2019-09-17 Meeting notes

Date

Attendees

  • Jeff Brennan
  • Sal D’Agostino 
  • Tom Jones
  • Jim Kragh 
  • Noreen Whysel

Not attending:

  • Bev Corwin
  • Mary Hodder

Agenda

  • Educational Foundation Board
  • NIST Privacy Framework

Discussion items

TimeItemWhoNotes
Educational Foundation BoardSal d’Agostino
  • Sal to discuss Kantara's first Educational Foundation Board meeting where he, as a member, shared the FIRE Charter activities with board members in attendance.

    We can present state of grant writing at next board meeting
  • Currently have $13,000 in bank account, we should think which funders to approach.
  • Sal shared an older  business plan deck from IDESG

NIST Privacy FrameworkJeff Brennan

DEFERRED TO NEXT WEEK Jeff, hopefully can provide some initial insight and direction on how best to approach and apply NIST's 3rd draft of the Privacy Framework


Third party APIs

Tom Jones
  1. Need a credential service provider to create APIs Tom validat the User age not and/or device.
  2. Patient needs to carry credentials with them to be trusted Ted trusted community pcp
  3. Components to be embedded in packet
    1. PCP - IAL2
    2. CSP - AAL2 (device statement, packet within a packet)
    3. User agent ensures the credential is AAL2
    4. App puts identity and device proofing together (Tom says this is a policby question)
    5. Question: should you associate IAL2 credential in the registry? Tom sees them as separate. “User agent trusts itself.”
  4. Core problem: 
    1. If data leaves covered provider and enters patient possession, need to be able to protect the data, possible repossess it. 
      1. Is there a duty of care to protect data into user agent?
      2. If passing to another entity agent should understand if the entity should have access (new PCP versus spouse, for example)
      3. Filtering process is within scope
      4. Normal login flow for websites are not sufficient. Authentication must happen within phone
        1. OpenID Enhanced will work
        2. FIDO won’t work because it doesn’t cover authentication on mobile
    2. Data labeling: need a taxonomy so agent knows which data to protect: defined in Agent Code of Conduct
      1. Need labels that are 
        1. Useful
        2. intelligible to user
      2. Noreen and Mary can advise on labeling (and cross referenced against terms as defined in regulations)
    3. Scenarios
      1. Data once sent to another becomes covered
      2. PCP may deny data to an app that is not trusted
      3. Ability to automatically release data to some other EHR
        1. CSR creates a binding and user agent remembers it
    4. 21st Century Care Act of 2016, Jeff will review

Google and trustmarksTom Jones

Tom is meeting with Google security expert to discuss how to express trust to the user now that they are doing away with trustmarks. 

Javascript Object Signing and Encryption (JOSE) — jose 0.1 ... https://jose.readthedocs.io/en/latest JOSE is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. 

https://jose.readthedocs.io/en/latest/

Action items

  •