
Difference between revisions of "October 16, 2018 Security Conference Call"

From HL7Wiki
(Created page with "Back to Security Main Page ==Attendees== Back to Security Main Page {| class="wikitable" |- !x||'''Member Name'''|| !! x ||'''Member Name''' !!|| ...")
 
 
(37 intermediate revisions by the same user not shown)
Line 16: Line 16:
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
 
||||x|| [mailto:mike.davis@va.gov Mike Davis]
||||x|| [mailto:david.staggs@bookzurman.com David Staggs]
+
||||.|| [mailto:david.staggs@bookzurman.com David Staggs]
 
   
 
   
 
|-
 
|-
Line 34: Line 34:
 
||||.|| [mailto:Bo.Dagnall@dxc.com Bo Dagnall]
 
||||.|| [mailto:Bo.Dagnall@dxc.com Bo Dagnall]
 
|-
 
|-
||    .|| [mailto: ]
+
||    x|| [mailto:peter.van.liesdonk@philips.com Peter van Liesdonk]
||||.|| [mailto: ]
+
||||x|| [mailto:theresa.ardal.connor@protonmail.com Theresa Ardal Connor]
 
||||.|| [mailto:  ]
 
||||.|| [mailto:  ]
 
||||.|| [mailto:  ]
 
||||.|| [mailto:  ]
Line 48: Line 48:
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(2 min)'' '''Roll Call, Agenda Approval'''  
 
#''(5 min)'' Review and Approval of Minutes
 
#''(5 min)'' Review and Approval of Minutes
#*[http://wiki.hl7.org/index.php?title=September_11,_2018_Security_Conference_Call Security Conference Call September 11, 2018 ]
+
#*[http://wiki.hl7.org/index.php?title=September_18,_2018_Security_Conference_Call Security Conference Call September 18, 2018] WGM minutes in process.
#''(5 min)'' '''GDPR whitepaper on FHIR''' Update - meeting cancelled
 
 
#''(10 min)'' '''TF4FA Normative Ballot reconciliation (formerly PSAF)''' - Mike, Chris'''
 
#''(10 min)'' '''TF4FA Normative Ballot reconciliation (formerly PSAF)''' - Mike, Chris'''
#* '''Meetings: Tuesdays, 11:00 AM Eastern; freeconference.com same as Security call
+
#*'''Meetings: Tuesdays, 11:00 AM Eastern; freeconference.com same as Security call
#* [http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF)#Trust_Framework_for_Federated_Authorization_.28TF4FA.29  TF4FA Ballot Reconciliation (wiki)]
+
#*[http://wiki.hl7.org/index.php?title=Privacy_and_Security_Framework_Architecture_(PSAF)#Trust_Framework_for_Federated_Authorization_.28TF4FA.29  TF4FA Ballot Reconciliation (wiki)]
#* [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot Ballot Reconciliation Sheet]
+
#*[https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot/ TF4FA Vol.1 & 2 Ballot Reconciliation Sheet]
#** Comments to be voted on this week: Comments 129 - 146 + 10/13 recon call 147 - 161 (last comment)
+
#**Comments to be voted on this week: Comments 129 - 146 (last comment)
#** Next week: Review and vote on comments 129 - 161, which will conclude recon.  
+
#**Next week: Review and vote on comments 147 - 161(last comment), which will conclude recon.  
#* assignment of document update?
+
#*Assignment of document update?
#* http://wiki.hl7.org/index.php?title=PASS_Healthcare_Audit_Services
+
#*[http://wiki.hl7.org/index.php?title=PASS_Healthcare_Audit_Services Update on revision of PASS Audit]
 
#''(05 min)'' '''TF4FA Trust Framework, Volume 3''' - Update Mike, Chris
 
#''(05 min)'' '''TF4FA Trust Framework, Volume 3''' - Update Mike, Chris
#''(10 min)'' '''Review '''[https://gforge.hl7.org/gf/project/security/docman/ Security WG 3 Year Plan]''' - Kathleen
+
#''(05 min)'' '''Vote to approve NIB submission on three reaffirmation ballots: HCS, S&P Ontology, and SLS''' - Kathleen
#''(10 min)'' '''Check out [https://confluence.hl7.org/display/SEC/Security+Work+Group Security WG Confluence site]''' - Kathleen
+
#''(05 min)'' '''Review '''[https://gforge.hl7.org/gf/project/security/docman/ Security WG 3 Year Plan]''' - Kathleen
# Review of prepared comments (below) Kathleen  
+
#''(05 min)'' Check out [https://confluence.hl7.org/display/SEC/Security+Work+Group Security WG Confluence site] - Kathleen
#''(10 min)'' '''FHIR Security Update'''
+
#''(10 min)'' Vote to approve submission of November initial harmonization proposals: [https://gforge.hl7.org/gf/project/security/docman/Harmonization/July%202018%20Harmonization/ Revise HL7 ActPrivacyPolicy], Privacy Marks for CUI, Copy, Prohibition against Redisclosure with definition describing how to render, Add COPY as an integrity code per John,  fixes Security Role code definition for grantor, healthcare power of attorney.
#* Additional Agenda items to add?
+
#''(05 min)'' '''GDPR whitepaper on FHIR''' Update - Alex
#*[http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_Agenda-_Baltimore_(DRAFT) DRAFT Agenda Link]
 
  
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]
  
 
==Meeting Materials==
 
==Meeting Materials==
*HL7 PAC Request RE: 21st Century Cures EHR Reporting Program
+
*[https://www.youtube.com/watch?v=1Fk6sagQRXg 201809 Connectathon video] for the integrated Care Plan, Clinical Reasoning, and Consumer Mediated Exchange tracks, which featured a Break the Glass scenario. Break glass scenario demonstrated a technical approach to balancing patient safety with patient privacy. Betsy, the starring persona, used a FHIR consent directive to restrict access to her mental health care plan by all of her multiple distributed care teams other than her mental health provider and CDS'.
*ONC released a Request for Information (RFI) on August 24 related to the [https://www.federalregister.gov/documents/2018/08/24/2018-18297/request-for-information-regarding-the-21st-century-cures-act-electronic-health-record-reporting 21st Century Cures EHR Reporting Program requirements.]  HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback.
 
*Comments are due to ONC by October 17, 2018.  We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20.  Please send comments to PAC Chair Mark Segal at msegal@dig-hpa.com and Ticia Gerber at tgerber@hl7.org. 
 
*As background, ONC states that: This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA). This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program. ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security.
 
*Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under [https://www.law.cornell.edu/cfr/text/42/part-2 42 CFR part 2].
 
*What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?
 
*Proposed Input Topics:
 
**Support adoption of [https://www.youtube.com/watch?v=fqLJlxt0MSo&list=PLBXgZMI_zqfRUXUZv9oEnIzWXHeW6slbq&index=8&t=0s SAMHSA Consent2Share]
 
**Support adoption of HL7 Data Segmentation for Privacy CDA IG
 
**Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
 
**Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives
 
  
[[Security|Back to Security Main Page]]
+
*Betsy's endocrinologist is about to order an opioid to treat her diabetic neuropathy pain based on her medication list, which masked the mental health medication, Xanax based on her consent directive.  The endocrinologist's CDS throws a drug-drug counter indication warning based on a CDS Hooks card.
==Meeting Minutes DRAFT==
 
Chair, Kathleen Connor
 
  
Roll Taken, Agenda reviewed, updates made as requested
+
*The warning gives two options to the endocrinologist, either Break the Glass with notice about being audited or to ask the patient if there are medications that are not shown on the medication list. If the provider takes the Break the Glass option, the endocrinologist will be shown her mental medication list, which includes Xanax and a recommendation to prescribe Gabapentin instead. 
  
Motion to approve 9/11 meeting minutes
+
*If the endocrinologist takes the second option, he will explain to Betsy that there is a potential drug-drug counter indication. The endocrinologist then asks if there are some medications that Betsy hasn't authorized him to see. Betsy decides to tell him about her mental health prescription for Xanax.  Using her mobile app for Right of Access directives, she directs the app to only retrieve her mental health medications from either her mental health provider's EHR or optionally from those records that are accessible through the mental health provider's HIE.  Because Betsy is exercising her Right of Access on her own behalf rather than delegating that right to a third party app to exercise on her behalf, she does not need a signed Right of Access directive.  So in this case, a simple click on the app's OAuth authorization button is sufficient.  The app returns her mental health medication list, which indicates that Xanax is her currently prescribed anti-anxiety and antidepression medication to treat late onset PTSD related to combat.  The provider then requests a list of alternative non-opioid medications for diabetic neuropathy pain. CDS-Hooks returns Gabapentin as a recommended alternative pain medication.  The endocrinologist discusses this with Betsy and she agrees to try Gabapentin instead.
(Suzanne to add link to ballot spreadsheet)
 
Vote: Abstain: none; oppose: none approve: 9
 
  
 +
[[Security|Back to Security Main Page]]
  
'''GDPR whitepaper on FHIR Update'''
+
==Meeting Minutes DRAFT==
* weekly Monday meeting cancelled this week
+
Chair, Kathleen
* meeting to be held at WGM on Sunday
+
Roll Taken, Agenda reviewed, updates made as requested
 
+
*Security 9/18 meeting minutes approved - Diana Moved/Theresa Second 9-0-0
 +
*'''Submission of 3 Reaffirmation NIBs''' approved - Theresa Moved/Mike Second, Peter abstained 8-1-0
 
'''TF4FA Ballot Reconciliation'''  
 
'''TF4FA Ballot Reconciliation'''  
* [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot/ballotcomments_V3_PSAF_R1_N1_2018MAY%20amalgamated_20180918_sgw.xlsm Spreadsheet for 9/18]
+
* [https://gforge.hl7.org/gf/project/security/docman/HL7%20Security%20SOA/TF4FA%20(formerly%20PSAF)/TF4FA%20-%20Ballot%20Reconciliation%20May%202018%20ballot/ballotcomments_V3_PSAF_R1_N1_2018MAY%20amalgamated_20181016.xlsm Spreadsheet for 10/16] Comment dispositions 130 - 146 approved. Mike Moved/Theresa Suzanne abstained Second 8-1-0
Reviewed Ballot comments: 90-99
+
Next block are Ballot comments: 147 - 161 for TF4FA Recon call and Security WG review on 10/23. Final vote on the last of the dispositions is scheduled for 10/30.
* Motion to approve ballot comments #90-99 as presented) Mike / Suzanne
+
*'''PASS Audit document update''' - Mike had no updates
** Vote: Abstain: none  Oppose: none  Approve: 9
+
*'''Volume 3''' - Mike had no updates
* Please review ballot comments #100-106 for vote next week
+
*'''Security WG 3 Year Plan''' - Work in progress. Will be adding milestones, e.g., NIB submissions to tie more closely with Project Insights for project management and WG health purposes.
 
+
*'''Securithy Confluence ''' - Quick review. Suzanne and Kathleen met with Joshua Procious about CBCP and Security wiki set up, migration of wiki materials, and cut-over to only using Confluence after the January WGM while continuing to use wiki for archived material.  
 
+
*'''Submission of November Initial Harmonization Proposals approved''' Diana Moved/Theresa, Mike abstained. 8-1-0
'''PASS Audit document update'''
+
*'''FHIR Security Update''' - Call Cancelled and John sent his regrets.
* no update
+
*'''GDPR whitepaper on FHIR Update''' - Alex and John were absent so no report.
* plan to work on document post ballot reconciliation during WGM
 
 
 
'''Volume 3'''
 
* Document progress made
 
* Draft will be ready to discuss at the WGM
 
* Kathleen mentioned that digital ledger technology may be introduced---wherein Volume 3 may shed some light on that (whether we need an ISO V2 Provenance)
 
* 21 century CURES
 
* see outline above in Meeting Materials
 
** finding a way to satisfy 21 CURES....
 
** Privacy and Security capability/ to assist making decision to approach privacy and security for systems they would buy
 
* the reason Kathleen is pushing is because its recognized in ISA; someone in IHE, vendor or other could look this as embedding privacy and security…
 
 
 
==(see 19:00)==
 
* ONC is implementing this comment agreement....
 
** article 4000? 4002 (per Mike)
 
** in response to that ONC has responded with comments to TEFCA
 
** V2 is imminent - the response should be coming soon. possibly around the time of the WGM we have may have available for release
 
* we have comments from first TEFCA version
 
** federal partners WG joined to provide comments for TEFCA for where we would like to see it go.
 
** we know that the original TEFCA is out and comments made, we need to see the next version based on the comments received
 
* Kathleen in RFI looks like they are asking for a particular portion of the RFI for reporting on EHR programs.  that is complementary probably--does anyone--are people okay with this list going in the PAC as recommendations for this WG (security)
 
* see bulleted section at bottom
 
** where to look for security and privacy support
 
** the response from 'us' is in security labeling --we need more than just to support it---but why we feel this is relative.
 
** the bullet points could use a little more justification
 
* Kathleen feels we should also add maybe: RBAC, audit, ABAC, … others
 
==(see 25:00)==
 
 
 
We are supporting the adoption of SAMHSA consent2share - but we didn’t' say support adoption of questionnaire or contracts... an HL7 thing (this is a SAMHSA thing); you need to add an HL7 hook
 
 
 
'''Confluence site'''
 
* front page of confluence will tell you how to get in, etc.,
 
* there are other WGs who have templates, etc. for meeting minutes
 
* Agendas are using it... attempt to migrate out of wiki;
 
* should be easier for collaborations, edits can be done directly, etc.
 
* Questions?
 
* will add agenda item at WGM
 
 
 
'''ISA Comments: '''
 
===Review ISA for Security and Privacy Concerns PPT <<add link>>===
 
* HealthIT.gov; Remote Patient Authorization and Submission of EHR Data for Research aka "Right of Access"
 
 
 
'''Update to Baltimore Agenda'''
 
Tuesday Q4 - update to MiHIN presentation on how they are using Consent, Lloyd and Grahame have been invited as they would like to bring up the three statements that David brought forward in CBCP.
 
 
 
* moving Tuesday Q4 - Update of Volume 3 Draft (Mike) to TUES Q2 (replacing PASS Audit Ballot Reconciliation document updates which can be done offline
 
 
 
 
No additional discussion items brought forward
 
No additional discussion items brought forward
 
+
Meeting adjourned at 1258?
+
Temporary Recording https://fccdl.in/4EMYgsorg0
Note: No meeting on the 25th
+
--[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 21:55, 19 September 2018 (EDT)
 
 
 
Meeting adjourned at 1258 --[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 21:55, 19 September 2018 (EDT)
 
  
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]
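Review bot: the closing signature at the end of this hunk still carries the 21:55, 19 September 2018 timestamp copied from the page this one was created from, while the minutes above it record the 16 October call; the adjournment time is also left as "1258?" Suggest re-signing with the current date and confirming the time before the draft is finalized. Separately, "'''Securithy Confluence '''" in the minutes should read "Security Confluence".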

Latest revision as of 02:51, 23 October 2018

Back to Security Main Page

Attendees


Present (marked x in the roll):

  • Kathleen Connor (Security Co-chair)
  • Suzanne Gonzales-Webb
  • Mike Davis
  • Diana Proud-Madruga
  • Francisco Jauregui
  • Joe Lamy
  • Dave Silver
  • Jim Kretz
  • Peter van Liesdonk
  • Theresa Ardal Connor

Not present (marked . in the roll):

  • John Moehrke (Security Co-chair)
  • Alexander Mense (Security Co-chair)
  • Trish Williams (Security Co-chair)
  • Christopher Shawn (Security Co-chair)
  • David Staggs
  • Johnathan Coleman
  • Rhonna Clark
  • Greg Linden
  • Grahame Grieve
  • Beth Pumo
  • Peter Bachman
  • Bo Dagnall


Agenda

  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of Minutes
  3. (10 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
  4. (05 min) TF4FA Trust Framework, Volume 3 - Update Mike, Chris
  5. (05 min) Vote to approve NIB submission on three reaffirmation ballots: HCS, S&P Ontology, and SLS - Kathleen
  6. (05 min) Review Security WG 3 Year Plan - Kathleen
  7. (05 min) Check out Security WG Confluence site - Kathleen
  8. (10 min) Vote to approve submission of November initial harmonization proposals: Revise HL7 ActPrivacyPolicy, Privacy Marks for CUI, Copy, Prohibition against Redisclosure with definition describing how to render, Add COPY as an integrity code per John, fixes Security Role code definition for grantor, healthcare power of attorney.
  9. (05 min) GDPR whitepaper on FHIR Update - Alex


Meeting Materials

  • 201809 Connectathon video for the integrated Care Plan, Clinical Reasoning, and Consumer Mediated Exchange tracks, which featured a Break the Glass scenario. The Break the Glass scenario demonstrated a technical approach to balancing patient safety with patient privacy. Betsy, the starring persona, used a FHIR consent directive to restrict access to her mental health care plan by all of her multiple distributed care teams other than her mental health provider and CDS.
  • Betsy's endocrinologist is about to order an opioid to treat her diabetic neuropathy pain based on her medication list, which, because of her consent directive, masked the mental health medication Xanax. The endocrinologist's CDS throws a drug-drug contraindication warning based on a CDS Hooks card.
  • The warning gives the endocrinologist two options: either Break the Glass, with notice that the access will be audited, or ask the patient whether there are medications not shown on the medication list. If the provider takes the Break the Glass option, the endocrinologist is shown her mental health medication list, which includes Xanax, and a recommendation to prescribe Gabapentin instead.
  • If the endocrinologist takes the second option, he explains to Betsy that there is a potential drug-drug contraindication and asks whether there are medications that Betsy hasn't authorized him to see. Betsy decides to tell him about her mental health prescription for Xanax. Using her mobile app for Right of Access directives, she directs the app to retrieve only her mental health medications, from either her mental health provider's EHR or, optionally, from the records accessible through the mental health provider's HIE. Because Betsy is exercising her Right of Access on her own behalf rather than delegating that right to a third-party app to exercise for her, she does not need a signed Right of Access directive, so in this case a simple click on the app's OAuth authorization button is sufficient. The app returns her mental health medication list, which indicates that Xanax is her currently prescribed anti-anxiety and antidepressant medication, treating late-onset PTSD related to combat. The provider then requests a list of alternative non-opioid medications for diabetic neuropathy pain, and CDS Hooks returns Gabapentin as a recommended alternative. The endocrinologist discusses this with Betsy and she agrees to try Gabapentin instead.
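The scenario above turns on one information-flow rule: the CDS service may see the consent-masked medication so it can detect the interaction, but the card it sends the endocrinologist must warn without disclosing the masked drug, and a Break the Glass override must always leave an audit record. The following is an added illustration written for these minutes, not Connectathon code or a FHIR implementation; the medication records, consent directive, actor names, interaction table and the PSY/BTG codes (modelled on HL7 v3 vocabulary) are all constructed for the example.

```python
"""Consent-masked medication list, CDS Hooks-style card and Break the Glass audit.

Constructed illustration of the Connectathon scenario; the data, codes and
actor names are assumptions made for this example, not the demo's own data.
"""

# Label and purpose-of-use codes modelled on HL7 v3 vocabulary (assumption:
# PSY = psychiatry sensitivity label, BTG = break-the-glass purpose of use).
PSY, BTG = "PSY", "BTG"

# Constructed medication list for the persona "Betsy"; one entry is labelled.
BETSY_MEDS = [
    {"name": "Metformin", "class": "biguanide", "labels": []},
    {"name": "Xanax", "class": "benzodiazepine", "labels": [PSY]},
]

# Constructed consent directive: hide PSY-labelled data from everyone except
# the mental health provider and the CDS service (the exceptions the scenario names).
BETSY_CONSENT = {"deny_labels": {PSY}, "except_actors": {"mh-provider", "cds-service"}}

# Constructed interaction table standing in for real drug knowledge.
INTERACTIONS = {("opioid", "benzodiazepine")}

AUDIT_LOG = []  # stands in for FHIR AuditEvent resources


def apply_consent(meds, consent, actor, purpose=None):
    """Return the medications `actor` may see. A BTG purpose of use overrides
    the consent but always records who broke the glass and what was disclosed."""
    if actor in consent["except_actors"]:
        return list(meds)
    masked = [m for m in meds if consent["deny_labels"] & set(m["labels"])]
    if purpose == BTG:
        AUDIT_LOG.append({"actor": actor, "purpose": BTG,
                          "disclosed": [m["name"] for m in masked]})
        return list(meds)
    return [m for m in meds if m not in masked]


def build_cds_card(meds, consent, actor, proposed_class):
    """Run the interaction check as the CDS service (which sees the full list)
    and return a card for `actor` that warns without naming a masked medication."""
    full = apply_consent(meds, consent, "cds-service")
    visible = apply_consent(meds, consent, actor)
    hits = [m for m in full if (proposed_class, m["class"]) in INTERACTIONS]
    if not hits:
        return None
    hidden = [m for m in hits if m not in visible]
    # Only name the interacting drug when the requester is allowed to see it.
    detail = ("interacts with a medication not shown on the displayed list"
              if hidden else "interacts with " + ", ".join(m["name"] for m in hits))
    return {
        "indicator": "warning",
        "summary": f"Potential drug-drug contraindication: {proposed_class} {detail}",
        # The two options the scenario gives the endocrinologist.
        "suggestions": [
            "Break the Glass (access to the restricted medications will be audited)",
            "Ask the patient whether there are medications not shown",
        ] if hidden else [],
    }
```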


Meeting Minutes DRAFT

Chair: Kathleen. Roll taken, agenda reviewed, updates made as requested.

  • Security 9/18 meeting minutes approved - Diana moved / Theresa seconded; 9-0-0
  • Submission of 3 Reaffirmation NIBs approved - Theresa moved / Mike seconded; Peter abstained; 8-1-0

TF4FA Ballot Reconciliation

  • Spreadsheet for 10/16: comment dispositions 130 - 146 approved. Mike moved / Theresa seconded; Suzanne abstained; 8-1-0

The next block of ballot comments, 147 - 161, is for the TF4FA recon call and Security WG review on 10/23. The final vote on the last of the dispositions is scheduled for 10/30.

  • PASS Audit document update - Mike had no updates
  • Volume 3 - Mike had no updates
  • Security WG 3 Year Plan - Work in progress. Will be adding milestones, e.g., NIB submissions to tie more closely with Project Insights for project management and WG health purposes.
  • Security Confluence - Quick review. Suzanne and Kathleen met with Joshua Procious about CBCP and Security wiki set up, migration of wiki materials, and cut-over to only using Confluence after the January WGM while continuing to use the wiki for archived material.
  • Submission of November Initial Harmonization Proposals approved - Diana moved / Theresa seconded; Mike abstained; 8-1-0
  • FHIR Security Update - Call Cancelled and John sent his regrets.
  • GDPR whitepaper on FHIR Update - Alex and John were absent so no report.

No additional discussion items brought forward.

Meeting adjourned at 1258?

Temporary Recording https://fccdl.in/4EMYgsorg0

--Suzannegw (talk) 21:55, 19 September 2018 (EDT)
