
Page 1: Web viewDennis Patterson dennis.patterson@cerner.com . ... Alexander Mense alexander.mense@hl7.at . ... Discussion around the inclusion of the word "Directive"

Security January 2016 Orlando WGM Minutes
From HL7Wiki

Minutes from Security WG


Overall Attendees

- Mike Davis [email protected]
- John Moehrke [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Kathleen Connor [email protected]
- Diana Proud-Madruga [email protected]
- Dennis Patterson [email protected]
- Michael Donnelly [email protected]
- Kevin Riley [email protected]
- Prareen Ekkati [email protected]
- Hideyuki Miyohara [email protected]
- Suzanne Gonzales-Webb [email protected]
- Joshua Mandel childlens.harvard.edu
- Grahame Grieve [email protected]
- Paul Knapp [email protected]
- Nancy Orvis [email protected]
- Chris Shawn [email protected]
- Beth Pumo [email protected]
- Johnathan Coleman [email protected]

Tuesday Q1

Attendees:

- Mike Davis [email protected]
- John Moehrke [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Kathleen Connor [email protected]
- Hideyuki Miyohara [email protected]
- Suzanne Gonzales-Webb [email protected]
- Chris Shawn [email protected]
- Beth Pumo [email protected]
- Johnathan Coleman [email protected]

Notes:

- Opening Security WG Meeting
- Introductions

Agenda HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG

- John/Trish: 10/0/0
- IHE Report
  - Advanced Patient Privacy Consents Profile -- will leverage CDA Consent Directive
  - Internet User Assertion (IUA) -- will leverage HEART OAuth profiles
- ISO Report
  - ???
- ONC - API taskforce HEART http://openid.bitbucket.org/HEART/
  - UMA
  - OAuth Scopes
  - Consent Receipt
- Healthcare Access Control Catalog
  - ballot reconciliation done, just waiting on agreement
- FHIR Consent -- see us in Q3 at CBCC
- Workgroup responsibilities
  - Future work items (Trish action item)


Tuesday Q2

Attendees:

- Mike Davis [email protected]
- John Moehrke [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Hideyuki Miyohara [email protected]
- Chris Shawn [email protected]
- Beth Pumo [email protected]

Notes:

- Security/EHR Verb/Provenance/Lifecycle Vocabulary
  - Work space: Record Lifecycle, Security, Privacy, and Provenance Vocabulary Alignment
  - Struggling greatly
  - Three months have produced 4 terms
  - Principle: find a good-enough definition, focus on describing the functionality
  - Note IHE has published a White Paper on "Health Information Management", written primarily by AHIMA individuals working within IHE. http://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_WP_HITStdsforHIMPratices_Rev1.1_2015-09-18.pdf
- Worked on 3 year plan for Security WG

Tuesday Q3

Attendees:

- Mike Davis [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Kathleen Connor [email protected]
- Hideyuki Miyohara [email protected]
- Chris Shawn [email protected]
- Diana Proud-Madruga [email protected]

Security WG Project Meeting - Notes

- SOA Audit
  - Diana started PSS. Group worked on formulation of PSS in preparation for joint meeting with SOA Q2 Wed.


- Discussion on Future work items
  - Future security tutorials (free or paid) future planning? New topic for tutorial would be to cover the security aspects of FHIR. This could cover the different resources: Questionnaire, Contract and C-CDA Composition, security vocabularies supporting the labeling. To be considered for HL7 WGM Sept 2016 or May if possible. This would be a free tutorial. Kathleen will inquire about opportunities to deliver such a tutorial close to the FHIR Connectathon.
- Workgroup Health
  - Email communication with TSC revealed that the WG is penalized for missing the TSC election last year. This penalty applies to the workgroup health for the following 3 meetings.
  - Three-Year Plan last updated Sept 2012. To be updated at this meeting. Trish updated Three-Year Plan in preparation for approval by WG.
  - Mission and Charter last updated May 2015
  - SWOT last updated May 2015
  - Decision Making Processes last updated Sept 2014
  - Post WGM Effectiveness Survey completed by Trish 13/01/2016
  - Room bookings for next WGM in May completed by Trish 13/01/2016
- Actions:
  - New Facilitator Publishing needs to be selected with the retirement of Mike Davis as Co-Chair. The HL7 Security Leadership page will need to be updated.
  - New Three-Year Plan to be circulated and approved by WG.
  - Next WGM (May) agenda to be posted to Wiki by 01 April 2016

Tuesday Q4

Attendees:

- Mike Davis [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Kathleen Connor [email protected]
- Hideyuki Miyohara [email protected]
- Chris Shawn [email protected]
- Beth Pumo [email protected]
- Don Jorgenson

Security WG Project Meeting Notes:

- Trust Framework
  - Establishing a level at which exchange between two or more entities can communicate.
  - The current methods of common contract are inflexible and often technology specific. How this architecture applies to FHIR is (as yet) undetermined.
  - The negotiation of the policies can happen at run-time, but these are computer-negotiated contracts that drive the policy.
  - Using Trust Frameworks allows run-time flexibility (and technology independence).
  - Possible future project for Sec WG. Kathleen to advise on drafted initial material previously presented to assess possible directions.
  - It is in the Security Labeling Service (SLS) but is not fully defined.

Wednesday Q1

Hosted by EHR

Topics Discussed

- Patient Choice Project - Johnathan Coleman
  - ONC recently launched this project. Will look at basic choice offered to the individual to prevent their PHI from being available for electronic exchange. Project to run Sept 2015 to March 2020. Refer to presentation.
- Vocabulary Alignment
  - 30 terms to align.
  - Originate and Receive working definitions agreed. Verify and Validate definitions not yet stable.
  - New PSS required as original PSS did not indicate that the work would go to ballot.
- Report on revisions for Harmonize provenance and audit event resource with the W3C in FHIR, from John Moehrke.
- Pain points in workflow project.
- FHIR W5 Report - Lloyd

Refer to EHR minutes for more detail

Wednesday Q2

Hosted by SOA

Wednesday Q3

Hosting FHIR


Attendees:

- John Moehrke [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Joshua Mandel [email protected]
- Hideyuki Miyohara [email protected]
- Peter Jordan [email protected]
- Yunwei Wang [email protected]
- Amlan Dasgupta [email protected]
- Steve Baumann [email protected]
- Kathleen Connor [email protected]
- Chuck Gerlach [email protected]
- Kevin Shekleton [email protected]
- Chris Greni [email protected]

Notes: Comment resolution.

Wednesday Q4

Attendees:

- John Moehrke [email protected]
- Alexander Mense [email protected]
- Princess Trish Williams [email protected]
- Duane DeCouteau [email protected]
- Hideyuki Miyohara [email protected]
- Suzanne Gonzales-Webb [email protected]

Agenda

- Discussion - Privacy Protection for the Internet of Things
- HEART, emerging vocabularies
- Approval of Three-Year Plan. Proposed John Moehrke, Seconded Alex Mense. Approved unanimously.

Notes:

Participants present did not have information on the Agenda items

Duane -- How can we work toward better security testing at FHIR Connectathon


John - Following the agreement from EHR Q1 today, we focus on helping DAF, SDC, and a new Document Sharing project to integrate security into their testing plans. They already include the security parts, they just don't have testing.

- Request has been sent to Lloyd (SDC), Dragon (DAF), and John (DS)
- Discussed possible phasing, as requiring full implementation in one shot would not be good. So we bring this in in phases so that the community accepts and implements it.
  - First phase -- AuditEvent recording. Focus on testing that actors in those IGs produce the appropriate AuditEvent. This can be tested at the audit service.
  - Second phase -- Provenance is recorded on all items created or updated.
  - Third phase -- automatic security labeling (e.g. declared policy that causes labeling that causes a good spectrum of labels; for example, label all observations that have a code with a "d" in the display name as "Restricted". This is not a useful policy except that it is computable and produces a testable result. If systems can do this, they likely can do expected realistic policies).
  - Fourth phase -- require authentication sent with all requests (contingent on having a model)
  - Fifth phase -- support for patient Authorization (Privacy Consent Directive)
  - Sixth phase -- privacy protecting services (e.g. redacting based on security labels and consent policy)
  - Seventh phase -- attribute based access control (ABAC) across the full lifecycle (IG)
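The third phase above hinges on a policy being computable and producing a testable result. The following Python sketch, added here as an illustration and not code from the minutes or from any HL7 project, implements the toy policy exactly as stated (an Observation whose code display contains a "d" gets the "Restricted" label) from both sides of a Connectathon test: a labeling step that a system under test would perform, and a verification step a test harness would run over the resulting resources. It assumes the label is carried in `meta.security` using the HL7 v3 Confidentiality code system (code `R`), which the minutes do not name, and it treats the "d" match as case-insensitive, which is an interpretation. The sample Observations are constructed, not real data.

```python
"""Toy automatic security labeling policy from the Connectathon phasing
discussion, applied to FHIR Observation resources. Added example; not from the
HL7 minutes or any HL7 project. Policy as stated in the minutes: label every
Observation whose code has a "d" in its display name as "Restricted". The
policy is deliberately artificial; what matters is that it is computable and
yields a result a test harness can check, including catching over-labeling.
"""
import json
from typing import Any

# Assumption: labels use the HL7 v3 Confidentiality code system, which is the
# usual binding for FHIR meta.security; the minutes name no code system.
CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
RESTRICTED = {"system": CONFIDENTIALITY_SYSTEM, "code": "R", "display": "restricted"}


def policy_requires_restricted(observation: dict[str, Any]) -> bool:
    """True when the toy policy says this Observation must carry label R.
    Every Coding.display under Observation.code is checked; the "d" match is
    case-insensitive (an interpretation; the minutes do not say)."""
    codings = observation.get("code", {}).get("coding", [])
    return any("d" in coding.get("display", "").lower() for coding in codings)


def has_label(resource: dict[str, Any], label: dict[str, str]) -> bool:
    """True if resource.meta.security already carries the given system/code."""
    for coding in resource.get("meta", {}).get("security", []):
        if coding.get("system") == label["system"] and coding.get("code") == label["code"]:
            return True
    return False


def apply_policy(observation: dict[str, Any]) -> dict[str, Any]:
    """System-under-test side: add label R where the policy requires it.
    Returns a new resource; the input is not mutated."""
    labeled = json.loads(json.dumps(observation))  # deep copy via JSON round-trip
    if policy_requires_restricted(labeled) and not has_label(labeled, RESTRICTED):
        labeled.setdefault("meta", {}).setdefault("security", []).append(dict(RESTRICTED))
    return labeled


def verify_policy(observations: list[dict[str, Any]]) -> list[str]:
    """Test-harness side: list the ids whose labels disagree with the policy.
    A missing R label and a spurious R label both count as failures, so a
    system that simply labels everything Restricted does not pass."""
    failures = []
    for obs in observations:
        expected = policy_requires_restricted(obs)
        actual = has_label(obs, RESTRICTED)
        if expected != actual:
            failures.append(f"{obs.get('id', '?')}: expected R={expected}, found R={actual}")
    return failures


# Constructed sample Observations (no real patient data). LOINC displays:
# "Heart rate" has no "d"; "Body weight" and "Blood pressure panel" do.
SAMPLE_OBSERVATIONS = [
    {"resourceType": "Observation", "id": "obs-1",
     "code": {"coding": [{"system": "http://loinc.org", "code": "8867-4",
                          "display": "Heart rate"}]}},
    {"resourceType": "Observation", "id": "obs-2",
     "code": {"coding": [{"system": "http://loinc.org", "code": "29463-7",
                          "display": "Body weight"}]}},
    {"resourceType": "Observation", "id": "obs-3",
     "code": {"coding": [{"system": "http://loinc.org", "code": "85354-9",
                          "display": "Blood pressure panel"}]}},
]


def run_demo() -> tuple[list[str], list[str]]:
    """Verify the unlabeled input, label it as a system under test would, and
    verify again. Returns (failures before labeling, failures after)."""
    before = verify_policy(SAMPLE_OBSERVATIONS)
    labeled = [apply_policy(o) for o in SAMPLE_OBSERVATIONS]
    after = verify_policy(labeled)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("unlabeled input:", before)   # two failures: obs-2 and obs-3 lack R
    print("after labeling:", after)     # []
```

Because the harness checks both directions (label present when required, absent when not), it distinguishes a system that actually evaluated the declared policy from one that hard-coded a label, which is what makes the artificial policy useful as a test even though it has no clinical meaning.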

Thursday Q1

Hosting FHIR

Attendees

MANY people present... Paper sent around, I didn't get it back... John Moehrke, Mike Davis, Suzanne, Kathleen, Alex, Grahame, Josh, ???

Intended agenda

- Given CBCC didn't have a joint with FHIR, Security offered our second joint with FHIR
- Although this was agreed to, there was concern raised
- No decisions were made due to this concern.
- CBCC will request a Joint with FHIR at next WGM
- But CBCC likely will not be present at next WGM due to travel restrictions all co-chairs are under


Notes:

- Discussion recorded in gForge
- Overview of Privacy Consent Directive. Current IG http://hl7-fhir.github.io/pcd/pcd.html
- Discussion around the inclusion of the word "Directive".
  - This is the word used in the legal space
  - This is the word used in the CDA Privacy Consent Directive work
  - Keep the title as is.
- Grahame asked that we walk through an example
  - Discussion on various parts. No decisions made
  - Observed that there is a lack of vocabulary
  - Kathleen points out that there is vocabulary available.

Thursday Q2

All agenda items have been closed, so no meeting held.