HL7 September 2018 WGM MINUTES
201809 Security WGM Agenda
TUE OCT 02 Q1
9:00-10:30 Opening Security WG Meeting
- Approval of agenda
- International Report outs Liaison Reports:
- ISO, IHE, ONC, OASIS XSPA
- FHIR Security Report out/S&P Considerations - John Moehrke
- HL7 Project status and update
- Is Privacy Obsolete Study Group (report out here and at joint EHR meeting and possibly FHIR group?) - Mike Davis
- PSAF Project Refresh, Trust Framework and S&P DAM - Next Steps overview - Mike Davis
- 20109 Agenda approved by consensus
- Review of Security 201805 Cologne WGM Minutes
- Fix May Minutes - Hide stated that there is no hyphen in company name. Minutes were corrected.
- Minutes approved Beth/John; Kevin Donnelly abstained 14-1-0
Security International SDO Report out
- AU Personal Health Care Electronic Record (PHCER) System has an Opt-out consent scheme.
- AU Senate review of the PHCER summary record found poor adoption of the summary record. A PCP doesn't need to look at summary record. Government is till trying to get adoption among PCP or specialists, which are having to be incentivized [payment model]. Providers have concern with privacy and security because of breach in Singapore. One million patients have opted out.
- AU citizens don't have to have private health insurance, but it’s not needed except to choose hospital/specialists.
- PHCER uses IHE XDS architecture.
- Hide reported that the Japanese government has decided on implementing a new citizen identification system for health record to make patient matching easier.
- Some EHR vendors are implementing a common viewer for EHRs for sharing or checking medications and prescriptions, and medical records to address lack of EHR interoperability.
- Next year, Japan will implement patient consent scheme for default opt-in with restriction of organizational EHRs. Patient can decide which healthcare organizations can access their health information, and supports opt-out. Will trial in 2020.
- John asked if Japan treat some conditions more sensitive. Hide said that all health data is deemed sensitive.
- Hide also presented on ISO activities (attached and in gforge) @ WG-JWG Closing Plenary WG4 MaringaV3.pdf
Peter van Liesdonk Netherlands
- For GDPR implementation, things going wrong wrt de-identified vs ability to relink, anonymize vs encryption can be re-identified. SSL is identifiable.
- There are projects with legal university. Analysis over encrypted data. Encrypted data sent without key, which are easily broken brute force so that the hacker can find all records with same blob. Anonymization with big data impossible. ISO pseudonymization: Analysis about ability to reidentify the data shows that reidentification is a risk, which must be managed. Bottom line – all participants need trust contracts with everyone.
Alex Mense - Austria
- Austria has an opt out scheme. No security category - no sensitivities in the laws because all health information is deemed sensitive, same as Japan.
- Implementing IHE security. Patient portal can control access to record - can opt in at record type to specific providers.
- Treatment is the only permissible purpose of use.
- Bridging borders for cross border exchange started in 2010. Other EU ePrivacy law pertain: The Directive for network security, which each jurisdiction must put into national law because health exchange networks considered critical infrastructure.
- Mike - SUD is sensitive - EU SUD is criminal but all providers must treat. Mike wanted more details about how EU is addressing this issue.
- Norway - TMC: GDPR is the major focus.
- IHE - John Moehrke
IHE had a panel discussion that discussed the finding that large organizations are giving patient access and ability to direct disclosure policies. The ability to delegate access/disclosure policies is well implemented across large systems.
- Hide stated that Japan has delegation policy but not widely implemented. Patient-defined policies is the focus.
- Alex stated that there is delegation for minors, but not for other personal representatives. Girls are no longer minors at 14. Boys at 16 in Austria.
- John continued about IHE discussion on delegation: US implementers have problems with enforcing state level ppolicies on minor's health privacy rights. Age of majority is different by state. This is a problem for large organizations span multiple states. Isn't that the organizations wanted to remove controls; they just want consistency. Under-age emancipated minors are difficult to identify.
- John noted on a different topic that both DICOM and IHE have added named options that can be claimed as conformance that require TLS 1.2 or higher, and conformance to IETF Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) or BCP195. He noted that FHIR also 'recommends' this, so the mandate has to comes from profiles, not from core FHIR. Also, ATNA @ TLS 1.0. migrating to a later release.
- ONC Debbie Bucci: ONC interested in how to address identifying emancipated minors, and policy-bridging different state minors’ rights laws.
- RE Blockchain: Debbie stated that no government agency is willing to put information on blockchain. Debbie could not find use case except perhaps RDF – ID for which blockchain could add value set. Maybe for managed access and delegation. Can only have pointers to PHI on blockchain. Blockchain use cases are focused on micro-services.
- OASIS - Chris: XSPA-SAML update. Old version from HITSP days have POU codes hard coded. Update has been circulated but may want to revise. Relaxing provider requirements because policy can dictate. OASIS XSAP 2.0 still needs 3 implementers to move forward to standard.
- Sequoia - Matt Blackman
DICOM 2018 TLS 1.2 with some cypher requirements. ISO supplement 204 TLS 2. cypher-suite mandatory - 2016 server. Windows 7 and 2013 can support all. ATNA aligned with ISO.
- Smart on FHIR Argonaut work parallel with Smart on FHIR - Bulk Data Transfer - OAuth ability but doesn't assume that it’s a human.
