HL7 WGM Sept 2017 - San Diego US MINUTES

Back to Security Meetings

MINUTES WGM San Diego 11th-14th September 2017

Monday Q3

Joint CBCC - Security

See CBCC Minutes

Monday Q4

Joint CBCC - Security

See CBCC Minutes

Tuesday Q1

Opening Security WG Meeting

Attendees:

• John Moehrke John.Moehrke@gmail.com
• Alexander Mense alexander.mense@hl7.at
• Kathleen Connor Kathleen.connor@comcast.net
• Mike Davis mike.davis@va.gov
• Chris Shawn christopher.shawn@va.gov
• David Pyke david.pyke@readycomputing.com
• Andreas Schuler andreas.schuler@fh-hagenberg.at
• Harri Honko harri.honk@w2e.fi
• Kevin Shekleton kshekleton@cerner.com
• Elysa Jones elysa@honeycombIQ.com
• Suzanne Webb suzanne.webb@bookzurman.com

Chaired by John

• Introductions
• Approval of agenda
• International Report outs
  • Updates on European legislation regarding security and privacy.

   European commission: Digital Single Market. [1]
   Directive on Network and Information Security: European Parliament and European Council: Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. 2016, [2]
   GDPR: European Parliament and European Council: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). In: Official Journal of the European Union, L 119/1, [3]
   ePrivacy: European Commission: Proposal for a Regulation on Privacy and Electronic Communications. 2017, [4]
   
   Rene's article about GDRP [5]

• • Discussion on European cross border health data exchange and trust frameworks
  • Finnland

   Report on Finnish PHR activities (PHR project, PHR profile)
   The W2E project (private initiative): https://w2e.fi 

• • US

   OASIS activities on tracking emnergency patients and the relation to HL7
   Discussion about making data available in case of emergency/disaster situations

• Liaison Reports: ISO, IHE, ONC
• HL7 Project status and updates:

       NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
           NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
           Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
       Impact of NIST SP 800-53-5 on Privacy and Security Study Group Proposal - Mike Davis
       NIST SP 800-63 rev 3 - Chris Shawn
       Study Group for Minimum Necessary, Purpose of Use , and Healthcare Workflows
   [https://www.freeconferencecall.com/wall/recorded_audio?audioRecordingUrl=https%3A%2F%2Frs0000.freeconferencecall.com%2Fstorage%2FsgetFCC2%2FasJ8A%2FILf85&subscriptionId=8257383 Webmeeting recording of CBCC/Security JT on FHIR Consumer Centered Data Exchange Connectathon Track report out and demonstration - Kathleen Connor, Debi Willis, Bo Dagnall DCX (Plus Demo)
       Trust Framework - Ballot Reconciliation Plans
       SOA Audit – Ballot Reconciliation Plans
       FHIR Security - AuditEvent, Provenance, Security Labels
       FHIR Privacy and Security Conformance Test Suite Development - Discussions planned for WGM

Tuesday Q2

Continuation of Q1 topics

Attendees:

Chaired by xxxx

Tuesday Q3

Joint CBCC, Hosting Security, Mobile Health

See CBCC for minutes

• Proposed Topics: HL7 Project status and udates:

   MyData Architecture Framework - Reacting to GDPR with Privacy as a Service Infrastructure’ Harry Honko, Finland
   NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
       NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
       NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
       Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
   Study Group for Secondary use of HIoT data
   Study Group for Minimum Necessary, Purpose of Use , and Healthcare Workflows

Tuesday Q4

Trust Framework Work Session

Attendees:

Chaired by xxxx

• Review May TF4FA Ballot Comments and proposed dispositions

   TF4FA Ballot Material

Wednesday Q1

Joint w/ EHR, CBCC, FHIR, SOA, Security

See EHR Wiki for Minutes

• Agenda included indepth discussion about:

   NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
     NIST SP 800-53/800-63 Impacts on current Security and CBCC WG standards
     NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft
     Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
   Study Group for Secondary use of HIoT data
   Study Group for Minimum Necessary, Purpose of Use, and Healthcare Workflows

Wednesday Q2

Joint with SOA

Refer to SOA Wiki for minutes

• Agenda Items - Report out on:

   PASS Audit Ballot Spreadsheet
   PASS Audit Ballot January 2017
   Future PASS standards moving to Security

Wednesday Q3

Security WG deep FHIR topics

Attendees:

