
Difference between revisions of "HL7 WGM MAY 2017 - Madrid Spain AGENDA"

 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
[http://www.hl7.org/documentcenter/public/brochures/wgm/HL7_WGM_20170317.pdf HL7 MAY WGM Event BROCHURE Link]
 
[http://www.hl7.org/documentcenter/public/brochures/wgm/HL7_WGM_20170317.pdf HL7 MAY WGM Event BROCHURE Link]
  
[http://**TBD Madrid WGM SITE]
+
[http://www.hl7.org/documentcenter/public/brochures/wgm/HL7_WGM_20170421.pdf TBD Madrid WGM SITE]
  
Minutes: [http://***TBD May 2017 Security WGM Minutes Madrid, Spain]
+
Minutes: [http://wiki.hl7.org/index.php?title=HL7_WGM_MAY_2017_-_Madrid_Spain_Minutes May 2017 Security WGM Minutes Madrid, Spain]
  
 
[[Security|Back to Security Meetings]]
 
[[Security|Back to Security Meetings]]
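Review bot: the second link in the new revision still carries the label "TBD Madrid WGM SITE" although its target is now a brochure PDF (HL7_WGM_20170421.pdf). Relabel it to say what it points at, and since the first link is also labelled as the event brochure (HL7_WGM_20170317.pdf), state which of the two is current or drop the older one.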
Line 43: Line 43:
 
||''' Joint CBCC - Security'''
 
||''' Joint CBCC - Security'''
 
* [[May 2017 CBCC Working Group Meeting - Madrid, Spain]]
 
* [[May 2017 CBCC Working Group Meeting - Madrid, Spain]]
||CBCC||TBD
+
||CBCC hosting Security
 +
||Alcudia
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
Line 49: Line 50:
 
|| '''Joint with CBCC – New discussion items and projects'''
 
|| '''Joint with CBCC – New discussion items and projects'''
 
* [[May 2017 CBCC Working Group Meeting - Madrid, Spain]]
 
* [[May 2017 CBCC Working Group Meeting - Madrid, Spain]]
||CBCC
+
||CBCC hosting Security
||TBD
+
||Alcudia
 
|-
 
|-
 
|-
 
|-
Line 69: Line 70:
 
** FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM
 
** FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM
 
||Security
 
||Security
||TBD
+
||Chinchon
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
Line 77: Line 78:
 
*[http://gforge... TF4FA Ballot Material]
 
*[http://gforge... TF4FA Ballot Material]
 
||Security
 
||Security
||TBD
+
||Chinchon
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
Line 84: Line 85:
 
*Josh assigned Core team assistance
 
*Josh assigned Core team assistance
 
*[http://hl7-fhir.github.io/pcd/consentdirective.html FHIR Consent Resource]
 
*[http://hl7-fhir.github.io/pcd/consentdirective.html FHIR Consent Resource]
||CBCC
+
||CBCC hosting Security, MH
||TBD
+
||Alcudia
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
 
| ||||Q4||4:30-6:00
 
| ||||Q4||4:30-6:00
 
||'''Security WG Project Meeting'''  
 
||'''Security WG Project Meeting'''  
*FHIR Privacy and Security Conformance Test Suite Planning Session
+
*Bernd Blobel - THEWS [https://www.slideshare.net/iirojan/thews-trusted-ehealth-and-ewelfare-space Trusted eHealth and eWelfare Space] Report on current work: trust calculation and informed trust decisions
*FHIR Security Front matter Work Session
 
*Outstanding FHIR Security CR Resolution
 
 
||Security
 
||Security
||TBD
+
||Chinchon
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
 
|WED||MAY 10||Q1||10:00-11:30
 
|WED||MAY 10||Q1||10:00-11:30
 
||'''Joint w/ EHR, CBCC, FHIR, SOA, Security'''
 
||'''Joint w/ EHR, CBCC, FHIR, SOA, Security'''
*Discussion with AEGIS Team on development of a FHIR Privacy, Security, Provenance, and Digital Ledger Technology Conformance Testing Suite.  Expectation is that WGs will bring any test cases [e.g., Cascading OAuth for Patient Right of Access] have been developed or input to test cases.
+
*1st hour: Discussion with AEGIS Team on development of a FHIR Privacy, Security, Provenance, and Digital Ledger Technology Conformance Testing Suite.  Expectation is that WGs will bring any test cases [e.g., Cascading OAuth for Patient Right of Access] have been developed or input to test cases.
||Security
+
*Last 30 Minutes: Bernd Blobel will brief us on the imminent need for standards such as the FHIR Security Labeling, and the Provenance and AuditEvent Resources, to meet the EU General Data Protection Regulation requirements in 2018. 
||TBD
+
||EHR hosting Security, CBCC, FHIR-I
 +
||Oxford
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
Line 108: Line 108:
 
* Tentative Agenda Items:
 
* Tentative Agenda Items:
 
** PASS Audit topics (joint w Security, CBCC, SOA)
 
** PASS Audit topics (joint w Security, CBCC, SOA)
||SOA
+
||SOA hosting Security
||TBD
+
||La Puebla
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
Line 124: Line 124:
 
*** User using mobile App
 
*** User using mobile App
 
*** System-to-system (e.g. organization to organization)
 
*** System-to-system (e.g. organization to organization)
* Introduction to CDS-Hook
+
* Introduction to CDS Hooks
**Some points that might not be fully clear why I am interested in cds-hook. First,  
+
**Some points that might not be fully clear why I am interested in CDS Hooks. First,  
**the security workgroup knows that we are not experts on medical information. We see the general concept of CDS to be a service that fully understands medical information. Thus we callup the general concept to tell us if there are sensitive health topics. This is what we have encapsulated in the SLS. So, wondering how we can leverage the cds-hook similarly. I think this is what Grahame was referring to with the point about suggesting security tags to the user. It would be best if the user doesn't need to think about security-tags, although they should be able to change them authoritatively with proper authorization. Adding a layer that can transparently assess the data using current CDS knowledge and expertise to apply proper security-tags.
+
**the security workgroup knows that we are not experts on medical information. We see the general concept of CDS to be a service that fully understands medical information. Thus we callup the general concept to tell us if there are sensitive health topics. This is what we have encapsulated in the SLS. So, wondering how we can leverage CDS Hooks similarly. I think this is what Grahame was referring to with the point about suggesting security tags to the user. It would be best if the user doesn't need to think about security-tags, although they should be able to change them authoritatively with proper authorization. Adding a layer that can transparently assess the data using current CDS knowledge and expertise to apply proper security-tags.
**The other point is that to fully protect healthcare data to the very finegrain level that some envision, we need not only security assessment of the data in create/update, or resting, but also during accessing. Today OAuth scopes are very simplistic (i.e. SMART), but eventually they need to get more detailed and multi-layered. Way beyond what OAuth standards support today. The interpretation of the OAuth security token, relative to the query requested, and the results it uncovers; should be done by some security layer that is aware of FHIR, but is not fundamentally changing the baseline concept that is FHIR. --- So I am looking at what you have done with cds-hooks to see if there is something similar that can be done to advance the capability toward more fine grain authorization enforcement.
+
**The other point is that to fully protect healthcare data to the very finegrain level that some envision, we need not only security assessment of the data in create/update, or resting, but also during accessing. Today OAuth scopes are very simplistic (i.e. SMART), but eventually they need to get more detailed and multi-layered. Way beyond what OAuth standards support today. The interpretation of the OAuth security token, relative to the query requested, and the results it uncovers; should be done by some security layer that is aware of FHIR, but is not fundamentally changing the baseline concept that is FHIR. --- So I am looking at what you have done with CDS Hooks to see if there is something similar that can be done to advance the capability toward more fine grain authorization enforcement.
 
**background materials from Kevin Shekleton CDS Hooks slide deck from the HSPC HIT Developers Conference today. presentation was recorded and when available will share that link in the Speaker Deck description for the presentation.
 
**background materials from Kevin Shekleton CDS Hooks slide deck from the HSPC HIT Developers Conference today. presentation was recorded and when available will share that link in the Speaker Deck description for the presentation.
 
*** https://speakerdeck.com/kpshek/remote-decision-support-with-cds-hooks-hspc-hit-developers-conference
 
*** https://speakerdeck.com/kpshek/remote-decision-support-with-cds-hooks-hspc-hit-developers-conference
||Security
+
||Security hosting FHIR-I
||TBD
+
||Alcudia
 
|-valign="top"
 
|-valign="top"
 
| ||||Q4||4:30-6:00
 
| ||||Q4||4:30-6:00
 
||'''Security WG Project Meeting'''
 
||'''Security WG Project Meeting'''
* Continue TF4FA Reconciliation
+
* [http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20May%202017/ballotcomments_V3_PSAF_R1_I2_2017MAY%20Amalgamated%20wo%20BB%20or%20depositions.xls Continue TF4FA Reconciliation]
 
* Workgroup Health Update - cont. THU Q2
 
* Workgroup Health Update - cont. THU Q2
 
** [http://gforge.hl7.org/gf/download/docmanfileversion/9008/13736/2016%20Jan%20Security%20WG%20Three-Year%20Plan.xlsx Current 3 Yr Plan]
 
** [http://gforge.hl7.org/gf/download/docmanfileversion/9008/13736/2016%20Jan%20Security%20WG%20Three-Year%20Plan.xlsx Current 3 Yr Plan]
Line 141: Line 141:
 
** [http://gforge.hl7.org/gf/download/docmanfileversion/9381/14666/HL7%20Baltimore%202016%20Security%20WGM%20Governance%20and%20Health.pptx Security Health Report]
 
** [http://gforge.hl7.org/gf/download/docmanfileversion/9381/14666/HL7%20Baltimore%202016%20Security%20WGM%20Governance%20and%20Health.pptx Security Health Report]
 
||Security
 
||Security
||TBD
+
||Chinchon
 
|-valign="top"
 
|-valign="top"
| THU||MAY 11||Q1||9:00-10:00
+
| THU||MAY 11||Q1||10:00-11:30
 
||'''Security Joint with CBCC,FHIR-I'''
 
||'''Security Joint with CBCC,FHIR-I'''
 
*Josh assigned FHIR Core team
 
*Josh assigned FHIR Core team
 +
*FHIR Priorities (email from Lloyd) http://lists.hl7.org/read/archive?id=312425
 
*Continued: FHIR Connectathon Privacy and Security testing scenarios
 
*Continued: FHIR Connectathon Privacy and Security testing scenarios
||Security
+
*how might [http://build.fhir.org/graphdefinition.html GraphDefinition] be used with Provenance? How might it be used in an Audit Analysis/Reporting?
||TBD|-
+
*how might a client that get subsetted/redacted data be enabled to do Update/Patch?
 +
** Subsetted by _summary
 +
** Subsetted by some client request (not yet available, is this a FHIR-I work item?)
 +
*** Some mechanism that is based on profiles, where client asks data to be subsetted to the constraints in a profile
 +
** Subsetted by redaction rules -- where communicating the redaction result
 +
** So That - when an update happens, the server knows that the client is NOT asking to have the elements missing be removed from the server copy.
 +
** What might be issues?
 +
* Can we use a general subsetting type of a profile to enable more complete de-identification algorithms.
 +
||Security hosting CBCC, FHIR-I
 +
||Marsella
 +
|-
 
|-valign="top"
 
|-valign="top"
 
| ||||Q2||12:00-1:30
 
| ||||Q2||12:00-1:30
Line 155: Line 166:
 
** Addition to FHIR Agent value set
 
** Addition to FHIR Agent value set
 
** POU additions - HTEST, Research Consent POUs
 
** POU additions - HTEST, Research Consent POUs
** Prose Object code system
+
** Addition to FHIR ProvenanceEvent value set for export, disclose, import, receive, disassemble, decompose, which are in the Lifecycle Event matrix. Needed for Provenance Lifecycle test script.
 
||Security
 
||Security
||TBD
+
||Chinchon
 
|-valign="top"
 
|-valign="top"
| ||||Q3||2:45-4:00
+
| ||||Q3||2:45-4:00||.||||.
||'''Security WG Housekeeping Session'''
+
|-
*Security WGM Minutes, Health, Plan, updates to DMP etc.
+
valign="top"
||Security
+
| ||||Q4||4:30-6:00||.||||.
||TBD
 
|-valign="top"
 
| ||||Q4||3:30 - 5:00
 
||'''Continue: Security WG Housekeeping Session'''
 
*Security WGM Minutes, Health, Plan, updates to DMP etc.
 
||Security
 
||TBD
 
 
 
 
|-valign="top"
 
|-valign="top"
| FRI||MAY 12||Q1|| 10:00-11:30||FHIR and SGB Meetings||||TBD
+
| FRI||MAY 12||Q1|| 10:00-11:30||.||||.
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
| ||||Q2||12:00-1:30||FHIR and SGB Meetings||||TBD
+
| ||||Q2||12:00-1:30||.||||.
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
| ||||Q3||12:00-1:30||FHIR and SGB Meetings||||.TBD
+
| ||||Q3||2:45-4:00||.||||.
 
|-
 
|-
 
|-valign="top"
 
|-valign="top"
| ||||Q4||4:30-6:00||FHIR and SGB Meetings||||
+
| ||||Q4||4:30-6:00||.||||.
 
|}
 
|}
 
[[Security|Back to Security Wiki Meetings]]
 
[[Security|Back to Security Wiki Meetings]]
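Review bot: in the new THU Q3/Q4 rows the row separator is split across two lines ("|-" followed by a bare valign="top"), so the attribute is no longer attached to the separator and will render as stray text; write it as |-valign="top" like the other rows. The same rows replace the Security WG Housekeeping Session entries (WGM Minutes, Health, Plan, updates to DMP) with "." placeholders and say nothing about where that business moved; if it was folded into another quarter, list it there.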

Latest revision as of 07:51, 11 May 2017

HL7 MAY WGM Event BROCHURE Link

TBD Madrid WGM SITE

Minutes: May 2017 Security WGM Minutes Madrid, Spain

Back to Security Meetings

AGENDA

| Day | Date | Qtr | Time | Event | Session Leader | Room |
| SUN | MAY 7 | Q1 | 10:00-11:30 | International Affiliates/Connectathon Report Out | International Affiliates/Connectathon | TBD |
|  |  | Q2 | 12:00-1:30 | International Affiliates/Connectathon Report Out | International Affiliates/Connectathon | TBD |
|  |  | Q3 | 2:45-4:00 | Cochair FHIR Session | FHIR MG | TBD |
|  |  | Q4 | 4:30-6:00 | Cochair Vocabulary Session | Vocabulary WG | TBD |
| MON | MAY 8 | Q1 | 10:00-11:30 | . | No Meeting | . |
|  |  | Q2 | 12:00-1:30 | . | No Meeting | . |
|  |  | Q3 | 2:45-4:00 | Joint CBCC - Security | CBCC hosting Security | Alcudia |
|  |  | Q4 | 4:30-6:00 | Joint with CBCC – New discussion items and projects | CBCC hosting Security | Alcudia |
| TUE | May 9 | Q1 | 10:00-11:30 | Opening Security WG Meeting | Security | Chinchon |
  • Introductions
  • Approval of agenda
  • International Report outs
  • HL7 Policy Advisory Committee update
  • Liaison Reports: ISO, IHE, ONC
  • HL7 Project status and updates:
    • FHIR Security - AuditEvent, Provenance, Security Labels
    • Trust Framework - Ballot Report and WGM Reconciliation Plans, Links to FHIR Security
    • SLS Revisions - WGM Development Plans, Links to FHIR Security
    • SOA Audit - Status, Development Plans, Links to FHIR Security
    • FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM
|  |  | Q2 | 12:00-1:30 | Trust Framework Work Session | Security | Chinchon |
|  |  | Q3 | 2:45-4:00 | CBCC FHIR-I Joint on FHIR Consent Resource | CBCC hosting Security, MH | Alcudia |
|  |  | Q4 | 4:30-6:00 | Security WG Project Meeting | Security | Chinchon |
| WED | MAY 10 | Q1 | 10:00-11:30 | Joint w/ EHR, CBCC, FHIR, SOA, Security | EHR hosting Security, CBCC, FHIR-I | Oxford |
  • 1st hour: Discussion with AEGIS Team on development of a FHIR Privacy, Security, Provenance, and Digital Ledger Technology Conformance Testing Suite. Expectation is that WGs will bring any test cases [e.g., Cascading OAuth for Patient Right of Access] that have been developed, or input to test cases.
  • Last 30 Minutes: Bernd Blobel will brief us on the imminent need for standards such as the FHIR Security Labeling, and the Provenance and AuditEvent Resources, to meet the EU General Data Protection Regulation requirements in 2018.
|  |  | Q2 | 12:00-1:30 | Joint w/ SOA | SOA hosting Security | La Puebla |
  • Tentative Agenda Items:
    • PASS Audit topics (joint w Security, CBCC, SOA)
|  |  | Q3 | 2:45-4:00 | Security WG deep FHIR topics | Security hosting FHIR-I | Alcudia |
  • Josh assigned FHIR Core team
  • SMART on FHIR
    • Deep dive on HOW it does this
    • Experience from the field
    • Are there known stepping-stones
    • Work on how FHIR should address SMART vs HEART vs IUA vs TLS vs others
    • Various use-cases
      • User using browser app
      • User using mobile App
      • System-to-system (e.g. organization to organization)
  • Introduction to CDS Hooks
    • Some points that might not be fully clear why I am interested in CDS Hooks. First,
    • the security workgroup knows that we are not experts on medical information. We see the general concept of CDS to be a service that fully understands medical information. Thus we call up the general concept to tell us if there are sensitive health topics. This is what we have encapsulated in the SLS. So, wondering how we can leverage CDS Hooks similarly. I think this is what Grahame was referring to with the point about suggesting security tags to the user. It would be best if the user doesn't need to think about security-tags, although they should be able to change them authoritatively with proper authorization. Adding a layer that can transparently assess the data using current CDS knowledge and expertise to apply proper security-tags.
    • The other point is that to fully protect healthcare data to the very fine-grain level that some envision, we need not only security assessment of the data in create/update, or resting, but also during accessing. Today OAuth scopes are very simplistic (i.e. SMART), but eventually they need to get more detailed and multi-layered. Way beyond what OAuth standards support today. The interpretation of the OAuth security token, relative to the query requested, and the results it uncovers; should be done by some security layer that is aware of FHIR, but is not fundamentally changing the baseline concept that is FHIR. --- So I am looking at what you have done with CDS Hooks to see if there is something similar that can be done to advance the capability toward more fine grain authorization enforcement.
    • background materials from Kevin Shekleton CDS Hooks slide deck from the HSPC HIT Developers Conference today. presentation was recorded and when available will share that link in the Speaker Deck description for the presentation.
|  |  | Q4 | 4:30-6:00 | Security WG Project Meeting | Security | Chinchon |
| THU | MAY 11 | Q1 | 10:00-11:30 | Security Joint with CBCC,FHIR-I | Security hosting CBCC, FHIR-I | Marsella |
  • Josh assigned FHIR Core team
  • FHIR Priorities (email from Lloyd) http://lists.hl7.org/read/archive?id=312425
  • Continued: FHIR Connectathon Privacy and Security testing scenarios
  • how might GraphDefinition be used with Provenance? How might it be used in an Audit Analysis/Reporting?
  • how might a client that gets subsetted/redacted data be enabled to do Update/Patch?
    • Subsetted by _summary
    • Subsetted by some client request (not yet available, is this a FHIR-I work item?)
      • Some mechanism that is based on profiles, where client asks data to be subsetted to the constraints in a profile
    • Subsetted by redaction rules -- where communicating the redaction result
    • So That - when an update happens, the server knows that the client is NOT asking to have the elements missing be removed from the server copy.
    • What might be issues?
  • Can we use a general subsetting type of a profile to enable more complete de-identification algorithms.
|  |  | Q2 | 12:00-1:30 | Security WG Project Meeting | Security | Chinchon |
  • July Harmonization Proposals: Signature Types
    • Addition to FHIR Agent value set
    • POU additions - HTEST, Research Consent POUs
    • Addition to FHIR ProvenanceEvent value set for export, disclose, import, receive, disassemble, decompose, which are in the Lifecycle Event matrix. Needed for Provenance Lifecycle test script.
|  |  | Q3 | 2:45-4:00 | . |  | . |
|  |  | Q4 | 4:30-6:00 | . |  | . |
| FRI | MAY 12 | Q1 | 10:00-11:30 | . |  | . |
|  |  | Q2 | 12:00-1:30 | . |  | . |
|  |  | Q3 | 2:45-4:00 | . |  | . |
|  |  | Q4 | 4:30-6:00 | . |  | . |

Back to Security Wiki Meetings


Session Type:

Business Meeting
Technical Meeting
Ballot Reconciliation