Time | Item | Who | Notes |
---|
| Educational Foundation Board | Sal d’Agostino | |
| NIST Privacy Framework | Jeff Brennan | DEFERRED TO NEXT WEEK Jeff, hopefully can provide some initial insight and direction on how best to approach and apply NIST's 3rd draft of the Privacy Framework |
| Third party APIs | Tom Jones | - Need a credential service provider to create APIs Tom validat the User age not and/or device.
- Patient needs to carry credentials with them to be trusted Ted trusted community pcp
- Components to be embedded in packet
- PCP - IAL2
- CSP - AAL2 (device statement, packet within a packet)
- User agent ensures the credential is AAL2
- App puts identity and device proofing together (Tom says this is a policby question)
- Question: should you associate IAL2 credential in the registry? Tom sees them as separate. “User agent trusts itself.”
- Core problem:
- If data leaves covered provider and enters patient possession, need to be able to protect the data, possible repossess it.
- Is there a duty of care to protect data into user agent?
- If passing to another entity agent should understand if the entity should have access (new PCP versus spouse, for example)
- Filtering process is within scope
- Normal login flow for websites are not sufficient. Authentication must happen within phone
- OpenID Enhanced will work
- FIDO won’t work because it doesn’t cover authentication on mobile
- Data labeling: need a taxonomy so agent knows which data to protect: defined in Agent Code of Conduct
- Need labels that are
- Useful
- intelligible to user
- Noreen and Mary can advise on labeling (and cross referenced against terms as defined in regulations)
- Scenarios
- Data once sent to another becomes covered
- PCP may deny data to an app that is not trusted
- Ability to automatically release data to some other EHR
- CSR creates a binding and user agent remembers it
- 21st Century Care Act of 2016, Jeff will review
|
| Google and trustmarks | Tom Jones | Tom is meeting with Google security expert to discuss how to express trust to the user now that they are doing away with trustmarks. Javascript Object Signing and Encryption (JOSE) — jose 0.1 ... https://jose.readthedocs.io/en/latest JOSE is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. https://jose.readthedocs.io/en/latest/ |