Wednesday, December 9, 2009

Current Security and Privacy developments

This is a simple listing of all of the Security and/or Privacy developments underway. I am sure there is something missing, but I find it useful to track the efforts. This is grouped but not in any particular order. Please feel free to comment with updates. Getting access to the working drafts is not always possible given the governance of the controlling organization. I can assist with getting anyone engaged with the work item.
  • Country Specific
  • Profiling Organizations
    • IHE -- http://www.ihe.net
      • Update to XUA to add one or more options for attributes to enable Access Control. Potentially using XSPA, as well as experience from NHIN and epSOS.
  • Standards Organizations
    • HL7 -- http://www.hl7.org
      • Security TC http://wiki.hl7.org/index.php?title=Security
        • Security Domain Analysis Model
          • This project is intended to create and ballot a single HL7 Domain Analysis Model (DAM) integrating both security access control and privacy information models.
        • Risk Assessment Framework Cookbook
          • The scope of this project is to create a unified method and process to identify issues, categorize them using a standard and accepted risk framework, bring the risks to the attention of the Security Technical Committee (TC) and use the consulting and oversight of that committee to standardize the much needed solutions and at the same time leverage the limited resources available.
        • Privacy and Authorization Terminology
          • The scope of this project includes incorporation of additional RBAC permission vocabulary (e.g., Healthcare Financial Transactions), Privacy Consents and Constraints. Has passed ballot, now being reconciled.
      • CBCC TC http://wiki.hl7.org/index.php?title=Community-Based_Collaborative_Care
        • Update V3 Privacy Message
          • CBBC balloted a V3 Privacy message a couple of years ago that resulted in a normative standard; they may update this in the Spring of 2010.
        • Consent Directive CDA Implementation Guide.
          • The project is intended to produce a structured document specification to exchange signed Consent Directives.
        • Composite Privacy Consent Directive R2
          • In addition to the analysis of new requirements, this project will correct any problems detected in the current 'Data Consent R1' standard.
      • Joint work
        • confidentialityCode - clarification of the purpose of this attribute and the purpose of each vocabulary value. Hopefully this will NOT create unnecessary interoperability problems given legacy, IHE, and DICOM use of the same named attribute.
      • SOA - PASS
      • CCOW
        • SAML Assertions as proper user identity subjects
    • DICOM - http://medical.nema.org (follow link for DICOM Standard) or ftp://medical.nema.org/medical/dicom/2008/ (changes with annual publication)
      • DICOM supplement 95 -- Audit Trail Messages
        • fixes, radiology extensions, and addition of SYSLOG-PROTOCOL family
      • DICOM Supplement 142 -- Clinical Trial De-identification Profiles
      • CP-884 - DNS self-discovery for secure DICOM services
      • CP-892 - Add De-identifying Equipment to Contributing Equipment Sequence
      • CP-895 - Password based encryption for media security
    • ISO - TC 215
      • ISO/PRF TS 21547 Health informatics -- Security requirements for archiving of electronic health records -- Principles
      • ISO/PRF TR 21548 Health informatics -- Security requirements for archiving of electronic health records -- Guidelines
      • ISO/CD 22857 Health informatics -- Guidelines on data protection to facilitate trans-border flows of personal health information
      • ISO/CD 27789 - Health informatics -- Audit trails for electronic health records
        • Started based on RFC3881, but has diverged
    • IEC
      • IEC 80001 -- Risk Management approach to connecting a medical device to a healthcare network, including security risks.
    • OASIS -- http://www.oasis-open.org
  • Other Organizations
    • Joint working group HIMSS & NEMA
      • Next generation of MDS2