This wiki has undergone a migration to Confluence found Here

Difference between revisions of "HL7 FHIR Security 2018-08-14"

From HL7Wiki
Jump to navigation Jump to search
 
Line 111: Line 111:
  
 
==Minutes==
 
==Minutes==
 +
*Roll;
 +
* approval of agenda  -- unanimous
 +
* approval of [[HL7 FHIR Security 2018-07-31]] Minutes -- unanimous
 +
* Announcements
 +
** Baltimore Connectathon?  http://wiki.hl7.org/index.php?title=FHIR_Connectathon_19
 +
** FHIR Build is frozen for R4 ballot. QA happening
 +
** Short report out from ONC Interop Forum - Privacy Standards panel
 +
*** Group asks ONC to provide guidance on expectation of how standards will be used to fulfill
 +
**** various privacy regulations (National, State, age based, data sensitivity based, individual, etc)
 +
***** Delegated/Proxy account accessing an emancipated minor going through transition where transition ages are different in various locations.
 +
**** Provenance when publishing/sending
 +
**** Provenance when consuming/authenticating
 +
*** Generally there was understanding that Interop standards exist (HL7, IHE, FHIR, etc)
 +
*** Concern around Client Application rights/responsibilities. As distinct from user.
 +
*** Need for help writing privacy notices/policies in way that conveys facts to typical human
 +
* Review Kathleen's proposal for Safety Checklist
 +
** Kathleen was not on, so we skipped this
 +
* Should we have a procedure that other workgroups can bring us FHIR Resources or FHIR IG, where we do a Privacy and Security analysis SO-THAT we inform their "Security and Privacy Considerations" section?
 +
** To focus on FHIR as a scoping mechanism. That is to say that this effort could be applied everywhere, but we need to start somewhere. There has been some interest for this kind of review in FHIR.
 +
*** Person resource http://build.fhir.org/person.html#security
 +
** Much like IETF has with W3C PING?
 +
*** W3C PING https://w3c.github.io/privacy-considerations/
 +
*** W3C specification for writing Privacy Considerations http://yrlesru.github.io/SPA/
 +
*** W3C Self-Review Questionnaire: Security and Privacy https://www.w3.org/TR/security-privacy-questionnaire/
 +
** IETF guidance on writing the Security Considerations section https://tools.ietf.org/html/rfc3552
 +
** IETF guidance on writing a protocol module -- a description of your standard so that an analysis can be made https://tools.ietf.org/html/rfc4101
 +
** Could try to apply W3C process without customization to see how well it applies?
 +
*** W3C Self-Review Questionnaire: Security and Privacy -- GITHUB active version https://w3ctag.github.io/security-questionnaire/
 +
*** Note not all FHIR resources are sensitive, some are intended to be publicly exposed.
 +
** Notes from call
 +
*** Lui is worried that adding a section to each page of the FHIR specification would not be helpful, it would be too much replication of the same statements
 +
**** Should improve security pages as needed (ACTION John to add CR for the two items mentioned on the Person resource)
 +
*** Suzanne -- need to bring this to the larger WG
 +
**** Yes, once we have some experimentation. Too soon to bring this to them. Possibly at Baltimore
 +
*** ACTION: John -- focus on the resources going normative. What can be said? Is it repetition? Is there groups of similar text?
 +
* All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
 +
** Did not address
 +
* New business
 +
** none brought forward

Latest revision as of 19:28, 14 August 2018

Call Logistics

Weekly: Tuesday at 02:00 pm EST

Web conference desktop and VOIP https://www.freeconferencecall.com/join/security36 
Online Meeting ID: security36
Phone: +1 515-604-9567, Participant Code: 880898
 Please be aware that teleconference meetings are recorded to assist with creating the meeting minutes 

