Minutes - Security WG 2023-10-04
From Health Level 7 Belgium Wiki
Attendees
- Anthony Maton
- Bart Decuypere
- Benny Verhamme
- Brian Thieren
- Dominiek Leclerq
- Elien De Koker
- Félix De Tavernier
- Filoretta Velica
- Hanne Vuegen
- Jean-Michel Polfliet
- José Costa Teixeira
- Karlien Erauw
- Maxime Caucheteur
- Philippe Baise
- Steven Van den Berghe
- Werner De Mulder
Excused/Not present
- Brecht Van Vooren
- Cyprien Janssens
- Didier Temans
- Erwin Bellon
- Filip Veldeman
- Isabelle Pollet
- Jan Lenie
- Jan Stinissen
- Marco Busschots
- Nick Hermans
- Nico Vannieuwenhuyze
- Stef Hoofd
Agenda
- review feedback on pseudonymization of FHIR resources
- proposal on attachments
Minutes
- We review on how the feedback from the 20 Sept meeting on pseudonymization
- is it possible to have a shorthand for f.e. SSIN
- this is possible but however there is no real use for it. The transit info should be used to transform the pseudonym to its eventual form, because the pseudonym is different for every transmission. This form is not suitable to be stored or processed otherwise.
- On top, this will impact the validation of pseudonymized and non-pseudonymized resources, because of the additional slice to be added to pseudonymizable resources.
- extensions are not preferable, what if you don't store it ; but pseudonymized is not an unique identifier so it could not be used this way
- what about blinding/unblinding (see cookbook): not clear yet
- reuse info from header and omit it from the FHIR message
- Each pseudonym has its own transit info, even if you use the “multiple” functionality
- how to solve the search problem for pseudonymized resources?
- size of getRequest is limited, however there is an alternative in the FHIR standard, using post syntax
- search can done using POST and POST url syntax because of the size of the search parameters
- how will we express the parameters ? There are 2 options:
- treat parameter as composite parameter using a separate token, concatenation using a $ sin
- encode pseudonym in a JWE string, this will have a double impact of Base64 encoding
- which option do we agree upon ?
- this is not a FHIR query, therefore the composite
- this is only for solutions that use pseudonymization
- Discuss search for contained resource
- see issues 255 and 257 in referral project
Action items
- Security controls: continue work on valuesets by Brecht
- Position of HL7 Belgium on the FHIR R5 release (to cover the already upcoming questions from players and stakeholders in Belgium)
- FHIR readiness of Belgian metahub-hub system: see preparation work
Next meetings
- Wednesday 18 Oct at 9AM