Chaired by xxxx

• Josh assigned FHIR Core team
• SMART on FHIR
• CDS-hooks security model
• Cascading OAuth - Add overview to the FHIR Security page based on links @ HIMSS 2017 page
• Security endorsement of CORS??? what conditions? What considerations? What alternatives (See Keith Boone)

       https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=13827 GF#13827

• Discuss John Moehrke’s Blog FHIR OAuth scope proposal using FHIR query parameters

Wednesday Q4

Security WG Project Meeting

Attendees:

Chaired by xxxx

• 10 minute introduction to PSS on Context Synchronization (Isaac Vetter) here: https://drive.google.com/open?id=165BU5ZmUyuwxz4kg2dtjRWkNM7o4u2PrdcIKSxP94Ts

• PASS Audit Ballot Reconciliation

   Focused on Bernd Blobel’s comment dispositions.
   PASS Audit Ballot Spreadsheet

• TF4FA Ballot Reconciliation

   Focused on Bernd Blobel’s comment dispositions.
   PASS Audit Ballot Spreadsheet
   PASS Audit Ballot January 2017
   PASS Audit Ballot January 2017
   Continue TF4FA Reconciliation
   November Harmonization Proposals

Thursday Q1

Security hosting CBCC, FHIR-I Joint on FHIR App Verification and FHIR Consent Resource

Attendees:

• Kathleen Connor VA kathleen.connor@comcast.net
• Neelima Chennemeja SAMHSA needlimaj70@gmail.com
• Mark Scrimshire mark@ckinemark.com
• David Pyke Ready Computing David Pyke@readycomputing.com
• John Moehrke John Moehrke@gmail.com
• Alexander Mense HL7 Austria alexandre.mense@hl7.at
• Andreas Schriler Andreas.Schriler@fh.ha…. (?)
• Reinhard Egelkraut reinhard.egelkraut@cgm.com
• Suzanne Gonzales-Webb VA suzanne.webb@bookzurman.com
• Trish Williams HL7 Australia/Flinders University patricia.williams@flinders.edu.au
• Anthony Chiarelli Achiarelli@r1solutions.com
• Chris Shawn VA Christopher.Shawn2@va.gov
• Michael Clifton mclifton@epic.com
• Isaac Vetter isaac@epic.com
• Dennis Patterson dennis.patterson@cerner.com
• Michael.Donnelly Michael.Donnelly@epic.com
• Hideyuki Miyohara HL7 Japan Miyohara.Hideyuki@ap.MitsubishiElectric.co
• Reuben Daniels reuben@saludex.com
• Tessa van Stijh NICTIZ stijh@nictiz.nl
• Martin Entwistle Ares Health Systems ment@areshs.com
• Mike Davis Mike.Davis@va.gov
• Joe Lamy Aegis/SSA joe.lamy@aegis.net
• Corey Spears Infer Corey.spears@info.com (?)
• Sean McIvenna Lantana sean@lantanagroup.com

Chaired by John

• vote on PSS on Context Synchronization (Isaac Vetter) here: https://drive.google.com/open?id=165BU5ZmUyuwxz4kg2dtjRWkNM7o4u2PrdcIKSxP94Ts
  • POET Presentationof a FHIR App Verification - Mark Scrimshire Audio

• HL7 FHIR Consent Directive Project

• FHIR Consent Resource

Thursday Q2

General Meeting: SecWG Project Health and Administration

Attendees:

• John Moehrke John.Moehrke@gmail.com
• Alexander Mense alexander.mense@hl7.at
• Trish Williams patricia.williams@flinders.edu.au
• Hideyuki Miyohara Miyohara.Hideyuki@ap.MitsubishiElectric.co

Chaired by Trish

WG Health

• Two items listed as over 120 days:
  • Motion to extend the 1209 PSS with the FHIR rel 4 milestones with a new deadline of Dec 2018 subject to FHIR deadlines. Extend project end date Jan2019, next milestone is Jan 2018. Proposed by JM, Second AM, 3/0/0. We agreed this week that some tasks groups look at security configuration guidance, rather than turn-on-cause – and this would be in the project scope, Task group on application registration (from Q1) would also be under the same project 1209
  • DAM milestone – need to ask Kathleen

• Updated to 3 yr plan – addition co-sponsor to Smart-On-FHIR Project Insight 1341; added SLS Version 2; and removed completed projects. Motion to accept the new 3 yr plan Proposed John, Seconded Alex 3/0/0
• Uploaded DMP and updated 3-year plan to SecWG Homepage on HL7.org site

• Security Labelling Service – another type of service called The Legitimate Relationship Service was tried in the UK. ADT feed but was hindered by workflow incompatibility. As a workgroup we could socialise this as a potential service for privacy consent problems.