Difference between revisions of "September 11, 2018 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name'''  
 
!x||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name'''  
 
|-
 
|-
||  .|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
+
||  x|| [mailto:JohnMoerke@gmail.com John Moehrke] Security Co-chair
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
 
||||x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-chair  
 
||||.|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
 
||||.|| [mailto:mense@fhtw.onmicrosoft.com Alexander Mense] Security Co-chair
Line 14: Line 14:
 
||  x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
 
||  x|| [mailto:Christopher.Shawn2@va.gov Christopher Shawn] Security Co-chair
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
 
||||x|| [mailto:Suzanne.Webb@bookzurman.com Suzanne Gonzales-Webb]
||||.|| [mailto:mike.davis@va.gov Mike Davis]
+
||||x|| [mailto:mike.davis@va.gov Mike Davis]
 
||||x|| [mailto:david.staggs@bookzurman.com David Staggs]
 
||||x|| [mailto:david.staggs@bookzurman.com David Staggs]
 
   
 
   
 
|-
 
|-
||  .|| [mailto:Diana.Proud-Madruga@electro-soft.com Diana Proud-Madruga]
+
||  x|| [mailto:Diana.Proud-Madruga@electro-soft.com Diana Proud-Madruga]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
||||x|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
+
||||.|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
 
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
|-
 
|-
Line 51: Line 51:
 
#*[http://wiki.hl7.org/index.php?title=September_04,_2018_Security_Conference_Call Security Conference Call September 04, 2018 ]
 
#*[http://wiki.hl7.org/index.php?title=September_04,_2018_Security_Conference_Call Security Conference Call September 04, 2018 ]
 
#* Note: August 28 Meeting Minutes updated as indicated per vote on 9/4/2018
 
#* Note: August 28 Meeting Minutes updated as indicated per vote on 9/4/2018
#''(5 min)'' '''[http://confluence.hl7.org/display/SEC/FHIR+-+GDPR GDPR whitepaper on FHIR]''' Update -  Alex, John, Kathleen
+
#''(5 min)'' '''GDPR whitepaper on FHIR''' Update -  Alex, John, Kathleen
 
#''(5 min)'' '''TF4FA Normative Ballot reconciliation (formerly PSAF)''' - Mike, Chris'''
 
#''(5 min)'' '''TF4FA Normative Ballot reconciliation (formerly PSAF)''' - Mike, Chris'''
 
#* '''Meetings: Tuesdays, 11:00 AM Eastern; freeconference.com same as Security call
 
#* '''Meetings: Tuesdays, 11:00 AM Eastern; freeconference.com same as Security call
Line 72: Line 72:
 
Role Taken, Agenda reviewed
 
Role Taken, Agenda reviewed
  
==Meeting Materials==
+
Meeting minutes approved ( Mike/Beth )  
*HL7 PAC Request RE: 21st Century Cures EHR Reporting Program
+
Objections: none; Abstentions: none; Approved: 8
Dear HL7 Work Group Chairs:
 
ONC released a Request for Information (RFI) on August 24 related to the [https://www.federalregister.gov/documents/2018/08/24/2018-18297/request-for-information-regarding-the-21st-century-cures-act-electronic-health-record-reporting 21st Century Cures EHR Reporting Program requirements.]  HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback.
 
Comments are due to ONC by October 17, 2018.  We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20.  Please send comments to PAC Chair Mark Segal at msegal@dig-hpa.com and Ticia Gerber at tgerber@hl7.org.  
 
We have attached the RFI document with areas in green that we will be commenting on and areas in yellow that we are considering for HL7 comment.  We look forward to your feedback on these areas or others you feel are relevant for your Work Groups.
 
As background, ONC states that: This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA). This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program. ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security.
 
*Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under [https://www.law.cornell.edu/cfr/text/42/part-2 42 CFR part 2].
 
*What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?
 
