
February 9th 2010 Security Conference Call


Security Work Group Weekly Conference Call

Meeting Information



Agenda includes time allocated to the CBCC Call

  1. (05 min) Roll Call, Approve Minutes Feb 2, 2010 & Call for Additional Agenda Items
  2. (30 min) Security and Privacy Ontology project status
  3. (25 min) Security Domain Analysis Model project status
  4. (5 min) RBAC Ballot Reconciliation status
  5. (10 min) SAEAF Alpha project question
    • When is it appropriate to use the RIM in a Security Privacy domain?
  6. (15 min) Security and CBCC WG response to Meaningful Use IFR
    • Discussion
    • No link to submit comments electronically on the homepage as yet
    • Comments can be emailed directly to Karen Van Hentenryck
  7. (5 min) FYI: Topics for future WG meeting
    • Security Risk Assessment
      • A number of WG members missed the presentation John gave at the Phoenix WGM
    • Privacy Templates Scope Statement

Ontologies presentation from the Phoenix WGM:


1. Action Items

  1. Ioana/Serafina to update the Security DAM based on ballot reconciliation and present at next week's meeting
  2. Ioana to circulate first draft of harmonized Security and Composite Privacy DAMS in next week's meeting as well

2. Resolutions - N/A

3. Announcements - N/A

4. Updates/Discussion

Security and Privacy Ontology project scope statement

  • Scope statement submitted to the Foundation & Technology Steering Division (FTSD) for approval but Security co-chairs unable to attend today’s meeting. The Steering division discussed the project in order to inform the Security WG of their concerns as follows:
    • FTSD felt the current proposal is unclear as to what is being defined (classified) in this Ontology. Also, need some assurance that the Vocabulary Work Group principles and methods for defining code systems will be followed and that the ontology will be published in the same way as current vocabulary content
    • Security asked to consider refinements to address these questions. The Project Proposal will be brought up again for consideration on February 23
    • ArB requested to be added as an interested party on the SOA Ontology project. Security will add ArB as interested party to Security & Privacy Ontology project as well

Security Domain Analysis Model

  • Scope statement submitted. On track from the perspective of HL7 mechanics
  • Mike to notify the TSC of changes to the project scope statement as well (Informative DSTU)
  • Ballot reconciliation is complete and comments will be incorporated into the document and model
  • Next step is to harmonize the Security DAM with the Composite Privacy DAM
    • Dealing with common concepts and establishing the relationship between the Security policies and the policy maker and consumer-driven policies in the Privacy DAM
    • This work will serve as a preamble to the Ontology project which will develop reasoning tools to move between the two viewpoints.
    • This also gives us a level of confidence that we’re referring to the concepts in the same way in each Domain Analysis Model
    • Physically there will be a single UML model with the ability to represent two different viewpoints. This makes it easier to maintain, keep definitions in synch, class names and concepts defined where there is overlap.
  • First opportunity to submit content is March 7; deadline to submit final content for May ballot is March 28
  • Next week we will circulate the reconciled Security DAM and provide an initial draft of the harmonized Security and Composite Privacy DAMs.
    • WG can provide feedback by Feb 23
    • Feedback will be incorporated and another draft submitted to the WG for review before submitting final content by 28 March

SAEAF Alpha Project Question – when is it appropriate to use the RIM in a Security/Privacy Domain?

  • A simple answer is that it is appropriate to use a Security Model in the RIM when applying Security to HL7 supported messaging
    • Some of the work of this WG in defining vocabularies falls outside the RIM into security services that are not part of HL7 messaging, where the protocols exist in other standards and we’re providing value sets for use by those protocols
    • With respect to the information models, we should be cognizant of what is in the RIM if it is appropriate to the use that we intend
  • We need to deal with Security concepts that are not currently reflected in the RIM and which may require HL7 harmonization work for some of those concepts
  • Glen is not confident that the RIM contains all the necessary concepts, especially those in other standards’ domains that HL7 has not treated normatively.
    • Another concern is the issue of harmonization: where concepts exist in the Security DAM but not in the RIM, or where concepts are in both but are defined differently
  • Ioana clarified that the Domain Analysis Model is not related to the RIM. This question is raised because the SAEAF Alpha project is involved. The PASS Alpha project has to produce an HL7 standard
  • The question is what is the role of the RIM in specifying a platform independent model for the PASS Alpha Project (Access Control)
  • John: it is not appropriate that the HL7 RIM must incorporate all possible domains that could be used within health care when there is a mature domain that can be referenced
    • The way the RIM is supposed to be used is as the base class for all the classes in the Domain
    • e.g., Constraint policy to be passed via service parameters
      • Consider using RIM-derived concepts to represent the constraint policy if you’re trying to pass parameters that describe such an object and there is no support for it (following analysis)
      • The RIM is not supposed to be the union of all classes for all domains; it is supposed to be the starting point. If there is something required by the Security Domain Analysis that we cannot represent using a class derived from a RIM class, then we may have a gap and may require harmonization to add those classes, or the SAEAF Alpha project can go in another direction
  • As PASS works through the Audit Service, there are very mature domains (DICOM 95, RFC 3881) that should be used, and not brought into the RIM. This would be a good area to focus on first to address this issue
  • The problem is that the question of what is in/what is out is always subject to debate

RBAC Ballot Reconciliation Status

  • Ballot reconciliation is 100% complete for RBAC; Microsoft has withdrawn their negative vote
  • The package will be uploaded to the Ballot site later today
  • All the changes have been incorporated into a new version of the Permissions catalog, which is posted on GForge
  • ANSI will then issue the new identifier for version 2

Security and CBCC WG Response to Meaningful Use IFR

  • Work Group members should post their comments on the ListServ (Security and CBCC Lists)
  • Comments from the WGs should be related to HL7-specific standards, as many on these WGs participate in other SDOs and have already submitted comments related to those organizations
  • A new wiki page to consolidate the ListServ comments will be placed on the CBCC and Security main pages (Security Project Space and CBCC Project Space)
  • The ListServ threads will be reviewed during next Tuesday’s joint meeting and those that are endorsed by the WGs will be compiled and submitted to HL7 leadership for inclusion in the overall HL7 response
  • It is not expected that comments will result in major changes to the rule. Comments have been requested to provide a roadmap for enhancements to the 2013 and 2015 rules
  • Glen’s comments that are specific to HL7 will be considered for endorsement by the Security WG along with others that may be submitted via the list at next week’s meeting

Meeting was adjourned at 2:00 PM EST. No significant motions or decisions were made.