2019-09-24 Meeting notes

Date

Attendees

  • Jeff Brennan
  • Sal D’Agostino
  • Tom Jones
  • Jim Kragh
  • Noreen Whysel

Regrets:

  • Bev Corwin
  • Mary Hodder

Agenda

  • Healthcare 
  • ISO
  • FIRE Minutes

Discussion items

Item: Phone as Healthcare Credential
Who: Tom Jones
Notes:
  • https://wiki.idesg.org/wiki/index.php/Phone_as_Health_Care_Credential 

    and if we want to get really geeky, let's talk about the API message that I think we need now for that solution.

    https://wiki.idesg.org/wiki/index.php/Consent_to_Create_Binding 

  • Sal referenced:

    3.5 WG 5 – Identity management and privacy technologies  

    After completion of foundational frameworks (especially ISO/IEC 24760 A framework for identity management and ISO/IEC 29100 Privacy framework) priorities for Working Group 5 are to develop related standards and Standing Documents on supporting technologies, models, and methodologies.  


    3.5.1 WG 5 accomplishments  

    The following products were published during 2018-10/2019-09  

    • ISO/IEC 20889-2018-11 (1st edition), Privacy enhancing data de-identification techniques  
    • ISO/IEC 24760-1:2019-05 (2nd edition), IT security and privacy -- A framework for identity management -- Part 1: Terminology and concepts 
    • ISO/IEC TR 27550:2019-09 (1st edition), Privacy engineering for system life cycle processes  
    • ISO/IEC 27701:2019-08 (1st edition), Security techniques -- Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management -- Requirements and guidelines [this was developed as ISO/IEC 27552]  
    • WG 5 Standing Document 2 – Privacy references list  
    • WG 5

Tom is focusing on JSON Web Token which is not compatible with SAML, which is XML.

One can write a program that translates from SAML to JSON, but it doesn’t translate the protocol.

JSON Web Token is a translation gateway like Microsoft ADFS.
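To make the SAML-versus-JWT point concrete, here is an added example (not code from the group or from any project mentioned in these notes) that maps a constructed SAML 2.0 assertion onto JWT claims and signs the result with HS256 using only the Python standard library. The assertion, issuer, audience and key are all made-up sample values. What the example deliberately does not do is the SAML protocol: there is no AuthnRequest/Response exchange, no binding, and no validation of the assertion's XML signature, so a relying party consuming the JWT still has to check signature, audience and validity window itself, which the verify function shows.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample assertion (not from the page). A real assertion would be
# XML-signed and would arrive inside a SAML Response over a binding; none of
# that is represented here, which is exactly the "format, not protocol" point.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" IssueInstant="2019-09-24T15:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">patient@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-09-24T15:00:00Z" NotOnOrAfter="2019-09-24T15:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>patient</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _iso_to_epoch(ts: str) -> int:
    # SAML timestamps are UTC ISO-8601; JWT nbf/exp are epoch seconds.
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def saml_to_claims(xml_text: str) -> dict:
    """Map the assertion's Issuer, NameID, Conditions and attributes onto JWT claims."""
    root = ET.fromstring(xml_text)
    claims = {
        "iss": root.findtext("saml:Issuer", namespaces=NS),
        "sub": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
    }
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        claims["nbf"] = _iso_to_epoch(cond.get("NotBefore"))
        claims["exp"] = _iso_to_epoch(cond.get("NotOnOrAfter"))
        aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if aud:
            claims["aud"] = aud
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact-serialised JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt_hs256(token: str, key: bytes, audience: str, now: int) -> dict:
    """Relying-party side: signature, pinned algorithm, audience and time window."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token not valid at this time")
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # shared secret for the demo only
    claims = saml_to_claims(SAML_ASSERTION)
    token = sign_jwt_hs256(claims, demo_key)
    print(verify_jwt_hs256(token, demo_key, "https://portal.example.test", claims["nbf"] + 10))
```

Note that the translator copies the audience and validity window across, but nothing in the JWT proves that the original assertion was itself signed by the IdP or that it was delivered through a legitimate SAML flow; the gateway doing the translation has to establish that trust before it mints the token.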

Sequoia is building national interoperability framework, but appears to be addressing it only technologically, not via trust or patient/consumer concern.

Need trust registry to function: basis for registry to have trust.

Sequoia received $900,000 on first year of a 4 year award for measuring compliance.

Jeff asked whether they have thought beyond measuring the data. Tom said no, just measuring.

No incentive for consumers to go to IAL2 because EPIC does a good job with their REST portal without this level of assurance.

Tom has two assumptions:

  • Consumer will get level 2 authentication assurance?
  • Consumer get ability to transfer data to another party?

So we need to make sure level 2 assurance is something they can tolerate.

  • Sal: if you don’t use level 2 you don’t access it.
  • Tom: TEFCA may not have the strength of AML regulation in banking.


GOAL: create consumer IAL2 assurance

Consent to create binding
https://wiki.idesg.org/wiki/index.php/Consent_to_Create_Binding

Our registry could have requirements for patient agents, similar to those for services.

Q: Can the phone protect the key?

How can we help NIST understand how a patient controlled device can be a level 2 device? Right now patient devices aren’t controlled by any central agent. But there is a central authority that can measure control (FIRE WG).

In order for an identity to be useful, you need to be able to create a binding. Needs to be approved by OpenID Connect. (OpenID Connect self-identity has some problems).

Redress/recovery requires some identification (GUID as in above image) to process, such as an email or text or other way to send a notification to the user. It would require its own set of requirements. (Tom currently has it running on Windows and Android.)

All physicians are registered at AAL3 by federal government. Critical to signing process of authentication sequence.

AML is similar to what drives healthcare via TEFCA (preventing fraud).


Item: Research for Next Call
Who: Sal D'Agostino
Notes:

UMA Legal Subgroup Notes: creating vocabulary for legal terminology (versus branding)

UMA home page

https://kantara.atlassian.net/wiki/display/uma/Home

UMA Meeting notes

https://kantara.atlassian.net/wiki/display/uma/UMA+legal+subgroup+notes#UMAlegalsubgroupnotes-2019-09-24

UMA Business Model Report (draft)

https://kantarainitiative.org/file-downloads/uma-business-model-0-7e-2018-02-01-pdf/

Business Model Mapping Graphics PPT https://docs.google.com/presentation/d/1uigCMQI_TKuFyOstQTngYuZaqs36wwbE3BBjBB7xGb4/edit?usp=sharing

(requires permission to access)


Item: FIRE Minutes
Who: Jim Kragh
Notes:

Colin and Andrew requested more formal documentation of our minutes on the Kantara FIRE wiki pages: https://kantara.atlassian.net/wiki/display/WT/Meeting+notes

Action items

  • Research for Next Call
  • Tom to take notes from call and integrate into his model.
  • Sal/Noreen suggested format for meeting minutes to be posted to wiki.