Difference between revisions of "HL7 September 2018 WGM MINUTES"

• 201809 Baltimore WGM minutes document

201809 Security WGM Agenda

TUE OCT 02 Q1

9:00-10:30 Opening Security WG Meeting

• Introductions
• Approval of agenda
• International Report outs Liaison Reports:
  • ISO, IHE, ONC, OASIS XSPA
  • FHIR Security Report out/S&P Considerations - John Moehrke
  • HL7 Project status and update
    • Is Privacy Obsolete Study Group (report out here and at joint EHR meeting and possibly FHIR group?) - Mike Davis
    • PSAF Project Refresh, Trust Framework and S&P DAM - Next Steps overview - Mike Davis
• 20109 Agenda approved by consensus
• Review of Security 201805 Cologne WGM Minutes
• Fix May Minutes - Hide stated that there is no hyphen in company name. Minutes were corrected.
• Minutes approved Beth/John; Kevin Donnelly abstained 14-1-0

Security International SDO Report out

Trish AU

• AU Personal Health Care Electronic Record (PHCER) System has an Opt-out consent scheme.
• AU Senate review of the PHCER summary record found poor adoption of the summary record. A PCP doesn't need to look at summary record. Government is till trying to get adoption among PCP or specialists, which are having to be incentivized [payment model]. Providers have concern with privacy and security because of breach in Singapore. One million patients have opted out.
• AU citizens don't have to have private health insurance, but it’s not needed except to choose hospital/specialists.
• PHCER uses IHE XDS architecture.

Hide Japan

• Hide reported that the Japanese government has decided on implementing a new citizen identification system for health record to make patient matching easier.
• Some EHR vendors are implementing a common viewer for EHRs for sharing or checking medications and prescriptions, and medical records to address lack of EHR interoperability.
• Next year, Japan will implement patient consent scheme for default opt-in with restriction of organizational EHRs. Patient can decide which healthcare organizations can access their health information, and supports opt-out. Will trial in 2020.
• John asked if Japan treat some conditions more sensitive.  Hide said that all health data is deemed sensitive.
• Hide also presented on ISO activities (attached and in gforge) @ WG-JWG Closing Plenary WG4 MaringaV3.pdf

Peter van Liesdonk Netherlands

• For GDPR implementation, things going wrong wrt de-identified vs ability to relink, anonymize vs encryption can be re-identified.  SSL is identifiable. 
• There are projects with legal university.  Analysis over encrypted data.  Encrypted data sent without key, which are easily broken brute force so that the hacker can find all records with same blob. Anonymization with big data impossible. ISO pseudonymization: Analysis about ability to reidentify the data shows that reidentification is a risk, which must be managed. Bottom line – all participants need trust contracts with everyone.

Alex Mense - Austria

• Austria has an opt out scheme. No security category - no sensitivities in the laws because all health information is deemed sensitive, same as Japan.
• Implementing IHE security. Patient portal can control access to record - can opt in at record type to specific providers.
• Treatment is the only permissible purpose of use.
• Bridging borders for cross border exchange started in 2010. Other EU ePrivacy law pertain: The Directive for network security, which each jurisdiction must put into national law because health exchange networks considered critical infrastructure.
• Mike - SUD is sensitive - EU SUD is criminal but all providers must treat. Mike wanted more details about how EU is addressing this issue.
• Norway - TMC: GDPR is the major focus.
• IHE - John Moehrke

IHE had a panel discussion that discussed the finding that large organizations are giving patient access and ability to direct disclosure policies. The ability to delegate access/disclosure policies is well implemented across large systems.

• Hide stated that  Japan has delegation policy but not widely implemented. Patient-defined policies is the focus. 
• Alex stated that there is delegation for minors, but not for other personal representatives.  Girls are no longer minors at 14. Boys at 16 in Austria. 
• John continued about IHE discussion on delegation: US implementers have problems with enforcing state level ppolicies on minor's health privacy rights.  Age of majority is different by state.  This is a problem for large organizations span multiple states.  Isn't that the organizations wanted to remove controls; they just want consistency.  Under-age emancipated minors are difficult to identify. 
• John noted on a different topic that both DICOM and IHE have added named options that can be claimed as conformance that require TLS 1.2 or higher, and conformance to IETF Recommendations for Secure Use of Transport Layer Security (TLS)and Datagram Transport Layer Security (DTLS) or BCP195. He noted that FHIR also 'recommends' this, so the mandate has to comes from profiles, not from core FHIR. Also, ATNA @ TLS 1.0. migrating to a later release.
• ONC Debbie Bucci: ONC interested in how to address identifying emancipated minors, and policy-bridging different state minors’ rights laws.
• RE Blockchain: Debbie stated that no government agency is willing to put information on blockchain. Debbie could not find use case except perhaps RDF – ID for which blockchain could add value set. Maybe for managed access and delegation. Can only have pointers to PHI on blockchain. Blockchain use cases are focused on micro-services.
• OASIS - Chris: XSPA-SAML update. Old version from HITSP days have POU codes hard coded. Update has been circulated but may want to revise. Relaxing provider requirements because policy can dictate.  OASIS XSAP 2.0 still needs 3 implementers to move forward to standard.
• Sequoia - Matt Blackman

