Minutes - Security WG 2023-05-23
From Health Level 7 Belgium Wiki
Attendees
- Bart Decuypere
- Benny Verhamme
- Brecht Van Vooren (partially online)
- Brian Thieren
- Elien De Koker
- Jean-Michel Polfliet
- José Costa Teixeira
- Karlien Erauw
- Nick Hermans (partially online)
- Steven Van den Berghe
- Werner De Mulder
Excused/Not present
- Anthony Maton
- Cyprien Janssens
- Didier Temans
- Dominiek Leclerq
- Erwin Bellon
- Félix De Tavernier
- Jan Stinissen
- Filip Veldeman
- Isabelle Pollet
- Jan Lenie
- Marco Busschots
- Nico Vannieuwenhuyze
- Philippe Baise
- Stef Hoofd
Agenda
- future work topics and way of working
Minutes
- Determine scope and future action items of this working group
- we need to look at the bigger picture and publish guidelines on a more strategic level
- of course we need to continu to support projects to move towards mature FHIR implementations
- on top of implementation guids we also need transition guides
- what are the important topics that need our attention and for which guidelines are necessary:
- hub/metahub system and FHIR readiness & functionalities
- versioning and FHIR R5 release
- access controls & security labels
- evolution of FHIR: a kind of end of life template is needed
- work on FHIR capability server: have runtime information at one specific moment in time
- one endpoint for all versions, or one endpoint for every version: TBC
- different endpoints will need to be maintained
- can we distinguish major (needing new endpoints so implementers will have to change their endpoint implementation) and minor releases (one endpoint for different versions)
- intended data capabilities need to be written out
- we discuss the presented document
- metadata meta.profile can be used but that should be done with caution ! a written guidance should be put together by HL7 Belgium
- we should aim to have only 2 versions active - advise 6 months in advance that a version will go into end of life, info about versions needs to be documented, more in detail as to what is available now
- aim for stability of FHIR R4 for at least 2 years
- the decision to migrate data to a new FHIR version has to be managed at project level by the project team, taking these rules into account and manage/document the end of life if he wants to move to a new version
- publication page of FHIR profiles has to have an intermediary page to show the different versions
- work on doc has to be continued in a shared doc
- access controls and security labels: see document here
- layering of access (KB78 or non KB 78)
- it is up to the access control to decide what to do with it
- rules on access need to be implementable
- guideline: these are the security labels that are available that can be used for a project
- a specific project can use the security labels for a permission (a scty label is an attribute f.e. psychiatric info)
- a GP soft can automatically label info where the label has a clear meaning ; same for hospital/EPD systems
- we have to work with roles, resources and labels
- labels have to be defined
- roles: check in access matrix
- a patient can override to make all visible
- do we have to talk about security labels or labels or content labels
Action items
- Position of HL7 Belgium on FHIR R5 release and versioniong needs to be written out (to cover the already upcoming questions from players and stakeholders in Belgium)
- FHIR readiness of Belgian metahub-hub system: a guidance document needs to be started
- Security controls & access controls: continue work on use cases for permission and consent, towars a more strategic level
Next meetings
- Wednesday 14 June at 9AM online