<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
It may be advantageous to work with IHE USA to create a national
extension and/or implementation guide for the IHE IUA profile, at
least for SMART on FHIR (Argonaut) OAuth scopes. This is because
IHE is more about implementation, while FHIR is a data model.
There is sufficient cross-coordination and cross-membership between
IHE and HL7 for this. <br>
<br>
Developing a strategy for forwarding UMA may need a different
cross-coordination strategy, but I'd still like to see it allied
with IHE IUA.<br>
<br>
<div class="moz-signature">
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: (610) 644-2452<br>
Mobile: (610) 613-3084<br>
<a class="moz-txt-link-abbreviated" href="mailto:gfm@securityrs.com">gfm@securityrs.com</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.SecurityRiskSolutions.com">www.SecurityRiskSolutions.com</a></p>
</div>
<div class="moz-cite-prefix">On 10/6/15 17:41, Justin Richer wrote:<br>
</div>
<blockquote
cite="mid:ylepngh3u5iegtqa2hwbvx7l.1444167685060@email.android.com"
type="cite">
<div>Evidence of that cross communication can be found in the fact
that HEART is starting with the Argonauts scope structure.
Remember, this information needs to flow both ways, and it is.
Smart is currently considering supporting HEART style client
authenticating, for instance. </div>
<div><br>
</div>
<div>It doesn't mean that both of us will end where we've started,
but it does mean that we are not working in a vacuum on either
side. </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="composer_signature"><div>
<div>
<div>-- Justin</div>
<div><br>
</div>
<div>/ Sent from my phone /</div>
</div>
</div></div>
<br>
<br>
-------- Original message --------<br>
From: Debbie Bucci <a class="moz-txt-link-rfc2396E" href="mailto:debbucci@gmail.com">&lt;debbucci@gmail.com&gt;</a> <br>
Date: 10/6/2015 11:08 PM (GMT+01:00) <br>
To: "Glen Marshall [SRS]" <a class="moz-txt-link-rfc2396E" href="mailto:gfm@securityrs.com">&lt;gfm@securityrs.com&gt;</a> <br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-heart@lists.openid.net">openid-specs-heart@lists.openid.net</a> <br>
Subject: Re: [Openid-specs-heart] Health Relationship Trust
Profile for Fast Healthcare Interoperability Resources (FHIR)
OAuth 2.0 Scopes <br>
<br>
<p dir="ltr">John Moerke<br>
Josh Mandel<br>
Bill Kinsley </p>
<p dir="ltr">All actively participate with HL7 and offered their
time here at HEART, and it's greatly appreciated. Certain I have
missed others. A quick glance at the Listserv shows others are
quietly following along.</p>
<p dir="ltr"> I have been trying to join the security and cbcc
workgroups when I can. </p>
<p dir="ltr">There is cross communication occurring already if you
look closely enough.</p>
<div class="gmail_quote">On Oct 6, 2015 2:16 PM, "Glen Marshall
[SRS]" &lt;<a moz-do-not-send="true"
href="mailto:gfm@securityrs.com">gfm@securityrs.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Who on this listserv
is active in HL7? I used to be, but am not now. But I am
fairly certain that if we want to be influential on HL7 and
Argonaut's work, HEART must initiate and become actively
engaged with HL7.<br>
<div>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: <a moz-do-not-send="true"
href="tel:%28610%29%20644-2452" value="+16106442452"
target="_blank">(610) 644-2452</a><br>
Mobile: <a moz-do-not-send="true"
href="tel:%28610%29%20613-3084" value="+16106133084"
target="_blank">(610) 613-3084</a><br>
<a moz-do-not-send="true"
href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
<a moz-do-not-send="true"
href="http://www.SecurityRiskSolutions.com"
target="_blank">www.SecurityRiskSolutions.com</a></p>
</div>
<div>On 10/6/15 11:26, Kinsley, William wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif;color:#44546a">I
am more concerned with what I interpret as
Argonaut’s hard-coding of specific security roles, and
that they are not representative of the OAuth and
UMA approach. This is serving as a wake-up call to us
(the HEART WG) that without any guidance from us,
they are going to create a de facto security/privacy
standard that will be difficult to unwind once it is
adopted by other projects in the industry.</span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif;color:#44546a"> Bill</span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"> <a
moz-do-not-send="true"
href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a>
[<a moz-do-not-send="true"
href="mailto:agropper@gmail.com" target="_blank">mailto:agropper@gmail.com</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Tuesday, October 06, 2015 11:19 AM<br>
<b>To:</b> Kinsley, William <a
moz-do-not-send="true"
href="mailto:BKinsley@nextgen.com" target="_blank">&lt;BKinsley@nextgen.com&gt;</a><br>
<b>Cc:</b> Justin Richer <a moz-do-not-send="true"
href="mailto:jricher@mit.edu" target="_blank">&lt;jricher@mit.edu&gt;</a>;
<a moz-do-not-send="true"
href="mailto:openid-specs-heart@lists.openid.net"
target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] Health
