Skip to end of metadata
Go to start of metadata

Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

FreeConferenceCall Online Meeting Link

Dial-in Number (United States): (515) 604-9567 Access Code: 880898#

Agenda Topics 

 Minutes Approval


2019-11-12 Security WG Agenda/Minutes

Motion to Approve  11/12 Minutes :  

Moved /Second: Suzanne / Mike

Approve/Abstain/Oppose: 8  - 0 - 0

November Harmonization

Kathleen - Final proposal review and request for approval to submit.

Very little changes made for the final.  Final will be posted to site soon.

201911 November Harmonization proposals reviewed by Kathleen: 

Motion to Approve submission of Final Harmonization Proposals.

Moved /Second Suzanne / Mohammad

Approve/Abstain/Oppose: 8- 0 - 0

PSAF Provenance Volume 3 Ballot Reconciliation

Kathleen - Discuss proposed resolutions for block votes

Craig Newman's comments

  • Comment # 83-115 block vote MOTION: CraigN / MikeDavis Approve dispositions as written
    • Discussion: Disposition clarification needed for 110 as described during conversation
  • Approve/Abstain/Oppose: 9- 0 - 0


Bernd Blobel editorial comments  5, 42 - 57may be resolved without substantive changes across all PSAF volumes.  Recommended disposition:  Vote Persuasive - will make these non-substantive changes to align the references in all PSAF volumes with updated references.

  • Comment #5, # 42-57 Approve dispositions as written
    • Clarification to add #5
    • Motion to approve:  Mike Davis/Suzanne Gonzales Web Approve/Abstain/Oppose: 9- 0 - 0

HL7 Netherlands Affiliate votes  2, 12, 13, 29 are duplicate comments:

  • postponed vote - need to get information from the HL7 office

There is international agreement to apply ISO 23903 to ascertain the use of multiple standards in a layer or stack, or architecture. The HL7 v3 Privacy and Security Architecture Framework does not apply this, making it difficult for policy makers, business analysts and architects to set up a solid business approach in which the privacy and security architecture framework can. This ISO 23903 is an important requirement to apply the Framework in conjunction with other standards like architectures, messages, EHR-S standards, clinical models and more.

Recommended disposition: Vote Note Related: ISO 23903 is still a draft standard. There is no agreement that HL7 must align with this draft standard. All of the other PSAF Volumes were approved as normative without this comment. Only PSAF Volume 3 was in scope @ 201909 ballot. Security WG will consider ISO 23903 once adopted in any future updates to PSAF if this specification is made freely available to HL7 members. 

FHIR Security

John Moehrke and Mohammad Jafari discussion on OAuth Subscription security issues going on at and the ongoing need to keep track of burning issues.  John added  FHIR subscriptions security Security Confluence page as a parking lot.

Kathleen - Added CR 25180 for security label annotation extension to indicate how to display CUI or other Privacy Marks and to list the Designator's Agency name/contacts.

John commented: I think this extension, if it is needed, should be added by an IG specific to its use. Thus a CUI implementation guide should be written that creates this extension. In this way the extension is well understood. And those declaring conformance to CUI IG would then know to look for it and what to do with it. Aa a core extension this would not be clear.

Kathleen responded: The requested extension has multiple use cases - CUI is just a salient example. Another example offered was the ability to specify how COPY would be displayed in the Narrative based on the PrivacyMark security label COPYMark. The assigner of "COPY" on the Resource may need to be specified. Ditto "CONFIDENTIAL" as a rendered PrivacyMark may need to have the font, placement, and all Caps specified with an annotation extension. Other PrivacyMark security labels about which implementers may want to control display include the 42 CFR Part 2 Prohibition against Redisclosure and deliver only to addressee. There are chances that internationally, there may be many privacy marks that implementers will want rendered in FHIR in a particular way. Therefore, I argue that this is a core extension, which should be available to profile rather than creating a proliferation of IG specific extensions aiming to achieve the same result.

FHIR Security call cancelled. John is looking for new time.

