
Difference between revisions of "September 11, 2018 Security Conference Call"

From HL7Wiki
Line 51 (diff excerpt; identical in both revisions):

  • Security Conference Call September 04, 2018
  • Note: August 28 Meeting Minutes updated as indicated per vote on 9/4/2018
  • (5 min) GDPR whitepaper on FHIR Update - Alex, John, Kathleen
  • (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
    • Meetings: Tuesdays, 11:00 AM Eastern; same as Security call

Revision as of 20:26, 11 September 2018

Meeting recording: temporary 
Attendance (x = present, . = absent):

  x  Kathleen Connor, Security Co-chair
  x  Christopher Shawn, Security Co-chair
  x  Suzanne Gonzales-Webb
  x  David Staggs
  x  Francisco Jauregui
  x  Joe Lamy
  x  Dave Silver
  x  Beth Pumo
  .  John Moehrke, Security Co-chair
  .  Alexander Mense, Security Co-chair
  .  Trish Williams, Security Co-chair
  .  Mike Davis
  .  Diana Proud-Madruga
  .  Johnathan Coleman
  .  Rhonna Clark
  .  Greg Linden
  .  Grahame Grieve
  .  Mohammed Jafari
  .  Jim Kretz
  .  Peter Bachman
  .  Bo Dagnall


  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of Minutes
  3. (5 min) GDPR whitepaper on FHIR Update - Alex, John, Kathleen
  4. (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
  5. (10 min) PASS Audit Update on Document - Mike
  6. (05 min) TF4FA Trust Framework, Volume 3 - Update Mike, Chris
  7. (10 min) Review of the 21st Century Cures EHR Reporting Program Security & Privacy feedback requested by HL7 PAC - Kathleen
  8. (10 min) Review of the Proposed Restructuring and Additions to FHIR Implementer’s Safety Check List
  9. (05 min) Security Working Group - upcoming HL7 Working Group Meeting, Baltimore Maryland

Meeting Minutes DRAFT

Chair: Kathleen Connor. Roll taken, agenda reviewed.

Meeting Materials

  • HL7 PAC Request RE: 21st Century Cures EHR Reporting Program

Dear HL7 Work Group Chairs: ONC released a Request for Information (RFI) on August 24 related to the 21st Century Cures EHR Reporting Program requirements.  HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback. Comments are due to ONC by October 17, 2018.  We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20.  Please send comments to PAC Chair Mark Segal at and Ticia Gerber at   We have attached the RFI document with areas in green that we will be commenting on and areas in yellow that we are considering for HL7 comment.  We look forward to your feedback on these areas or others you feel are relevant for your Work Groups. As background, ONC states that: This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA). This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program. ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security.

  • Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under 42 CFR part 2.
  • What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?
    • Proposed Input Topics:
      • Support adoption of SAMHSA Consent2Share
      • Support adoption of HL7 Data Segmentation for Privacy CDA iG
      • Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
      • Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives

Meeting minutes approved (moved by / seconded by Beth).

TF4FA Ballot Reconciliation

The majority of the reconciliation was administrative in nature.

  • a set of comments had to do with how we characterize some data as optional or mandatory; the diagrams were clear, but the text was inconsistent in reporting optional vs. mandatory.
  • no substantial changes were needed as a result of the comments
  • definition of Grantor?
  • additional definitions (sensitivity, confidentiality) to be added to Appendix A

MOTION: Accept the changes/updates the group made as the dispositions for comments 73-89, as indicated (Mike / Suzanne)

  • Comments 73-89

Abstain: none; opposed: ; motion approved.


