
Difference between revisions of "March 7, 2017 Security Conference Call"

From HL7Wiki
(Created page with "Back to Security Work Group Main Page ==Attendees== {| class="wikitable" |- !x||'''Member Name'''|| !! x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x...")
 
 
(10 intermediate revisions by 2 users not shown)
Line 9: Line 9:
 
||  .|| [mailto:JohnMoerke@gmail.com John Moehrke]Security Co-chair
 
||  .|| [mailto:JohnMoerke@gmail.com John Moehrke]Security Co-chair
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor]Security Co-chair  
||||x|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
+
||||.|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams]Security Co-chair
 
||||.|| [mailto:trish.williams@ecu.edu.au Trish Williams]Security Co-chair
 
|-
 
|-
Line 15: Line 15:
 
||||x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:Suzanne.Webb@engilitycorp.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:drs@securityrs.com David Staggs]
 
||||x|| [mailto:drs@securityrs.com David Staggs]
||||.|| [mailto:mjafari@edmondsci.com Mohammed Jafari]
+
||||x|| [mailto:mjafari@edmondsci.com Mohammed Jafari]
 
|-
 
|-
 
||  x|| [mailto:gfm@securityrs.com Glen Marshall], SRS
 
||  x|| [mailto:gfm@securityrs.com Glen Marshall], SRS
Line 24: Line 24:
 
||  x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||  x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
 
||||.|| [mailto:serafina.versaggi@gmail.com Serafina Versaggi ]
||||.|| [mailto:joe.lamy@aegis.net Joe Lamy]
+
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
||||.|| [mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
||||.|| [mailto:Galen.Mulrooney@JPSys.com Galen Mulrooney]
 
|-
 
|-
Line 40: Line 40:
 
||||.|| [mailto:bkinsley@nextgen.com William Kinsley]
 
||||.|| [mailto:bkinsley@nextgen.com William Kinsley]
 
||||.|| [mailto:pknapp@pknapp.com Paul Knapp]   
 
||||.|| [mailto:pknapp@pknapp.com Paul Knapp]   
||||.|| [mailto:Mayada.Abdulmannan@va.gov Mayada Abdulmannan]
+
||||x|| [mailto:Mayada.Abdulmannan@va.gov Mayada Abdulmannan]
 
|-
 
|-
 
||  .|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
 
||  .|| [mailto:kamalinivaidya@systemsmadesimple.com Kamalini Vaidya]
 
||||.|| [mailto:akleinebe@gmail.com Bill Kleinebecker ]
 
||||.|| [mailto:akleinebe@gmail.com Bill Kleinebecker ]
||||.|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn]
+
||||x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn]
 
||||.|| [mailto:grahameg@gmail.com Grahame Grieve]
 
||||.|| [mailto:grahameg@gmail.com Grahame Grieve]
 
|-
 
|-
Line 57: Line 57:
 
=='''Agenda'''==
 
=='''Agenda'''==
 
# ''(2 min)'' '''Roll Call, Agenda Approval'''  
 
# ''(2 min)'' '''Roll Call, Agenda Approval'''  
# ''(4 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=February_7,_2017_Security_Conference_Call Security WG Call Minutes February 7, 2017],[http://wiki.hl7.org/index.php?title=February_14,_2017_Security_Conference_Call Security WG Call Minutes February 14, 2017], and [http://wiki.hl7.org/index.php? Security WG Call Minutes February 28, 2017]2017title=February_28,_2017_Security_Conference_Call ''' No Minutes for February_28_2017 due to cancellation for HIMSS.
+
# ''(4 min)'' ''' Review and Approval of [http://wiki.hl7.org/index.php?title=February_14,_2017_Security_Conference_Call Security WG Call Minutes February 14, 2017] and [http://wiki.hl7.org/index.php?title=February_28,_2017_Security_Conference_Call Security WG Call Minutes February 28, 2017]'''  
# ''(10 min)'' '''[http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20WG%20Administrative%20Documents/FTSD%20/CIMI-Sponsored%20HL7%20IIMnT%20Project%20PSS%202017.pdf CIMI-Sponsored HL7 IIM&T Project PSS ] and [http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20WG%20Administrative%20Documents/FTSD%20/Revised%20Ballot%20Process%20PSS%20-%202016-01-16.doc Revised Ballot Process PSS] Foundations and Technical Steering Division PSS votes from Security WG - John to lead discussion
+
# ''(5 min)'' '''Review any Security WG comments on ONC-sponsored: [https://docs.google.com/document/d/1wwCbNRLVNqrZc0TkPGAprqjRdQs2L061JUvjDf5E4uw/edit?usp=sharing Patient Generated Health Data (PGHD) whitepaper][http://www.hl7.org/documentcenter/public_temp_3D787BC5-1C23-BA17-0CF1FA12501D074B/wg/mobile/HL7%20WGM%20PGHD%20Update_Jan2017.pdf PGHD Overview] and [https://docs.google.com/document/d/1wwCbNRLVNqrZc0TkPGAprqjRdQs2L061JUvjDf5E4uw/edit?usp=sharing Google Document version for inline comments] [https://www.google.com/url?q=https%3A%2F%2Ffpf.org%2Fwp-content%2Fuploads%2F2015%2F10%2FCEA-Guiding-Principles-on-the-Privacy-and-Security-of-Personal-Wellness-Data-102215.pdf Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data] Comment deadline Moved to March 10th.  
# ''(5 min)'' '''HL7 coordinated response to ONC-sponsored: [https://docs.google.com/document/d/1wwCbNRLVNqrZc0TkPGAprqjRdQs2L061JUvjDf5E4uw/edit?usp=sharing Patient Generated Health Data (PGHD) whitepaper][http://www.hl7.org/documentcenter/public_temp_3D787BC5-1C23-BA17-0CF1FA12501D074B/wg/mobile/HL7%20WGM%20PGHD%20Update_Jan2017.pdf PGHD Overview] and [https://docs.google.com/document/d/1wwCbNRLVNqrZc0TkPGAprqjRdQs2L061JUvjDf5E4uw/edit?usp=sharing Google Document version for inline comments] Deadline Moved to March 10th.  
+
# ''(20 min)'' '''[http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20Jan%202017/V3_PSAF_R1_I1_2017JAN_amalgamated.xls TF4FA Ballot Reconciliation Spreadsheet Disposition Review]  
# ''(20 min)'' '''[http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/PSAF/PSAF%20TF4FA%20Jan%202017/V3_PSAF_R1_I1_2017JAN_amalgamated.xls TF4FA Ballot Reconciliation Spreadsheet Disposition Review] Ready for block vote based on 2/14 call and updated spreadsheet comments #24 - 54.  If possible, would like Ioana to walk the WG through her comments #55 – 75, which seem to be addressed by the [http://gforge.hl7.org/gf/download/docmanfileversion/9511/15017/TF4FA%20v2%20IOANA.docx TF4FA Behavioral Model].  The proposed dispositions on these are marked “persuasive”.
+
*If possible, would like Ioana to walk the WG through her comments #55 – 75, which seem to be addressed by the [http://gforge.hl7.org/gf/download/docmanfileversion/9511/15017/TF4FA%20v2%20IOANA.docx TF4FA Behavioral Model].  The proposed dispositions on these are marked “persuasive”.
# ''(10 min)'' '''[http://wiki.hl7.org/index.php?title=HL7_WGM_JANUARY_2017_-_San_Antonio,_Texas_USA_Minutes#HL7_Jan_Security_WGM_Sessions Security WGM Minutes Review and Approval]''' - Kathleen
+
*Review John Moehrke's comments 76 - 119 with his assistance.
 +
# '' (5 min)'' '''[http://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20WG%20Administrative%20Documents/Security%20Project%20Scope%20Statements/HL7%20Project%20%20Scope%20Statement%20Medical%20Device%20Security.doc Project Scope Statement - Medical Devices Security] - follow up of outreach to Medical Device WG '''- Mike Davis
 
# ''(5 min)'' '''[gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update]''' - Diana
 
# ''(5 min)'' '''[gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update]''' - Diana
 
# ''(5 min)'' '''Security Labeling Service Revision Update''' - Diana
 
# ''(5 min)'' '''Security Labeling Service Revision Update''' - Diana
# ''5 min)'' '''FHIR AuditEvent and Provenance ballot comments & FHIR Security Call''' John Moehrke
+
# ''5 min)'' '''FHIR AuditEvent and Provenance ballot comments & FHIR Security Call''' - cancelled.
# '' (5 min)'' '''Project Scope Statement - Medical Devices - follow up of outreach to Medical Device WG '''- Mike Davis
 
  
 
=='''Minutes'''==
 
=='''Minutes'''==
* Chaired by   
+
* Chaired by Kathleen  
* Agenda Approved
+
* Agenda approved
 +
* Approved: Security WG Call Minutes February 14, 2017 and Security WG Call Minutes February 28, 2017
 +
* Review any Security WG comments on ONC-sponsored: Patient Generated Health Data (PGHD) whitepaperPGHD Overview and Google Document version for inline comments Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data Comment deadline Moved to March 10th.
 +
** (Kathleen) How patient generated health data can accelerate the access to health data for research studies using similar privacy and security approaches:
 +
*** Smart on FHIR approach can be used for patient consent on devices
 +
*** FHIR API can pull patient record and send to research projects
 +
*** Patient can authorize through a patient right of access for release of data for research
 +
*** Question: (Beth) What the profile would look like?
 +
*** Answer: Each Study would have a consent such as a HIPPA authorization used through a Gui
 +
*** Further discussion:
 +
*** Patient generated data is under HIPPA
 +
*** Consent codes for purpose of use are used from projects funded by NIH as a standard
 +
*** Comment (John): Data quality may become an issue, IRB may need to be used
 +
*** A standard for Patient Right of Access is needed
 +
** Comment (Beth): There is a section that has a description section under challenges: "Research Enabling Actions" :
 +
*** Strength in Patient consent in Data Use
 +
*** Next Step: Kathleen will write out new type of consent directive  for Patient Right of Access and send to Diana
 +
*** David suggested to reach out to projects working on IRB common rules
 +
*** Next Step:  David will provide a comment to Diana on IRB to include in the White Paper
 +
 
 +
* TF4FA Ballot Reconciliation Spreadsheet Disposition Review
 +
* Walk through Ioana's comments #55 – 75 ( addressed by the TF4FA Behavioral Model) 
 +
* proposed dispositions on these are marked “persuasive”
 +
* Ioanas Comment
 +
* #56:
 +
** HL7 Data segmentation for security labeling profile as normative, Iona  wants to add in the discussion on international standards. 
 +
** (Persuasive)
 +
* #57
 +
** Comment:  Policy Model should include Policy resolution services.
 +
** (Persuasive with Mod)
 +
* 58#:
 +
** Comment: Workflow initiated in Run time, should focus on negotiation between two domains.
 +
*** Kathleen added additional comment: Relationship should be clear on relationship with SLS
 +
** (Persuasive with Mod)
 +
** #59:
 +
** Comment:  Are the Domains referenced in Document NHiN specification?
 +
** Kathleen response; No they are not
 +
** Next step: David will notify Ioanna will to review and get back to comment
 +
* #60:
 +
** Comment: Trace Model either simplify the client application relies on local STS model for a negotiation resolution from one domain to request information  from a second domain
 +
** Kathleen response:
 +
** (Persuasive) should show actual negotiation
 +
* #61:
 +
** In addition this model will extent the support interpop patient patient care mediates and entities outside of healthcare to negotiate healthcare policies.
 +
** David in concurrence
 +
** (Persuasive) 
 +
* #62:
 +
** Inset new Trust Model Relationships to show Interoprability
 +
** HIMMS definition is used - Mike Davis
 +
** David in concurrence
 +
** Persuasive
 +
* #63:
 +
** Trust framework is establishes meets all legal requirements, assumptions should include Health information among members that should be verified
 +
** Mike Davis and David concurs
 +
** Persuasive
 +
* 64:
 +
** Comment: Section B should be moved to appendix in alignment with international standards
 +
** Mike Davis concurs
 +
** Persuasive
 +
* 65:
 +
** Misplaced Diagram  move to section one,  figure one
 +
* Persuasive
 +
* # 66:
 +
** Comment: Trust Services Model should state services required for Trusted Framework establishment vs. Trusted Framework resolution should be update figuer #1
 +
** David clarified the two concepts highlighted in Ioanna's comment: (a) Harmonizing Specific policy across two domains, (b) Other Trust services that don't negotiate but assert value set
 +
** There should be made clear on the two types of services.
 +
** Mike Davis concurs with David
 +
** Persuasive
 +
* #67:
 +
* Comment: Figure two should be replaced with a more detailed Diagram with more detail (UML)
 +
** Mike Davis comment: " Volume I was intended to be conceptual, volume II will incorporate UML diagrams
 +
** Non-Persuasive with Mod to include Mike Davis comment on Volume II
 +
* 68:
 +
** Comment: Trust Service should Clarify the Role in the Trust Mark for section 2.4
 +
* Mike Davis: The 2.4 Diaghram describes the roles
 +
** Next Step: David and Mike Davis can provide the wording for roles 
 +
* 66-68 have Resolutions
 +
** Domains are specified is 22600  specifications and were not intended to be mapped to affinity domains ( Mike Davis)
 +
** IAG is not being used as the standard, the core reference is 22600 specification
 +
* Motion approved from 56-68 ( Mike Davis, Dianna )
 +
* Review John Moehrke's comments 76 - 119 with his assistance.
 +
* Continuation of comments were reviewed from comment 66
 +
** Comment approved for Security Labeling is added and aligned with International Standards
 +
** Comment reviewed: Trust Services Federation Model should include policy resolution services
 +
* Project Scope Statement - Medical Devices Security - follow up of outreach to Medical Device WG - Mike Davis
 +
** Medical Devise Working Group never balloted on PSS (Project Scope Statement )
 +
** We should approach the Medical Devise working group to resubmit the PSS
 +
** Next Step: Kathleen will draft an invitation to Medical Devise Work group
 +
* gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update] - Diana
 +
** NTR
 +
* Security Labeling Service Revision Update - Diana
 +
** NTR
 +
** Will meet with Kathleen and Mike Davis offline to review
 +
** FHIR AuditEvent and Provenance ballot comments & FHIR Security Call - cancelled.
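Review bot: the rewritten agenda item 2 contradicts the line it replaces. The old item states `No Minutes for February_28_2017 due to cancellation for HIMSS`, yet the new item asks for approval of `Security WG Call Minutes February 28, 2017` and the added minutes line `* Approved: Security WG Call Minutes February 14, 2017 and Security WG Call Minutes February 28, 2017` records them as approved; confirm whether a February 28 call took place and, if not, drop that link and the approval. The same rewrite also drops the February 7, 2017 minutes link without recording a disposition for it. Two smaller nits in this hunk: the added `# ''5 min)'' '''FHIR AuditEvent and Provenance ballot comments...` is missing the opening parenthesis the other items have, and `[gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update]` is a single-bracket link that will render literally with the brackets rather than as a link.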

Latest revision as of 18:27, 21 March 2017


Attendees

x Member Name | x Member Name | x Member Name | x Member Name
. John Moehrke, Security Co-chair | x Kathleen Connor, Security Co-chair | . Alexander Mense, Security Co-chair | . Trish Williams, Security Co-chair
x Mike Davis | x Suzanne Gonzales-Webb | x David Staggs | x Mohammed Jafari
x Glen Marshall, SRS | x Beth Pumo | . Ioana Singureanu | . Rob Horn
x Diana Proud-Madruga | . Serafina Versaggi | x Joe Lamy | . Galen Mulrooney
. Duane DeCouteau | . Chris Clark | . Johnathan Coleman | . Aaron Seib
. Ken Salyards | . Christopher D Brown TX | . Gary Dickinson | x Dave Silver
x Rick Grow | . William Kinsley | . Paul Knapp | x Mayada Abdulmannan
. Kamalini Vaidya | . Bill Kleinebecker | x Christopher Shawn | . Grahame Grieve
. Oliver Lawless | . Ken Rubin | . David Tao | . Nathan Botts


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes February 14, 2017 and Security WG Call Minutes February 28, 2017
  3. (5 min) Review any Security WG comments on ONC-sponsored: Patient Generated Health Data (PGHD) whitepaper, PGHD Overview and Google Document version for inline comments; Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data. Comment deadline moved to March 10th.
  4. (20 min) TF4FA Ballot Reconciliation Spreadsheet Disposition Review
     • If possible, would like Ioana to walk the WG through her comments #55 – 75, which seem to be addressed by the TF4FA Behavioral Model. The proposed dispositions on these are marked “persuasive”.
     • Review John Moehrke's comments 76 - 119 with his assistance.
  5. (5 min) Project Scope Statement - Medical Devices Security - follow up of outreach to Medical Device WG - Mike Davis
  6. (5 min) gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update - Diana
  7. (5 min) Security Labeling Service Revision Update - Diana
  8. (5 min) FHIR AuditEvent and Provenance ballot comments & FHIR Security Call - cancelled.

Minutes

  • Chaired by Kathleen
  • Agenda approved
  • Approved: Security WG Call Minutes February 14, 2017 and Security WG Call Minutes February 28, 2017
  • Review any Security WG comments on ONC-sponsored: Patient Generated Health Data (PGHD) whitepaper, PGHD Overview and Google Document version for inline comments; Consumer Electronics Association Guiding Principles on Privacy and Security of Personal Wellness Data. Comment deadline moved to March 10th.
    • (Kathleen) How patient generated health data can accelerate access to health data for research studies using similar privacy and security approaches:
      • SMART on FHIR approach can be used for patient consent on devices
      • FHIR API can pull the patient record and send it to research projects
      • Patient can authorize release of data for research through a patient right of access
      • Question (Beth): What would the profile look like?
      • Answer: Each study would have a consent, such as a HIPAA authorization, used through a GUI
      • Further discussion:
      • Patient generated data is under HIPAA
      • Consent codes for purpose of use are used from NIH-funded projects as a standard
      • Comment (John): Data quality may become an issue; an IRB may need to be used
      • A standard for Patient Right of Access is needed
    • Comment (Beth): There is a description section under challenges, "Research Enabling Actions":
      • Strength in patient consent in data use
      • Next Step: Kathleen will write out a new type of consent directive for Patient Right of Access and send it to Diana
      • David suggested reaching out to projects working on IRB common rules
      • Next Step: David will provide a comment to Diana on IRB to include in the White Paper
  • TF4FA Ballot Reconciliation Spreadsheet Disposition Review
  • Walk through Ioana's comments #55 – 75 (addressed by the TF4FA Behavioral Model)
  • Proposed dispositions on these are marked “persuasive”
  • Ioana's comments
  • #56:
    • HL7 Data segmentation for security labeling profile as normative; Ioana wants to add in the discussion on international standards.
    • (Persuasive)
  • #57:
    • Comment: Policy Model should include policy resolution services.
    • (Persuasive with Mod)
  • #58:
    • Comment: Workflow initiated at run time should focus on negotiation between two domains.
      • Kathleen added an additional comment: the relationship with SLS should be clear
    • (Persuasive with Mod)
  • #59:
    • Comment: Are the domains referenced in the document NHIN specification?
    • Kathleen response: No, they are not
    • Next step: David will notify Ioana to review and get back on the comment
  • #60:
    • Comment: Trace Model: either simplify, or the client application relies on the local STS model for a negotiation resolution from one domain to request information from a second domain
    • Kathleen response:
    • (Persuasive) Should show actual negotiation
  • #61:
    • In addition, this model will extend support for interop between patient care mediates and entities outside of healthcare to negotiate healthcare policies.
    • David in concurrence
    • (Persuasive)
  • #62:
    • Insert new Trust Model Relationships to show interoperability
    • HIMSS definition is used - Mike Davis
    • David in concurrence
    • Persuasive
  • #63:
    • Trust framework as established meets all legal requirements; assumptions should include health information among members that should be verified
    • Mike Davis and David concur
    • Persuasive
  • #64:
    • Comment: Section B should be moved to an appendix in alignment with international standards
    • Mike Davis concurs
    • Persuasive
  • #65:
    • Misplaced diagram: move to section one, figure one
    • Persuasive
  • #66:
    • Comment: Trust Services Model should state the services required for Trusted Framework establishment vs. Trusted Framework resolution; figure #1 should be updated
    • David clarified the two concepts highlighted in Ioana's comment: (a) harmonizing a specific policy across two domains, (b) other trust services that don't negotiate but assert a value set
    • The two types of services should be made clear.
    • Mike Davis concurs with David
    • Persuasive
  • #67:
    • Comment: Figure two should be replaced with a more detailed diagram (UML)
    • Mike Davis comment: "Volume I was intended to be conceptual; Volume II will incorporate UML diagrams"
    • Non-Persuasive with Mod to include Mike Davis's comment on Volume II
  • #68:
    • Comment: Trust Service should clarify the role in the Trust Mark for section 2.4
    • Mike Davis: The 2.4 diagram describes the roles
    • Next Step: David and Mike Davis can provide the wording for roles
  • 66-68 have resolutions
    • Domains are specified in the 22600 specifications and were not intended to be mapped to affinity domains (Mike Davis)
    • IAG is not being used as the standard; the core reference is the 22600 specification
  • Motion approved for 56-68 (Mike Davis, Diana)
  • Review John Moehrke's comments 76 - 119 with his assistance.
  • Continuation of comments were reviewed from comment 66
    • Comment approved: Security Labeling is added and aligned with international standards
    • Comment reviewed: Trust Services Federation Model should include policy resolution services
  • Project Scope Statement - Medical Devices Security - follow up of outreach to Medical Device WG - Mike Davis
    • Medical Device Working Group never balloted on the PSS (Project Scope Statement)
    • We should approach the Medical Device working group to resubmit the PSS
    • Next Step: Kathleen will draft an invitation to the Medical Device Work Group
  • gforge ballot spreadsheet - HL7 PASS Audit Ballot Reconciliation Update - Diana
    • NTR
  • Security Labeling Service Revision Update - Diana
    • NTR
    • Will meet with Kathleen and Mike Davis offline to review
  • FHIR AuditEvent and Provenance ballot comments & FHIR Security Call - cancelled.