800-111.pdf
  • NIST Recommended Security Controls for Federal Information Systems and Organizations SP800-53-rev3-db

The policy, methods, and technology used to protect a mobile device are commonplace in IT security circles. There is little that HL7 should add except where there are deep specifics to Healthcare and specifically HL7 artifacts.

In the HL7 space, we do encourage a Risk Assessment/Management approach to reasonably applying security technology according to risk Impact and likelihood. This is the core of our Security Risk Assessment Cookbook, that which is being included in the fabric of HL7 standards development. Beyond this we do have tools in the HL7 family that are not specific to Mobile devices but are just as applicable: EHR Functional Model that includes security and privacy functionality – with efforts to align with ISO-1441 security functional models; Services for Access Control, and Audit Controls; Role-Based Access Control Permissions Catalog; ConfidentialityCode vocabulary; and Composite Consent Directive (CDA).

John Moehrke
Co-chair Security WG

Action Items
