
2020-09-01 Security WG Agenda/Minutes

Created by , last modified Kathleen Connor about 2 hours ago


Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

 Zoom Client Download

https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866

Participant Passcode: 675 407 5337

Zoom Tip Sheet

ATTENDEES - PLEASE TYPE YOUR NAME IN THE CHAT. IF YOU ARE ON THE CONFLUENCE OR SITE, PLEASE SCROLL DOWN TO THE BOTTOM AND CHECK YOURSELF IN TO BE COUNTED FOR ATTENDANCE - THANK YOU!

Agenda Topics

Agenda Overview

Minutes
FHIR Security
Privacy and Security Logical Model call
Security WGM Prep
FHIR DS4P IG - Ballot Reconciliation
Cross Paradigm US Security Labeling IG
Infrastructure SD
Share with Protections White Paper Project
CARIN Blue Button Report Out
HL7 Policy Advisory Committee (PAC)
Chat notes

Minutes Approval

Approve Meeting Minutes:

2020-08-25 Security WG Agenda/Minutes

Motion to Approve Meeting minutes as written

Moved/Second: JohnM / Suzanne

Vote - Approve/Abstain/Oppose :  

FHIR Security

Bob walked through payer provenance requirements per the CMS rule (see attached deck). John and Kathleen asked why payers don't know the identity of the entities from which the target was derived. Bob stated that the CMS rule requires the payer to disclose the USCDI data elements using FHIR; the inbound information is derived from various standard transactions and stored in a "data lake" from which the output is generated. Perhaps in the future, payers will keep closer track of the data lake content's provenance so that the actual entity can be referenced or identified in Provenance.

Both Kathleen and John would prefer to have the ProvenanceSource extension on entity rather than on target. The issue is that PDex is using R4 Provenance, which has entity set to 1..1. That can be fixed in R5, but for now there would have to be a way to populate entity. John suggested using a text description rather than an identifier. He will continue the modeling discussion online. Kathleen requested that the discussion take place on the list so that others can weigh in.

2020-08-31 FHIR-Security Meeting Agenda: Discussed PDex Provenance extension - agreed that it should be on Provenance.entity.

Bob Dieterle is scheduled to join to discuss on this call. His description of the need for the ProvenanceSource extension:

"In general, the payer does not have the ability to point to a specific item (e.g. CCDA) in which the data was received. They know that it was from a CCDA, but not the unique identity of the original CDA. Remember, the data covered by the regulation goes back to 1/1/2016 and is frequently separated from the source data and maintained in an organization data store. The goal of the extension is to identify the source “type” and not the specific source item. The source entity and receipt date/time use existing elements in the provenance resource."

Bob also stated that: "We want to have the data attributed to a specific entity and date received and attribute to multiple sources (e.g. no need for other than 0..1).  Let’s discuss the requirements and implications of the approach on the call."

See attached ppt.

John noted that the extension carries information that could instead be carried in Provenance.entity.what, with .type filled out from a vocabulary defined by PDex.

Updates on FHIR Ballot

Note: Connectathon Tracks related to Privacy/Security:

2020-09 Consent Management and Enforcement Services Track

2020-09 FHIR Bulk Data

2020-09 Argonaut Granular Controls

FHIR Registry Birds of a Feather Recording

This session presented an overview of the new FHIR registry, https://registry.fhir.org, which will soon be made available for use by HL7 International. The upgraded FHIR registry contains powerful new query features for the FHIR community to find any FHIR package, profile or resource for reuse or to inform standards development projects. The registry content is now based on the FHIR package registry, bringing together production ready FHIR resources and packages from the core HL7 FHIR specification, HL7 published Implementation Guides and community FHIR content from Simplifier.net.

Mark stated that he's played around with extension on entity but hadn't been able to make it work yet.  Bob stated that the PDex Connectathon track will try both approaches, i.e., put ProvenanceSource extension on target and on entity.

Mark and John both suggested that the payer's provenance use case isn't specific to payers, e.g., HIEs and other data manipulators may have the same issue.
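As an added illustration of the modeling choice discussed above (this is not code from the minutes, the PDex IG, or the Connectathon track), the Python below builds an R4 Provenance for payer data whose specific source item is unknown: the source "type" goes in an extension placed either on Provenance.entity or on the Provenance itself, the receipt date/time goes in Provenance.recorded, and entity.what is a display-only Reference, i.e. the text description John suggested. The extension URL, the agent and the sample values are placeholders I assume for the example; the validator checks the R4 cardinalities the discussion hinged on.

```python
# Added example, not from the HL7 minutes or the PDex IG. Builds and validates an R4
# Provenance for data received from a source whose exact identity the payer cannot name.
from __future__ import annotations

# Placeholder URL: the real PDex ProvenanceSource extension URL is not given in the minutes.
SOURCE_TYPE_EXT = "http://example.org/fhir/StructureDefinition/ProvenanceSource-PLACEHOLDER"

# R4 Provenance.entity.role value set (ProvenanceEntityRole), required, 1..1 per entity.
ENTITY_ROLES = {"derivation", "revision", "quotation", "source", "removal"}


def make_provenance(target_ref: str, source_type: str, received_iso: str,
                    description: str, placement: str = "entity") -> dict:
    """Build a Provenance for `target_ref` (e.g. 'Condition/abc').

    source_type  - kind of source ("CCDA", "X12-837", ...) carried by the extension
    received_iso - when the payer received the data -> Provenance.recorded (instant)
    description  - text standing in for the unknown source item -> entity.what.display
    placement    - "entity": extension on Provenance.entity; "target": on the Provenance
    """
    if placement not in {"entity", "target"}:
        raise ValueError("placement must be 'entity' or 'target'")
    ext = {"url": SOURCE_TYPE_EXT, "valueCode": source_type}
    entity = {
        "role": "source",
        # R4 requires entity.what (1..1); a display-only Reference satisfies that
        # without claiming an identifier the payer does not have.
        "what": {"display": description},
    }
    prov = {
        "resourceType": "Provenance",
        "target": [{"reference": target_ref}],
        "recorded": received_iso,
        # Constructed agent: the payer's data store that produced the output.
        "agent": [{"who": {"display": "Payer data lake (placeholder)"}}],
        "entity": [entity],
    }
    if placement == "entity":
        entity["extension"] = [ext]
    else:
        prov["extension"] = [ext]
    return prov


def validate_provenance(prov: dict) -> list[str]:
    """Return the R4 cardinality violations relevant to this modeling question."""
    issues: list[str] = []
    if prov.get("resourceType") != "Provenance":
        issues.append("resourceType must be Provenance")
    if not prov.get("target"):
        issues.append("Provenance.target is 1..*")
    if not prov.get("recorded"):
        issues.append("Provenance.recorded is 1..1")
    if not prov.get("agent"):
        issues.append("Provenance.agent is 1..*")
    for i, ent in enumerate(prov.get("entity", [])):
        if ent.get("role") not in ENTITY_ROLES:
            issues.append(f"entity[{i}].role must be one of {sorted(ENTITY_ROLES)}")
        what = ent.get("what")
        if not what or not any(k in what for k in ("reference", "identifier", "display")):
            issues.append(f"entity[{i}].what is 1..1 and needs a reference, identifier or display")
    return issues


def source_type_of(prov: dict) -> str | None:
    """Read the source-type extension wherever it was placed (entity or Provenance)."""
    for holder in [prov] + prov.get("entity", []):
        for ext in holder.get("extension", []):
            if ext.get("url") == SOURCE_TYPE_EXT:
                return ext.get("valueCode")
    return None
```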

Privacy & Security Logical (Information) Model

2020-08-26 Privacy and Security Logical Information Model - Mike

(NIB needs to be completed before early November)

Next call tomorrow!  (last meeting before WGM)

2020-09-02 Privacy and Security Logical Information Model

Calls are on Wednesdays 1 - 2 ET http://www.hl7.org/concalls/CallDetails.aspx?concall=50666

https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866

Participant Passcode: 675 407 5337

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PSS approved 7/7

TSC PSS approval before August 23, 2020

Mike's update:

Provenance Lineage Pedigree White Paper.pptx

September WGM Prep

Connectathon information session September 1, 2020 at 4:00 PM ET by clicking here. We will record the session and place the link on the main Connectathon 25 Confluence Site immediately following. Please complete your Pre Connectathon Survey as soon as possible so that we will know which track you will participate in.

Security/CBCP WGM Planning is underway - See 2020-09 September Virtual Security WGM (please send agenda items to Kathleen Connor or Suzanne Gonzales-Webb for inclusion in the WGM Agenda)

FHIR Security session cancelled
placeholder (currently empty)
opening joint w/CBCP - report out on project
opening TUES joint w/CBCP - ballot reconciliation, etc.

JohnM will not be attending so deleted FHIR Security Session.

AlexM will make sessions as he is available 

International report out - Tuesday 9/22 4PM ET - International Security Topics (Alex will chair)

LHS WG on CBCP Joint 9/22 10AM ET

Interim WG Health - See Infrastructure

2020-09 September Virtual Security WGM

FHIR DS4P IG

Review and approve for 10/20 opening date.

FHIR DS4P IG Out-of-cycle ballot request

Carmela A. Couderc block - continue review

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Missed approval of Reconciliation prior to the July 5th Sept NIB due date - Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

Affirmative - 26
Negative - 13
Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

https://www.hl7.org/documentcenter/public/wg/tsc/HL7%20May%202020%20Ballot%20Results.zip

Reviewed Carmela's comments 1 -24.  Kathleen will send to her for feedback.  Will vote on this block next call.


Upcoming deadlines:

NIB Deadline for submission - ???, 2020
FHIR IG must be substantively complete - ???, 2020
FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
QA review cycle - ???
Content QA Change application - ???
Final content to Lynn for inclusion in Oct Out-of-cycle ballot - ???
Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence (https://confluence.hl7.org/display/FHIR/B+-+Content+Development+and+Submission)

Cross-Paradigm US Regulatory Security Labeling IG

CUI Program Blog (https://isoo.blogs.archives.gov). NARA is promoting NIEM 5.0 Beta (https://niem.github.io/niem-releases/) as the national healthcare standard for conveying CUI. https://isoo.blogs.archives.gov/2020/07/02/cui-metadata/

CUI Metadata standard available for review

July 2, 2020 by Mark Riddle, posted in General updates, Marking & examples, News

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls. NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

CUI Q4 Stakeholders Update! Call presentation

CUI Update to Stakeholders Q4 2020 presentation

August 17, 2020 by Devin Casey, posted in Events & reviews, General updates, Uncategorized

Topics include:

CUI and Metadata (update)
CUI Federal Acquisition Regulation case (update)
Recent CUI Notices
An overview of some frequently asked questions
Live Question and Answer period

https://isoo.blogs.archives.gov/2020/08/17/cui-q4-stakeholders-update-wednesday100et/

Blog PDFs:

·        Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

·        CUI Metadata standard available for review

·        CUI Marking Class (Webex)

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material:  https://github.com/HL7/us-security-label-regs

John and Mohammad are committers.

CUI Marking class (Webex)

by Charlene Wallace

CUI Marking fundamentals webex on August 28, 2020 from 11 am – 1 pm (EDT).

Participants will receive a completion certificate for attending the webex.

In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.

During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on August 28, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.

Dial-in: 888-251-2949 or 215-861-0694

Access Code: 9214891#

Need an international dial-in number?

Step 2: Join the conference on your computer.

Entry Link: https://ems8.intellor.com/login/831806

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Infrastructure SD

PSS for the January 2021 Reaffirmation Ballot of CTS2 - vote underway starting 8/13

The slide deck and the recording of the August Co-Chair Update Meeting

High expectations for WG cochair involvement and for members to generally be familiar with

Essential Requirements
GOM
JIRA for Standards Development and progression, Change Requests, Balloting
UTG - actively developing and refining HL7 terminology and participating in review/approval processes - this is no longer a single vocab facilitator role.
WG health metrics on level of WG member participation
Governance Process Participation

Melva, Dave, and Anne will be monitoring WG meeting minutes for indications that we are actually involved in governance and using the tooling.

https://www.pathlms.com/hl7/courses/22889/slide_presentations/170895

Slide 23

File Storage S3 Connectors are added to Work Group and Governance Group Confluence spaces – “S3 Storage”

- Will show up in your space over the next week
- Easy to use
- Can create folders and sub-folders
- Encourage you to decide on a structure before you get started

How to Documents - https://confluence.hl7.org/display/HDH/How+to+use+S3+file+storage

Default Permissions - mirrors Confluence permissions
- View, Create, Rename, Delete – Co-chairs
- View, Create – Jira Users
- View – Anonymous

Have questions? - Contact [email protected] FAQs will be added as questions come up

Security WG File Storage - S3 Connector

Share with Protections White Paper Project

Please sign up to vote on the Share with Protections White Paper

Ballot pool = 120.  2 abstains, 0 affirmative, 0 negatives.

Motion to Approve SwP submission for Sept Ballot

2020-06-23 Minutes

Submitted for Ballot

ONC

CMS Acts to Spur Innovation for America’s Seniors  Aug 31, 2020

Today, under President Trump’s leadership, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that unleashes innovative technology so Medicare beneficiaries have access to the latest, most cutting-edge devices. Today’s action represents a step forward that will help demolish the existing bureaucratic barriers that have created a “valley of death” for innovative products, resulting in lag times and lack of access for America’s seniors. This proposed rule delivers on President Trump’s direction to cut government red tape so seniors can access the latest treatments, which he issued in his Executive Order on Protecting and Improving Medicare for Our Nation’s Seniors.

“President Trump is delivering on the promise he made to Americans: a better, stronger Medicare program for today and the years ahead,” said U.S. Department of Health and Human Services (HHS) Secretary Alex Azar. “This new proposal would give Medicare beneficiaries faster access to the latest lifesaving technologies and provide more support for breakthrough innovations by finally delivering Medicare reimbursement at the same time as FDA approval.”

“For new technologies, CMS coverage approval has been a chicken and egg issue. Innovators had to prove their technologies were appropriate for seniors, but that was almost impossible since the technology was not yet covered by Medicare and thus not widely used enough to demonstrate their suitability for Medicare beneficiaries,” said CMS Administrator Seema Verma. “These efforts will ensure seniors get access to the latest technologies while lowering costs for innovators. Arcane bureaucratic requirements have no business preventing seniors’ access to a technology that might save their lives.”

Today’s announcement of the Medicare Coverage of Innovative Technology (MCIT) (CMS-3372-P) proposed rule, would provide Medicare beneficiaries access to the latest medical technology faster than ever. Under current rules, FDA approval of a device is followed by an often lengthy and costly process for Medicare coverage. The lag time between the two has been called the “valley of death” for innovative products, with innovators spending time and resources on FDA approval, only to be forced to spend additional time and money on the Medicare coverage process. This represents not only an unnecessary waste of resources for innovators, but also a significant problem for America’s seniors, who are prevented access to these potentially lifesaving technologies during the existing Medicare coverage determination process.

The MCIT proposal would eliminate this lag time for both seniors and innovators. It would create a new, accelerated Medicare coverage process for innovative products that the FDA deems “breakthrough,” which FDA approves on an expedited basis and could include devices harnessing new technologies like implants or gene-based tests to diagnose or treat life-threatening or irreversibly debilitating diseases or conditions like cancer and heart disease. Under the proposal, Medicare would provide national coverage simultaneously with FDA approval, for a period of four years. After that time, CMS may reevaluate the device based on clinical and real-world evidence of improvement in health outcomes among Medicare beneficiaries. This four-year timeline would incentivize the manufacturers of these breakthrough devices to develop additional evidence regarding the applicability of their products to the Medicare population, so they might continue Medicare coverage beyond the initial four years.

Importantly, because the MCIT rule would provide national Medicare coverage for four years, it would streamline identical local coverage decisions (LCDs), promoting equal access for seniors and helping innovators focus on getting their devices to patients and clinicians.  Currently, under the LCD process, 16 Medicare Administrative Contractors (MACs) make Medicare coverage decisions on the local level – 12 for Medicare Parts A and B, and four for Durable Medical Equipment. Each MAC’s decisions apply only to that MAC’s jurisdiction. In the absence of national Medicare coverage for an innovative product, the product could be covered by a patchwork of LCDs, meaning a senior in one area could have access, while another senior in a different area would not. Additionally, to secure these LCDs, innovators can be forced to seek separate decisions from several MACs. MCIT breaks through this bureaucracy to help innovators and seniors alike. Under MCIT, breakthrough devices are given automatic national coverage for four years, simultaneous with FDA approval, meaning innovators do not need to seek coverage from the MACs.

This proposed rule would also allow Medicare to cover eligible breakthrough devices the FDA has approved for use in 2019 or 2020, giving Medicare beneficiaries immediate access to these innovative and potentially life-saving devices.

Additionally, the MCIT proposed rule would clarify the standard CMS uses to determine whether Medicare should cover a product, like a drug, device, or biologic. Under the Medicare law, the program can only pay for items or services that are “reasonable and necessary” for the Medicare population. If finalized, the MCIT proposal would clarify CMS’ definition of reasonable and necessary in regulation to give innovators a clearer understanding of CMS standards.

Today’s announcement also implements a major CMS effort to provide better customer service for innovators seeking Medicare coverage for their products. This takes the form of a coordinated, one-stop-shop internal structure that harmonizes the coverage, coding, and payment processes. This new internal coordination will help CMS better assist innovators as they seek to secure Medicare coverage and payment for their newly FDA-approved products. This effort includes a new pilot project under which knowledgeable CMS staff will guide innovators through the coverage, coding, and payment processes to cut through confusion and, ultimately, help Medicare deliver critical new technologies to seniors more quickly.

In addition to the proposed rule and the internal changes, CMS is also announcing that, in an effort to ensure certainty and clarity for stakeholders, the agency has significantly reduced a backlog of requests for National Coverage Determinations (NCDs), some of which have been on a list awaiting approval since 2014. In 2019 there were 11 NCD applications waiting for CMS review. By the end of 2020, CMS will have addressed nine of those 11. One of the remaining two is being handled by local Medicare Administrative Contractors (MACs) and the second is undergoing additional clinical trials.

Public comments on the proposed rule will be accepted until November 2, 2020.

For a fact sheet on the proposed rule (CMS-3372-P), please visit: https://www.cms.gov/newsroom/fact-sheets/proposed-medicare-coverage-innovative-technology-cms-3372-p

The proposed rule (CMS-3372-P) can be downloaded from the Federal Register at:

https://www.federalregister.gov/documents/2020/09/01/2020-19289/medicare-program-medicare-coverage-of-innovative-technology-and-definition-of-reasonable-and

ONC FAST

ONC FHIR at Scale Taskforce (FAST) Workshop: An Architectural Framework for Ecosystem Infrastructure

Monday, September 14, 2020; 08:30 AM EDT – 5:00 PM ET

Registration

Join ONC and members of the FHIR at Scale Taskforce (FAST) initiative for a full day workshop titled: “FAST, An Architectural Framework for Ecosystem Infrastructure.” Having developed and proposed solutions to address technical infrastructure challenges associated with deploying FHIR solutions “at scale,” the FAST community now seeks to explore and solicit feedback on both the architectural considerations and pathways to implementation for each of these solutions.

The FAST Initiative recognizes that ongoing collaboration and coordination with industry leading efforts and a broader group of industry stakeholders is key to understanding industry challenges and successes, ensuring an accurate industry wide gap analysis, maintaining awareness of new developments, and avoiding duplication of efforts. To that end, this workshop will support The FAST Initiative’s goal to maintain transparency and communication, while welcoming industry feedback that can inform our collective efforts and approaches.

For more information on the FAST initiative, please review the following resources:

The Official FAST Confluence site
The FAST 2020 Mid-Year Report
The FAST 2019 End of Year Report

OCR News

August 25, 2020

Summer 2020 Cybersecurity Newsletter | HHS.gov OCR

Making a List and Checking it Twice: HIPAA and IT Asset Inventories

The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that it creates, receives, maintains, or transmits.[1] Conducting a risk analysis, which is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by an organization,[2] is not only a Security Rule requirement, but also is fundamental to identifying and implementing safeguards that comply with and carry out the Security Rule standards and implementation specifications.[3] However, despite this long-standing HIPAA requirement, OCR investigations frequently find that organizations lack sufficient understanding of where all of the ePHI entrusted to their care is located. Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance.

Creating an IT Asset Inventory

Generally, an enterprise-wide IT asset inventory is a comprehensive listing of an organization’s IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset). The HHS Security Risk Assessment Tool includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI. Larger, more complex organizations may choose dedicated IT Asset Management (ITAM) solutions that include automated discovery and update processes for asset and inventory management. HIPAA covered entities and business associates using the NIST Cybersecurity Framework (NCF)[4] should be able to leverage the inventory components of the NCF’s Asset Management (ID.AM) category, which includes inventorying hardware (ID.AM-1), inventorying software (ID.AM-2), and mapping communication and data flows (ID.AM-3), to assist in creating and maintaining an IT asset inventory that can be used in and with their Security Rule risk analysis process with respect to ePHI. When creating an IT asset inventory, organizations can include:

Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.

Software assets that are programs and applications that run on an organization’s electronic devices. Well-known software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.

Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.[5]

How an IT Asset Inventory Can Help Improve an Organization’s Risk Analysis

HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the risks to the ePHI it maintains. Identifying, assessing, and managing risk can be difficult, especially in organizations that have a large, complex technology footprint. Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.

When creating or maintaining an IT asset inventory that can aid in identifying risks to ePHI, it may be beneficial to consider other IT assets that may not store or process ePHI. An entity’s risk analysis obligation is to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.”[6] Assets within an organization that do not directly store or process ePHI may still present a method for intrusion into the IT system, that could lead to risks to the confidentiality, integrity, and availability of an organization’s ePHI. For example, consider an Internet of Things (IoT) or a smart, connected device that provides access to facilities for maintenance personnel for control and monitoring of an organization’s heating, ventilation, and air conditioning (HVAC). Although it does not store or process ePHI, such a device can present serious risks to sensitive patient data in an organization’s network. Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network. The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.

Real world examples of IoT devices used for malicious activities include incidents reported by Microsoft in which malicious actors were able to compromise a VOIP phone, printer, and video decoder to gain access to corporate networks. The hackers were able to exploit unchanged default passwords and unpatched security vulnerabilities to compromise these devices. Once inside the network, the hackers were able to conduct reconnaissance and access other devices on the corporate network in search of additional privileges and high-value data.[7]

An IT asset inventory that includes IoT devices can strengthen an organization’s risk analysis by raising awareness of the potential risks such devices may pose to ePHI. The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization’s recognition and mitigation of risks to the organization’s ePHI.  Having a complete understanding of one’s environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule.

Ongoing Process and Benefits

An IT asset inventory can aid in an organization’s overall cybersecurity posture and HIPAA compliance in other ways, too. For example, HIPAA covered entities and business associates must “[i]mplement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility.”[8] This includes servers, workstations, mobile devices, laptops, and any other hardware or media that contains ePHI. Receipt, removal, and movements of such devices can be tracked as part of an organization’s inventory process. This has become more important as organizations’ networks and enterprises grow increasingly large and complex – especially, considering the proliferation and use of mobile devices and removable media by the workforce. If reasonable and appropriate, organizations also may consider adding location and owner or assignment information to an IT asset inventory to assist in an organization’s ability to “[m]aintain a record of the movements of hardware and electronic media and any person responsible . . . .”[9]

Further, by comparing its inventory of known IT assets against the results of network scanning discovery and mapping processes, an organization can identify unknown or “rogue” devices or applications operating on its network. Once identified, these previously unknown devices can be added to the inventory and the risks they may pose to ePHI identified, assessed, and mitigated. An inventory can also be integral to an organization’s vulnerability management program. New software bugs and vulnerabilities are identified on a regular basis. Subsequently, software updates and patches are regularly issued to fix these bugs and mitigate these vulnerabilities. An enterprise-wide IT asset inventory can help an organization identify and track affected devices to facilitate and verify timely application of updates and patches.
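To make the two uses of an inventory described above concrete (reconciling it against network discovery to surface rogue devices, and tracking which assets an advisory affects), here is an added Python example; it is not from the OCR newsletter or any HHS tool. The inventory records use the newsletter's fields (identification, version, assignment) plus an ePHI flag and a default-credentials flag, the scan output and advisory versions are constructed, and the HVAC controller is inventoried even though it holds no ePHI, as the newsletter recommends.

```python
# Added example (not from the OCR newsletter): reconcile an IT asset inventory with
# network-discovery output and a patch advisory list. Every record below is constructed.
from __future__ import annotations

# Constructed inventory: identification, version and assignment per the newsletter, plus
# whether the asset stores/processes ePHI and whether vendor default credentials were changed.
INVENTORY = [
    {"asset_id": "SRV-001", "type": "server", "hostname": "ehr-db01", "ip": "10.0.1.10",
     "software": "postgresql", "version": "12.3", "owner": "DBA team",
     "location": "DC-A", "ephi": True, "default_creds_changed": True},
    {"asset_id": "WS-014", "type": "workstation", "hostname": "ws-nurse14", "ip": "10.0.2.14",
     "software": "windows10", "version": "1909", "owner": "Nursing",
     "location": "Ward 3", "ephi": True, "default_creds_changed": True},
    {"asset_id": "IOT-003", "type": "iot", "hostname": "hvac-ctl-b2", "ip": "10.0.9.3",
     "software": "hvac-firmware", "version": "2.1.0", "owner": "Facilities",
     "location": "Bldg B", "ephi": False, "default_creds_changed": False},
]

# Constructed network-discovery export: what a scanner actually saw on the wire.
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "hostname": "ehr-db01", "banner": "PostgreSQL 12.3"},
    {"ip": "10.0.2.14", "hostname": "ws-nurse14", "banner": "Microsoft-DS"},
    {"ip": "10.0.9.3", "hostname": "hvac-ctl-b2", "banner": "hvac-firmware/2.1.0"},
    {"ip": "10.0.9.77", "hostname": "printer-lobby", "banner": "HP JetDirect"},  # not inventoried
    {"ip": "10.0.2.201", "hostname": "", "banner": "VoIP phone"},                 # not inventoried
]

# Constructed advisory data: software name -> first version that contains the fix.
ADVISORIES = {"postgresql": "12.4", "hvac-firmware": "2.2.0"}


def parse_version(v: str) -> tuple[int, ...]:
    """'12.3' -> (12, 3); stops at the first non-numeric piece, so '2.1.0-rc1' -> (2, 1)."""
    parts: list[int] = []
    for piece in v.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_rogue_devices(inventory: list[dict], scan_results: list[dict]) -> list[dict]:
    """Devices seen on the network but absent from the inventory (matched on IP)."""
    known = {a["ip"] for a in inventory}
    return [r for r in scan_results if r["ip"] not in known]


def find_not_seen(inventory: list[dict], scan_results: list[dict]) -> list[dict]:
    """Inventoried assets the scan did not find: stale records, or hardware/media that moved."""
    seen = {r["ip"] for r in scan_results}
    return [a for a in inventory if a["ip"] not in seen]


def find_unpatched(inventory: list[dict], advisories: dict[str, str]) -> list[dict]:
    """Assets running software older than the fixed version named in an advisory."""
    hits = []
    for a in inventory:
        fixed = advisories.get(a["software"])
        if fixed and parse_version(a["version"]) < parse_version(fixed):
            hits.append({"asset_id": a["asset_id"], "software": a["software"],
                         "installed": a["version"], "fixed_in": fixed, "ephi": a["ephi"]})
    return hits


def find_default_credentials(inventory: list[dict]) -> list[str]:
    """Asset ids still on vendor default credentials."""
    return sorted(a["asset_id"] for a in inventory if not a["default_creds_changed"])


def risk_report(inventory: list[dict], scan_results: list[dict],
                advisories: dict[str, str]) -> dict:
    """Findings a risk analysis can start from. Non-ePHI assets stay in view because an
    unpatched or default-credential device is a foothold for lateral movement toward ePHI."""
    unpatched = find_unpatched(inventory, advisories)
    default_creds = set(find_default_credentials(inventory))
    non_ephi = {a["asset_id"] for a in inventory if not a["ephi"]}
    weak = {h["asset_id"] for h in unpatched} | default_creds
    return {
        "rogue_devices": [r["ip"] for r in find_rogue_devices(inventory, scan_results)],
        "not_seen_on_network": [a["asset_id"] for a in find_not_seen(inventory, scan_results)],
        "unpatched": unpatched,
        "default_credentials": sorted(default_creds),
        "non_ephi_footholds": sorted(weak & non_ephi),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(risk_report(INVENTORY, SCAN_RESULTS, ADVISORIES), indent=2))
```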

Additional Resources:

NIST SP 800-66 Rev. 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf - PDF

HHS Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

August 2018 Cyber Security Newsletter: Considerations for Securing Electronic Media and Devices: https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-august-2018-device-and-media-controls.pdf - PDF

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks: https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf - PDF

NIST SP 1800-5: IT Asset Management: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-5.pdf - PDF

* This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion.

Footnotes

1. See Security Standards: General Rules, 45 CFR 164.306; Administrative Safeguards, 45 CFR 164.308; Physical Safeguards, 45 CFR 164.310; and Technical Safeguards, 45 CFR 164.312.
2. See Risk Analysis, 45 CFR 164.308(a)(1)(ii)(A).
3. See Maintenance, 45 CFR 164.306(e); Evaluation, 45 CFR 164.308(a)(8); Device and Media Controls, 45 CFR 164.310(d)(1); and Documentation Updates, 45 CFR 164.316(b)(2)(iii).
4. https://www.nist.gov/cyberframework
5. “The analysis of data flows and data uses that covered entities are doing so as to comply with the Privacy Rule should also serve as the starting point for parallel analysis required by [the Security Rule],” Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334, 8371 (February 20, 2003).
6. See 45 CFR 164.308(a)(1)(ii)(A), Risk Analysis (emphasis added).
7. https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
8. 45 CFR 164.310(d)(1), Device and Media Controls.
9. 45 CFR 164.310(d)(2)(iii), Accountability (Addressable).

CARIN Blue Button Report Out

Nothing to report.

Security is a cosponsor of CARIN Blue Button IG. Calls: http://www.hl7.org/concalls/CallDetails.aspx?concall=48592 Monday Mar 2, 2020 - 02:30 PM (Eastern Time, GMT -05)

https://leavittpartners.zoom.us/j/461256971 or Dial: 1 646 876 9923 // Meeting ID: 461 256 971

HL7 Policy Advisory Committee (PAC)

ONC is now accepting submissions for the next version of the United States Core for Data Interoperability (USCDI) through the new ONC New Data Element and Class (ONDEC) submission system. The USCDI is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. The next version of the USCDI will be drafted and finalized based on your data element submissions to the ONDEC system.

Read the Blog

Submit Comments

USCDI Survey needs input from Security WG.  PAC sent this request for WG input:

ANSI to Host September 14 Standardization Empowering AI-enabled Systems in Healthcare Coordination Workshop

On September 14, 2020, ANSI will virtually convene a workshop of interested stakeholders to explore opportunities for progress in AI-enabled systems in healthcare through collaboration and standardization, to identify challenges, barriers and gaps, and to discuss steps to optimize regulatory frameworks. Advance registration is open.


Advance Registration is Open

8/24/2020

On September 14, 2020, the American National Standards Institute (ANSI) will virtually convene an open forum workshop of interested stakeholders to explore opportunities for progress in AI-enabled systems in healthcare through collaboration and standardization, to identify challenges, barriers and gaps, and to discuss steps to optimize regulatory frameworks.

In July, ANSI issued a survey on Standardization Empowering AI-enabled Systems in Health Care. Survey results will inspire the discussion at a public-private virtual workshop, which will cover data, transparency and explainability, governance and risk management, related to AI-enabled systems in healthcare.

The goal of this virtual workshop is to set the stage and build momentum for an in person workshop in 2021, where recommendations for coordination of standardization and governance to meet expectations of safety, quality, responsibility, and risk—to support AI-enabled systems in health care—can be developed.

Register in advance for the workshop (WebEx).

Standardization and AI-enabled Systems in Health care

The landscape for standardization and regulation of AI-enabled systems in healthcare is complex and very dynamic. While many stakeholders understand different parts of this landscape, it is unlikely that anyone possesses full knowledge of it. In order to create a common understanding, to identify and fill gaps, and to increase awareness and coordination in standards, ANSI will sponsor a virtual workshop focusing on the role of autonomous and intelligent systems standards in medical software and consumer systems that interact with the professional health care sector.

As the coordinator of the U.S. private sector-led system of voluntary standardization, ANSI has initiated a dialogue with stakeholders. The Institute provides a neutral venue for broad and open discussion of standardization issues for emerging technologies and in national priority areas.

Stakeholders interested in getting involved in the September 14 workshop can contact Michelle Deane, ANSI Director, at  [email protected]

Draft Consumer Privacy Framework for Health Data

August 26, 2020 – The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data. The Framework includes a description of the health data that warrant protection, as well as the standards and rules that should govern them. The Framework also includes a self-regulatory model that would hold companies accountable to these standards and rules. The work is the first output of a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage. The collaboration was funded through a grant by the Robert Wood Johnson Foundation.

The public is invited to review the draft framework and offer constructive feedback by Friday, September 25, 2020 in the form below. 

Download Webinar Slides (PDF)

Draft Consumer Policy Framework (PDF)

Video (Link)

HL7 FHIR Consent and Security Labeling would be useful for implementing this framework.  Submitted to PAC for consideration.

CARIN Code of Conduct 2020 - Another Consumer Privacy Protection Framework

Notes from Chat

Requesting review and comment; participants are encouraged to review the information at the links below.

High Water Mark on Bundle - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Meaning.20of.20Security.20Labels.20on.20Bundles

Consent - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Consent.20IG.3F

Scopes for data access - https://chat.fhir.org/login/#narrow/stream/179175-argonaut/topic/Scopes.20for.20data.20access

DS4P IG - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/DS4P.20IG

Fine-grained Security Policies

Consent Provisions

OCR ruling related to Cost for Right of Access

Grahame Provenance agent.type vs agent.role value sets and element semantics

Useful Links

Confluence and JIRA Tutorials

https://confluence.hl7.org/display/HDH#c4472ec9-1ffa-4734-835d-ea12286e013e-31686915

Ballot Management

Security Ballot Management Nov 1 - NIB Deadline - Privacy and Security Logical Model

Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 1539 Arizona time

Meeting recording: 

<link>

Attendees

 @Adam Wong [email protected] HHS

 Alex Kontur ONC

 Alexander Mense, Co-Chair HL7 Austria

 Beth Pumo Kaiser

 Amol Vyas [email protected] Cambia Health

 Brett Marquard Wave One

 Carie Hammond Aegis

 Celine Lefebvre [email protected]  AMA

 Clara Y. Ren [email protected] Federal Electronic Health Records Modernization (FEHRM) Office

 Chris Shawn, Co-Chair VA

  Craig Newman [email protected]

 Dave Silver Electrosoft

 David Pyke    Ready Computing

  @David Staggs [email protected] SRS 

 Debra Simmons debrasimmons@

  Didi Davis Sequoia

 Giorgio Cangioli

 Heather McComas  [email protected] AMA 

 Isaac Vetter   EPIC

 Jeff Helman AEGIS for SSA

 Jerry Goodnough

 Jim Kamper Altarum

 Joel Bales Federal Electronic Health Records Modernization (FEHRM) Office

 Johnathan Coleman SRS

 John Davis (Mike) VA

 John Moehrke Co-Chair By-Light

 Joseph M. Lamy Aegis

 Julie Chan [email protected] CWGlobal

 Kathleen Connor  Co-Chair VA (Book Zurman)

 Laura Bright [email protected]

 Laura Hoffman [email protected] AMA

 Lloyd McKenzie

 Lorraine Constable

 Luis Maas EMR Direct

 Mark Scrimshire

 Matt Blackmon  Sequoia

 Matthew Reid [email protected] AMA

 Mohammad Jafari VA (Book Zurman)

  Nancy Lush Patient Centric Solutions

 Peter Muir    PJM Consulting

 Peter van Liesdonk  Phillips

 Reed D. Gelzer   Trustworthy EHR 

 Ricky Sahu 1up Health

 Robert Dieterle [email protected] Enablecare

 Russ Ott [email protected] Deloitte

 Saul Kravitz [email protected] MITRE

 Scott Fradkin [email protected]

 Sherry Wilson [email protected] Jopari

 Serafina Versaggi

 Stephen MacVicar [email protected] MITRE

 Suzanne Gonzales-Webb VA (Book Zurman)

 Terrence 'Terry' Cunningham AMA

 Theresa Årdal Connor

 Tom Hicke

 Patricia A.H. Williams aka Trish Flinders University

 Vicki Giatzikis [email protected] NYP