WGM Minutes approved 2020-05-26 Security WG Agenda/Minutes
Q3 (1:30 - 3:00 PM ET)
Security Joint with Biomedical Research and Regulation (BR&B) - Research Provenance Use Cases, collaboration
Kathleen presented background about PSAF Provenance DAM based on W3C PROV and IVOA.
She referred the group to Relationship of PSAF Provenance with Other Provenance Standards and Profiles for more detail.
Now working with implementers looking for real research use cases to test.
VA and health system vendors had prepped a Provenance demonstration for HIMSS.
The planned vignette involved the Million Veteran Program research project.
Looking for another opportunity to demonstrate research provenance.
Security WG is interested in collaborating with BR&R on use cases and development of a FHIR Research Provenance profile.
Possibly a Connectathon Provenance Track to test a FHIR Research Provenance profile being exchanged via a Federated Provenance Server with perhaps a blockchain component.
Possible research use cases discussed:
Peter Bromberg has been emphasizing the importance of tracking status changes wrt 5 Ws (who, what, where, when, and why).
Craig Andersen - Canadian product labeling use case for chaining provenance of product label version changes.
Matt Natter Boston's Children's Hospital FDA Patient Reported Outcomes [PRO] provenance from clinical trials - whether the patient or someone on behalf of the patient - using audit log to check the hash of sender signature
Other FDA participants - Mark Gray, Norman Gregory
John Moehrke joined to discuss possible research provenance profile that could be tested at Connectathon.
Topic will be followed up at FHIR Security.
Quarter: 5 (5pm - 6:30 pm EST)
Chair: Alex Mense
Scribe: Alex Mense
- Mohammad reported about the very successful virtual Connectathon track about security labeling. See Report Out.
- Discussion about an update of the HL7 GDPR paper (FHIR - GDPR) based on the Guidelines 05/2020 on consent under Regulation 2016/679 from "The European Data Protection Board" (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf).
- Alex reported from Europe: ENISA - PROCUREMENT GUIDELINES FOR CYBERSECURITY IN HOSPITALS https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services
No more international reports, no liaison reports at all because of lack of people.
No motions, no decisions.
Minutes Approved as Presented
Approved with addition of WG Health discussion
|Work Group Health|
The 2020May WG Health reports and the Project and Ballot Health report have been posted here: https://confluence.hl7.org/display/TSC/2020May+Final+Reports
Links to individual reports:
Project and Ballot Health Metrics Report:
WG Health Reports:
|Kathleen cleaned up deficiencies so Security now has clean bill of health. Virtual Stars to all.|
|FHIR DS4P IG Ballot Outcome|
Quorum met - 107 voters, FHIR DS4P IG Ballot Passed
Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is. Only the profiles are implementable.
Sept NIB by July 5 per Security WG Admin
|SMART Web Messaging PSS|
Brett Marquard - Request that Security co-sponsor
|Deferred until 2020-05-26 Security WG Agenda/Minutes|
|Security and Privacy Information Model (S&P DAM REFRESH)|
Review and seek approval of the HL7 Privacy and Security Information Model PSS
Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models) mapped to Access Control services.
Security WG approval June 5, 2020
ISD approval - by July
TSC before August 23, 2020
Motion to Approve HL7 Privacy and Security Information Model PSS
Vote - Approve/Abstain/Oppose: #- 0 - 0
WG decided that PSS needs revisions shown below
1a. Project Name
HL7 Privacy and Security Information Model PSS
1b. Project ID
1c. Is Your Project an Investigative Project (aka PSS-Lite)?
1d. Is your Project Artifact being Reaffirmed or proceeding to Normative directly after being either Informative or STU?
1e. Today's Date
1f. Name of standard being reaffirmed
1g. Project Artifact Information
1h. ISO/IEC Standard to Adopt
1i. Does the standard include excerpted text from one or more ISO, IEC or ISO/IEC standards, but is not an identical or modified adoption?
1j. Unit of Measure
2a. Primary/Sponsor WG
2b. Co-Sponsor WG
Community Based Care and Privacy
2c. Co-Sponsor Level of Involvement
Request formal content review prior to ballot
2d. Project Facilitator
2e. Other Interested Parties (and roles)
2f. Modeling Facilitator
2g. Publishing Facilitator
2h. Vocabulary Facilitator
2i. Domain Expert Representative
Suzanne Gonzales-Webb Alexander Mense Mohammad Jafari Beth Pumo [Need more diverse and international input here.]
