Skip to end of metadata
Go to start of metadata

Chair:  John Moehrke

Scribe: John Moehrke  

Mondays at 12:00 pm Eastern Time -

NOTE: This attendance applies if you are present at the related meeting/call, regardless if you have signed a different attendance for your WG. 


Minutes Approved as Presented 2019-12-09 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."

Agenda Topics

Agenda Outline

Agenda Item

Meeting Minutes from Discussion

Decision Link(if not child)
Management Minutes ApprovalMinutes approved
New projects?

Potential (but only if someone steps forward) new projects this committee could take on:

* Basic Provenance in FHIR
* AuditEvent supporting Patient Empowerment
* Additional guidance for the core security pages
Security around FHIR Subscription
Security around bulk-data access
Security around multi-organization interactions (e.g. HIE)
* App dynamic registration
* Updating of SMART-on-FHIR with next kind of use-case (tbd)
* Templating of IG to drive Security Considerations
* Templating of IG to drive consistent use of Provenance, AuditEvent, and Signatures
* Definition of a new Resource for Permission use-cases
* Creation of a library of security/privacy focused IG that can be included in 'other' IG as modular security solutions (similar to how SMART-on-FHIR is used today, but supporting other security models). This might be where the subscription, bulk-data, and multi-organization solutions are organized for easy use.  

didn't review

Permission Resource

Reviewed Jose's blog

  • Not clear how the use-cases are not satisfied by current solutions between data tagging, bundle tagging, consent, and contract
  • Likely the cases need to focus more on the non-contract use-cases, those where the communication channel has many possible policies where thus the communication needs to be specific about the permission provided

FHIR IG Proposal for gov work

IG Proposals

Mostly the information comes from our PSS.

Specifically focus on 

  • Proposed IG realm and code
    • us/security-gov-labels
  • short description
    • should be a single sentence of "what is the problem solved"
  • long description
    • should be a few paragraphs on "what is the problem solved: do not include how it is solved.
    • Should be readable by typical HL7 audience, so should explain special terms, but can expect typical HL7 level of reading comprehension.

Prototype (unofficial) Government Regulated Security IG

Known issues not yet updated:

  • break the one valueset into many, to be specific to use-cases and transaction
  • unknown code of "COR" is actually "COC"
  • add code for research?
  • Explain that the need for communication of is because the communication channel supports multiple policies, so the selects which of these policies applies to the request and response

Will get renamed when IG Proposal is complete 

Updates can be provided by a forked pull-request

John to consider adding Mohammed to the project to ease updates.

In addition to the known issues to the left

  • group confidentialtiyCode and CUI for use on data
  • TPOR - Treatment, Payment, Operations, and Research 
    • Not clear to me how Research fits in our three use-cases
  • Add extensions that have been mentioned around CUI need

In ProcessSecurity Open Items – now in JIRA

FHIR-24908 - Where vocabulary and valuesets come from DICOM, they should be imported and used from DICOM – elimination of AuditEvent codeSystem duplicaitonwaiting on dicom

FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabularywaiting on iso

FHIR-24676 - PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabularywaiting on iso

FHIR-23712 - Getting issue details... STATUS  waiting on ISO

waiting on iso

FHIR-11071 - Getting issue details... STATUS  DS4P and CUI will be creating IG. This exercise will result in update of the FHIR core with informed instructions

moved to DS4P
Open Items

T Key Summary Assignee Reporter P Status Resolution Created Updated Due

FHIR BlockBlock vote preparation


FMMDefined plan to mature

Connectathon Update on Security at FHIR connectathon

SMARTdiscussion of next generation of SMART

Consent servicediscussion of next generation consent service

Management Next agenda

New Business

60 minutes

Supporting Documents

Outline Reference

Supporting Document

Minute Approval