Difference between revisions of "June 28, 2016 Security Conference Call"

Back to Security Work Group Main Page

Attendees

Back to Security Main Page

Agenda DRAFT

1. (2 min) Roll Call, Agenda Approval
2. (3 min) no minutes from last week as we continued CBCC topic on FHIR Consent
3. (3 min) Approve Security WG June 14, 2016 Minutes
4. (3 min) Approve Security WG June 21, 2016 Minutes
5. (15 min) Review and approval of Initial July Additional POU code Harmonization Proposal - Kathleen
   • Already added to July Harmonization Update for VA use case [see link above]: Add HTEST [test health data] as a specializable code specializing HOPERAT [healthcare operations] Description: To perform one or more operations on information that is simulated or synthetic health data used for testing system capabilities outside of a production or operational system environment. Usage note: Data marked with a HTEST security label enables an access control system to permit interfacing systems or end users provisioned with a clearance, which includes a HTEST purpose of use attribute, to test, verify, or validate that a system or application will operate in production as intended based on design specifications.
6. (15 min) Update on the PSAF Security Policy model - Mike
7. (10 min) Standards Privacy Impact Assessment Cookbook - Rick
8. (3 min) PASS Access Control Services Conceptual Model - Diana
9. (3 min) PASS Audit Conceptual Model – Diana Kathleen asks whether review of audit in ISTPA and various Privacy Frameworks, FIPPs, EU Data Protection Regulation etc. such as [http://xml.coverpages.org/ISTPA-PrivacyManagementReferenceModelV20.pdf Privacy Management
   • Reference Model - A framework for resolving privacy policy requirements into operational privacy services and functions International Security, Trust & Privacy Alliance] and ISTPA Analysis of Privacy Principles: Making Privacy Operational have been added to landscape review.
10. (10 min) How should 'test-data' be identified? Is this a legitimate use of security-tags?
    • It is clear that security-tags already support de-identified methods. The question is specifically about completely fabricated data.
    • See FHIR chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Distinguishing.20test.20patients
11. (10 min) De-Identification topics
    • mobile health workgroup http://lists.hl7.org/read/messages?id=297060
    • FHIR chat https://chat.fhir.org/#narrow/stream/implementers/topic/De-identification.20mechanisms.20in.20FHIR
12. (2 min) Action Items, next call agenda, adjournment

Note that there will be a FHIR Security call at 2pm PT/5pm ET See agenda at FHIR Security Agenda

Minutes

Chaired by John

• Approved Security WG June 14, 2016 Minutes (Susan, Diana)

-*Approved Security WG June 21, 2016 Minutes (Susan, Kathleen)

• Review and approval of Initial July Additional POU code Harmonization Proposal - Kathleen

Already added to July Harmonization Update for VA use case [see link above]: Add HTEST [test health data] as a specializable code specializing HOPERAT [healthcare operations] Description: To perform one or more operations on information that is simulated or synthetic health data used for testing system capabilities outside of a production or operational system environment. Usage note: Data marked with a HTEST security label enables an access control system to permit interfacing systems or end users provisioned with a clearance, which includes a HTEST purpose of use attribute, to test, verify, or validate that a system or application will operate in production as intended based on design specifications.

• Stephanie (Subject Matter Expert): Background

-Ethics and Policy Researcher -Background in biochemistry and Science Communication and Bio-Ethics - Currently does research in Global Alliance research program - Liaison to many projects - Working on consent codes with alliances to harmonize data sets to come together and share data, and the Beacon Projects - Kathleen and I put together categories that we found coming up to cover 90% of consent based permission that are currently archived in major Archives

 - We broke them down into categories of consent codes
 - To describe how a permission should be interpreted in practice on data sets 

• Kathleen on Permissions to Share Healthcare

- shared link to proposal on Sunday night - walked through research consent code - after looking at the set of codes they were similar to:

A) Obligation policies
B) Purpose of Use
C) Research Consent Purpose of use 
D) some similar to Frames

- Did not yet research obligation but will have ready for next Harmonization meeting - Shared research on power point -Shared clinical trial research -Clinical trail includes patient care -Clinical Trails that do not include patient care - Pre-clinical trail research - The research focuses on the following categories: - Bio-medical, population origin/Ancestry, Disease, Discipline, but excludes pr-clinical research trials - Questions: Why are we adding more detail categories outside of Health Level 7 research focus on Health? - Answer: These are categories can be used for access control systems such as a Health App, Health Insurance etc. (Kathleen) - Concern: We kept the purpose of use at high level, the descriptions seem unlimited use of not having purpose of use. Feels they are rule specific to purpose of use. The activities seem to belong to the Military business rules. (Mike Davis) - Answers: They were approved by Security WG, all are high level. When the Veteran Benefits sends out info to Veteran asks about Military Discharge to see if they are covered under disability. Can be moved under operation per request of Mike, and away from coverage. (Kathleen) - Next Step: Kathleen will review minutes to see if Mike Davis approved the level of detail for Military purpose of use - Mike is okay with high level purpose of use, but the not the detailed rule set. Feels individual organizations should define the rule sets as they may not be common across organization. - Next Step: Will put on the agenda next Security WG and review proposal (John)

• Update on the PSAF Security Policy model - Mike

- NTR

• Standards Privacy Impact Assessment Cookbook - Rick

- Reviewed and approved by the CBCC, and approved by steering Division, and moving to PFC to review and approve - awaiting feedback from privacy officer with VHA for internal review and feedback on privacy - Concerns: Would like Rick to share the current Assessment Cookbook draft. - Suzanne agrees to put the draft document out -Next Step: We will provide the draft by July 5th

• PASS Access Control Services Conceptual Model - Diana

- 95% through all comments - Was able to get in touch with Ioana concerning original diagrams for Security Access model -

• PASS Audit Conceptual Model – Diana Kathleen asks whether review of audit in ISTPA and various Privacy Frameworks, FIPPs, EU Data Protection Regulation etc. such as [http://xml.coverpages.org/ISTPA-PrivacyManagementReferenceModelV20.pdf Privacy Management

Reference Model - A framework for resolving privacy policy requirements into operational privacy services and functions International Security, Trust & Privacy Alliance] and ISTPA Analysis of Privacy Principles: Making Privacy Operational have been added to landscape review.

• How should 'test-data' be identified? Is this a legitimate use of security-tags?

It is clear that security-tags already support de-identified methods. The question is specifically about completely fabricated data. See FHIR chat thread https://chat.fhir.org/#narrow/stream/implementers/topic/Distinguishing.20test.20patients

• De-Identification topics

mobile health workgroup http://lists.hl7.org/read/messages?id=297060 FHIR chat https://chat.fhir.org/#narrow/stream/implementers/topic/De-identification.20mechanisms.20in.20FHIR (2 min) Action Items, next call agenda, adjournment Note that there will be a FHIR Security call at 2pm PT/5pm ET See agenda at FHIR Security Agenda