Thursday, August 2, 2012

HL7 WGM - Introduction to Security and Privacy

The HL7 Security Workgroup is hosting a Free Educational Session at the Baltimore HL7 Working Group Meeting - September 12th, afternoon. See Page 13 in the HL7 Workgroup Meeting Brochure.
This session will focus on how to apply security and privacy to the health IT standards. It will cover the basics of security and privacy using real-world examples. The session will explain how each phase of design needs to consider risks to security and privacy so that both are designed in, and the mechanisms for flowing risks down to the next phase of design. In addition, it will cover the security- and privacy-relevant standards that HL7 has to offer, including: Role-Based-Access-Control Permissions, Security/Privacy ontology, ConfidentialityCode, CDA Consent Directive, Access Control Service, Audit Control Service, and others. These standards and services will be explained in the context of providing a secure and privacy-protecting health IT environment.
As a FREE Educational Session this takes place in the Security Workgroup meeting room Q3-Q4 Wednesday. I invite all members of the security workgroup to attend, engage in discussion, and offer to lead topics. I am prepared to do this completely on my own, but really really enjoy sharing the spotlight.

What I have planned is for the first Quarter (Q3 Wednesday) to cover our already prepared Security Risk Assessment Cookbook Tutorial. The focus here is on fundamentals of security and privacy risk assessment as a means to determine realistic requirements that mitigate risks in a complete and appropriate way. This will be accelerated, as it was originally intended to be twice this long. It might get compressed even more if we uncover and create more compelling second-half work.

For the second half of the afternoon (Q4 Wednesday) I would like to cover the other security and privacy components that exist in HL7. Here is where I really hope to leverage the expertise of the other Security Workgroup members.
  • HL7 Value Sets using Code System Confidentiality (2.16.840.1.113883.5.25) -- This vocabulary is used in the confidentialityCode metadata attribute to identify the data object sensitivity and confidentiality classification. This enables both segmentation of especially sensitive topics and Role-Based-Access-Control that protects objects for both security and privacy.
  • HL7 Version 3: Composite Privacy Consent Directive (CDA), DSTU Release 2 -- This CDA document object captures the patient privacy preferences, authorizations, and consents. This document is used as evidence of a patient consent ceremony and as a trigger for privacy policy engines to enforce the patient's privacy.
  • Role-Based Access Control Permission Catalog (RBAC), Release 2 -- This vocabulary enables communication of users' permissions in an interoperable way. This vocabulary can be used at a multitude of points in the Privacy and Security system.
  • Privacy, Access and Security Services (PASS)
    • Access Control Service -- This is a service being defined for support of access control decisions and enforcement.
    • Healthcare Audit Services Release 1.0 -- This service specification is available and enables security audit log recording. There are also service endpoints to enable different security and privacy audit analysis use-cases, including the creation of an accounting of disclosure.
  • EHR Functional Model, Release 1 -- The EHR functional model includes a comprehensive set of security and privacy functions. This catalog includes detailed system level requirements that are actionable and testable. Profiles of this functional model are available for many functional systems including an EMR and PHR.
  • HL7 Version 3 Standard: Transport Specification, MLLP, R2 -- The HL7 transport specifications include transport security (e.g. TLS).
  • and probably some of the currently under development things...
Most important is that this is a discussion. We will cover whatever material the audience needs to cover in the space of what HL7 has to offer in the realms of Privacy and Security.