Subject: ***RSA 2008 - 10 AM EST TODAY***
Just a reminder for the call today at 10:00AM EDT;

Conference Dial-in Number: (605) 772-3100
Host Access Code: 505991*
Participant Access Code: 505991#

International Dial-in Numbers
Austria: 0820 4000 1552
Belgium: 070 35 9974
France: 0826 100 256
Germany: 01805 00 76 09
Ireland: 0818 270 021
Italy: 848 390 156
Netherlands: 9004 353 535
Spain: 902 886025
Switzerland: 0848 560 179
UK: 0870 35 204 74

-----Original Message-----
From: Dee Schur [mailto:dee.schur@oasis-open.org]
Sent: Friday, November 09, 2007 12:02 PM
To: 'xacml@lists.oasis-open.org'; 'xacml-demo-tech@lists.oasis-open.org'; 'xacml-demo-mktg@lists.oasis-open.org'
Cc: 'Dilli.Dorai@Sun.COM'; 'Staggs, David (SAIC)'; 'Anil Saldhana'; 'Prateek Mishra'; 'Andrew.Rappaport@ca.com'; 'erik@axiomatics.com'; 'Anthony Nadalin'; 'Howard Ting'; 'sampo@symlabs.com'; 'susie@symlabs.com'
Subject: RSA 2008
Importance: High

Hi,

We had a very invigorating and useful conversation yesterday regarding the RSA XACML demo. David Staggs was kind enough to put forth a scenario but other members felt as if it was too aggressive and possibly unachievable.

We have set a call for next Tuesday, 13 Nov at 10 AM EST. We need to get this sorted out, so I firmly hope that ALL potential participants set this as a priority call.

David just sent an additional overview to the list titled 'Use Case Models' (which I have attached) - let me know if you need more information.

***I have also included David's follow-up email related to this document and our meeting at the end of this message for your review.

Here is the call-in info:

Coordinator Name: deeschur
Email: dee.schur@oasis-open.org

Free Conference Call
Conference Dial-in Number: (605) 772-3100
Host Access Code: 505991*
Participant Access Code: 505991#

International Dial-in Numbers
Austria: 0820 4000 1552
Belgium: 070 35 9974
France: 0826 100 256
Germany: 01805 00 76 09
Ireland: 0818 270 021
Italy: 848 390 156
Netherlands: 9004 353 535
Spain: 902 886025
Switzerland: 0848 560 179
UK: 0870 35 204 74

Please let me know your status if you are unable to attend.

Regards,
Dee

-----Original Message-----
From: Staggs, David (SAIC) [mailto:David.Staggs@va.gov]
Sent: Friday, November 09, 2007 11:51 AM
To: Prateek Mishra; Anthony Nadalin
Cc: Dee Schur; xacml@lists.oasis-open.org; xacml-demo-mktg@lists.oasis-open.org; xacml-demo-tech@lists.oasis-open.org
Subject: RE: [xacml] Re: [xacml-demo-tech] RE: [xacml] RSA 2008

Dear Colleagues,

Sorry for the long e-mail; here is a summary:

1. Proposal for a "focus" call next Tuesday, 11/13/07 for the RSA demo.
2. Explanation of HITSP's interest in an XACML "privacy" scenario.
3. Summary of where we are at.
4. Link to the document "Using XACML for Privacy Control."
5. Sources for use case ideas.

1. ----------

As stated in the 11/08 minutes, I suggest a focus call next Tue Nov 13 at 10 AM EST.

2. ----------

Anil requested a summary of the role the Healthcare Information Technology Standards Panel (HITSP) plays (specifically concerning the RSA demonstration):

HITSP has no direct role in the demonstration. HITSP SPTC has identified OASIS XACML as a necessary standard to meet DHHS ONC AHIC healthcare use cases requirements for secure authorization for security and privacy. The RSA demonstration is consistent with the HITSP Access Control construct.

HITSP's goal is to develop a Security and Privacy Access Control profile in support of the American Health Information Community (AHIC) access control use case in a standards-based manner for the U.S. Department of Health and Human Services. Selection of standards will drive government agencies, like the Department of Veterans Affairs, in IT. HITSP is administered by the American National Standards Institute (ANSI).

A gap in standards has been uncovered by HITSP addressing the security and privacy requirements for enforcing privacy and access control policies between multiple healthcare information systems. So the VHA, as a participant in HITSP, is very interested in the proposed RSA demonstration as a step forward in establishing consensus on how a Security and Privacy Access Control profile.

Additional information at: www.ansi.org/hitsp/

3. ----------

It may be helpful to discuss the current status of the RSA opportunity.

Neither HITSP nor the VHA has a particular approach selected. The VHA wants to stimulate discussion in this area to support the future (obvious) need to address privacy and access control in the VHA's mission to supply healthcare to US veterans and dependants.

We suggest the TC focus just on the XACML piece of the puzzle for the RSA demonstration - which is only a part of the larger HITSP construct.

I have discussed the opportunity to address privacy using XACML at several TC meetings and with several TC members, including the co-chair (Hal).

I think using the previous demonstration would be helpful if it allows us to focus the effort on the goal of administering patient privacy electives using XACML. That would mean switching the text from stockbrokers to clinicians but may save us from reinventing the infrastructure. The immediate task is to identify one or two use cases and settle on the preferred XACML approach.

Finally, the description circulated at the last TC meeting was written as a quick "placeholder" to meet Dee's deadline for maintaining our opportunity to participate in the upcoming RSA conference. The text is very general and I believe whatever the TC comes up with will agree with the general wording.

4. ----------

Here is a link to the document discussed briefly at the last XACML TC call entitled "Using XACML for Privacy Control":

http://www.nm.ifi.lmu.de/pub/Publikationen/homm05a/PDF-Version/homm05a.pdf

The paper was found on the cover pages hosted by OASIS:

http://xml.coverpages.org/xacml.html

The paper may be a useful starting point, or it may not.

5. ----------

I feel this is a great time to construct a use case using XACML to support privacy enforcement. The question is "how can access to patient information be secured per a patient's privacy elections" after it has been received by another institution or department.

Since I believe the immediate task is to identify one or two use cases, I will attach a document discussing some scenarios for discussion.

The document is the entire Use Case Model document that was produced as part of the work that was funded last year by Canada Health Infoway on Consent Management (courtesy of Patrick Pyette). The "Create Consent Directive to Disclose PHI" and the two "Override Consent to Disclose" Use Cases may be useful as a starting point. They are all oriented to the Canadian experience, but with a bit of work I think could be reworked to be applicable to any scenario.

I realize some may have strongly held opinions on these use cases; they are merely suggestions, and we can make up our own use case based on the decision of the TC.

Sorry for cross-posts.

Thanks
David

David Staggs, JD, CISSP (SAIC)
Veterans Health Administration
Chief Health Informatics Office
Emerging Health Technologies