Difference between revisions of "Minutes - Security WG 2023-02-08"

From Health Level 7 Belgium Wiki
(Created page with "===== Attendees ===== * Anthony Maton * Bart Decuypere * Benny Verhamme * Brian Thieren (Cozo) * Félix De Tavernier * Isabelle Pollet * Jan Stinissen * Steven Van den Berg...")
 
Line 3: Line 3:
 
* Bart Decuypere
 
* Bart Decuypere
 
* Benny Verhamme  
 
* Benny Verhamme  
* Brian Thieren (Cozo)
+
* Brian Thieren
 +
* Elien De Koker
 
* Félix De Tavernier  
 
* Félix De Tavernier  
* Isabelle Pollet
 
 
* Jan Stinissen
 
* Jan Stinissen
* Steven Van den Berghe
 
 
* Jean-Michel Polfliet
 
* Jean-Michel Polfliet
 
* José Costa Teixeira (first part)
 
* José Costa Teixeira (first part)
Line 13: Line 12:
 
* Marco Busschots
 
* Marco Busschots
 
* Philippe Baise
 
* Philippe Baise
 +
* Steven Van den Berghe
 +
* Werner De Mulder (second part)
  
 
===== Excused/Not present =====
 
===== Excused/Not present =====
Line 19: Line 20:
 
* Didier Temans
 
* Didier Temans
 
* Erwin Bellon
 
* Erwin Bellon
 +
* Isabelle Pollet
 
* Jan Lenie  
 
* Jan Lenie  
 
* Nick Hermans  
 
* Nick Hermans  
* Werner De Mulder
+
 
  
 
===== Agenda =====
 
===== Agenda =====
Line 33: Line 35:
 
===== Minutes =====
 
===== Minutes =====
 
* Introduction of the group to the newcomers: everyone comes in as a professional, not linked to his organisation as this group is here to advice towards mature FHIR implementations
 
* Introduction of the group to the newcomers: everyone comes in as a professional, not linked to his organisation as this group is here to advice towards mature FHIR implementations
* Security controls
+
* Security controls: this group has to provide technical guidance supporting the funtional requirements
 
::* it has to be compatible with the current access matrix  
 
::* it has to be compatible with the current access matrix  
 
::* challenges exist on fetching related resources, so there might be a need for a hierarchy of access (f.e. allowed to fetch a patient and afterwards to fetch an observation)
 
::* challenges exist on fetching related resources, so there might be a need for a hierarchy of access (f.e. allowed to fetch a patient and afterwards to fetch an observation)
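Review bot: the added "Security controls" line misspells "functional" as "funtional". The unchanged introduction line just above it reads "here to advice", where the verb "advise" is meant, and could be corrected in the same edit.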
Line 39: Line 41:
 
::::* reference: https://build.fhir.org/permission  
 
::::* reference: https://build.fhir.org/permission  
 
::::* ABAC: attribute based access control
 
::::* ABAC: attribute based access control
 +
::::* some atrributes of the patient and user might have to be taken into account
 +
::* ask Brecht V.V; to join the meting & explain
  
 +
* Literal references
 +
::* there is some confusion if you refer to a system that does not exist today
 +
::::* a literal reference is not always resolvable, is possible in the standard but is confusing to the users anyway
 +
::* logical references are also possible
 +
::* anyone willing to bring a common approach to the table ?
 +
::* our advise: if the reference URL is not accessible we advise to use a logical reference instead of a literal reference
  
 +
* phrase point of view on R4 & R5 release
 +
::* what are the current views ?
 +
::* there will be a mixed ecosystem as R5 will be adopted since it has more functionalities
 +
::*
  
 
draft
 
draft
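Review bot: the added bullets under the ABAC item and under "Literal references" carry typos that should be fixed: "atrributes" (attributes), "meting" (meeting), "Brecht V.V;" (stray semicolon) and "our advise" (the noun is "advice"). The last added line, under the R4 & R5 item, is an empty "::*" bullet; either complete it or drop it.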

Revision as of 08:42, 8 February 2023

Attendees
  • Anthony Maton
  • Bart Decuypere
  • Benny Verhamme
  • Brian Thieren
  • Elien De Koker
  • Félix De Tavernier
  • Jan Stinissen
  • Jean-Michel Polfliet
  • José Costa Teixeira (first part)
  • Karlien Erauw
  • Marco Busschots
  • Philippe Baise
  • Steven Van den Berghe
  • Werner De Mulder (second part)
Excused/Not present
  • Brecht Van Vooren
  • Cyprien Janssens
  • Didier Temans
  • Erwin Bellon
  • Isabelle Pollet
  • Jan Lenie
  • Nick Hermans


Agenda
  • Context / needs
  • Determine meeting schedule
  • Security controls
  • Literal references in FHIR resources: need for guidelines? See issue from WG referral (linked to Vitalink/Brecht VV)
  • Position of HL7 Belgium on the FHIR R5 release (to cover the already upcoming questions from players and stakeholders in Belgium)
  • FHIR readiness of Belgian metahub-hub system: see preparation work
Minutes
  • Introduction of the group to the newcomers: everyone comes in as a professional, not linked to his organisation, as this group is here to advise towards mature FHIR implementations
  • Security controls: this group has to provide technical guidance supporting the functional requirements
    • it has to be compatible with the current access matrix
    • challenges exist on fetching related resources, so there might be a need for a hierarchy of access (e.g. allowed to fetch a patient and afterwards to fetch an observation)
    • start a Google doc with the current access matrix to begin analysing what is possible in FHIR and how
    • ask Brecht V.V. to join the meeting & explain
  • Literal references
    • there is some confusion if you refer to a system that does not exist today
      • a literal reference is not always resolvable; this is possible in the standard but is confusing to the users anyway
    • logical references are also possible
    • anyone willing to bring a common approach to the table?
    • our advice: if the reference URL is not accessible, we advise using a logical reference instead of a literal reference
  • phrase point of view on R4 & R5 release
    • what are the current views?
    • there will be a mixed ecosystem as R5 will be adopted since it has more functionalities

draft

  • Some issues came up in other HL7 Belgium working groups, so this group has been reconvened since mid-December
  • We have the necessary stakeholders on board: RSW, VZN, Cozo, RSB
  • It is requested to include the link to the meeting minutes & agenda items in the meeting invites
  • The purpose of this WG is to create recommendations and best practices; we cannot impose anything. Therefore we will continuously ask for feedback from all stakeholders, in particular the hubs.
  • We agree to continue working on the items (security controls & literal references) that were tackled during the last meeting
  • Security controls: see previous discussion here
  • link with access matrix which is evolving
  • security labels in FHIR don't have any hierarchy
  • we should ask for advice & input before starting specifications towards creating the implementation guide
  • action item: we/HL7 Belgium have to write out the situation: which technical possibilities and limits exist in FHIR R4 and R5
  • please provide some input here
Action items
  • security controls: status of document describing the FHIR situation
  • literal references: phrase our point of view
  • phrase recommendation on R4/R5 release
Next meeting
  • Wednesday 22 Feb at 9AM - TBC (holiday week) change biweekly schedule TBC