HL7 Secure Transactions Special Interest Group
Meeting Minutes -- May 22-23, 2000

Attendees

Bernd Blobel, HL7 Germany
Myrtle Burton, MetroHealth
Alan Chan, Dept. of Veterans Affairs
Blair Cockenline, University of Washington
Renard Currie, Healthdyne
Ron Gans, MedSeek
Mary Kratz, Internet2
Glen Marshall, SMS
Hendrick du Plessis, QEDI
Rick Nelson, Epic
Gregg Seppala, Dept. of Veterans Affairs

Points Discussed

1. Glen Marshall presented the status of progress made toward a common audit record definition. The basic reception of the proposed standard was that it is a go-forward document. The intent is for it to be balloted as an informative document in the Fall voting, and then to become a normative standard with a timeline TBD. Here is the presentation …

   Comments from the attendees ...

   a) This record transcends HIPAA. It represents a general need in the healthcare community, both for the US as well as international.

   b) HL7 will work with the ASTM E31.17 committee to harmonize the HL7 effort with their provisional standard PS-115-99.

   c) Implementation advice:
      Establishing various roles and policies about disclosure audits by role will lead to clearer understanding plus administrative and technical efficiencies.
      Consider bandwidth brokering/metering as a way to fund auditing for people that want it.

   d) The UUID field (for unambiguous & permanent user identification):
      It is a common meeting-point with various standards efforts to define PKI and generic person objects.
      In essence, it can be used as a key to a fairly robust person record with history, etc. Local user-ID strings don't have this implicit power, and it can be important for investigational audits.

   e) Role ID field (introduced by HL7 in the January '00 meeting, not in SMS' definition):
      The Role ID field could be better viewed as "authorization source".
      Roles are ambiguous. It is better to have a taxonomy of roles derived from smaller atomic tasks. These can be stored in a directory (LDAP).
      Additional use cases are needed for roles with respect to auditing.

   f) The Policy Modeling aspect can use G-CPR in addition to the new European ISO standard. This is an area of work that needs to be done for the Fall meeting.

2. Bernd Blobel presented his work on Policy Modeling. This will be used in further development of the audit record work. Here is the presentation …

3. Bernd Blobel also presented an overview of the W3C working draft "XML-Signature Core Syntax and Processing". In discussion we determined that we should move this work forward to be balloted as an informative document. Here is the presentation …

Issues Resolved

None

Follow-up Items & Assignments

1. Glen Marshall: Prepare informative document for the Audit Record for balloting in Fall 2000.

2. Bernd Blobel: Prepare an update presentation on digital signatures for XML, in preparation for a subsequent informative document for HL7 v3.0.

NOTE: Input to and discussion about these topics will be welcome on the SIG Secure listserve.

Schedule for the next meeting

The next meeting date for the Secure Transactions SIG will be Tuesday, September 12, 2000, morning and afternoon. Agenda items are:

1. Status of Audit record definition, including results from the planned ballot on the informative document.

2. A discussion of PKI for healthcare and its applicability to HL7 authentication for messages and the CCOW user context subject.

3. An update presentation on digital signatures for XML, in preparation for an informative document for HL7 v3.0.

4. A report and discussion on healthcare security efforts in other standards development organizations (such as the ASTM E31 committee), HL7's international affiliates, and efforts to coordinate and harmonize HL7's work with them.