Difference between revisions of "Minutes - Security WG 2023-10-18"
From Health Level 7 Belgium Wiki
KarlienErauw (talk | contribs) |
KarlienErauw (talk | contribs) |
||
Line 1: | Line 1: | ||
===== Attendees ===== | ===== Attendees ===== | ||
− | |||
* Bart Decuypere | * Bart Decuypere | ||
* Benny Verhamme | * Benny Verhamme | ||
+ | * Brecht Van Vooren | ||
* Brian Thieren | * Brian Thieren | ||
* Dominiek Leclerq | * Dominiek Leclerq | ||
* Elien De Koker | * Elien De Koker | ||
* Félix De Tavernier | * Félix De Tavernier | ||
− | |||
* Hanne Vuegen | * Hanne Vuegen | ||
* Jean-Michel Polfliet | * Jean-Michel Polfliet | ||
− | |||
* Karlien Erauw | * Karlien Erauw | ||
* Maxime Caucheteur | * Maxime Caucheteur | ||
Line 18: | Line 16: | ||
===== Excused/Not present ===== | ===== Excused/Not present ===== | ||
− | * | + | * Anthony Maton |
* Cyprien Janssens | * Cyprien Janssens | ||
* Didier Temans | * Didier Temans | ||
* Erwin Bellon | * Erwin Bellon | ||
* Filip Veldeman | * Filip Veldeman | ||
+ | * Filoretta Velica | ||
* Isabelle Pollet | * Isabelle Pollet | ||
* Jan Lenie | * Jan Lenie | ||
* Jan Stinissen | * Jan Stinissen | ||
+ | * José Costa Teixeira | ||
* Marco Busschots | * Marco Busschots | ||
* Nick Hermans | * Nick Hermans | ||
Line 36: | Line 36: | ||
===== Minutes ===== | ===== Minutes ===== | ||
+ | * Pseudonymization technical document: there is an urge from some eHealth projects to move forward faster due to the deadlines on some projects (Vialink FHIR and UHMEP project) | ||
+ | ::* there have been discussions on a higher level outside the HL7 Belgium community and the decision was to publish asap | ||
+ | ::* the proposal fitted the projects so it will be published | ||
+ | ::* an IG in architecture & security will be published, following the slides discussed the previous weeks, the work on the technical artefacts is still ongoing but will be ready in the coming days | ||
+ | ::::* this will not include an overview of the pseudonymization service, it is linked to the cookbook that is published | ||
+ | |||
* We review on how the feedback from the 20 Sept meeting on [https://docs.google.com/presentation/d/17ys63H19j-gMzf1SDfVzUZfqPvnZDY_WVxFlE07QXl8/edit#slide=id.g283b0eddda1_1_0 pseudonymization] | * We review on how the feedback from the 20 Sept meeting on [https://docs.google.com/presentation/d/17ys63H19j-gMzf1SDfVzUZfqPvnZDY_WVxFlE07QXl8/edit#slide=id.g283b0eddda1_1_0 pseudonymization] | ||
::* is it possible to have a shorthand for f.e. SSIN | ::* is it possible to have a shorthand for f.e. SSIN |
Revision as of 07:15, 18 October 2023
Attendees
- Bart Decuypere
- Benny Verhamme
- Brecht Van Vooren
- Brian Thieren
- Dominiek Leclerq
- Elien De Koker
- Félix De Tavernier
- Hanne Vuegen
- Jean-Michel Polfliet
- Karlien Erauw
- Maxime Caucheteur
- Philippe Baise
- Steven Van den Berghe
- Werner De Mulder
Excused/Not present
- Anthony Maton
- Cyprien Janssens
- Didier Temans
- Erwin Bellon
- Filip Veldeman
- Filoretta Velica
- Isabelle Pollet
- Jan Lenie
- Jan Stinissen
- José Costa Teixeira
- Marco Busschots
- Nick Hermans
- Nico Vannieuwenhuyze
- Stef Hoofd
Agenda
- review feedback on pseudonymization of FHIR resources
- proposal
Minutes
- Pseudonymization technical document: there is an urge from some eHealth projects to move forward faster due to the deadlines on some projects (Vialink FHIR and UHMEP project)
- there have been discussions on a higher level outside the HL7 Belgium community and the decision was to publish asap
- the proposal fitted the projects so it will be published
- an IG in architecture & security will be published, following the slides discussed the previous weeks, the work on the technical artefacts is still ongoing but will be ready in the coming days
- this will not include an overview of the pseudonymization service, it is linked to the cookbook that is published
- We review on how the feedback from the 20 Sept meeting on pseudonymization
- is it possible to have a shorthand for f.e. SSIN
- this is possible but however there is no real use for it. The transit info should be used to transform the pseudonym to its eventual form, because the pseudonym is different for every transmission. This form is not suitable to be stored or processed otherwise.
- On top, this will impact the validation of pseudonymized and non-pseudonymized resources, because of the additional slice to be added to pseudonymizable resources.
- extensions are not preferable, what if you don't store it ; but pseudonymized is not an unique identifier so it could not be used this way
- what about blinding/unblinding (see cookbook): not clear yet
- reuse info from header and omit it from the FHIR message
- Each pseudonym has its own transit info, even if you use the “multiple” functionality
- how to solve the search problem for pseudonymized resources?
- size of getRequest is limited, however there is an alternative in the FHIR standard, using post syntax
- search can done using POST and POST url syntax because of the size of the search parameters
- how will we express the parameters ? There are 2 options:
- treat parameter as composite parameter using a separate token, concatenation using a $ sin
- encode pseudonym in a JWE string, this will have a double impact of Base64 encoding
- which option do we agree upon ?
- this is not a FHIR query, therefore the composite
- this is only for solutions that use pseudonymization
- Discuss search for contained resource
- see issues 255 and 257 in referral project
Action items
- Security controls: continue work on valuesets by Brecht
- Position of HL7 Belgium on the FHIR R5 release (to cover the already upcoming questions from players and stakeholders in Belgium)
- FHIR readiness of Belgian metahub-hub system: see preparation work
Next meetings
- Wednesday 15 Nov at 9AM