Scribe: @Suzanne Gonzales-Webb
Weekly calls Tuesdays 3PM ET
FreeConferenceCall Online Meeting Link https://www.freeconferencecall.com/join/security36
Dial-in Number (United States): (515) 604-9567 Access Code: 880898#
Motion to Approve 11/12 Minutes:
Moved / Second: Suzanne / Mike
Approve/Abstain/Oppose: 8 - 0 - 0
Kathleen - Final proposal review and request for approval to submit.
Very little changes made for the final. Final will be posted to site soon.
201911 November Harmonization proposals reviewed by Kathleen:
Motion to Approve submission of Final Harmonization Proposals.
Moved / Second: Suzanne / Mohammad
Approve/Abstain/Oppose: 8 - 0 - 0
PSAF Provenance Volume 3 Ballot Reconciliation
Kathleen - Discuss proposed resolutions for block votes
Craig Newman's comments
Bernd Blobel editorial comments 5, 42-57 may be resolved without substantive changes across all PSAF volumes. Recommended disposition: Vote Persuasive - will make these non-substantive changes to align the references in all PSAF volumes with updated references.
HL7 Netherlands Affiliate votes 2, 12, 13, 29 are duplicate comments:
There is international agreement to apply ISO 23903 to ascertain the use of multiple standards in a layer or stack, or architecture. The HL7 v3 Privacy and Security Architecture Framework does not apply this, making it difficult for policy makers, business analysts and architects to set up a solid business approach in which the privacy and security architecture framework can. This ISO 23903 is an important requirement to apply the Framework in conjunction with other standards like architectures, messages, EHR-S standards, clinical models and more.
Recommended disposition: Vote Not Related: ISO 23903 is still a draft standard. There is no agreement that HL7 must align with this draft standard. All of the other PSAF Volumes were approved as normative without this comment. Only PSAF Volume 3 was in scope for the 201909 ballot. Security WG will consider ISO 23903, once adopted, in any future updates to PSAF if this specification is made freely available to HL7 members.
John Moehrke and Mohammad Jafari discussed the OAuth Subscription security issues being worked at https://chat.fhir.org/#narrow/stream/179229-subscriptions/topic/OAuth.20.26.20subscriptions and the ongoing need to keep track of burning issues. John added a FHIR subscriptions security Confluence page as a parking lot.
Kathleen - Added CR 25180 for security label annotation extension to indicate how to display CUI or other Privacy Marks and to list the Designator's Agency name/contacts.
John commented: I think this extension, if it is needed, should be added by an IG specific to its use. Thus a CUI implementation guide should be written that creates this extension. In this way the extension is well understood. And those declaring conformance to CUI IG would then know to look for it and what to do with it. As a core extension this would not be clear.
Kathleen responded: The requested extension has multiple use cases - CUI is just a salient example. Another example offered was the ability to specify how COPY would be displayed in the Narrative based on the PrivacyMark security label COPYMark. The assigner of "COPY" on the Resource may need to be specified. Ditto "CONFIDENTIAL" as a rendered PrivacyMark may need to have the font, placement, and all Caps specified with an annotation extension. Other PrivacyMark security labels about which implementers may want to control display include the 42 CFR Part 2 Prohibition against Redisclosure and deliver only to addressee. There are chances that internationally, there may be many privacy marks that implementers will want rendered in FHIR in a particular way. Therefore, I argue that this is a core extension, which should be available to profile rather than creating a proliferation of IG specific extensions aiming to achieve the same result.
FHIR Security call cancelled. John is looking for new time.
Discussion thread on Zulip @ https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Proposed.20extension.20for.20CUI.20codes
Sequoia CUI Discussions
No work moving forward on creating the PSS at this time. Sequoia notified Mike that they are members of HL7 and will be providing resources toward the project.
Update on the CUI/Security Labeling X-Paradigm IG PSS
Progress on the FHIR DS4P IG
MOTION: Approve the Cross-Paradigm ("X-Paradigm") IG PSS covering security labeling across the family, including wrappers.
Moved: x / Second: x
Discussion: Approve/Abstain/Oppose: 0 - 0 - 0
Basic Provenance Report out
Confirm that at least one Security Co-chair is in attendance in order to provide a vote/block vote for Basic Provenance calls.
Brett gave update on where the project is on completing ballot reconciliation.
Plan is to continue weekly calls.
Brett asked whether block votes should always be decided on the Security WG call, or whether block votes can be held on the Basic Provenance call if a Security Co-chair is present and chairing. Kathleen will check with Security WG on the 11/19 call.
Question for Security WG: should all Basic Provenance block votes be held on Security WG calls, or can they be held on the Basic Provenance call if a Security Co-chair is present and chairing?
Decision: If a Security Co-chair is presiding over the Basic Provenance call, then hold block votes there and report to Security WG. If no Security Co-chair is available and timing is critical, then schedule the vote for a Security WG call.
Cancel 11/26 call
WGM Report out
Kathleen - Draft WGM Minutes - in process.
Share with Protections
Mike Davis - we have wrapped this into the CUI IG. We have a couple of documents on SwP and have some editorial changes to make to the original PPT document. Mike will complete these and present the final to the Security WG.
Mike will present updates on the week following Thanksgiving.
Update on SwP Part 1 and Part 2 (drafts to be presented). Recommend a FHIR IG PSS for SwP.
(SP) 800-207, Zero Trust Architecture
Mike Davis: Should HL7 Sec WG provide comments on NIST Zero Trust Architecture relevant to standards work? Reference HL7's PSAF Vol 1 with links to relevant sections such as Fig 7, 9, 12, 18, etc.
Federal Health IT Strategic Plan
Mike Davis: Should HL7 Security comment on the Federal Health IT Strategic Plan?
Next week's Security Meeting (Thanksgiving week) has been cancelled. Kathleen will send out notice.
Adjournment: Meeting adjourned at 1:35 Arizona Time
Temporary Meeting Recording: https://fccdl.in/mv0Eg45dFE
Adam Wong, HHS
Chris Shawn, Co-Chair
David Staggs, SRS
Heather McComas, AMA
John Davis (Mike)
John Moehrke, Co-Chair
Julie Chan, CWGlobal
Kathleen Connor, Co-Chair
VA (Book Zurman)
Laura Bright
Laura Hoffman, AMA
Matthew Reid, AMA
VA (Book Zurman)
Ricky Sahu, 1up.health
Robert Dieterle
Saul Kravitz, MITRE
Stephen MacVicar, MITRE
VA (Book Zurman)
Terrence Cunningham 'Terry'
Trish Williams, Co-Chair, Flinders University