HL7 Security & Accountability SIG Minutes, Sept. 27-29, 2004

Attendees

Name / Affiliation / E-mail Address
Glen Marshall / Siemens /
Dawn Rota / VA /
Bernd Blobel / HL7 Germany /
Hideyuki Miyohara / HL7 Japan /
Ernest Chan / KP /
Ed Coyne / SAIC (VA) /
Wayne Haber / SecureWorks /
Mike Davis / VA /
Mark Morwood / Sentillion /
Bill Raves / Misys /
John Moehrke / GE /
Matt Ruebel / Cerner /

Agenda Items

  1. Dawn Rota was elected as co-chair
  2. We reviewed the charter update intended to advance the Security and Accountability SIG to become the HL7 Security Technical Committee. This will be presented to the Architectural Review Board with the intent of seeking approval in the January TSC meeting.
  3. We heard update presentations from these external groups (no action items):
     • IHE: Auditing, Directory, PKI, RBAC
     • European activities
     • ISO/TC 215 WG 4
     • ASTM E31.20
     • US Federal Government
  4. Joint meetings were held:
     • CQ (hosting) – Sept. 27, 4Q
     • PM (hosting) – Sept. 28, 2Q
  5. Communications and meetings
     • The SIG chairs request that we use the HL7 web site document area for official documents, versus distributing documents via e-mail
     • Planned meetings for January:
       • Tuesday 1Q-3Q – committee meeting
       • Tuesday 3Q – joint with CQ (hosting)
       • Wednesday 1Q – joint with MnM (hosting)
       • Thursday 1Q-4Q – committee meeting
  6. Role Based Access Control
     • The RBAC Plan of Action was approved unanimously (7 votes)
     • Discussions on Sept. 29:

Artifacts Presented:

  • HL7 Lab Freq Order Full Example
  • HealthcareScenarioRoadmap_ASTM
  • Scenario-driven Role Engineering Process for Functional RBAC Roles
  • Healthcare RBAC Role Engineering Process, v.3.0 (should be v3.1). Mike to change gray boxes (CRIM instead of RMIM; RIM is all-encompassing and not database)
  • Security and Business Rules in RBAC R008

Goal: Standard catalogue of healthcare permissions {operations, objects}.

Recommendation: Approach TCs that are ready for this process (EHR), since this is a new paradigm for HL7, which had previously created storyboards to support and depict messaging, not workflow.

Normative deliverable: HDF modification (the role engineering process).

Security and Accountability needs to:

  • outline the process
  • end up with consistent results at the same level

RMIM and DMIM not detailed enough to identify objects. EHR may help define?

January ’05 – MnM wants to flesh out the role engineering process (for inclusion in the HDF).

Access control roles, business rules and security rules are conceptually separate, but combined at the enterprise level (high-level) managed by same admin. Implementation considerations.

Issue: Do we define permissions allowing constraints?

  • ISO separated roles from policies with policy associating constraints.
  • HL7 – We won’t agree on constraints. Sec TC is not currently capturing constraints or business rules (although properly, need to capture both).

What level do we use?

  • We need a rule that all can follow.
  • An object should be reasonable and usable. Not more detail than applications support so that it is implementable (and transportable via HL7 messages and transactions). Is this the RIM ‘ACT’?

Details of activities to do per HL7 Sec TC RBAC Work Plan:

  • Sec TC members need access to RBAC documents and Sec TC work documents for review of terminology, etc., to create the framework for permissions vocabulary, etc. Artifacts were distributed to attendees at Atlanta WGM. Will also be made available via HL7 website.
  • VHA to develop use cases and possibly pass out to TCs for validation, rather than have the TCs write them. Domain experts/Clinicians to define the scenarios, use cases and permissions.