Please see:
- FHIR DS4P IG PSS - approved
- FHIR DS4P IG proposal - approved
- Approved 2020-01-15 FMG Agenda/Minutes
- FHIR DS4P Continuous Build: http://build.fhir.org/ig/HL7/fhir-security-label-ds4p/branches/master/index.html
The github repo for the source material:
https://github.com/HL7/fhir-security-label-ds4p
Introduction:
HL7 has developed standards for segmenting sensitive data for HL7 v2 and CDA. No such guidance is available for FHIR implementers. This section of the Security WG Confluence site is intended to house current work in this area.
Please also see our pages on Security Labeling and CUI from a conceptual level, and the Cross-Paradigm US Security Label project for examples of what could be adopted as a consensus approach for using security labels for CUI 32 CFR Part 2002, 42 CFR Part 2, and Title 38 Section 7332:
- Cross Paradigm US Security Labeling IG
- Cross Paradigm CUI 32 CFR Part 2002, 42 CFR Part 2, and Title 38 Section 7332 Security Labeling IGs PSS
- Cross Paradigm CUI, Part 2, and 7332 Structure
Project Need
There is a need to develop FHIR implementation guidance for the use of FHIR meta.security labels to emulate the syntactical structure for security labeling as defined in the HL7 Healthcare Privacy and Security Classification System (HCS), which is the normative, conceptual model upon which both HL7 v2 and the Data Segmentation for Privacy CDA IG are based. The syntactic structure of security labels dictates how the security tag sets (HL7 security labeling terminology) are used to populate specific fields in a security label with appropriate tags so as to represent a computable policy.
In addition, there is a need for guidance and examples showing how a community can develop consensus security labels for specific policies. Consensus labels minimize variance in policy representations, so that rules engines are able to enforce them uniformly and enable trusted exchange of health information among trading partners who subscribe to the same consensus labels.
Security Labeling Conceptual Guidance
The Security WG provides several pages devoted to providing detailed guidance on specific types of Security Tags and topics such as how to assign High-Water Marks to "wrappers" or enveloping structures used to transmit HL7 v2, CDA, and FHIR content.
- Share with Protections
- Security Labels
- Controlled Unclassified Information (CUI) Problem and Solutions
FHIR DS4P IG Structure
The main sections of the FHIR IG are:
- Background - provides business context for the implementation guide and information that implementers should be familiar with before reading the remainder of the IG. There could be multiple pages for this.
- Use Cases – support for #1 and #2 for this ballot, others for vnext.
- Detailed Specification - The overall requirements.
- FHIR DS4P Security Label Structure – much of this is on Confluence already
- FHIR DS4P Security Labeling Extensions
- Mohammad is formalizing the Security Label extensions:
- mustDisplay https://jira.hl7.org/browse/FHIR-25180
- relatedArtifact https://jira.hl7.org/browse/FHIR-25217
- contributor https://jira.hl7.org/browse/FHIR-25223
- FHIR Security Label SPIF
- Sender Specification - The requirements for Sender actor
- Capability Statement for Client Discovery
- Labeling levels supported: Bundle, Resource, Sub-Resource
- Security Labels supported: Equivalent to a SPIF
- Extension support
- Recipient Specification - The requirements for Recipient actor.
- Capability Statement for Client Registration
- Labeling levels supported: Bundle, Resource, Sub-Resource
- Security Labels supported: Equivalent to a SPIF
- Extension support
- Security and Privacy Considerations - The considerations for Privacy and Security.
- Downloads - Allows downloading a copy of this implementation guide and other useful information
The main sections of this IG vnext are:
- Trust Contract with Capability Statement and SPIF negotiated by sender and receiver, potentially on Blockchain with Federated Provenance
- Cascaded OAuth – how the Sender consults relevant policies for Privacy Preserving Based on