**Proposed Input Topics:
 
***Support adoption of [https://www.youtube.com/watch?v=fqLJlxt0MSo&list=PLBXgZMI_zqfRUXUZv9oEnIzWXHeW6slbq&index=8&t=0s SAMHSA Consent2Share]
 
***Support adoption of HL7 Data Segmentation for Privacy CDA iG
 
***Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
 
***Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives
 
  
 
+
'''TF4FA Ballot Reconciliation'''
Meeting minutes approved ( / Beth )
 
approved;
 
 
 
 
 
 
 
 
 
TF4FA Ballot Reconciliation
 
 
The majority of the reconciliation was administrative in nature  
 
The majority of the reconciliation was administrative in nature  
* a set of comments having to do with how we characterize some data as being optional or mandatory--the diagrams were clear, however the text was inconsistent in reporting optional vs manadatory.
+
* a set of comments having to do with how we characterize some data as being optional or mandatory--the diagrams were clear; however, the text was inconsistent in reporting optional vs mandatory.
  
 
* There were no substantial changes needed from the comments
 
* There were no substantial changes needed from the comments
Line 102: Line 83:
 
* definition of Grantor?
 
* definition of Grantor?
 
* addition definition to be added to add sensitivity, confidentiality to be added to appendix A
 
* addition definition to be added to add sensitivity, confidentiality to be added to appendix A
MOTION: Accept changes group made/updates as disposition comments as indicated 73-89 (Mike/Suzanneas
+
MOTION: Accept changes group made/updates as disposition comments as indicated 73-89 (Mike/Suzanne)
 
* Comments 73-89
 
* Comments 73-89
  
Line 113: Line 94:
 
'''Volume 3'''
 
'''Volume 3'''
 
* coming along nicely; hope to have something to present for WGM
 
* coming along nicely; hope to have something to present for WGM
* note: the crux of volume 3 is around provenance.  we have provenance service designated for that purpose--at the same time we don't want to mislead people that the way is implemented (it's a conceptual model) they may infer that we have a centralized system in mind.  We will be putting some text in the document to ensure that its clear--that you may have a centralized system or a system where different entiied provie (schwarming'') or maintain in their own system with extra storage space that they have
+
* note: the crux of volume 3 is around provenance.  we have provenance service designated for that purpose--at the same time we don't want to mislead people that the way is implemented (it's a conceptual model) they may infer that we have a centralized system in mind.  We will be putting some text in the document to ensure that it’s clear--that you may have a centralized system or system where different entities provide (schwarming'') or maintain in their own system with extra storage space that they have
* how the storage is implemented - mentioned that there are vaious options avialalbe - i.e. digital legers etc., its a fairly recently thing and we didnt' want to mislead people into thinking that the service needs to be centralized.
+
* how the storage is implemented - mentioned that there are various options available - i.e. digital legers etc., it’s a fairly recently thing and we didn’t' want to mislead people into thinking that the service needs to be centralized.
* JMoehrke - we also don't wan to be …. block chain compliant
+
* JMoehrke - we also don't want to be …. block chain compliant
 
* not using block chain so much as we are focused toward digital leger
 
* not using block chain so much as we are focused toward digital leger
** Mike would like 1:1 time with JohnM to go over some of the items at the WGM
+
** Mike would like 1:1 time with JohnM to go over some of the items at the WGM (discussion to occur offline)
 +
 
  
 +
PAC (Kathleen’s notes)
 +
*HL7 PAC Request RE: 21st Century Cures EHR Reporting Program
 +
Dear HL7 Work Group Chairs:
 +
ONC released a Request for Information (RFI) on August 24 related to the [https://www.federalregister.gov/documents/2018/08/24/2018-18297/request-for-information-regarding-the-21st-century-cures-act-electronic-health-record-reporting 21st Century Cures EHR Reporting Program requirements.]  HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback.
 +
Comments are due to ONC by October 17, 2018.  We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20.  Please send comments to PAC Chair Mark Segal at msegal@dig-hpa.com and Ticia Gerber at tgerber@hl7.org. 
 +
We have attached the RFI document with areas in green that we will be commenting on and areas in yellow that we are considering for HL7 comment.  We look forward to your feedback on these areas or  others you feel are relevant for your Work Groups.
 +
As background, ONC states that: This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA).  This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program. ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security.
 +
*Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under [https://www.law.cornell.edu/cfr/text/42/part-2 42 CFR part 2].
 +
*What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?
 +
**Proposed Input Topics:
 +
***Support adoption of [https://www.youtube.com/watch?v=fqLJlxt0MSo&list=PLBXgZMI_zqfRUXUZv9oEnIzWXHeW6slbq&index=8&t=0s SAMHSA Consent2Share]
 +
***Support adoption of HL7 Data Segmentation for Privacy CDA IG
 +
***Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
 +
***Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives
  
