Difference between revisions of "Minutes - Security WG 2021-05-21"

From Health Level 7 Belgium Wiki
(Created page with "* Minutes * Hannes presents "Access control in FHIR" that was also ::* care provider has to go through id & auth and there has to be a control to assess if he has access to t...")
 
Line 1: Line 1:
* Minutes
+
===== Attendees =====
 +
* Bruno Casneuf
 +
* Erwin Bellon
 +
* Hannes De Clercq
 +
* Jean-Michel Polfliet
 +
* Karlien Erauw
 +
* Nick Hermans
 +
* Pablo d'Alcantara
 +
* Raphaël, RSW
 +
* Robin Bosman
 +
 
 +
===== Excused/Not present =====
 +
* Didier Temans
 +
* José Costa Teixeira
 +
 
 +
===== Agenda =====
 +
* Presentation by Hannes
 +
* Plan to go forward
 +
 
 +
===== Previous Minutes =====
 +
* Background: request raised in eHealth Platform WG Architecture from April 30
 +
* RSW cannot join on Tuesday afternoons so we must look for a different timeslot. Proposed weekly meeting slot as from May 21: Fridays from noon to 1PM
 +
::* remark: Hannes should be available as key person
 +
* What exactly is the request:
 +
::* see presentation WG Architecture here: Access control in FHIR, https://drive.google.com/file/d/1v-Lg204eKYKEOdCUJtv7gT0G4vd0XIpP/view?usp=sharing
 +
::* do we need middleware when using a FHIR server to have access to patient consent and therapeutic relationship
 +
::* what are the encountered issues and how can we mitigate these ?
 +
* Plan to go forward:
 +
::* benefits of using middleware
 +
::* encountered issues when using middleware
 +
* Question: how to interrogate multiple FHIR servers
 +
===== Minutes =====
 +
 
 
* Hannes presents "Access control in FHIR" that was also  
 
* Hannes presents "Access control in FHIR" that was also  
 
::* care provider has to go through id & auth and there has to be a control to assess if he has access to the resource (access management): check patient consent, exlusions, therapeutic relationship and access matrix for care providers
 
::* care provider has to go through id & auth and there has to be a control to assess if he has access to the resource (access management): check patient consent, exlusions, therapeutic relationship and access matrix for care providers
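Review bot: The first bullet under the new Minutes heading, 'Hannes presents "Access control in FHIR" that was also', stops mid-sentence and is carried into this revision unchanged. Either complete the sentence or end it after the presentation title. In the bullet that follows it, "exlusions" should read "exclusions".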
Line 6: Line 38:
 
::::* solution 1: generic : IAM connect, client communicates through middleware/component to assess access to resource before entering in the FHIR server - adaptions outside of FHIR server - more difficult for client to know why he doesn't have access
 
::::* solution 1: generic : IAM connect, client communicates through middleware/component to assess access to resource before entering in the FHIR server - adaptions outside of FHIR server - more difficult for client to know why he doesn't have access
 
::::* solution 2: more specific - using SMART on FHIR - client can talk directly to FHIR server- controls happen in step 4 - suggestion for setp 4B to connect with metahub (pip)
 
::::* solution 2: more specific - using SMART on FHIR - client can talk directly to FHIR server- controls happen in step 4 - suggestion for setp 4B to connect with metahub (pip)
 +
::* RSW has its own authentic source for therap relationships that has to be taken into account in their SMART on FHIR solution
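Review bot: In the solution 2 bullet, "setp 4B" should read "step 4B". "Step 4" refers to a flow that the minutes do not show, so point the reader to the presentation linked under Previous Minutes. In the added RSW line, write "therapeutic relationships" instead of "therap relationships" to match the wording used in the access-management bullet.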

Revision as of 10:20, 21 May 2021

Attendees
  • Bruno Casneuf
  • Erwin Bellon
  • Hannes De Clercq
  • Jean-Michel Polfliet
  • Karlien Erauw
  • Nick Hermans
  • Pablo d'Alcantara
  • Raphaël, RSW
  • Robin Bosman
Excused/Not present
  • Didier Temans
  • José Costa Teixeira
Agenda
  • Presentation by Hannes
  • Plan to go forward
Previous Minutes
  • Background: request raised in eHealth Platform WG Architecture from April 30
  • RSW cannot join on Tuesday afternoons so we must look for a different timeslot. Proposed weekly meeting slot as from May 21: Fridays from noon to 1PM
      • remark: Hannes should be available as key person
  • What exactly is the request:
  • Plan to go forward:
      • benefits of using middleware
      • encountered issues when using middleware
  • Question: how to interrogate multiple FHIR servers
Minutes
  • Hannes presents "Access control in FHIR" that was also
      • care provider has to go through id & auth and there has to be a control to assess if he has access to the resource (access management): check patient consent, exclusions, therapeutic relationship and access matrix for care providers
          • id: solutions FAS or eID, itsme, TOTP
          • access management: need for standardised manner to manage interactions
              • solution 1: generic: IAM connect, client communicates through middleware/component to assess access to resource before entering the FHIR server - adaptations outside of FHIR server - more difficult for client to know why he doesn't have access
              • solution 2: more specific - using SMART on FHIR - client can talk directly to FHIR server - controls happen in step 4 - suggestion for step 4B to connect with metahub (pip)
      • RSW has its own authentic source for therapeutic relationships that has to be taken into account in their SMART on FHIR solution