Back to HL7 FHIR security topics

Attendees

Member Name Member Name Member Name
x John Moehrke Security Co-Chair . Kathleen Connor Security Co-Chair . Alexander Mense Security Co-chair
x Suzanne Gonzales-Webb CBCC Co-Chair . Johnathan Coleman CBCC co-chair . Chris Shawn Security co-chair
x Jim Kretz . Kenneth Salyards . Nathan Botts Mobile co-chair
. Diana Proud-Madruga . Joe Lamy AEGIS x Beth Pumo
. Irina Connelly . Matt Blackman Sequoia . Mark Underwood NIST
. Peter Bachman . Grahame Greve FHIR Program Director . Kevin Shekleton (Cerner, CDS Hooks)
x Luis Maas . Julie Maas . Francisco Jauregui
. Gary Dickinson . Dave Silver . Foo Bar

Agenda


ACTIONS

  • Kathleen - update her proposal for safety checklist

references


Current Open issues in gForge

  • 9167 AuditEvent+needs+to+make+more+obvious+how+to+record+a+break-glass+event (John Moehrke) Considered for Future Use
  • 10343 Three+additional+Signature.type+codes (Kathleen Connor) Considered for Future Use
  • 11071 Improve+security+label+guidance+-+2016-09+core+%2390 (Kathleen Connor) None
  • 12660 HCS+use+clarification (John Moehrke) None
  • 17192 Verification+of+given+resource+without+changing+the+content (Thomas Johansen) None
  • 17299 enhance+current+disclosure+AuditEvent+so+that+it+explains+what+is+being+recorded+and+why (John Moehrke) None
  • 17300 Break-Glass+description+needs+clarifications (John Moehrke) None
  • 14678 Implementation+guide+for+signatures+-+2018-Jan+Core+%231 (Brian Pech) Not Persuasive

Minutes

  • Roll;
  • approval of agenda -- unanimous
  • approval of HL7 FHIR Security 2018-07-31 Minutes -- unanimous
  • Announcements
    • Baltimore Connectathon? http://wiki.hl7.org/index.php?title=FHIR_Connectathon_19
    • FHIR Build is frozen for R4 ballot. QA happening
    • Short report out from ONC Interop Forum - Privacy Standards panel
      • Group asks ONC to provide guidance on expectation of how standards will be used to fulfill
        • various privacy regulations (National, State, age based, data sensitivity based, individual, etc)
          • Delegated/Proxy account accessing an emancipated minor going through transition where transition ages are different in various locations.
        • Provenance when publishing/sending
        • Provenance when consuming/authenticating
      • Generally there was understanding that Interop standards exist (HL7, IHE, FHIR, etc)
      • Concern around Client Application rights/responsibilities. As distinct from user.
      • Need for help writing privacy notices/policies in way that conveys facts to typical human
  • Review Kathleen's proposal for Safety Checklist
    • Kathleen was not on, so we skipped this
  • Should we have a procedure that other workgroups can bring us FHIR Resources or FHIR IG, where we do a Privacy and Security analysis SO-THAT we inform their "Security and Privacy Considerations" section?
    • To focus on FHIR as a scoping mechanism. That is to say that this effort could be applied everywhere, but we need to start somewhere. There has been some interest for this kind of review in FHIR.
    • Much like IETF has with W3C PING?
    • IETF guidance on writing the Security Considerations section https://tools.ietf.org/html/rfc3552
    • IETF guidance on writing a protocol module -- a description of your standard so that an analysis can be made https://tools.ietf.org/html/rfc4101
    • Could try to apply W3C process without customization to see how well it applies?
    • Notes from call
      • Lui is worried that adding a section to each page of the FHIR specification would not be helpful, it would be too much replication of the same statements
        • Should improve security pages as needed (ACTION John to add CR for the two items mentioned on the Person resource)
      • Suzanne -- need to bring this to the larger WG
        • Yes, once we have some experimentation. Too soon to bring this to them. Possibly at Baltimore
      • ACTION: John -- focus on the resources going normative. What can be said? Is it repetition? Is there groups of similar text?
  • All security open http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&tracker_query_id=4967
    • Did not address
  • New business
    • none brought forward