Difference between revisions of "July 14, 2015 Security WG Conference Call"

Attendees

Back to Security Main Page

Agenda DRAFT

1. ( 5 min) Roll Call, Agenda Approval
2. ( 5 min) Approve July 7, Meeting Minutes,
3. ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson
4. (10 min) ACS model - Mike *deferred due to full agenda*
5. ( 5 min) Joint Vocabulary Alignment Update - Diana
6. ( 5 min) PSAF Update - Kathleen
7. ( 5 min) Status of Provenance and AuditEvent subcommittee -- Kathleen/John
8. ( 25 min) FHIR Security Discussion Items ready for a Discussion
   1. 7752 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Persuasive
9. ( 5 min) FHIR -- Items asking for Policy statements, where recommend that no specific Policy statement be given.
   1. 7572 2015May core #863 - Explain business-specific details of update (Ioana Singureanu) None
   2. 7683 2015May core #974 - Add security guidance for 'read' (Ioana Singureanu) None
   3. 7685 2015May core #976 - Add authorization qualifier to 'vread' (Ioana Singureanu) None
   4. 7686 2015May core #977 - Add authorization qualifier to 'update' (Ioana Singureanu) None
   5. 7687 2015May core #978 - Add authorization qualifier to 'history' (Ioana Singureanu) None
   6. 7688 2015May core #979 - Add authorization qualifier to 'delete' (Ioana Singureanu) None
   7. 8165 2015May core #975b - Add authorization qualifier to 'read' (Ioana Singureanu) None
10. ( 5 min) October 2015 HL7 WGM - Atlanta, Georgia USA - agenda items
    1. Please send any agenda items to Suzanne

Meeting Minutes

Approval of July 7 Meeting Minutes

• The WG unanimously approved the minutes from the July 7 meeting.

PASS Access Control Conceptual Model (SOA) Update

• The administrative portion of this project is complete as the NIB was submitted.
• At the most recent meeting on Friday, project participants discussed FHIR resources for access control, but determined that, because there are multiple groups already working on that aspect and it's out of scope for this project, they would not incorporate these FHIR resources in the SOA-PASS ACS.
• Diana and Mike will set up meetings to work together on the writing of the document.
• A Doodle poll was taken to establish a new meeting date/time. Project meetings will now take place on Wednesdays at 1 p.m. Eastern / 10 a.m. Pacific.

Joint Vocabulary Alignment Update

• Diana met with Reed and Gary to discuss how to create satisfactory EHR definitions. They are focusing on updating the definitions in the ISO/TC 215 21089 Trusted End-to-End Information Flows document to ensure they are good, correct and non-circular.
• Once updated, these definitions will then be used in the HL7 EHR-S Functional Model and Record Lifecycle Event vocabulary so that the project team can complete its alignment work.

Status of Provenance and AuditEvent subcommittee

• Kathleen - I think it's critical that FHIR Provenance includes an element for Action or Activity, and that it be bound to a value set for Provenance Event. That value set would include the Lifecycle Event verbs as defined by this group in addition to the ones that are already there.
  • Diana - What I would really love is if it would be possible for either Kathleen or John, or both, to be present at next Tuesday's Vocabulary Alignment meeting.
  • Mike - The Tuesday meeting is a good time to discuss this, but Gary hasn't been attending the Tuesday meeting.
  • Diana will reach out to Gary asking him to attend the Tuesday calls.

PSAF Update

• Kathleen showed us a rough outline of the structural set of processes that are meant to support getting trust and provenance into the framework.
• Folks have been meeting to talk about updates to the Security and Privacy DAM. They want to avoid repeating the classes that were used across various interests. They were talking about policies being at the top level. They would have a contract (any kind of policy), which would have an agent, activity and operation for the privacy policy domain, security policy domain, trust policy domain and provenance policy domain.
  • Different kinds of provenance: exchange policies, types of provenance metadata, payment provenance, research provenance, clinical provenance, etc.
  • These processes should be mapping to the functional model work that Dave Silver has been completing.
• Mike - The standards that we have talk about the security policy information file. What Kathleen has done here is extend that model to include the privacy policy information file and trust policy information file, among others. It's consistent with ISO 10181-3.
  • Kathleen - We need to come up with guidance on how to create the information files in any of these domains and how to specialize them. There are standards around that.

• Kathleen - All of this is work we're doing on the FHIM call (Tuesdays at 5 p.m. Eastern). Asked John to join the call and talk about the Provenance Activity.

ACS model

• Mike showed the ACS model to the group. The purpose of creating this was to help inform the activities of the PASS Access Control normative version.
  • There was a known gap of obligations. They also wanted to add information on trust frameworks and external authorization services (OAuth and UMA).

FHIR Security Discussion Items

• Between now and next week's call, John would like the WG to review these items and be ready for discussion.

Meeting adjourned at 1300 PDT