2j. Business Requirements Analyst
2k. Conformance Facilitator
2l. Other Facilitators
Department of Veterans Affairs NEED More implementers
3a. Project Scope
Develop and publish up-to-date Security and Privacy Information Model NEED to define Information Model. Can't just reference v3 DMIMs as those are specific to a particular syntax, which uses v3 RIM classes, attributes, datatypes, and semantics (vocabulary) - absolutely not applicable in a conceptual model. Need to clearly make Behavioral Model out of scope since the DAM and PSAF include behavioral models.
3b. Project Need
Current Wording: The current HL7 Security Information models is out of date (dates back to 2014). Since that time significant changes to class relationships including new relationships and need to connect more holistically to modern HL7 standards have emerged.
The current HL7 Composite Security and Privacy Domain Analysis Model information models is out of date (dates back to were completed in 2014). Since that time significant changes to class relationships including new relationships to other Security models have been developed such as Security Labeling, Audit, Trust and Provenance. These models need to connect more holistically in an updated, overarching conceptual model.
[KC - No changes have been made to the DAM models in TF4FA - mostly because BB raised a fuss whenever the TF4FA strayed from ISO 22600 S&P DAM models have NOT been deprecated or overridden by PSAF - so best to characterize this as an enhancement.]
3c. Security Risk
3d. External Drivers
3e. Objectives/Deliverables and Target Dates
For comment ballot. STU in May 2021
3f. Common Names / Keywords / Aliases:
Security and Privacy Information Model
Builds upon previous 2014 model
3h. Project Dependencies
3i. HL7-Managed Project Document Repository URL:
3j. Backwards Compatibility
3k. Additional Backwards Compatibility Information (if applicable)
3l. Using Current V3 Data Types?
3l. Reason for not using current V3 data types?
3m. External Vocabularies
3n. List of Vocabularies
3o. Earliest prior release and/or version to which the compatibility applies
V3 Conceptual Information Model Domain Information Model (DIM / DMIM) You may want to meet with ARB to ask for guidance on how to characterize the model you are proposing. Pretty sure it is not a V3 DIM/DDMIM
4b. For FHIR IGs and FHIR Profiles, what product version(s) will the profiles apply to?
4c. FHIR Profiles Version
4d. Please define your New Product Definition
4d. Please define your New Product Family
5a. Project Intent
Revise current standard
5a. White Paper Type
5a. Is the project adopting/endorsing an externally developed IG?
5a. Externally developed IG is to be (select one)
5a. Specify external organization
5a. Revising Current Standard Info
Composite Security and Privacy Domain Analysis Model
5b. Project Ballot Type
Normative (no STU)
5c. Additional Ballot Info
5d. Joint Copyright
5e. I understand I must submit a Joint Copyright Letter of Agreement to the TSC in order for the PSS to receive TSC approval.
6a. External Project Collaboration
6b. Content Already Developed
6c. Content externally developed?
6d. List Developers of Externally Developed Content
6e. Is this a hosted (externally funded) project?
Clinical and Public Health Laboratories, Immunization Registries, Quality Reporting Agencies, Regulatory Agency, Standards Development Organizations (SDOs), Payors
6f. Other Stakeholders
EHR, PHR, Health Care IT, Clinical Decision Support Systems, Lab
6g. Other Vendors
Clinical and Public Health Laboratories, Emergency Services, Local and State Departments of Health
6h. Other Providers
7d. US Realm Approval Date
7a. Management Group(s) to Review PSS
7b. Sponsoring WG Approval Date
7c. Co-Sponsor Approval Date
7c. Co-Sponsor 2 Approval Date
7c. Co-Sponsor 3 Approval Date
7c. Co-Sponsor 4 Approval Date
7c. Co-Sponsor 5 Approval Date
7c. Co-Sponsor 6 Approval Date
7c. Co-Sponsor 7 Approval Date
7c. Co-Sponsor 8 Approval Date
7c. Co-Sponsor 9 Approval Date
7c. Co-Sponsor 10 Approval Date
7e. CDA MG Approval Date
7f. FMG Approval Date
7g. V2 MG Approval Date
7h. Architecture Review Board Approval Date
7i. Steering Division Approval Date
7j. TSC Approval Date
This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."
Set goals, objectives or some context for this meeting.