DICOM 2018 TLS 1.2 with some cypher requirements. ISO supplement 204 TLS 2. cypher-suite mandatory - 2016 server. Windows 7 and 2013 can support all. ATNA aligned with ISO.

• Smart on FHIR Argonaut work parallel with Smart on FHIR - Bulk Data Transfer - OAuth ability but doesn't assume that it’s a human. 
• FHIR Server must publish a Capability Statement - CRUD/Resources/Query - security TLS informative list - library of security implementation specifications - others besides Smart on FHIR.  Some may be inappropriate for PHI, but appropriate for other uses such as test data, deidentified data. Expose all approaches. FHIR-I is sponsor with cosponsor.
• John said he had an agreement with Josh Mandel to not make breaking changes in Smart on FHIR based on John’s comments (on behalf of Security WG) about adding security label for next iteration. Smart on FHIR was balloted earlier, and some changes made due to resolution of that ballot. Security can now work on updates to Smart on FHIR to bring in security labels perhaps as json scopes per Mohammad Jafari’s blog on Using JSON to Model Complex OAuth Scopes. Argonaut Smart on FHIR offered to HL7 to ballot w/o breaking changes.  Jan/May ballot.

  If Smart on FHIR is published as normative spec, it is intended to be international.   Bulk Data Transfer is in Argonaut - not yet brought to HL7 like CDS-hooks.  Vendors make first iteration.  Will bring back to HL7 and vote can make breaking changes.   PSAF overview - Mike - TF4FA.  PASS Audit has been balloted and reconciled, but need to make changes to Audit spec. SOA - need to get PASS Audit changes done and published before Jan.  TF4FA v1 and 2 need to be published.   Motion to revise PSAF PSS for deliverable dates and change realm to representative BUT we need to delay until after Jan. to not impede Jan Ballot of TF4FA vol. 3. Need to revise for May 2019 ballot cycle.   TF4FA v3 - Provenance.  Like to renamed as TF4F Provenance under PSAF.  As part of reconciliation make name change.   HIDE - problem with international - change to representative realm is TSC decision?   Motion approved Mike/Beth 12-3-0   Tues Q2 Security   Q2 11:00-12:30 Security Ballot Reconciliation · TF4FA Volumes 1 & 2 Ballot Reconciliation · Update of Volume 3 Draft - Mike Davis · PASS Audit Ballot Reconciliation - Update PASS Audit per ballot dispositions   From <http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_Agenda_-_Baltimore>   Ballot documents for reconciliation: https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot/Ballot%20Documents%20for%20reconciliation   ballotcomments_V3_PSAF_R1_N1_2018MAY amalgamated_20181002_sgw.xlsm   TF4FA v1 and 2 Reconciliation Comment Dispositions 107 - 129 Approved Chris/Diana 10-0-0     Tues Q3 Security Q3 1:45-3:00 Joint CBCP, Hosting Security Proposed Topics: HL7 Project status and updates: 1. Trust (Luis Maas-if able to attend) 2. FHIR-Security and Privacy Topic Overview/cont.(John M) o Future FHIR-Security and Privacy topics o Drill down of FHIR Security-Privacy activities   Luis Maas dd not attend. John gave FHIR 101 overview Use Cases where a particular security technology is appropriate. · API Key · OAuth KC – To address the minor’s rights issues we should map between Sensitivity codes to applicable laws => example default security label/privacy tags. This would be a new approach to a Security/CBCP project to catalogue privacy policies/consent directives. Theresa Ardal Connor will help get this started.   John noted that we need to categorize Resources that are more likely to contain PHI and sensitive information.   eLTSS Reconciliations Johnathan Coleman stated that the eLTSS team is not ready to present dispositions yet.   Tues Q4 Security   Q4 3:30-5:00 Security Joint with CBCP · MiHIN's ONC Patient Granular Choice Pilot presentation - Shreya Patel · FHIR Consent and FHIR Contract Comparison proposed white paper   From <http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_Agenda_-_Baltimore>   Shreya Patel gave overview. Kathleen committed to Compare and Contrast Consent/Contract for inclusion in FHIR.   