PAC
+
An effort to develop an approach into getting information on how EHR are being used; pain point facility (see Kathleen notes)
an effort to delvelopt an approach into getting information on how EHR are bein gused; pain point facility (see Kathleen notes)
+
* our specific area was to describe S&P that a certified health IT product should offer.
* our specific area was to describe S&P that a scertified healthIT product should offer.
+
* what certified technologies of acquisition decision makers to inform their decisions (buy, upgrade, etc.) for user needs
* what certified technologies of acquisition decision makers to inform their decsions (buy, upgrade, etc) for user needs
+
** how has that information informed the decision making in comparing S&P  
** how has that inforamton informed the decision making
 
in comparing S&P  
 
  
* consent to share seesm to be astrong candidate
+
* consent to share seems to be a strong candidate
* concerned in violatiolate of policy of picking products.  
+
* concerned in violation of policy of picking products.  
  
 
Timeline due : middle of the month....
 
Timeline due : middle of the month....
  
 
<<Kathleen to find exact dates>>
 
<<Kathleen to find exact dates>>
 
  
 
'''Baltimore Agenda'''
 
'''Baltimore Agenda'''
 
Review of current listed items
 
Review of current listed items
* Mike is looking for time to continue the TF4FA ballot reconciliation and exisiting work
+
* Mike is looking for time to continue the TF4FA ballot reconciliation and existing work
 
** add to Tuesday Q2 -  
 
** add to Tuesday Q2 -  
  
Line 144: Line 137:
 
* 3-year plan - needs to be refreshed
 
* 3-year plan - needs to be refreshed
 
** recommend that we use the spreadsheet that was used/more descriptive
 
** recommend that we use the spreadsheet that was used/more descriptive
** want to see that the plan is reflected in project insight; need to add tf4fa, more information with what we are doing with fhir, audit, etc...  
+
** want to see that the plan is reflected in project insight; need to add tf4fa, more information with what we are doing with FHIR, audit, etc...  
 
* update to DAM - Alex is working on
 
* update to DAM - Alex is working on
  
 
+
Do we have how we are going integrate CUI into the messaging - Kathleen is working on; fairly simple describes how controlled/classified marking should be done with v2, v3 and FHIR; askic approach is to use the SL field in TEFCA for privacy markers and have the CUI//H... as one of the privacy markers… you need to render them as the
 
