
Chair:  John Moehrke

Scribe: John Moehrke  


Mondays at 12:00 pm Eastern Time 


https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337


Attendees


Minutes Approved as Presented 2020-07-06 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."


Agenda Topics

Agenda Outline

Agenda Item

Meeting Minutes from Discussion

Decision Link (if not child)

Management: Minutes Approval (approved by general consent)

News: No meeting next week due to conflict with IHE face-to-face

ACTION: please review http://build.fhir.org/valueset-provenance-activity-type.html as the full codesystem for v3-ActCode seems excessive and inappropriate for provenance activity







FHIR Fine Grained Security beyond OAuth2 - led by Josh Mandel

https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Fine-grained.20Security.20Policies

  • Presentation decks available 

Discussion of impressions.




FAST - Luis Maas



Projects

Permission Resource

http://build.fhir.org/permission is prototyped

FHIR Permission - for use-case submission and analysis

Jose added:

  1. Example: There is a policy somewhere that states e.g. "all primary teams may have access to the patient administrative and non-sensitive health data"
  2. Example 2: Access to clinical data by all Care team members.
    1. In Belgium the patient currently needs to allow the hospital to distribute the data. From then on, the hospital grants permission to the team members.
  3. Need to refine who has access to the report for which purposes for how long. (what is "the report"? Only diagnosticReport? Or related Condition or treatment?)

Need to get use-cases defined so that we can do use-case analysis. Note this analysis is done on the confluence page FHIR Permissions

VhDIR use-case analysis would be a good one to get written up. Understanding is that the VhDIR service would not make fine-grain decisions, but would include in the search results as part of the directory resources a contained Consent that had residual rules of use. AND there is an extension in each resource pointing to this contained Consent. 

Discussion around data pointing at policy vs. policy pointing at data vs. supporting both models. Supporting both models makes interoperability harder.

Data pointing at policy is fragile to changes in policy, as a change in policy must touch all the data.

Concern that policy pointing at data might be missed by recipients that don't go looking for policy. One must always have rules of engagement that demand processing behaviors. Including a contained Consent does not guarantee that the recipient will notice or abide by it. This must be enforced by rules of engagement (policy). Those rules of engagement can mandate looking for Permission/Consent just as well as they can mandate that one follow a contained Permission/Consent.

We might not be able to decide on ONE model; more use-case analysis and examples are needed to determine the solution. We might decide to have multiple models, but with a specific non-overlapping use-case for each model.




FHIR IG Proposal for gov work (confluence and build shown in github readme)

https://github.com/HL7/us-security-label-regs 

Will discuss Tuesday and bring to the group next week (Kathleen Connor)




FHIR IG for DS4P 

https://github.com/HL7/fhir-security-label-ds4p

Confluence: FHIR DS4P IG

Will discuss Tuesday and bring to the group next week (Kathleen Connor)




discussion of next generation of SMART

https://chat.fhir.org/#narrow/stream/179175-argonaut/topic/Scopes.20for.20data.20access


Discussion document: bit.ly/argo20-granular




In Process




FHIR-24908: waiting on DICOM


FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabulary: waiting on ISO


FHIR-24676 - PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabulary: waiting on ISO


FHIR-23712: waiting on ISO


FHIR-11071: DS4P and CUI will be creating IG. This exercise will result in update of the FHIR core with informed instructions. Moved to DS4P.

Block Vote




Open Items










FHIR Block: Block vote preparation



none







FMM: Defined plan to mature


Connectathon: Update on Security at FHIR connectathon












Management: Next agenda


New Business




 Adjournment

55 minutes

Supporting Documents

Outline Reference

Supporting Document

Minute Approval

 


Tasks