Discussion thread on Zulip @

Sequoia CUI Discussions

Mike Davis

No work moving forward on creating the PSS at this time.  Sequoia notified MIke that they are members of HL7 and will be providing resources towaard the project


Update on the CUI/Security Labeling X-Paradigm IG PSS

Progress on the FHIR DS4P IG

Controlled Unclassified Information (CUI) Problem and Solutions

MOTION: Approve the Cross-Paradigm ("X-Paradigm") IG PSS covering security labeling cross the family, including wrappers. 

Moved : x / Second: x

Discussion: Approve/Abstain/Oppose: 0 - 0 - 0

 Document Presentation

Basic Provenance Report out

Confirm that at least one Security Co-chair is in attendance in order to provide a vote/block vote for Basic Provenance calls.


Brett gave update on where the project is on completing ballot reconciliation. 

Plan is to continue weekly calls.

Brett asked whether block votes should always be decided on the Security WG call or if block votes can be held if a Security Cochair is present and chairing.  Kathleen will check with Security WG on 11/19 call

Does Security WG want all Basic Provenance block votes should be held on Security WG calls or if they can be held if a Security Cochair is present and chairing.

Decision: If Security cochair is presiding over Basic Provenance call, then hold block votes, and report to Security WG.  If no Security cochair is available, and timing is critical, then schedule vote for Security WG call.

Cancel 11/26 call

WGM Report out

Kathleen - Draft WGM Minutes - in process. 

16 SEP 2019 SEC WGM Minutes

17 SEP 2019 SEC WGM Minutes

18 SEP 2019 SEC WGM Minutes


Share with Protections

Mike Davis - we have wrapped this into the CUI IG.  We have a couple of documents on SwP and have some editorial changes to make to the original PPT,Document.  Mike will complete will present the final to the Security WG

Mike will present updates on the week following Thanksgiving.

Update on SwP Part 1 and Part 2 (to be presented Drafts).  Recommend FHIR IG PSS for SwP. 

No Update
Slide decks and Sharing with Protections paper are available on Security WG Confluence site
(SP) 800-207, Zero Trust Architecture

Mike Davis: Should HL7  Sec WG provide comments on NIST Zero Trust Architecture relevant to standards work?  Reference HL7’s PSAF Vol 1 with links to relevant sections such as Fig 7, 9, 12, 18 etc.

Federal Health IT Strategic Plan

Mike Davis Should HL7 security comment on Federal Health IT Strategic Plan –

    • Individuals perform on their own some of the activities that traditionally occur only in formal health care settings (e.g., monitoring blood pressure, tracking body mass index). An increasing number of individuals want the ability to use technology to track and improve upon their health goals, and want technology to be helpful and easy to use.
    • How does HL7 support objective 4b?

Need links.

 Next week's Security Meeting / Thanksgiving week has been cancelled. Kathleen will send out notice
AdjournmentMeeting adjourned at 1:35 Arizona Time

Temporary Meeting Recording:


@Adam Wong adam.wong@hhs.govHHS
HL7 Austria
Wave One

Chris Shawn, Co-Chair

 Craig Newman
 Ready Computing
 @David Staggs drs@securityrs.comSRS 
Heather McComas AMA 
Jim KamperAltarum

John Davis (Mike)


John Moehrke Co-Chair

Julie Chan jchan@cwglobalconsult.comCWGlobal

Kathleen Connor  Co-Chair

VA (Book Zurman)
Laura Bright
Laura Hoffman laura.hoffman@ama-assn.orgAMA
EMR Direct
Matthew Reid matt.reid@ama-assn.orgAMA
VA (Book Zurman)
 Nancy Lush
 PJM Consulting
Trustworthy EHR 

@Ricky Sahu,  

1up Health

Robert Dieterle

Saul Kravitz saul@mitre.orgMITRE


Stephen MacVicar smacvicar@mitre.orgMITRE
VA (Book Zurman)

@Trish Williams Co-ChairFlinders University

  • No labels