WED Q1 Joint w/ EHR, CBCP, FHIR, SOA, Security  Q1 9:00-10:30 Joint w/ EHR, CBCP, FHIR, SOA, Security In-depth discussion : 1. TF4FA Vol. 3 Update - Mike Davis 2. PSAF Project Update - Mike Davis 3. S&P Considerations for FHIR - John Moehrke · Security rep to OO for FHIR2V2 PSS for security labels W Q1/Q4 · Security rep to PAC   WED Q1 PAC – KC attended HL7 PAC Agenda October 2-3 2018 v2.docx HL7 Principles List 07.29.18 1.docx   WED Q2 – no room so no meeting Q2 11:00-12:30 Security · PSAF Project Refresh, Trust Framework and S&P DAM - (Information Model) Next Steps - Mike Davis (moved to THURS Q2)     WED Q3 Security WG - FHIR topics   Q3 1:45-3:00 Security WG - FHIR topics · S&P Considerations for FHIR · 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) · 10343 Three additional Signature.type codes (Kathleen Connor) · 11071 Improve security label guidance (Kathleen Connor) · 12660 HCS use clarification (John Moehrke) · 17192 Verification of given resource without changing the content (Thomas Johansen) · 17299 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke) · 17300 Break-Glass description needs clarifications (John Moehrke) · 14678 Implementation guide for signatures+-+2018-Jan Core+%231 (Brian Pech)   WED Q4 GDPR Q4 3:30-5:00 GDPR Session · GDPR Chat-a-thon Findings · GDPR White Paper · Security GDPR Wiki   THURS Q1 Security hosting CBCP, FHIR-I Joint   Q1 9:00-10:30 Security hosting CBCP, FHIR-I Joint · FHIR Consent Resource - Discussion (CBCP-Security) see Wiki: HL7 FHIR Consent Directive Project o Contract vs Consent Issue Grahame, Lloyd · FHIR categorization by security/privacy considerations o can the FHIR tooling help build UI around categorization into various groups (public, business, personal, patient, other) o thus each page would have something at the top similar to 'compartment' with possibly multiple classifications o and each page 'might' have additional S&P considerations only where it is different than that classification · FHIR FMM advancement for Security and Privacy resources   RE Contract vs Consent Issue – Kathleen will write a Contrast/Compare Consent/Contract paper. RE FHIR categorization by security/privacy considerations – John presented a proposal FHIR_Security_Considerations_20181003.pptx that was approved and Grahame will implement on the top banner of each Resource. Kathleen discussed the need to map Sensitivity codes to applicable laws to develop default security labels to quick start implementers and improve security labeling adoption. First examples would be several state minor’s rights and consents.   Grahame proposed adding provenance url of a Resource at the header.   Kathleen noted that this might also be possible approach for binding the consent directive or privacy policy governing a Resource. Value is that when the consent directive or privacy policy changes, the change would be reflected by the url in subsequent disclosures of the Resource while the earlier governing consent directive or privacy policy could be persisted on the same Resource as evidence of earlier authorization.   THURS Q2 Security Housekeeping   Q2 11:00-12:30 Security WG Project Meeting · PSAF Project Refresh, Trust Framework and S&P DAM - (Information Model) Next Steps - Mike Davis · Workgroup Health Update - Security needs to publish S&P DAM and align 3 Year Plan with Project Insight Security Projects. · Infrastructure Steering Division - September Interim Report · Security 3 Year Plan 2016 · Security 3 Year Plan 2018 draft Reviewed Security WG Health and distributed gold stars. [KC – see information below from Infrastructure Steering Division - September Interim Report ] Mike discussed possible next steps in the PSAF project once TF4FA Provenance volume 3 is balloted in January.   Kathleen discussed updates to the Security 3 Year Plan 201809, which she will post on the Security home page and continue updating.   Ken, Diana and Mike discussed their opinions about whether a Part 2 facility could release health information that is not specifically about substance use disorders under HIPAA Treatment, Payment, and Operations purposes of use. Diana pointed out that the revised Part 2 rule still prohibits disclosing any indication that a patient received or is receiving care in a Part 2 Facility. There were no conclusions drawn from the discussion.   Note was taken of new policies and procedures that impact the Security WG. New Policies and Procedures Added a new link on the Security home page to Relevant HL7 Policies and Procedures