September 11, 2018 Security Conference Call
Meeting recording: temporary https://fccdl.in/nPYsXM26ZP
| Attended | Member Name | Attended | Member Name | Attended | Member Name | Attended | Member Name |
|---|---|---|---|---|---|---|---|
| x | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| x | Christopher Shawn, Security Co-chair | x | Suzanne Gonzales-Webb | x | Mike Davis | x | David Staggs |
| x | Diana Proud-Madruga | . | Johnathan Coleman | . | Francisco Jauregui | x | Joe Lamy |
| . | Rhonna Clark | . | Greg Linden | . | Grahame Grieve | x | Dave Silver |
| . | Mohammed Jafari | . | Jim Kretz | . | Peter Bachman | | |
| x | Beth Pumo | . | Bo Dagnall | | | | |
Meeting Recording link: https://fccdl.in/05glbvmHlr (temporary)
- (2 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of Minutes
- Security Conference Call September 04, 2018
- Note: August 28 Meeting Minutes updated as indicated per vote on 9/4/2018
- (5 min) GDPR whitepaper on FHIR Update - Alex, John, Kathleen
- (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
- (10 min) PASS Audit Update on Document - Mike
- assignment of document update?
- (05 min) TF4FA Trust Framework, Volume 3 - Update Mike, Chris
- (10 min) Review of the 21st Century Cures EHR Reporting Program Security & Privacy feedback requested by HL7 PAC - Kathleen
- (10 min) Review of the Proposed Restructuring and Additions to FHIR Implementer’s Safety Check List
- (05 min) Security Working Group - upcoming HL7 Working Group Meeting, Baltimore Maryland
- Additional Agenda items to add?
- DRAFT Agenda Link: http://wiki.hl7.org/index.php?title=September_2018_Security_Working_Group_Meeting_-_Baltimore,_Maryland_USA
Meeting Minutes DRAFT
Chair, Kathleen Connor Role Taken, Agenda reviewed
Meeting minutes approved (Mike/Beth). Objections: none; Abstentions: none; Approved: 8
TF4FA Ballot Reconciliation
The majority of the reconciliation was administrative in nature.
- A set of comments had to do with how we characterize some data as being optional or mandatory: the diagrams were clear; however, the text was inconsistent in reporting optional vs. mandatory.
- There were no substantial changes needed from the comments.
- Definition of Grantor?
- Additional definitions to be added: sensitivity and confidentiality to be added to Appendix A.
MOTION: Accept the changes/updates the group made as the disposition of comments 73-89 as indicated (Mike/Suzanne)
- Comments 73-89
Abstain: none; Opposed: ; Approve: ; motion approved
PASS AUDIT - Mike
- No update; continues to be on the back burner.
TF4FA Trust Framework, Volume 3 - Mike
- Coming along nicely; hope to have something to present at the WGM.
- Note: the crux of Volume 3 is provenance. We have a provenance service designated for that purpose; at the same time we don't want to mislead people about the way it is implemented (it's a conceptual model), since they may infer that we have a centralized system in mind. We will be putting text in the document to make it clear that you may have a centralized system, or a system where different entities provide (swarming) or maintain the records in their own systems with whatever extra storage space they have.
- How the storage is implemented: there are various options available, e.g., digital ledgers. It's a fairly recent thing and we didn't want to mislead people into thinking that the service needs to be centralized.
- JMoehrke - we also don't want to be …. blockchain compliant
- Not using blockchain so much as we are focused toward a digital ledger.
- Mike would like 1:1 time with JohnM to go over some of the items at the WGM (discussion to occur offline).
PAC (Kathleen’s notes)
HL7 PAC Request RE: 21st Century Cures EHR Reporting Program

Dear HL7 Work Group Chairs: ONC released a Request for Information (RFI) on August 24 related to the 21st Century Cures EHR Reporting Program requirements. HL7 will be commenting and our Policy Advisory Committee (PAC) is currently gathering feedback. Comments are due to ONC by October 17, 2018. We ask that you send any comments you would like considered for inclusion in the HL7 response by Thursday, September 20. Please send comments to PAC Chair Mark Segal at firstname.lastname@example.org and Ticia Gerber at email@example.com. We have attached the RFI document with areas in green that we will be commenting on and areas in yellow that we are considering for HL7 comment. We look forward to your feedback on these areas or others you feel are relevant for your Work Groups.

As background, ONC states that: This request for information (RFI) seeks input from the public regarding the Electronic Health Record (EHR) Reporting Program established as Section 4002 of the 21st Century Cures Act (Cures Act) codified Section 3009A in Title XXX of the Public Health Service Act (PHSA). This RFI is a first step toward implementing the statute. Its responses will be used to inform subsequent discussions among stakeholders and future work toward the development of reporting criteria under the EHR Reporting Program.

