Difference between revisions of "September 5, 2017 Security Conference Call"

Back to Security Main Page

Attendees

Back to Security Main Page

Agenda

1. (2 min) Roll Call, Agenda Approval
2. (4 min) Review and Approval of Security WG Call Minutes August 29, 2017
3. (15 min) San Diego Sept WGM Agenda - Kathleen
4. (15 min) Security Labels for HL7v.2 See Links below for background - Kathleen
5. (5 min) Security WG Interim Health Metrics - presiding cochair
6. (5 min) ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
7. (5 min) FHIR Security call - cancelled.

News and Review Material

• HIE Bright Spots: Health Information Exchange as a Key Enabler of Care Coordination – Part 1
• HIE Bright Spots: How ADT Messages Support Care Coordination – Part II
• The Regional ADT Exchange Network Infrastructure Models Brief
• Executive Summary on HIEs using ADT
• The nine communities that provided in depth information about their experiences for this Learning Guide are: Bangor Beacon (Maine), Crescent City Beacon (Louisiana), Greater Cincinnati Beacon (Ohio), Keystone Beacon (Pennsylvania), Rhode Island Beacon (Rhode Island), San Diego Beacon (California), Southeast Minnesota Beacon (Minnesota), Tulsa Beacon (Oklahoma), and Western New York Beacon (New York)]
• The Full Learning Guide: Improving Hospital transitions and care coordination using ADT alerts
• Illinois Webinar about ADT Messaging as mainstay HIE transaction
• Need assisteance with PASS Audit Ballot Comments from Bernd Blobel resolved. E.g., Move Figure 1 to Functional Section because it is too detailed. Make references to "client" as source of audit content and "source" as source of audit content consistent.
• NSTC National Privacy Research Strategy
• NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft Comments due Sept. 12. Please add to CBCC and Security WG NIST SP 800-53 Rev 5 Comment Page
• NIST SP Security and Privacy Controls for Information Systems and Organizations Revision 5 Comments due September 12, 2017 See [CBCC and Security WG Comment Page and Security WG Comment Page for NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft ]]
• Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
• Introduction: Digital identities are used in nearly every aspect of our online activities each day. A digital identity is the unique representation of a subject that is engaged in an online transaction. This bulletin outlines updates that NIST recently made in its four-volume Special Publication (SP) 800-63, Digital Identity Guidelines, which provide agencies with technical guidelines regarding the digital authentication of users to federal networked systems. Rather than being a single, monolithic guideline, SP 800-63-3 has been separated in multiple parts – each representing a distinct component of digital identity services. This way, organizations can choose the document that applies to the digital identity services they want to offer. This approach makes applying the guidelines easier for agencies—and also sets the stage for a nimble continuous improvement process. Also, NIST can quickly release key updates, rather than delivering in two or three year cycles.
• This bulletin will describe the components of digital identity – identity proofing, authentication, and federation – and explain how federal agencies can use them to protect the digital identities of their employees. It also provides an overview of the NIST documents that describe these digital identity components and explains how the information in them is organized.

Understanding Digital

• Identity proofing is the process used to verify a subject’s association with their real-world

identity, establishing that a subject is who they claim to be.

• An authenticator is something the subject possesses and controls (typically, a cryptographic

module or password) that is used to authenticate the subject’s identity.

• Digital authentication is the process of determining the validity of one or more authenticators

used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. Successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same that previously accessed the service.

• Federation is when the relying party (RP) and identity provider (IdP) are not a single entity or

not under common administration. Federation enables an IdP to proof and authenticate an individual and provide identity assertions that RPs can accept and trust. How has SP 800-63-3 evolved? Since the last revision of this document in 2013, NIST SP 800-63-2, digital identity components have evolved substantially. To better align with market-driven business models and innovation, the new revision replaces levels of assurance (LOAs) with ordinals for individual parts of the digital identity flow, providing implementers with more flexibility in their design and operations:

• • Identity Assurance Level (IAL): the identity proofing process and the binding between one or

more authenticators and the records pertaining to a specific subscriber;

• Authenticator Assurance Level (AAL): the authentication process, including how additional

factors and authentication mechanisms can impact risk mitigation; and

• Federation Assurance Level (FAL): the assertion used in a federated environment to

communicate authentication and attribute information to a RP.

