Difference between revisions of "March 27, 2018 Security Conference Call"

Back to Security Main Page

Attendees

Back to Security Main Page

Agenda

1. (2 min) Roll Call, Agenda Approval
2. (5 min) Review and Approval of March 13, 2018 minutes
3. (30 min) TF4FA Review for Ballot Submission - Diana Proud Madruga and Dave Silver
4. (15 min) FHIR Security Updates - John

Meeting Materials

• Trust Framework for Federated Authorization presentation
• TF4FA Vol. 2Behavioral Model May Ballot
• Is Privacy Obsolete Study Group news from EU
• HIMSS - What Healthcare Organizations need to know about the GDPR and HIMSS Presentation recording
• Dutch referendum: Spy tapping powers 'rejected'

Meeting Minutes DRAFT

Kathleen chair Roll Call, Agenda Approval

Trust Framework TF4FA "TF"

• May 2018 Normative Ballot
  • providing more clarification to the ballot material
  • New = "enhancements" for this discussion
• Understood that all the volumes in TF have been updated per the ballot comment/reconciliation from May 2014
  • Note: some of the comments were OBE since the original ballot

Policy Diagram (slide)

• No changes made (remains in the document, basic core concept)
• conveying TF accepts/adopts accepts the PMAC ISO 22600-2:2006

Trust Context

• No changes

Trust Services

• No changes, another core concept; generalized trust model that we have adopted from PMAC where TF is based

Federated Trust Reference Model

• • No changes; the diagram came about from ballot reconciliation (comments addressed); now showing the three overarching phases (at the top); no longer showing the overlap)

Trust Framework Capabilities

• no changes, comes from PASS ACS - trust framework service capabilities, TF; this ties our work back to PASS ACS

Trust Framework Services (New)

• Policy Bridging Service - harmonizes the four policy domains into a unified federation policy (to exchange information)
• External Policy Management Service - a publicly facing service -
• NEW - Trustworthiness Assessment Service - an event driven service to perform continuous assessment and analysis of initiator behavior. Adaptive behavior analytics is used to assess whether current trust should be continued or modified; a real-time check; anything that might happen that would affect your decision... 'access decision'
• TF1.4 - Domain Trust Service (this is not the ACS); The Domain Trust Service is a front end, service that is creating and submitting/signing the trust proposals and counter trust-proposals

Boundary View NEW

• an enhancement to original presentation; right diagram shows new version - should elaborate and show services
• 'newer names' - diagram reflects the above trust services (4) above
• high level core set of activates, laid out clearer to see the flow from the initial proposal to the proposals/counter-proposals to the bottom use case accepting the trust contract

Functional Framework (New) - enhanced

Trust Framework Information Model

• no changes - remains as high level
• Trust Policy Information Model

Trust Proposal Message

• added two items; bottom right, clearance and basic policy attestations
• this message gets updated throughout the trust establishment process (proposal/counter-proposal)

--end VOLUME ONE Note: No changes (above) describes the ballot content for no changes from the March 13 presentation

TF4FA Volume 2, Behavioral Model Volume 2 has in large remained intact

Link to Presentation: <<seeabove>>

MOTION: Approve the above submission to the ballot Trust Frame for Federation Volume 1, Volume 2 - behavioral model: (Mike / JohnM) Discussion: none Vote: Abstain: none Oppose: none; motion passes: 10

FHIR Security Updates

• We have new meeting day/time NEW: hour before the Security WG
  • Attended by a few new people today
  • Noted today was that we will be creating a new ZULIP stream - there are experts in the fields are finding the S&P developers are noisy and not fulfilling their S&P needs
  • Interest in cologne to do a GDPR FHIR Connectathon - mostly discussion less testing
  • Block chain potential for FHIR (per Grahame); not a lot interest...there is some ONC work using block chain in provenance
  • Heart WG is invigorating their calls - educational information on the project is going out, describing how HEART project
  • API security and privacy paper (Johnathan)
    • Grahame - provider-to-provider security needs; others to be continued working on
  • Probably need to lay out the topic areas across the cologne agenda so that we can attract interest

(John will work with Kathleen on Agenda/Cologne)

No questions

some authorization services available to do more sophisticated scopes if needed/interested (security WG home page; consumer centered data exchange papers - some of which are the proposed enhancements

HIMSS - GDPR, recording and PPT link (above)

• impact on US entities; citizens in the EU, processes and collection of data - which may have interest in agencies in the US; including financial transactions

All HL7 V3 vocabulary - for authorization, delegation was approved including the V2 and the addition of the confidentiality

All ready for used with V2

Security labels in header can have high-water mark "access restriction manifest' - repeated security labels (by Rikki Merrick, all optional)

Creates interoperable security labels across all HL7 products

Next week will start preparing the Cologne agenda

Meeting adjourned at 1235 PM Arizona Time