
Chair: @Chris Shawn

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download 

https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet

ATTENDEES - PLEASE TYPE YOUR NAME IN THE CHAT OR  IF YOU ARE ON THE CONFLUENCE SITE, PLEASE SCROLL DOWN TO THE BOTTOM AND CHECK YOURSELF IN TO BE COUNTED FOR ATTENDANCE - THANK YOU!

Agenda Topics 

Minutes Approval

Approve Meeting Minutes: 2020-05-12 Minutes and 2020-05-21 Minutes



Motion to Approve  5/12/2020 WG call

Moved/Second: Suzanne/ Kathleen

Vote - Approve/Abstain/Oppose: 7 - 1 - 0


Security WGM

2020-05 Security WGM Minutes

Motion to Approve 202005 Security WGM Minutes

Moved/Second: Beth/Mohammad

Vote - Approve/Abstain/Oppose: 7- 0 - 0

Connectathon Security Labeling Track Report Out
FHIR DS4P IG

Review Reconciliation Spreadsheets and JIRA Ballot Recon - May not be ready by call

Approve Sept NIB due by July 5 per Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives - driven by missing definitions, which result from tooling errors we need to fix, and by a general misunderstanding: the FHIR DS4P IG is the basis for the profiles in policy-specific security label IGs, much like the CDA DS4P IG is. Only the profiles are implementable.

https://www.hl7.org/documentcenter/public/wg/tsc/HL7%20May%202020%20Ballot%20Results.zip

Deferred Sept NIB by July 5 per Security WG Admin

Motion to Approve FHIR DS4P IG NIB for Sept Ballot

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

Cross-Paradigm US Regulatory Security Labeling IG

Kathleen - Continued work on the CDA templates for US Regulatory Labels.  Meeting with the Structured Document Example Task Force to ensure that templates are done correctly.

Planned for September ballot - Will be bringing ballot material forward for WG review.

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material: https://github.com/HL7/us-security-label-regs

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Deferred Sept NIB by July 5 per Security WG Admin

Motion to Approve Cross-Paradigm US Regulatory Security Labeling IG NIB for Sept Ballot

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

FHIR Security




Security and Privacy Information Model (S&P DAM REFRESH)

Review WGM notes on PSS review.

Review any revisions and seek approval of the HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

Need to complete PSS milestones per Security WG Admin (see Upcoming PSS and NIB Deadline Dates for Future Ballot Cycles):

Security WG approval June 5, 2020

ISD approval - by July

TSC before August 23, 2020

Deferred until Mike revises per comments recorded in 2020-05 Security WGM Minutes

Motion to Approve HL7 Privacy and Security Information Model PSS

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0



Infrastructure SD

SMART Web Messaging PSS

Brett Marquard to discuss Security WG co-sponsorship

SMART Web Messaging enables tight UI integration between EHRs and embedded SMART apps via HTML5's Web Messaging. Use SMART Web Messaging to push unsigned orders, note snippets, risk scores or UI suggestions directly to the clinician's EHR session. Built on the browser's JavaScript window.postMessage function, SMART Web Messaging is a simple, native API for health apps embedded within the user's workflow.

Security Concerns: There are issues behind Privacy by Design (discussion)

(Note: the security risk box was listed as "yes" - this was incorrect for security risk)

See discussion on vote at SMART Web Messaging Project

Kathleen Commented: Agree with Matthew that this PSS needs to assess security concerns (GDPR, HIPAA, FERPA) at Implementation. Security WG is concerned that 3c. Security Risk is still blank. Please address this entry. Not sure the PSS is valid unless addressed in some way.
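The security concern above comes down to how the EHR treats window.postMessage traffic from an embedded app. The following is an added example, not code from the SMART Web Messaging project or this PSS: an EHR-side handler that accepts messages only from the app's registered origin, only for an allowlisted set of message types, and replies with an explicit target origin. The origin value, the message field names (messageType, messageId, responseToMessageId, payload) and the allowed types are assumptions made for this example.

```javascript
// Added example (not from the SMART Web Messaging project or this PSS): an
// EHR-side handler for window.postMessage traffic from an embedded SMART app.
// The registered app origin, the message field names (messageType, messageId,
// responseToMessageId, payload) and the allowed types are assumptions here.

const APP_ORIGIN = "https://app.example.test"; // constructed: origin registered at app launch
const ALLOWED_TYPES = new Set(["ui.done", "scratchpad.create"]); // assumed message types

// Validate one incoming message. Returns {ok:true, type, id, payload} or
// {ok:false, reason}; never throws, so a bad message cannot break the listener.
function handleAppMessage(event, expectedOrigin = APP_ORIGIN, allowed = ALLOWED_TYPES) {
  // 1. Origin check: the browser sets event.origin; anything else is dropped.
  if (event.origin !== expectedOrigin) {
    return { ok: false, reason: "origin-mismatch" };
  }
  // 2. Structural check: data must be an object carrying a string messageType.
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.messageType !== "string") {
    return { ok: false, reason: "malformed" };
  }
  // 3. Allowlist check: unknown message types are refused, not dispatched.
  if (!allowed.has(msg.messageType)) {
    return { ok: false, reason: "type-not-allowed" };
  }
  return { ok: true, type: msg.messageType, id: msg.messageId, payload: msg.payload || null };
}

// Build the reply together with the exact origin it may be delivered to (never "*").
function buildReply(messageId, payload, targetOrigin = APP_ORIGIN) {
  return { targetOrigin, message: { responseToMessageId: messageId, payload } };
}

// Wire the handler to a window-like object; dispatch(type, payload) produces the reply payload.
function installListener(win, dispatch) {
  win.addEventListener("message", (event) => {
    const result = handleAppMessage(event);
    if (!result.ok) {
      return; // drop silently; record result.reason in the audit log if required
    }
    const reply = buildReply(result.id, dispatch(result.type, result.payload));
    // Replying through event.source with an explicit targetOrigin means the
    // response is not delivered if that frame has navigated to another origin.
    event.source.postMessage(reply.message, reply.targetOrigin);
  });
}

if (typeof window !== "undefined") {
  installListener(window, (type) => ({ status: "ok", handled: type }));
}
```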

Motion to Approve Security as a Co-sponsor of SMART Web Messaging PSS

Moved/Second: Kathleen / Brett

Vote - Approve/Abstain/Oppose: 9 - 0 - 0

Share with Protections White Paper Project

Share with Protections Project Scope Statement  

TSC approved the PSS.

Work to add functional and technical requirements underway.

Deferred Sept NIB by July 5 per Security WG Admin

Motion to Approve Share with Protections White Paper NIB

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

Security WG Health

Clean bill of health. Virtual stars to everyone.


Security and Privacy DAM Publication

Kathleen is reformatting the DAM after Lynn adds the cover page and footers. Final format QA completion date - 6/2 for submission to HQ for ANSI publication.

Security and Privacy Domain Analysis Model Publication Request is now on Confluence.

This request was previously approved in Sept 2019 WGM.  

Still need to review/approve product brief and get correct coversheet.

The balloted DAM link: http://www.hl7.org/v3ballotarchive/v3ballot/html/dams/uvsec/V3DAM_SECURITY_R1_I1_2014MAY.pdf


CARIN Blue Button Report Out

Nothing to report.

Security is a cosponsor of CARIN Blue Button IG. Calls http://www.hl7.org/concalls/CallDetails.aspx?concall=48592 Monday Mar 2, 2020 - 02:30 PM (Eastern Time, GMT -05) https://leavittpartners.zoom.us/j/461256971 or Dial: 1 646 876 9923 // Meeting ID: 461 256 971


DaVinci Payer Provider Exchange IG

Bob Dieterle asked to move discussion about (3) RE FHIR-23293 CDS Hooks OAuth Tokens (detailed below) to the PDex call 4/24.

(3) RE FHIR-23293 CDS Hooks OAuth Tokens - Waiting on Bob Dieterle's diagram of the process walk through

Mohammad states that the Proposed Disposition “A token for access to the Payer FHIR API and the URI of the appropriate endpoint  is issued by the Payer CDS service in response to a successful CDS-Hook request” to his comment seems to have missed the point. I.e., OAuth tokens are issued by OAuth servers. The CDS server is not an OAuth server and cannot “issue” OAuth tokens; that’s why I asked the question of who issues this token that’s returned by the CDS.

BACKGROUND

FHIR-23293 – Jira Comment

From minutes:

  • Following the CDS Hooks/ SMART on FHIR use case, which has been tested at multiple Connectathons
  • Up until we used it for PDex, the use of CDS Hooks was always from a 3rd party to a provider, and not from a provider to a payer
  • Token is being issued exactly the same way
  • Responder of the CDS Hook is issuing a token in this case (the data holder is issuing the token)
  • FHIR Specification Feedback
  • FHIR-23293

It is not clear who issues this Access Token and who it is issued to - PDex #101

http://hl7.org/fhir/us/davinci-pdex/2019Jun/6-4_Hook_Configuration.html

Resolution Description:

A token for access to the Payer FHIR API and the URI of the appropriate endpoint is issued by the Payer CDS service in response to a successful CDS-Hook request.

Description

Existing Wording: When a Card is returned from the CDS Hooks appointment-book service by a Health Plan it will provide the following elements:

  • An Access Token for secure access to the Health Plan's FHIR API

Comment:

It is not clear who issues this Access Token and who it is issued to. If this is an OAuth access token, the flow for issuing it and identifying the client to the OAuth server must be clarified. It is also a major flaw from the OAuth perspective that the Access Token which must be known only to the specific client (in order to ensure accountability) is shared with the CDS service. Generally access tokens should not be known to any party other than the Client and the OAuth Server.

Moreover, it must be clearly stated that this access token must be restricted only to the Member in question and the recipient must not be able to recover any other members' information using this access token.

Summary:

It is not clear who issues this Access Token and who it is issued to

4/15

A token for access to the Payer FHIR API and the URI of the appropriate endpoint is issued by the Payer CDS service in response to a successful CDS Hook request.
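Whoever ends up minting the token, the Jira comment above asks for two properties the Payer FHIR API can enforce on its own side: the token must be intended for this API rather than for the CDS service, and it must be restricted to the one member in question. The following is an added example, not part of the PDex IG or of the Jira resolution: a per-request authorization check over a token introspection result. Token fields follow RFC 7662 introspection (active, aud, scope, exp) plus a SMART-style `patient` launch-context claim; the request shape and the audience value are assumptions made for this example.

```javascript
// Added example (not part of the PDex IG or the Jira resolution): a check the
// Payer FHIR API can run on every request so that an access token only ever
// reaches the member it was bound to. Token fields follow RFC 7662
// introspection (active, aud, scope, exp) plus a SMART-style `patient` claim;
// the request shape and the audience value are assumptions for this example.

const PAYER_FHIR_AUD = "https://payer.example.test/fhir"; // constructed audience

// Parse SMART patient-level scopes such as
// "patient/Coverage.read patient/ExplanationOfBenefit.read" into type -> permission.
function parseScopes(scope) {
  const granted = new Map();
  for (const s of (scope || "").split(/\s+/).filter(Boolean)) {
    const m = /^patient\/([A-Za-z]+|\*)\.(read|write|\*)$/.exec(s);
    if (m) granted.set(m[1], m[2]);
  }
  return granted;
}

// Returns { allow, reason }. nowSeconds is injectable so tests can pin time.
function authorizeMemberRequest(token, request, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!token || token.active !== true) return { allow: false, reason: "inactive-token" };
  if (typeof token.exp === "number" && token.exp <= nowSeconds) return { allow: false, reason: "expired" };
  // A token minted for some other service (for example the CDS service) is refused here.
  const aud = Array.isArray(token.aud) ? token.aud : [token.aud];
  if (!aud.includes(PAYER_FHIR_AUD)) return { allow: false, reason: "wrong-audience" };
  // The token must be bound to exactly one member; an unbound token is unusable.
  if (typeof token.patient !== "string" || token.patient === "") return { allow: false, reason: "no-member-binding" };
  // Every request must stay inside that member's compartment.
  if (request.patient !== `Patient/${token.patient}`) return { allow: false, reason: "cross-member-access" };
  // Resource type and operation must be covered by a granted patient/ scope.
  const granted = parseScopes(token.scope);
  const perm = granted.get(request.resourceType) || granted.get("*");
  const needed = request.operation === "read" ? "read" : "write";
  if (!perm || (perm !== "*" && perm !== needed)) return { allow: false, reason: "scope-not-granted" };
  return { allow: true, reason: "ok" };
}
```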


HL7 Policy Advisory Committee


PAC WGM focused on salient US and International emerging legislation.

Next meeting will have a Security Labeling demonstration based on ONC LEAP Consent project.

Key areas of interest to Security WG are

.

Co-chair Elections

All 5 Security WG Co-chair seats are up for election. At this time, all current Security co-chairs have been nominated as candidates.

Notes from CHAT

Requesting review; please provide comments.

High Water Mark on Bundle - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Meaning.20of.20Security.20Labels.20on.20Bundles

Consent - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Consent.20IG.3F


Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 12:34 Arizona time

Meeting recording:

Attendees

  • @Adam Wong adam.wong@hhs.gov, HHS
  • ONC
  • HL7 Austria
  • Kaiser
  • Amol Vyas amol.vyas@cambiahealth.com, Cambia Health
  • Wave One
  • Aegis
  • Celine Lefebvre Celine.Lefebvre@ama-assn.org, AMA
  • Clara Y. Ren clara.y.ren.ctr@mail.mil, Federal Electronic Health Records Modernization (FEHRM) Office
  • Chris Shawn, Co-Chair, VA
  • Craig.Newman@altarum.org
  • Ready Computing
  • @David Staggs drs@securityrs.com, SRS
  • Debra Simmons debrasimmons@
  • Sequoia
  • Heather McComas heather.mccomas@ama-assn.org, AMA
  • EPIC
  • Jeff Helman
  • Jim Kamper, Altarum
  • Federal Electronic Health Records Modernization (FEHRM) Office
  • SRS
  • John Davis (Mike), VA
  • John Moehrke, Co-Chair, By-Light
  • Aegis
  • Julie Chan jchan@cwglobalconsult.com, CWGlobal
  • Kathleen Connor, Co-Chair, VA (Book Zurman)
  • Laura Bright laurabright4@gmail.com
  • Laura Hoffman laura.hoffman@ama-assn.org, AMA
  • EMR Direct
  • Sequoia
  • Matthew Reid matt.reid@ama-assn.org, AMA
  • VA (Book Zurman)
  • LGI Software
  • PJM Consulting
  • Phillips
  • Trustworthy EHR
  • @Ricky Sahu, @1up.health, 1up Health
  • Robert Dieterle rdieterle@enablecare.us, Enablecare
  • Russ Ott rott@deloitte.com, Deloitte
  • Saul Kravitz saul@mitre.org, MITRE
  • Scott Fradkin sfradkin@flexion.us
  • Jopari
  • Stephen MacVicar smacvicar@mitre.org, MITRE
  • VA (Book Zurman)
  • AMA
  • Flinders University
  • Vicki Giatzikis vig9034@nyp.org, NYP

