
Chair:  John Moehrke

Scribe: John Moehrke  

Mondays at 12:00 pm Eastern Time

NOTE: This attendance applies if you are present at the related meeting/call, regardless if you have signed a different attendance for your WG. 


Minutes Approved as Presented 2020-01-06 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."

Agenda Topics

Agenda Outline

Agenda Item / Meeting Minutes from Discussion / Decision Link (if not child)

Management: Minutes Approval. Minutes not reviewed.

New projects?

Potential (but only if someone steps forward) new projects this committee could take on:

* Basic Provenance in FHIR
* AuditEvent supporting Patient Empowerment
* Additional guidance for the core security pages:
  * Security around FHIR Subscription
  * Security around bulk-data access
  * Security around multi-organization interactions (e.g. HIE)
* App dynamic registration
* Updating of SMART-on-FHIR with next kind of use-case (tbd)
* Templating of IG to drive Security Considerations
* Templating of IG to drive consistent use of Provenance, AuditEvent, and Signatures
* Definition of a new Resource for Permission use-cases
* Creation of a library of security/privacy focused IG that can be included in 'other' IG as modular security solutions (similar to how SMART-on-FHIR is used today, but supporting other security models). This might be where the subscription, bulk-data, and multi-organization solutions are organized for easy use.  

Some of these are already started. This section should be removed, with specific sections on the active projects included instead.

Permission Resource is prototyped

Robust discussion on how this might be the basis for more refined redaction, such as a permission that allows a given role access to the Patient resource but not to the Patient.identifier that holds a given national ID value.

This might be done by having a Permission.useLimitations element that identifies these fine-grained restrictions.

An alternative proposed elsewhere is to add a security tag to every element in every resource, which seems more burdensome.
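The following is an added illustration of the redaction model discussed above, not code from the FHIR specification or the Permission prototype. It assumes a hypothetical permission object carrying a useLimitations list (path plus a "where" filter), applies it to a constructed sample Patient, strips the identifier whose system marks it as the national ID, and labels the returned resource with the REDACTED security label so the receiver knows elements were withheld. The Patient data and the permission shape are both constructed for this example.

```python
import copy

# Constructed sample Patient (not real data). The second identifier stands in
# for the national ID that only some roles are allowed to see.
SAMPLE_PATIENT = {
    "resourceType": "Patient",
    "id": "example",
    "identifier": [
        {"system": "urn:example:mrn", "value": "MRN-12345"},
        {"system": "urn:example:national-id", "value": "NID-000-111"},
    ],
    "name": [{"family": "Doe", "given": ["Jane"]}],
    "birthDate": "1980-01-01",
}

# Hypothetical permission shape (an assumption, not the balloted resource):
# the 'clinician' role may read Patient, but any Patient.identifier whose
# system is the national-ID system must be withheld.
SAMPLE_PERMISSION = {
    "resourceType": "Permission",
    "role": "clinician",
    "resource": "Patient",
    "useLimitations": [  # hypothetical element name from the discussion
        {"path": "Patient.identifier",
         "where": {"system": "urn:example:national-id"}},
    ],
}

# Security label telling the consumer that content was removed.
REDACTED_LABEL = {
    "system": "http://terminology.hl7.org/CodeSystem/v3-ObservationValue",
    "code": "REDACTED",
}


def _matches(entry, where):
    """True when every key in `where` is present in entry with the same value."""
    return isinstance(entry, dict) and all(entry.get(k) == v for k, v in where.items())


def apply_use_limitations(resource, permission, role):
    """Return (redacted_copy, removed_elements) for a request made in `role`.

    Raises PermissionError when the permission does not grant the role access
    to this resource type at all; element-level limits are applied otherwise.
    """
    if permission.get("role") != role:
        raise PermissionError(f"role {role!r} is not granted by this permission")
    if permission.get("resource") != resource.get("resourceType"):
        raise PermissionError("permission does not cover this resource type")

    redacted = copy.deepcopy(resource)  # never mutate the server's copy
    removed = []
    for limitation in permission.get("useLimitations", []):
        rtype, _, element = limitation["path"].partition(".")
        if rtype != redacted["resourceType"] or element not in redacted:
            continue
        where = limitation.get("where")
        value = redacted[element]
        if where is None:
            # No filter: the whole element is withheld for this role.
            removed.append(value)
            del redacted[element]
        elif isinstance(value, list):
            # Repeating element: drop only the entries matching the filter.
            kept = [e for e in value if not _matches(e, where)]
            removed.extend(e for e in value if _matches(e, where))
            if kept:
                redacted[element] = kept
            else:
                del redacted[element]
        elif _matches(value, where):
            removed.append(value)
            del redacted[element]

    if removed:
        labels = redacted.setdefault("meta", {}).setdefault("security", [])
        if REDACTED_LABEL not in labels:
            labels.append(REDACTED_LABEL)
    return redacted, removed


if __name__ == "__main__":
    patient, withheld = apply_use_limitations(SAMPLE_PATIENT, SAMPLE_PERMISSION, "clinician")
    print("returned identifiers:", [i["value"] for i in patient["identifier"]])
    print("withheld:", withheld)
```

The design point the example makes is that a single path-plus-filter limitation on the permission is enough to express "Patient yes, national-ID identifier no" without tagging every element of every resource, and that the REDACTED label on the returned copy gives the client an honest signal that the resource is incomplete.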

FHIR IG Proposal for gov work

IG Proposals

Prototype (unofficial) Government Regulated Security IG

Known issues not yet updated:

  • break the one valueset into many, to be specific to use-cases and transaction
  • unknown code of "COR" is actually "COC"
  • add code for research?
  • Explain that the need for communication of is because the communication channel supports multiple policies, so the selects which of these policies applies to the request and response

Kathleen has made some progress on the confluence pages.

John to look at adding these improvements to the IG build. 

John also has previously agreed to actions to implement

Kathleen noted that the build site seems to not be available. John noted that the build output is only preserved for a week, so would need to be refreshed as this is the continuous build site. Ballots and final are preserved elsewhere

In Process: Security Open Items – now in JIRA

FHIR-24908 - Where vocabulary and valuesets come from DICOM, they should be imported and used from DICOM – elimination of AuditEvent codeSystem duplication. Waiting on DICOM.

FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabulary. Waiting on ISO.

FHIR-24676 - PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabulary. Waiting on ISO.

FHIR-23712 - Waiting on ISO.

FHIR-11071 - DS4P and CUI will be creating an IG. This exercise will result in an update of the FHIR core with informed instructions. Moved to DS4P.

Open Items


FHIR Block: Block vote preparation

FMM: Defined plan to mature

Connectathon: Update on Security at FHIR Connectathon. AuditEvent and Provenance have plenty of exercise at FHIR Connectathon and IHE Connectathon. They should be able to be moved to Normative by the R5 timeframe.

SMART: Discussion of next generation of SMART, to gather a group of stakeholders and implementers to work out a plan. Should the improvement be bottom-up or top-down; incremental or comprehensive? We need buy-in from Argonaut, but the work should not be perceived as specific to Argonaut.

Consent service: Discussion of next generation consent service

Management: Next agenda

New Business (60 minutes)
