Security WG Opening Session
Approval of agenda. Proposed: Trish, Seconded: Dave. 6:0:0
Introductions and updates
John Moehrke: IHE is continuing to revise the IUA profile (OAuth for RESTful). The end goal is still not clear, but correction of specification errors is a mid-goal, and this is around the scope. Some challenges in acceptance of this. IHE connectathon and interest in Audit event. ONC and IHE collaboration to assess HIE guides relative to FHIR: a gap was identified in that the IG does not have a FHIR consent mechanism. This will be proposed as a new work item for consent management in a MHDS environment.
Alexander Zautke (HL7 Germany). FHIR implementation projects started with vengeance!
Dave Pyke (CBCP): Working on TLS 1.3 requirements, as there is no common agreement on whether or extensions are sufficiently secure for healthcare HIE. Would welcome discussion on this.
Hide (HL7 Japan, TC215 ISO WG4 Co-Convenor): Defining PKI infrastructure published at ISO.
Alex Mense (HL7 Austria): How to integrate FHIR with the existing CDA architecture is an ongoing question.
Trish Williams (HL7 Australia): Australia working on new Cybersecurity 2020 Strategy (not just for healthcare).
Kumar Satyam (Philips Architect, HL7 India): Upcoming digital health privacy act. Data sharing is open and less protected.
HL7 Project status and WGM planned project activities
Sample-IG: John added some considerations that need to be included: guidance to the author on what is appropriate to include in the section and how to go about deriving the security and privacy content for this section (although missing in the online version at present; John to follow up on this).
No report. Lisa Nelson the general care plan area captured consent but details not known. The Netherlands, and Ontario (Canada) are implementing R4.
Audit events in FHIR
21 people signed up for the FHIR Security tutorial
Update on security label IG (to be given later in meeting) John Moehrke
|Q2||Audit event (continued)||Trish||Completion of AuditEvent change request and proposed disposition on Jira. FHIR-25287|
Jira FHIR outstanding provenance items were reviewed. Many are awaiting FHIR-I or other WGs input before complete resolution.
|SMART on FHIR - Overview (if time)||Deferred to Q1 Friday.|
|Q3||Permissions and consent discussion||Alex|
Permissions and consent discussion. Use cases for situations where explicit consent is not needed but permission to use data based on another reason (e.g. regulations) has to be recorded or transmitted.
Discussion around possible new resource “permission” as a different concept to "Consent" to express specific permission for handling data under specific situations (regulation, etc.)
Needs to be linked to specific data or specific groups of resources. Discussion of whether using “Compartment” might do it. The eventual proposal is to use GraphDefinition as a more general concept. This must include residual rules. This will leverage HCS and GraphDefinition.
Started to draft the new resource - John initiating.
|Q4||FHIR Security Preview - John Moehrke||Trish||The WG members reviewed the slides created by John for the FHIR Security and Privacy Tutorial to see where they could be shortened.|