+
rendering to end users’ needs to be standalone... it has to be its own label.
Do we have how we are going integrate CUI into the messageing - Kathleen is working on; fairly siple describes how controleed/classified marking should be done with v2, v3 and fhir; askic approach is to use the SL field in TEFCA for privacy markes and have the CUI//H... as one of the privacy markes… you need to render them as the
+
* so, the industry knows how to apply
rendiering to end users needs to be standalone... it has to be its own label.
+
** mike just off call from internal WG - other agencies are moving forward with labeling , CUI; they are not as aware of what the HL7 messaging looks like. agencies are thinking about the content they're sharing--not necessary the specialized content.  we need a labeling service that handles the CUI in additional to the HCS;
* so the industry knows how to apply
+
* we need to have guidance if we are going to do that...how its managed over time as well. we have CUI inside of our content, we need to declassify messages/message content. how do we do that (at a later time?)  ; how do you do that in an HL7 message.
** mike just off call from internal WG - other agencies are moving forwad with labeling , CUI; they are not as aware of what the HL7 messaging looks like. agencies are thinking about the content they're sharing--not necessary the specialized content.  we need a labeling service that handliens the cui in additional to the hcs;
+
** you'd want to track it in provenance or...    we do have those codes. there are codes for obligation.  
* we need to have guidance if we are going to do that..how its managed over time as ell. we have cui inside of our content, we need to declassily messagae message/content.. how do we do that (at a later time?)  ; how do you do tha tin an hl7 message.
+
it’s part of --cross-paradigm project which is also featuring security labels.  
** you'd want to track it in provenace or...    we do have those codes. theyr are coes ofor bolication.  
+
JohnM  - another torugh. what I’m hearing is a specific policy, an environmental constrain that this work you’re describing  operates inside of. once you explain that, it becomes clear that we're in an environment for which this labeling is detectable and mandatory and for which all actors have agreed to abide by and enforce.  then what you're describes is the 'how' the communication happens.  I agree... would like to see it laid out for clarification sake.  All the mechanics are there but orchestrating them on paper... where, when this happens, is a nice thing to lay out.   
its part of --cross-paradigm project which is also featuring security lables.  
+
Kathleen 0 that's the plan and am doing that in the x-paradigm.  NIST 198(?) and here would be the way we reflected the syntax in the hs]cs..  name tags here are the tags that name/abstract codes--to which there are rules around them... privacy markers are down here in text that hasn't been moved into harmonization.  it will describe the ag found in messages.  I=we do this already in ds4p.  this would be turning the items into code...the one place that doesn’t support this well right now is FHIR.  this uncontrolled can be CUI//hit a definition in the usage note, must be rendered independently with its marking.
JohnM  - another torugh. what i' hearning is a specific policy, an environmental constrain that this work yo're descries poperates inside of. once you explain that, it becomes clar that we're in an environment for whih this labelingis detectable and manadatory and for which all actors have ageed to abide by and enforce.  then what you're decribes is the 'how' the communication happens.  I agree... would like to see it laid out for clairification sake.  All the mechanicas are there but orchestrating them on paper... where, when this happens, is a nice thing to lay out.   
+
* when complete, Kathleen will send it out
Kathllen 0 that's the plan and am doing that in the x-paradigm.  nist 198(?) and here would be the way we reflected the syntax int eh hs]cs..  name tabgs here are the tags that name/abstract dcodes--to which ther are rules around them... privacy markes ar down here in text that hasn't been moved into harmonization.  it will describe the ag found in messages.  I=we do this already in ds4p.  this would be turning the items into code...the one place that oesnt support this well right now is fhir.  this uncontrolled can be CUI//hlth a definition in the usage note, must be rendered independatnly with its marking.
+
** mike says we also needs this for security labeling. we're already talking about high water mark, and there are potions high water mark, disaggregated.  that probably can be part of an update to HCS.  
* when complete, kathleen will send it out
+
JohnM I am very supportive of this and hope to have a nice to see it.  I think If you coach this as within a domain that has adopted this value set for these meanings, you’ve already got the enforcement mechanism the definition--- if you don’t' do that you're going to say things that are unforce able and argumentative.  The point is there will be environments that choose that fit particular policies.  i.e. ds4p... those who chose, are accepted by the agreement to participate and therefore take on meaning.  just trying to point out the order of governance.
** mike says we also needs this for security labeling. we're alrady taklkingabout high ater mkare, and ther eare potions high water mark, disagreegated.  that probably can be part of an update to HCS.  
 
JOhnM I am very supportive of this and hope to have a nce to see it.  I think I fyou coach this as within a domain that has acdpted this value set for these meanings, yo've already got the enfocement mechanism th definition--- if you dont' do that you're gonna say things that are unforceable and argumentative.  thepont is there will be enviroments that choose that fit in particular polcies.  i.e. ds4p... those who chose, are accepted by the agreement o participate and therefore take on emanng.  just rying to point out the order of governance.
 
 
* that makes sense... on the flip side, if people put uis anywhere... it will not be interoperable.
 
* that makes sense... on the flip side, if people put uis anywhere... it will not be interoperable.
 
