May 23, 2017 Security Conference Call

From HL7Wiki
Latest revision as of 18:59, 13 June 2017


Attendees

Present (x): Kathleen Connor (Security Co-chair), Mike Davis, Suzanne Gonzales-Webb, David Staggs, Mohammed Jafari, Glen Marshall (SRS), Beth Pumo, Diana Proud-Madruga, Joe Lamy, Dave Silver, Rick Grow, Mayada Abdulmannan, Christopher Shawn

Not marked present (.): John Moehrke (Security Co-chair), Alexander Mense (Security Co-chair), Trish Williams (Security Co-chair), Ioana Singureanu, Rob Horn, Serafina Versaggi, Galen Mulrooney, Duane DeCouteau, Chris Clark, Johnathan Coleman, Aaron Seib, Ken Salyards, Christopher D Brown TX, Gary Dickinson, William Kinsley, Paul Knapp, Kamalini Vaidya, Bill Kleinebecker, Grahame Grieve, Oliver Lawless, Ken Rubin, David Tao, Nathan Botts


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (4 min) Review and Approval of Security WG Call Minutes April 25, 2017
  3. (15 min) Madrid Debrief - Review of Minutes, presentations - cochairs
  4. (10 min) TF4FA Ballot Reconciliation - Kathleen
  5. (10 min) PASS Audit Ballot Reconciliation - Diana
  6. (5 min) FHIR Security Call - Please review front matter - John Moehrke

Madrid presentations:

  • Healthcare Requirements for Emergency Access by Mike Davis, VA
  • Veterans Choice Program FAQ
  • Bernd Blobel Madrid Presentations
  • HIMSS 2017 Patient Choice on FHIR

Tuesday Security WG Session: Kevin Shekleton and Josh Mandel presented on FHIR CDS Hooks. CDS Hooks uses SMART on FHIR to specify services that create vendor-independent "substitutable apps" which can be plugged into a variety of EHR and other systems. The service equips a native EHR with an event model, triggering calls to remote CDS services when specific user activities occur (e.g., "prescribe a drug" or "open a patient record"). These CDS Hooks services can respond with advice, alternative suggestions, and in-context app launch links that are presented to the user in accordance with explicit user-experience guidelines. The following videos provide excellent presentations on CDS Hooks:

  • Josh Mandel CDS Hooks Video
  • Kevin Shekleton (Cerner) Presentations
  • Remote Decision Support with CDS Hooks, Kevin Shekleton

CDS Hooks services might be an approach for creating "break glass" alerts, e.g., for drug-drug interactions where the treating provider does not have clearance to view the entire record, such as where a patient has not consented for this provider to access sensitive information. The Security Labeling Service (SLS) would provide the CDS service with the unmasked record while permitting the treating provider to access only the masked record until the provider executes break glass based on the CDS alert.
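The two paragraphs above describe a CDS Hooks service that sees the unmasked record while the provider sees the masked one, and the Madrid debrief lists "how to secure CDS Hooks" as an open item. The following is an added example written for this page, not code from the HL7 Security WG, the CDS Hooks project or SMART on FHIR. It assumes the `order-select` hook, that the SLS has tagged restricted resources with security label code "R" in `meta.security`, a constructed toy interaction table and request, placeholder service, issuer and break-glass URLs, and an HMAC (HS256) JWT with a shared secret as a stand-in for the asymmetric EHR signature the CDS Hooks specification requires. The service authenticates the calling EHR (signature, pinned algorithm, issuer allowlist, audience, expiry, replay) before touching any PHI, then returns a card that does not name the restricted medication unless the provider is cleared.

```python
import base64
import hashlib
import hmac
import json

SERVICE_URL = "https://cds.example.org/cds-services/ddi-check"  # assumed; the JWT "aud" we expect
TRUSTED_ISSUERS = {"https://ehr.example.org"}                   # assumed allowlist of EHR issuers
_seen_jti = set()  # replay cache; a real service shares this across instances, with expiry

def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, key):
    """HS256 stand-in for the asymmetric (e.g. RS256) signature CDS Hooks actually requires."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token, key, now):
    """Accept only a fresh, correctly signed token from a trusted EHR for this service."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != SERVICE_URL:
        raise ValueError("token not intended for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        raise ValueError("missing or replayed jti")
    _seen_jti.add(jti)
    return claims

def token_problem(token, key, now):
    """verify_jwt as a predicate: empty string if the token is good, else the reason."""
    try:
        verify_jwt(token, key, now)
        return ""
    except ValueError as e:
        return str(e)

INTERACTIONS = {frozenset({"warfarin", "fluconazole"}): "increased bleeding risk"}  # constructed toy table

def _is_restricted(resource):
    # Assumes the SLS tagged restricted resources with security label code "R" in meta.security.
    return any(c.get("code") == "R" for c in resource.get("meta", {}).get("security", []))

def ddi_cards(selected_drug, unmasked_bundle, provider_may_see_restricted):
    """Check the draft order against the UNMASKED record the SLS gave the CDS service. A restricted
    hit for an uncleared provider yields a card that does not name the medication, only a break-glass link."""
    cards = []
    for entry in unmasked_bundle.get("entry", []):
        res = entry["resource"]
        if res.get("resourceType") != "MedicationStatement":
            continue
        other = res["medicationCodeableConcept"]["text"].lower()
        reason = INTERACTIONS.get(frozenset({selected_drug.lower(), other}))
        if not reason:
            continue
        if _is_restricted(res) and not provider_may_see_restricted:
            cards.append({"summary": f"{selected_drug} interacts with a medication in a restricted part of the record",
                          "detail": "Break glass to view the interacting medication; the access will be audited.",
                          "indicator": "critical", "source": {"label": "DDI check (example)"},
                          "links": [{"label": "Break glass", "type": "absolute",
                                     "url": "https://ehr.example.org/break-glass"}]})
        else:
            cards.append({"summary": f"{selected_drug} interacts with {other}: {reason}",
                          "indicator": "critical", "source": {"label": "DDI check (example)"}})
    return cards

def handle_order_select(request, auth_header, key, provider_may_see_restricted, now):
    """POST /cds-services/ddi-check: authenticate the EHR before touching any PHI."""
    if not auth_header.startswith("Bearer "):
        raise ValueError("missing bearer token")
    verify_jwt(auth_header[len("Bearer "):], key, now)
    if request.get("hook") != "order-select":
        raise ValueError("unsupported hook")
    selected = request["context"]["draftOrders"]["entry"][0]["resource"]["medicationCodeableConcept"]["text"]
    return {"cards": ddi_cards(selected, request["prefetch"]["meds"], provider_may_see_restricted)}

def sample_request():
    """Constructed request: warfarin ordered; record holds a consent-restricted fluconazole entry."""
    def med(text, restricted):
        return {"resource": {"resourceType": "MedicationStatement", "medicationCodeableConcept": {"text": text},
                             "meta": {"security": [{"code": "R"}] if restricted else []}}}
    return {"hook": "order-select",
            "context": {"patientId": "p1", "draftOrders": {"entry": [{"resource": {
                "resourceType": "MedicationRequest", "medicationCodeableConcept": {"text": "Warfarin"}}}]}},
            "prefetch": {"meds": {"entry": [med("Fluconazole", True), med("Metformin", False)]}}}
```

Two caveats follow from the design. The card returned to an uncleared provider still discloses that a restricted entry exists and interacts with the order; that existence disclosure is exactly the alert the minutes propose, but whether it is acceptable under a given consent directive is a policy decision, and the card text itself has to be treated as a potential leak channel. Second, because the SLS hands the CDS service the unmasked record, the service sits inside the trust boundary for sensitive data, which is why the caller is authenticated before the prefetch is read and why the break-glass action it links to must be audited by the EHR.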

Minutes

  • Chaired by Kathleen
  • Agenda approved
  • Security WG Call Minutes of April 25, 2017 approved
  • Madrid Debrief - Review of Minutes, presentations - cochairs
  • (Kathleen) Highlights from the Madrid meeting:
    • (1) David Pyke: Privilege Management and Access Control, ISO 22600
      • Based on our Security and Privacy Domain Analysis Model (modeling domains)
      • His main audience was the Clinical Information Modeling Initiative (CIMI)
      • He presented on the European Data Protection Regulation (more regulated than the U.S.)
      • There may be interoperability issues with storing health information across European and American systems
    • (2) The Trusted eHealth project
      • Part of it is an optional national health exchange scheme
      • Free to the consumer
      • It makes healthcare delivery available to the consumer
    • (3) Clinical Decision Support (Kathleen, John)
      • Discussed hooking up EHRs to apps external to the EHR
      • Drug-drug interactions
      • How to secure CDS Hooks
  • (John)
    • (4) Held a meeting with the SMART on FHIR team
      • Came to an understanding of which users it covers
      • Came up with other patterns that SMART may not cover, such as server-to-server communication
      • Discussed testing security and privacy resources
      • We sent out an opportunity for other work groups to work together on their security needs
      • Gary and Kathleen came up with a proposal on test scripts for provenance

HL7 WGM May 2017 - Madrid, Spain Minutes

  • TF4FA Ballot Reconciliation - Kathleen
    • Completed spreadsheet
    • Proposed disposition of the DoD comments (Dr. Mark Kramer)
    • He raised the need for discussion on how negotiations take place, to include in the next version
    • ISO 22600 has a tutorial on how to build policy bridging; it can be a starting place for behavioral models of the different components used for composite policy (how to compose a composite policy)
    • He asserts that a basic policy should have nested policies
  • PASS Audit Ballot Reconciliation - Diana
    • Comments 97-129 reviewed for vote
    • #97 withdrawn
    • Comment 98 accepted
    • Comment 99 accepted
    • Comment 100 persuasive with mod (accepted)
    • RFC 3881 was removed as a reference
    • Comments 103 and 104 accepted
    • Redundancy removed and consolidation made for 104 (accepted)
    • The word "disclosure" was added for comment 106 (accepted)
    • ISO standard definition added for 107 (accepted)
    • Comment 108 accepted
    • Comment 110-
    • Comments 112-113, vocabulary consistency (accepted)
    • Comment 114 formatting issues (accepted)
    • Comment 117 accepted
    • Comment 118 was a repeat; reworded (accepted)
    • Comment 121 was a repeat of a previous comment
    • Comment 123 was considered for future use, but moved to persuasive and accepted based on the following:
      • Has to do with the Audit Archive service for the functional model
      • Comment (Mike Davis): archive is part of audit
      • Is not a retrieve-archive capability
      • Moved to persuasive and approved (accepted)
    • Comment 124 was a repeat of a previous comment
    • Comment 125 accepted
    • Comment 128 agreed, persuasive with mod
    • Comment 129 accepted
    • Motion to approve 97-129 (Diana, Mike Davis)