UMA telecon 2021-10-21

UMA telecon 2021-10-21

Date and Time

Agenda

Minutes

Roll call

  • Quorum: No

Approve minutes

Deferred



IIW closing thoughts

(see initial thoughts from last weeks minutes)

  • a lot of SSI focus, main OAuth-y topics we're in relation to the interop/connection to SSI


FHIR Vulnerability Review

and how UMA could address, maybe a 1-2 page position

https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse

https://www.healthcareitnews.com/news/cybersecurity-briefs-olympus-it-outage-fhir-vulnerabilities-and-more

Summary of articles: a white-hat security company (https://approov.io/) have looked at some health care mobile applications that access FHIR apis. Patients were authenticating against the API/EHR, however the applications were able to access all FHIR data regardless of the authenticated user. There were also issues raised around static client credentials embedded in the mobile applications (public SMART on FHIR app using confidential client creds?)

  • no patient/RO segmentations, seems that any authenticated user could access the full API
    • coarse grained api access, no RO compartmentalization 
  • want apps to conform to their requirements and protect data

want to avoid a 'shut down access' reactive response


Potential Outline:

  • summary of the issues found
  • assumed oauth/oidc api model being used
    • identity is often an invitation model for EHRs
  • present a uma architecture to show the fine grained RO resources
    • how that helps the FHIR API provider properly restrict access. only one patients at a time
    • direct responses to the 'Recommendations to FHIR API Owners" 
    • use of high assurance identity
  • other uma benefits
    • multiple idps, don't make the FHIR API provider deal with authentication/identity. UMA AS is connection between identity/authN systems and the FHIR AuthZ
    • sharing and delegation to Bob
  • links to CARIN recommendations and app certification processes (eg as provided by AEGIS)


application of provider authZ setup to patient access

difference of patient/*.* (what they should've done) and user/*.* (what they did)


Patient empowerment group (hl7 group) is meeting and the article writer is presenting these findings.


Let's use confluence, Alec will create a page and move these notes over then share the link on the mailing list


AOB



  • moving gdocs working docs to confluence, will create a working docs space in confluence to upload these docs
    • confluence has a 'import word doc' feature, need an approach for slide decks


Conference roundup

In person is coming back!

  • Identity North
  • HLTH: https://www.hlth.com/
    • in-person w/ 6000 people in attendance!
  • FIDO Authenticate
  • National Cyber Summit in Nashville
    • zero trust was a main topic
    • 2500 people!


Topic Candidates (from previous week's telcon)

  • Delegation and Guardianship
  • Outcome of user stories discussion

  • PDP architecture includes the concept of governance registry/discovery

  • TOIP/SSI are starting to define this ecosystem function

  • ANCR records update

  • Privacy as Expected/ANCR update : 2/3 weeks out (Sal?)


Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  1. Eve
  2. Alec
  3. Domenico

Non-voting participants:

  1. Scott G, working with Healthcare team at Forgerock
  2. Nancy
  3. Vladimir
  4. Scott 

Regrets:

  1. Steve