** need to confirm who is going to adopt it.
 
** need to confirm who is going to adopt it.
** by legal agreement is going to be y agreement, the originators of CUI is alwaysgoing to be a federal agency.   
+
** by legal agreement is going to be y agreement, the originators of CUI are always going to be a federal agency.   
john m., its policy first then actions and behaviors
+
JohnM its policy first then actions and behaviors
 
 
  
additional items?  hearing none
+
No additional items brought forward for discussion
  
meeting adjorned at 1242 Arizona Time--[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 15:42, 11 September 2018 (EDT)
+
Meeting adjourned at 1242 Arizona Time--[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 15:42, 11 September 2018 (EDT)

Latest revision as of 18:49, 18 September 2018

Back to Security Main Page

Attendees

Meeting recording: temporary https://fccdl.in/nPYsXM26ZP 
x Member Name x Member Name x Member Name x Member Name
x John Moehrke Security Co-chair x Kathleen Connor Security Co-chair . Alexander Mense Security Co-chair . Trish Williams Security Co-chair
x Christopher Shawn Security Co-chair x Suzanne Gonzales-Webb x Mike Davis x David Staggs
x Diana Proud-Madruga . Johnathan Coleman . Francisco Jauregui x Joe Lamy
. Rhonna Clark . Greg Linden . Grahame Grieve x Dave Silver
. Mohammed Jafari . Jim Kretz . Peter Bachman . [mailto: ]
x Beth Pumo . Bo Dagnall . [mailto: ] . [mailto: ]

Back to Security Main Page

Agenda

Meeting Recording link: https://fccdl.in/05glbvmHlr (temporary)

  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of Minutes
  3. (5 min) GDPR whitepaper on FHIR Update - Alex, John, Kathleen
  4. (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
  5. (10 min) PASS Audit Update on Document - Mike
  6. (05 min) TF4FA Trust Framework, Volume 3 - Update Mike, Chris
  7. (10 min) Review of the 21st Century Cures EHR Reporting Program Security & Privacy feedback requested by HL7 PAC - Kathleen
  8. (10 min) Review of the Proposed Restructuring and Additions to FHIR Implementer’s Safety Check List
  9. (05 min) Security Working Group - upcoming HL7 Working Group Meeting, Baltimore Maryland

Meeting Minutes DRAFT

Chair, Kathleen Connor Role Taken, Agenda reviewed

Meeting minutes approved ( Mike/Beth ) Objections: none; Abstentions: none; Approved: 8

TF4FA Ballot Reconciliation The majority of the reconciliation was administrative in nature

  • a set of comments having to do with how we characterize some data as being optional or mandatory--the diagrams were clear; however, the text was inconsistent in reporting optional vs mandatory.
  • There were no substantial changes needed from the comments
  • definition of Grantor?
  • addition definition to be added to add sensitivity, confidentiality to be added to appendix A

MOTION: Accept changes group made/updates as disposition comments as indicated 73-89 (Mike/Suzanne)

  • Comments 73-89

abstain: none; opposed: approve: motion approved

PASS AUDIT - Mike

  • no update - continues to be on backburner


Volume 3

  • coming along nicely; hope to have something to present for WGM
  • note: the crux of volume 3 is around provenance. we have provenance service designated for that purpose--at the same time we don't want to mislead people that the way is implemented (it's a conceptual model) they may infer that we have a centralized system in mind. We will be putting some text in the document to ensure that it’s clear--that you may have a centralized system or system where different entities provide (schwarming) or maintain in their own system with extra storage space that they have
  • how the storage is implemented - mentioned that there are various options available - i.e. digital legers etc., it’s a fairly recently thing and we didn’t' want to mislead people into thinking that the service needs to be centralized.
  • JMoehrke - we also don't want to be …. block chain compliant
  • not using block chain so much as we are focused toward digital leger
    • Mike would like 1:1 time with JohnM to go over some of the items at the WGM (discussion to occur offline)


PAC (Kathleen’s notes)

*HL7 PAC Request RE: 21st Century Cures EHR Reporting Program
Dear HL7 Work Group Chairs:
ONC released a Request for Information (RFI) on August 24 related to the 21st Century Cures EHR Reporting Program requirements.  HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback.
Comments are due to ONC by October 17, 2018.  We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20.  Please send comments to PAC Chair Mark Segal at msegal@dig-hpa.com and Ticia Gerber at tgerber@hl7.org.   
We have attached the RFI document with areas in green that we will be commenting on and areas in yellow that we are considering for HL7 comment.  We look forward to your feedback on these areas or  others you feel are relevant for your Work Groups.
As background, ONC states that:	This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA).  This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program. ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security. 
*Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under 42 CFR part 2.
*What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?
**Proposed Input Topics:
***Support adoption of SAMHSA Consent2Share
***Support adoption of HL7 Data Segmentation for Privacy CDA IG
***Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
***Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives

