
Chair:  John Moehrke

Scribe: John Moehrke  


Mondays at 12:00 pm Eastern Time 


https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337


Attendees


Minutes Approved as Presented: 2020-06-29 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."


Agenda Topics

Agenda Outline

Agenda Item | Meeting Minutes from Discussion | Decision Link (if not child)

Management: Minutes Approval - approved by general consent

News

ACTION: please review http://build.fhir.org/valueset-provenance-activity-type.html, as the full v3-ActCode code system seems excessive and inappropriate for provenance activity types.

FHIR Fine Grained Security beyond OAuth2 - led by Josh Mandel

https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Fine-grained.20Security.20Policies

  • Presentation decks available
  • Playback of the meeting

Discussion of impressions.

Note that the whole session was recorded and can be reviewed from the YouTube link.

It was good to have a set of those trying to implement engaged.

Many diverse solutions were discussed. Most of them are detailed on their mechanics, but not detailed on what problem they are solving.

Some solutions have seen some success outside of healthcare. It is not clear they can handle the additional vectors that healthcare needs.

Many leveraged attribute based access control and compartments. All of the focus on compartments was on how to make a configurable compartment in the spirit of the REST compartment. No one mentioned the abstraction of compartment that already exists using codes for compartments. Codes for compartments leave the definition of the mechanics out of scope for interoperability, as that tends to be a local problem that does not need to be externalized.

Josh's point on pre-processing and post-processing is a good mechanic, but it is also a systems design aspect, not an interop aspect. However, this systems design aspect is useful in that it allows compartments to be simpler, as post-processing can remove the fine-grained resources/elements that policy further requires to be removed.

Leading with a technical solution may be fast, but it will likely lead to a system that is not future-proof. We need the complete perspective even if we solve issues incrementally.

Need a way to describe the overall rules, and the variations allowed within a sub-policy (e.g. consent).

Many solutions did recognize ConfidentialityCode as a good first step toward finer granularity.
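As an added illustration of the post-processing and ConfidentialityCode points above (example code written for these minutes, not from the meeting, from HL7, or from any presenter): a search response Bundle is filtered after the query so that resources whose confidentiality label exceeds what the requester's policy allows are dropped, leaving the compartment itself simple. The code system URL and the U/L/M/N/R/V ordering are the HL7 v3 Confidentiality codes; the Bundle content, the `post_process` function, and the choice to treat unlabelled data as "N" are assumptions of this example.

```python
import copy
import json

# HL7 v3 Confidentiality codes, least to most restrictive.
CONF_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
CONF_RANK = {c: i for i, c in enumerate(["U", "L", "M", "N", "R", "V"])}


def confidentiality_of(resource):
    """Highest confidentiality label on a resource. Unlabelled data is
    treated as 'N' (normal) here; that default is an assumption of this
    example, not a rule from the meeting."""
    ranks = [CONF_RANK[c["code"]]
             for c in resource.get("meta", {}).get("security", [])
             if c.get("system") == CONF_SYSTEM and c.get("code") in CONF_RANK]
    return max(ranks, default=CONF_RANK["N"])


def post_process(bundle, max_code):
    """Return a copy of a searchset Bundle with every entry whose label is
    more restrictive than max_code removed, and total recomputed."""
    limit = CONF_RANK[max_code]
    out = copy.deepcopy(bundle)
    out["entry"] = [e for e in out.get("entry", [])
                    if confidentiality_of(e["resource"]) <= limit]
    out["total"] = len(out["entry"])
    return out


def allowed_ids(bundle, max_code):
    """Convenience: ids of the resources that survive post-processing."""
    return [e["resource"]["id"] for e in post_process(bundle, max_code)["entry"]]


# Constructed sample Bundle: an unlabelled Observation, a restricted one,
# and an administrative Patient resource with a low confidentiality label.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset", "total": 3,
    "entry": [
        {"resource": {"resourceType": "Observation", "id": "bp-1"}},
        {"resource": {"resourceType": "Observation", "id": "hiv-1",
                      "meta": {"security": [{"system": CONF_SYSTEM, "code": "R"}]}}},
        {"resource": {"resourceType": "Patient", "id": "p-1",
                      "meta": {"security": [{"system": CONF_SYSTEM, "code": "L"}]}}},
    ],
}

if __name__ == "__main__":
    # A requester cleared only for normal ("N") data does not see hiv-1.
    print(json.dumps(post_process(SAMPLE_BUNDLE, "N"), indent=1))
```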



FAST - Luis Maas



Projects

Permission Resource

http://build.fhir.org/permission is prototyped

FHIR Permission - for use-case submission and analysis

Jose added:

  1. Example: There is a policy somewhere that states e.g. "all primary teams may have access to the patient administrative and non-sensitive health data"
  2. Example 2: Access to clinical data by all Care team members.
    1. In Belgium the patient currently needs to allow the hospital to distribute the data. From then on, the hospital grants permission to the team members.
  3. Need to refine who has access to the report for which purposes for how long. (what is "the report"? Only diagnosticReport? Or related Condition or treatment?)

Need to get use-cases defined so that we can do use-case analysis. Note that this analysis is done on the Confluence page FHIR Permissions.




FHIR IG Proposal for gov work (confluence and build shown in github readme)

https://github.com/HL7/us-security-label-regs 

Will discuss Tuesday and bring to the group next week: Kathleen Connor




FHIR IG for DS4P 

https://github.com/HL7/fhir-security-label-ds4p

Confluence: FHIR DS4P IG

Will discuss Tuesday and bring to the group next week: Kathleen Connor




Discussion of the next generation of SMART

https://chat.fhir.org/#narrow/stream/179175-argonaut/topic/Scopes.20for.20data.20access


Discussion document: bit.ly/argo20-granular




In Process




FHIR-24908 - waiting on DICOM


FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabulary; waiting on ISO


FHIR-24676 – PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabulary; waiting on ISO


FHIR-23712 - waiting on ISO


FHIR-11071 - DS4P and CUI will be creating an IG. This exercise will result in an update of the FHIR core with informed instructions; moved to DS4P

Block Vote




Open Items

FHIR Block: Block vote preparation

none

FMM: Defined plan to mature

Connectathon: Update on Security at FHIR connectathon

Management: Next agenda


New Business




Adjournment

55 minutes