PASS Audit Update on Document

  • no update; continues to be on the back burner

Volume 3

  • coming along nicely; hope to have something to present at the WGM
  • note: the crux of Volume 3 is provenance. We have a provenance service designated for that purpose. At the same time we don't want to mislead people about the way it is implemented (it's a conceptual model) so that they infer we have a centralized system in mind. We will put text in the document to make it clear that you may have a centralized system, or a system where different entities provide (swarming) or maintain provenance in their own systems with whatever extra storage space they have.
  • how the storage is implemented: mentioned that various options are available, e.g. digital ledgers; it's a fairly recent thing and we didn't want to mislead people into thinking that the service needs to be centralized.
  • JMoehrke: we also don't want to be … blockchain compliant
  • not using blockchain so much as we are focused toward a digital ledger
    • Mike would like 1:1 time with JohnM to go over some of the items at the WGM

PAC: an effort to develop an approach to getting information on how EHRs are being used; pain point facility (see Kathleen's notes)

  • our specific area was to describe the security and privacy (S&P) features that a certified health IT product should offer.
  • what information about certified technologies acquisition decision makers use to inform their decisions (buy, upgrade, etc.) for user needs
    • how has that information informed decision making in comparing S&P
  • Consent2Share seems to be a strong candidate
  • concerned about violating policy by picking products.

Timeline due : middle of the month....

<<Kathleen to find exact dates>>

Baltimore Agenda: review of currently listed items

  • Mike is looking for time to continue the TF4FA ballot reconciliation and existing work
    • add to Tuesday Q2 -

WG Health for co-chairs

  • 3-year plan needs to be refreshed
    • recommend that we use the spreadsheet that was used before / make it more descriptive
    • want to see that the plan is reflected in Project Insight; need to add TF4FA and more information on what we are doing with FHIR, audit, etc.
  • update to the DAM - Alex is working on it

Do we have a description of how we are going to integrate CUI into the messaging? Kathleen is working on it; it is fairly simple and describes how controlled/classified markings should be done with v2, v3 and FHIR. The basic approach is to use the SL field in TEFCA for privacy marks and have CUI//H... as one of the privacy marks… you need to render them, as the rendering to end users needs to be standalone... it has to be its own label.

  • so the industry knows how to apply it
    • Mike, just off a call with an internal WG: other agencies are moving forward with labeling and CUI; they are not as aware of what HL7 messaging looks like. Agencies are thinking about the content they're sharing, not necessarily the specialized content. We need a labeling service that handles the CUI in addition to the HCS.
  • we need to have guidance on how it is managed over time as well. We have CUI inside our content; we need to declassify the message/content. How do we do that (at a later time)? How do you do that in an HL7 message?
    • you'd want to track it in provenance or... we do have those codes; there are codes for obligation.

It's part of the cross-paradigm project, which is also featuring security labels. JohnM: another thought. What I'm hearing is a specific policy, an environmental constraint that the work you're describing operates inside of. Once you explain that, it becomes clear that we're in an environment for which this labeling is detectable and mandatory and which all actors have agreed to abide by and enforce. Then what you're describing is the 'how' of the communication. I agree... would like to see it laid out for clarification's sake. All the mechanics are there, but orchestrating them on paper (where and when this happens) is a nice thing to lay out. Kathleen: that's the plan and I am doing that in the x-paradigm. NIST 198(?) and here would be the way we reflected the syntax in the HCS... name tags here are the tags that name/abstract codes, to which there are rules around them... privacy marks are down here in text that hasn't been moved into harmonization. It will describe the tag found in messages. We do this already in DS4P. This would be turning the items into code... the one place that doesn't support this well right now is FHIR. This uncontrolled can be CUI//HLTH; a definition in the usage note: must be rendered independently with its marking.

  • when complete, Kathleen will send it out
    • Mike says we also need this for security labeling. We're already talking about high water mark, and there are portions: high water mark, disaggregated. That can probably be part of an update to the HCS.

JohnM: I am very supportive of this and hope to have a chance to see it. I think if you couch this as within a domain that has adopted this value set for these meanings, you've already got the enforcement mechanism, the definition. If you don't do that you're going to say things that are unenforceable and argumentative. The point is there will be environments that choose that fit in particular policies, i.e. DS4P... those who chose are accepted by the agreement to participate and therefore take on meaning. Just trying to point out the order of governance.

  • that makes sense... on the flip side, if people put CUIs anywhere... it will not be interoperable.
    • need to confirm who is going to adopt it.
    • by legal agreement it is going to be by agreement; the originator of CUI is always going to be a federal agency.

John M.: it's policy first, then actions and behaviors.

Additional items? Hearing none.

Meeting adjourned at 12:42 Arizona Time--Suzannegw (talk) 15:42, 11 September 2018 (EDT)