• SP 800-63 is a suite of four documents: SP 800-63-3 (the parent document; your starting point for all things digital identity and risk) and three additional documents – SP 800-63A, 800-63B, and 800-63C –which cover the various components of a digital identity system. These documents are described below:
• SP 800-63-3, Digital Identity Guidelines, provides an overview of general identity frameworks,

guidance regarding use of authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels;

• • SP 800-63A, Enrollment and Identity Proofing;
  • SP 800-63B, Authentication and Lifecycle Management; and
  • SP 800-63C, Federation and Assertions.
• See links @ *[ https://pages.nist.gov/800-63-3/NIST SP 800-63, Digital Identity Guidelines - 4 Volumes]
• NSTC National Privacy Research Strategy and Comment Page
• PEW Report - The Internet of Things and Future Shock: Too Much Change Too Fast?Lee Rainie, director of Internet, Science and Technology Research at the Pew Research Center, spoke on May 10, 2017 to the American Bar Association’s Section of Science and Technology Law about the rise of the Internet of Things and its implications for privacy and cybersecurity. The velocity of change today is remarkable and increasingly challenging to navigate. Rainie discussed Pew Research Center’s reports about “Digital Life in 2025”and “The Internet of Things Will Thrive by 2025,” which present the views of hundreds of “technology builders and analysts” on the future of the internet.
  • PEW Report - The public and cybersecurity practices and knowledge Lee Rainie, director of internet, science and technology research at Pew Research Center, presented the Center’s findings about public practices and knowledge related to cybersecurity to the advisory board of the National Cybersecurity Alliance on May 5, 2017. He discussed the wide variance in what the public knows about key cybersecurity issues and concepts and people’s habits when it comes to handling the passwords to their online accounts and their use of public Wi-Fi networks.

Minutes =

• Chaired by Alex
• Agenda approved (Kathleen, John)
• Deferred to next call Security WG Call Minutes August 29, 2017
• San Diego Sept WGM Agenda - Kathleen
  • Please review the News posted by Kathleen
  • Agenda was updated by Kathleen and schedule was reviewed
  • CBCC, SOA are included in Agenda
  • Mike Comment (1): Recommends we speak to SOA on Burts comments Pass Audit, t
  • Mike Comment (2): joint meeting with SOA may help with Burts comments
  • Mobile Health is included in joint
  • Comment (3) Diana: We should make participants aware of NISP changes and ballot reconciliation
  • Comment Mike (4): Security will no longer have a SOA Chair
  • Comment Kathleen (5): notified John she will include FHIR perimeters in Agenda, FHIR Ballot is out
    • will give the opportunity to discuss the SMART on FHIR and our role in the future (John)
  • Proposal: Mike proposed to remove Cascading OATH

• Security Labels for HL7v.2 See Links below for background - Kathleen
  • Highlights and presentation still in progress and will be provided for group
  • Currently working on the following:
  • HIE using two message and connection with Trust Framework
  • HL7 Security Labels
  • Reviewing work of ONC on Security Labels and HIE
  • Privacy risk on HIE use of security labels
  • Links to HIE reports to ONC included under News
  • Can be a topic for joint meeting with CBCC
  • CBCC agenda is not yet updated
  • HL7 21st Cent. Cures act should also be included in Agenda (Mike)
• Security WG Interim Health Metrics - presiding cochair
  • Reviewed during call and does not need any changes
• ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
  • Reviewed under "Security Labels for HL7v.2 See Links below for background" agenda item
  • Unsure of Jonathan will be attending
• FHIR Security call - cancelled.
  • Call Adjourned