ONC is looking for cross-cutting and category specific feedback on 21st Century Cures EHR Reporting Program criteria in the areas of: Security.
- Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under 42 CFR part 2.
- What information about a certified health IT product's security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users' needs? How has that information helped inform decision-making? What other information would be useful in comparing certified health IT products on security and privacy (e.g., compatibility with newer security technologies such as biometrics)?

Proposed Input Topics:
- Support adoption of SAMHSA Consent2Share
- Support adoption of HL7 Data Segmentation for Privacy CDA IG
- Support adoption of HL7 Security Labeling Service IG and Healthcare Privacy and Security Classification System
- Support adoption of FHIR Security Labeling, FHIR Consent and FHIR Contract Consent Directive for Part 2 Consent Directives
An effort to develop an approach to getting information on how EHRs are being used and where the pain points are (see Kathleen's notes).
- Our specific area was to describe the security and privacy features a certified health IT product should offer.
- What information about certified technology do acquisition decision makers use to inform their decisions (buy, upgrade, etc.) for user needs?
- How has that information informed decision making when comparing security and privacy?
- Consent2Share seems to be a strong candidate.
- Concern about violating policy by picking products.
Timeline due : middle of the month....
<<Kathleen to find exact dates>>
Baltimore Agenda Review of current listed items
- Mike is looking for time to continue the TF4FA ballot reconciliation and existing work.
- Add to Tuesday Q2.
WG Health for co-chairs
- 3-year plan needs to be refreshed.
- Recommend that we use the spreadsheet that was used previously, which is more descriptive.
- Want to see that the plan is reflected in Project Insight; need to add TF4FA and more information on what we are doing with FHIR, audit, etc.
- Update to the DAM: Alex is working on it.
Do we have a plan for how we are going to integrate CUI into the messaging? Kathleen is working on it; it is fairly simple and describes how controlled/classified markings should be done with v2, v3 and FHIR. The basic approach is to use the SL field in TEFCA for privacy markers and have the CUI//H... as one of the privacy markers. You need to render them, as the rendering to end users needs to be standalone; it has to be its own label.
- So the industry knows how to apply it.
- Mike, just off a call with an internal WG: other agencies are moving forward with labeling and CUI; they are not as aware of what HL7 messaging looks like. Agencies are thinking about the content they're sharing, not necessarily the specialized content. We need a labeling service that handles CUI in addition to the HCS.
- We need to have guidance if we are going to do that, including how it is managed over time. If we have CUI inside our content, we need to be able to declassify messages/message content. How do we do that (at a later time)? How do you do that in an HL7 message?
- You'd want to track it in provenance or... we do have those codes; there are codes for obligation.
It's part of the cross-paradigm project, which is also featuring security labels.
JohnM - another thought. What I'm hearing is a specific policy, an environmental constraint that this work you're describing operates inside of. Once you explain that, it becomes clear that we're in an environment for which this labeling is detectable and mandatory and which all actors have agreed to abide by and enforce. Then what you're describing is the 'how' the communication happens. I agree... would like to see it laid out for clarification's sake. All the mechanics are there but orchestrating them on paper... where, when this happens, is a nice thing to lay out.
Kathleen - that's the plan and I am doing that in the cross-paradigm project. NIST 198(?) and here would be the way we reflected the syntax in the HCS... name tags here are the tags that name/abstract codes, to which there are rules around them... privacy markers are down here in text that hasn't been moved into harmonization. It will describe the tag found in messages. We do this already in DS4P. This would be turning the items into code... the one place that doesn't support this well right now is FHIR. This uncontrolled can be CUI//hit a definition in the usage note, must be rendered independently with its marking.
- When complete, Kathleen will send it out.
- Mike says we also need this for security labeling. We're already talking about the high water mark, and there are portions of the high water mark that are disaggregated. That can probably be part of an update to the HCS.
JohnM - I am very supportive of this and hope to see it. I think if you couch this as within a domain that has adopted this value set for these meanings, you've already got the enforcement mechanism, the definition. If you don't do that you're going to say things that are unenforceable and argumentative. The point is there will be environments that choose that fit particular policies, i.e. DS4P... those who chose are accepted by the agreement to participate and therefore take on meaning. Just trying to point out the order of governance.
- That makes sense... on the flip side, if people put CUI anywhere, it will not be interoperable.
- Need to confirm who is going to adopt it.
- By legal agreement, the originators of CUI are always going to be a federal agency.
JohnM - it's policy first, then actions and behaviors.
No additional items brought forward for discussion