July 14, 2015 Security WG Conference Call

From HL7Wiki

Latest revision as of 15:05, 21 July 2015

Attendees (x = attended)

  x  Mike Davis (Security Co-chair)        .  Duane DeCouteau        .  Chris Clark
  x  John Moehrke (Security Co-chair)         Johnathan Coleman      .  Aaron Seib
  x  Alexander Mense (Security Co-chair)   .  Ken Salyards           x  Christopher Brown (TX)
  .  Trish Williams (Security Co-chair)    .  Gary Dickinson         .  Tim McKay
  x  Kathleen Connor                       .  Ioana Singureanu       .  Mohammed Jafari
  .  Suzanne Gonzales-Webb                 .  Darrell Woelk          .  Galen Mulrooney
  x  Diana Proud-Madruga                      Grahame Grieve         .  William Kinsley
  x  Rick Grow                                Chethan Makoahalli        Lloyd McKenzie


Agenda DRAFT

  1. ( 5 min) Roll Call, Agenda Approval
  2. ( 5 min) Approve July 7 Meeting Minutes
  3. ( 5 min) PASS Access Control Conceptual Model (SOA) Update - Diana, Don Jorgenson
  4. (10 min) ACS model - Mike *deferred due to full agenda*
  5. ( 5 min) Joint Vocabulary Alignment Update - Diana
  6. ( 5 min) PSAF Update - Kathleen
  7. ( 5 min) Status of Provenance and AuditEvent subcommittee -- Kathleen/John
  8. (25 min) FHIR Security Discussion Items ready for discussion
    1. 7752 2015May core #1073 - Replace value set with FHIR Signer Type value set (Kathleen Connor) Not Persuasive
  9. ( 5 min) FHIR -- Items asking for policy statements, where the WG recommends that no specific policy statement be given.
    1. 7572 2015May core #863 - Explain business-specific details of update (Ioana Singureanu) None
    2. 7683 2015May core #974 - Add security guidance for 'read' (Ioana Singureanu) None
    3. 7685 2015May core #976 - Add authorization qualifier to 'vread' (Ioana Singureanu) None
    4. 7686 2015May core #977 - Add authorization qualifier to 'update' (Ioana Singureanu) None
    5. 7687 2015May core #978 - Add authorization qualifier to 'history' (Ioana Singureanu) None
    6. 7688 2015May core #979 - Add authorization qualifier to 'delete' (Ioana Singureanu) None
    7. 8165 2015May core #975b - Add authorization qualifier to 'read' (Ioana Singureanu) None
  10. ( 5 min) October 2015 HL7 WGM - Atlanta, Georgia USA - agenda items
    1. Please send any agenda items to Suzanne

Meeting Minutes

Approval of July 7 Meeting Minutes

  • The WG unanimously approved the minutes from the July 7 meeting.

PASS Access Control Conceptual Model (SOA) Update

  • The administrative portion of this project is complete now that the NIB (Notice of Intent to Ballot) has been submitted.
  • At the most recent meeting on Friday, project participants discussed FHIR resources for access control, but determined that, because multiple groups are already working on that aspect and it is out of scope for this project, they would not incorporate these FHIR resources in the SOA-PASS ACS.
  • Diana and Mike will set up meetings to work together on the writing of the document.
  • A Doodle poll was taken to establish a new meeting date/time. Project meetings will now take place on Wednesdays at 1 p.m. Eastern / 10 a.m. Pacific.

Joint Vocabulary Alignment Update

  • Diana met with Reed and Gary to discuss how to create satisfactory EHR definitions. They are focusing on updating the definitions in the ISO/TC 215 21089 Trusted End-to-End Information Flows document to ensure they are good, correct and non-circular.
  • Once updated, these definitions will then be used in the HL7 EHR-S Functional Model and Record Lifecycle Event vocabulary so that the project team can complete its alignment work.

Status of Provenance and AuditEvent subcommittee

  • Kathleen - I think it's critical that FHIR Provenance includes an element for Action or Activity, and that it be bound to a value set for Provenance Event. That value set would include the Lifecycle Event verbs as defined by this group in addition to the ones that are already there.
    • Diana - What I would really love is if it would be possible for either Kathleen or John, or both, to be present at next Tuesday's Vocabulary Alignment meeting.
    • Mike - The Tuesday meeting is a good time to discuss this, but Gary hasn't been attending the Tuesday meeting.
    • Diana will reach out to Gary asking him to attend the Tuesday calls.

PSAF Update

  • Kathleen showed us a rough outline of the structural set of processes that are meant to support getting trust and provenance into the framework.
  • Project participants have been meeting to discuss updates to the Security and Privacy DAM. They want to avoid repeating the classes that were used across the various interests, so policies would sit at the top level: a contract (any kind of policy) would have an agent, activity and operation for each of the privacy policy domain, security policy domain, trust policy domain and provenance policy domain.
    • Different kinds of provenance: exchange policies, types of provenance metadata, payment provenance, research provenance, clinical provenance, etc.
    • These processes should map to the functional model work that Dave Silver has been completing.
  • Mike - The standards that we have talk about the security policy information file. What Kathleen has done here is extend that model to include the privacy policy information file and trust policy information file, among others. It's consistent with ISO 10181-3.
    • Kathleen - We need to come up with guidance on how to create the information files in any of these domains and how to specialize them. There are standards around that.
  • Kathleen - All of this is work we're doing on the FHIM call (Tuesdays at 5 p.m. Eastern). Asked John to join the call and talk about the Provenance Activity.

ACS model

  • Mike showed the ACS model to the group. The purpose of creating this was to help inform the activities of the PASS Access Control normative version.
    • There was a known gap around obligations. They also wanted to add information on trust frameworks and external authorization services (OAuth and UMA).

FHIR Security Discussion Items

  • Between now and next week's call, John would like the WG to review these items and be ready for discussion.

Meeting adjourned at 1300 PDT