An effort to develop an approach into getting information on how EHR are being used; pain point facility (see Kathleen notes)

  • our specific area was to describe S&P that a certified health IT product should offer.
  • what certified technologies of acquisition decision makers to inform their decisions (buy, upgrade, etc.) for user needs
    • how has that information informed the decision making in comparing S&P
  • consent to share seems to be a strong candidate
  • concerned in violation of policy of picking products.

Timeline due : middle of the month....

<<Kathleen to find exact dates>>

Baltimore Agenda Review of current listed items

  • Mike is looking for time to continue the TF4FA ballot reconciliation and existing work
    • add to Tuesday Q2 -


WG Health for co-chairs

  • 3-year plan - needs to be refreshed
    • recommend that we use the spreadsheet that was used/more descriptive
    • want to see that the plan is reflected in project insight; need to add tf4fa, more information with what we are doing with FHIR, audit, etc...
  • update to DAM - Alex is working on

Do we have how we are going integrate CUI into the messaging - Kathleen is working on; fairly simple describes how controlled/classified marking should be done with v2, v3 and FHIR; askic approach is to use the SL field in TEFCA for privacy markers and have the CUI//H... as one of the privacy markers… you need to render them as the rendering to end users’ needs to be standalone... it has to be its own label.

  • so, the industry knows how to apply
    • mike just off call from internal WG - other agencies are moving forward with labeling , CUI; they are not as aware of what the HL7 messaging looks like. agencies are thinking about the content they're sharing--not necessary the specialized content. we need a labeling service that handles the CUI in additional to the HCS;
  • we need to have guidance if we are going to do that...how its managed over time as well. we have CUI inside of our content, we need to declassify messages/message content. how do we do that (at a later time?) ; how do you do that in an HL7 message.
    • you'd want to track it in provenance or... we do have those codes. there are codes for obligation.

it’s part of --cross-paradigm project which is also featuring security labels. JohnM - another torugh. what I’m hearing is a specific policy, an environmental constrain that this work you’re describing operates inside of. once you explain that, it becomes clear that we're in an environment for which this labeling is detectable and mandatory and for which all actors have agreed to abide by and enforce. then what you're describes is the 'how' the communication happens. I agree... would like to see it laid out for clarification sake. All the mechanics are there but orchestrating them on paper... where, when this happens, is a nice thing to lay out. Kathleen 0 that's the plan and am doing that in the x-paradigm. NIST 198(?) and here would be the way we reflected the syntax in the hs]cs.. name tags here are the tags that name/abstract codes--to which there are rules around them... privacy markers are down here in text that hasn't been moved into harmonization. it will describe the ag found in messages. I=we do this already in ds4p. this would be turning the items into code...the one place that doesn’t support this well right now is FHIR. this uncontrolled can be CUI//hit a definition in the usage note, must be rendered independently with its marking.

  • when complete, Kathleen will send it out
    • mike says we also needs this for security labeling. we're already talking about high water mark, and there are potions high water mark, disaggregated. that probably can be part of an update to HCS.

JohnM I am very supportive of this and hope to have a nice to see it. I think If you coach this as within a domain that has adopted this value set for these meanings, you’ve already got the enforcement mechanism the definition--- if you don’t' do that you're going to say things that are unforce able and argumentative. The point is there will be environments that choose that fit particular policies. i.e. ds4p... those who chose, are accepted by the agreement to participate and therefore take on meaning. just trying to point out the order of governance.

  • that makes sense... on the flip side, if people put uis anywhere... it will not be interoperable.
    • need to confirm who is going to adopt it.
    • by legal agreement is going to be y agreement, the originators of CUI are always going to be a federal agency.

JohnM its policy first then actions and behaviors

No additional items brought forward for discussion

Meeting adjourned at 1242 Arizona Time--Suzannegw (talk) 15:42, 11 September 2018 (EDT)