- FHIR Server must publish a Capability Statement - CRUD/Resources/Query - security TLS informative list - library of security implementation specifications - others besides Smart on FHIR. Some may be inappropriate for PHI, but appropriate for other uses such as test data, deidentified data. Expose all approaches. FHIR-I is sponsor with cosponsor.
- John said he had an agreement with Josh Mandel to not make breaking changes in Smart on FHIR based on John’s comments (on behalf of Security WG) about adding security label for next iteration. Smart on FHIR was balloted earlier, and some changes made due to resolution of that ballot. Security can now work on updates to Smart on FHIR to bring in security labels perhaps as json scopes per Mohammad Jafari’s blog [https://medium.com/@jafarim/using-json-to-model-complex-oauth-scopes-fa8a054b2a28
Using JSON to Model Complex OAuth Scopes]. Argonaut Smart on FHIR offered to HL7 to ballot w/o breaking changes. Jan/May ballot.
- If Smart on FHIR is published as normative spec, it is intended to be international.
- Bulk Data Transfer is in Argonaut - not yet brought to HL7 like CDS-hooks. Vendors make first iteration. Will bring back to HL7 and vote can make breaking changes.
- PSAF overview - Mike - TF4FA. PASS Audit has been balloted and reconciled, but need to make changes to Audit spec. SOA needs to get PASS Audit changes done and published before January.
- TF4FA Volumes 1 and 2 need to be published. WG should revise PSAF PSS for deliverable dates and change realm to representative, but we need to delay until after January to not impede January Ballot of TF4FA Volume 3. WG needs to revise for May 2019 ballot cycle.
- Mike - Since TF4FA Volume 3 is focused on Provenance, he would like to renamed it as "TF4F Provenance" under PSAF as part of reconciliation make name change.
- HIDE asked what the problem is with TF4FA being international. Is the change to representative realm a TSC decision?
- Motion to publish TF4FA Volumes 1 and 2, to change the name of Volume 3 to "TF4F Provenance", and to update the PSS after January was approved Mike/Beth 12-3-0.
Tues Q2 Security
Q2 11:00-12:30 Security Ballot Reconciliation · TF4FA Volumes 1 & 2 Ballot Reconciliation · Update of Volume 3 Draft - Mike Davis · PASS Audit Ballot Reconciliation - Update PASS Audit per ballot dispositions From <http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_Agenda_-_Baltimore> Ballot documents for reconciliation: https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot/Ballot%20Documents%20for%20reconciliation ballotcomments_V3_PSAF_R1_N1_2018MAY amalgamated_20181002_sgw.xlsm
- TF4FA v1 and 2 Reconciliation Comment Dispositions 107 - 129 Approved
Tues Q3 Security
Q3 1:45-3:00 Joint CBCP, Hosting Security Proposed Topics: HL7 Project status and updates: 1. Trust (Luis Maas-if able to attend) 2. FHIR-Security and Privacy Topic Overview/cont.(John M) o Future FHIR-Security and Privacy topics o Drill down of FHIR Security-Privacy activities Luis Maas dd not attend. John gave FHIR 101 overview Use Cases where a particular security technology is appropriate. · API Key · OAuth KC – To address the minor’s rights issues we should map between Sensitivity codes to applicable laws => example default security label/privacy tags. This would be a new approach to a Security/CBCP project to catalogue privacy policies/consent directives. Theresa Ardal Connor will help get this started. John noted that we need to categorize Resources that are more likely to contain PHI and sensitive information. eLTSS Reconciliations Johnathan Coleman stated that the eLTSS team is not ready to present dispositions yet.
Tues Q4 Security Security Joint with CBCP
- MiHIN's ONC Patient Granular Choice Pilot presentation - Shreya Patel
- FHIR Consent and FHIR Contract Comparison proposed white paper
- Shreya Patel gave overview of MiHIN's ONC Patient Granular Choice Pilot.
- After discussion about CBCP decision to writing a white paper FHIR Consent and FHIR Contract Comparison, Kathleen committed to drafting a discussion about the appropriate used cases as a Compare and Contrast of Consent/Contract and other approaches to collecting and conveying consent directives for inclusion in FHIR.
WED Q1 Joint w/ EHR, CBCP, FHIR, SOA, Security
- TF4FA Vol. 3 Update - Mike Davis
- PSAF Project Update - Mike Davis
- S&P Considerations for FHIR - John Moehrke
- Security rep to OO for FHIR2V2 PSS for security labels W Q1/Q4
- Security rep to PAC – KC attended
WED Q2 SecuritynProjects
- PSAF Project Refresh, Trust Framework and S&P DAM - (Information Model) Next Steps - Mike Davis
- No room reserved, so no meeting (moved to THURS Q2)
WED Q3 FHIR topics
The following Topics and CRs were discussed. See CR# for resolutions
S&P Considerations for FHIR 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke) 10343 Three additional Signature.type codes (Kathleen Connor) 11071 Improve security label guidance (Kathleen Connor) 12660 HCS use clarification (John Moehrke) 17192 Verification of given resource without changing the content (Thomas Johansen) 17299 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke) 17300 Break-Glass description needs clarifications (John Moehrke) 14678 Implementation guide for signatures+-+2018-Jan Core+%231 (Brian Pech)
WED Q4 GDPR
GDPR Chat-a-thon Findings discussed. GDPR White Paper - update provided - see http://confluence.hl7.org:8090/display/SEC/FHIR+-+GDPR
- GDPR Wiki - See new materials added, all of which needs to be linked into Confluence GDPR Project