Chair: John Moehrke
Scribe: John Moehrke
Mondays at 12:00 pm Eastern Time
Meeting ID: 675 407 5337
Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337
|Joseph M. Lamy|
Minutes Approved as Presented 2020-09-14 FHIR-Security Meeting Agenda
This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."
Meeting Minutes from Discussion
|Decision Link(if not child)|
|Management||Minutes Approval||approved by general consent|
|CR NPI||NPI as sensitive in Practitioner and PractitionerRole|
The appropriate protections for Privacy and Security are specific to the risks to Privacy and the risks to Security of the data being protected. This concept of appropriate protections is very specific to the actual data. Any declarations of 'required' or 'optional' requirements that could be mentioned here are only recommendations for that kind of Resource in general, for the most common use of that Resource. Where one uses the Resource in a way that is different from this most common use, one will have different risks and thus need different protections.
Most Resources will need some form of Access Control to Create, Update, or Delete. The following general guidance is given only as general guidance for READ and QUERY access:
Individual Sensitive:
These Resources do NOT contain Patient data, but do contain individual information about other participants. These other individuals are Practitioners, PractitionerRole, CareTeam, or other users. These identities are needed to enable the practice of healthcare. These identities are identities under general privacy regulations, and thus must consider Privacy risk. Often access to these other identities is covered by business relationships. For this purpose, access to these Resources will tend to be Role specific, using methods such as RBAC or ABAC.
Kathleen proposed a new identifier information sensitivity code IDS and an extension on DS4P IG to permit pointing to a list of codes such as SSN, NPI etc.
IDS (identifier information sensitivity): Policy for handling information related to an identifier of an information subject, which will be afforded heightened confidentiality.
Usage Note: Such policies may govern the sensitivity of information related to an identifier of an act, such as the identifier of a contract; a role, such as a citizen, a patient, a practitioner, or an organization; or an entity such as a medical device due to potential impact on the privacy, well-being, safety or integrity of an information subject. For example, protection against identity fraud or counterfeit.
Notice what HAPI has done for security. Is there something we should learn for Permission or Consent? This seems to be defining a declarative language for FHIR specific rules.
See general HAPI security
See HAPI RuleBuilder()
updates from WGM
Kathleen Connor update?
Deferred. The approved Security WGM with recordings is available at https://confluence.hl7.org/pages/resumedraft.action?draftId=86976145&draftShareId=f258fa47-c0c8-4347-bed8-315f8abecce1&
|Consult from PDex|
Use of Provenance in PDex
Robert Dieterle update?
|FAST||purposeOfUse subset on the request as a promise to not use the data returned beyond the subset.|
http://build.fhir.org/permission is prototyped
FHIR Permission - for use-case submission and analysis
Kathleen added the following to FHIR Permission
During the 2020-10-19 FHIR-Security Meeting Agenda call, we discussed the need to develop boundaries for Permission Resource to help implementers determine whether to use it instead of or in combination with Security Labels, and the dependency of both on a Trust Framework. We should determine and explain any additional implementation/processing complexity for using either approach. In any case, a policy domain should avoid using both Permission Resource and Security Labels to serve the same use case.
FHIR IG Proposal for gov work (confluence and build shown in github readme)
discussion of next generation of SMART
discussion document bit.ly/argo20-granular
|waiting on iso – some movement as ISO has not provided the document. BUT still not clear if licensing is clean.|
|waiting on M&M to give modeling guidance|
|FHIR Block||Block vote preparation|
|FMM||Defined plan to mature|
|Connectathon||Update on Security at FHIR connectathon|