Relationship Trust Profile for Fast Healthcare
Interoperability Resources (FHIR) OAuth 2.0 Scopes</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">To begin the discussion, I would
suggest three terms with healthcare / generic names:</p>
<ul type="disc">
<li class="MsoNormal">Patient / Subject
<ul type="circle">
<li class="MsoNormal">The Subject of the resource
when the resource refers to only one person. The
Subject is also the Principal when they register
their resource with the Authorization Server.</li>
</ul>
</li>
<li class="MsoNormal">Custodian / Principal
<ul type="circle">
<li class="MsoNormal">The person that registers a
resource with an Authorization Server. This is
typically the Resource Owner (RO).</li>
<li class="MsoNormal">When a Custodian is in
control of multiple Subjects, they are able to
identify (name) the separate Subjects any way
they choose.</li>
<li class="MsoNormal">A Custodian can access
resources for multiple Subjects in a single
transaction including, for example, a Patient
List.</li>
</ul>
</li>
<li class="MsoNormal">User
<ul type="circle">
<li class="MsoNormal">Anyone or anything that is
not a Subject or a Custodian.</li>
<li class="MsoNormal">A User can access resources
for multiple Subjects in a single transaction
including, for example, a Patient List.</li>
</ul>
</li>
</ul>
<p>I hope we can map this to FHIR:</p>
<ul type="disc">
<li class="MsoNormal">Pseudonymous Subject Resource
<ul type="circle">
<li class="MsoNormal">A resource for a single
Subject identified by an opaque pseudonym as
registered with the Authorization Server.</li>
<li class="MsoNormal">The resource may contain
Subject identity information or not.</li>
<li class="MsoNormal">When the resource does not
contain Subject identity information, the
Authorization Server is responsible for
associating the pseudonyms with an identity.</li>
</ul>
</li>
<li class="MsoNormal">Multi-Subject Resource
<ul type="circle">
<li class="MsoNormal">A resource for multiple
Subjects registered with the Authorization
Server by a Custodian or a User.</li>
</ul>
</li>
<li class="MsoNormal">Identified Subject Resource
<ul type="circle">
<li class="MsoNormal">A resource for a single
Subject that includes Subject identifying
information in the resource URI as registered
with the Authorization Server.</li>
<li class="MsoNormal">An identified subject
resource must be protected as personally
identified information (PII).</li>
</ul>
</li>
</ul>
<p class="MsoNormal">Adrian</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Tue, Oct 6, 2015 at 10:05
AM, Kinsley, William &lt;<a moz-do-not-send="true"
href="mailto:BKinsley@nextgen.com"
target="_blank">BKinsley@nextgen.com</a>&gt;
wrote:</p>
<blockquote style="border:none;border-left:solid
#cccccc 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif;color:#44546a">This
is very informative detail of what the
Argonaut project is doing, and I don’t want
to deter the information-sharing process.
I also think this is a reminder that these
groups are proceeding without our guidance
and that we need to discuss what our
timeline is to produce some type of guidance
to help them implement a process that is
aligned with the final product the HEART
workgroup delivers. </span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif;color:#44546a">Bill
</span></p>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">
Justin Richer [mailto:<a
moz-do-not-send="true"
href="mailto:jricher@mit.edu"
target="_blank">jricher@mit.edu</a>]
<br>
<b>Sent:</b> Tuesday, October 06, 2015
8:12 AM<br>
<b>To:</b> Kinsley, William &lt;<a
moz-do-not-send="true"
href="mailto:BKinsley@nextgen.com"
target="_blank">BKinsley@nextgen.com</a>&gt;<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-heart] Health
Relationship Trust Profile for Fast
Healthcare Interoperability Resources
(FHIR) OAuth 2.0 Scopes</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">To clarify the objective,
we were presenting the first draft of one of
the outputs of this working group.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The HEART working group
exists specifically to create these
technical specifications. All of the
discussions on use cases are intended to
drive work on these specifications. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Also, the group should
note that the terms “patient” and “user”
were imported directly from the Argonauts
projects. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> — Justin</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Oct 5, 2015,
at 11:31 PM, Kinsley, William &lt;<a
moz-do-not-send="true"
href="mailto:BKinsley@nextgen.com"
target="_blank">BKinsley@nextgen.com</a>&gt;
wrote:</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">This
document was presented quickly
during the last few minutes of
our call and I am not sure
what the objective was.
However, it did raise some
questions that could not be
addressed at the time,
specifically paragraph 2.1
“Permission type” raised some
questions which I broke out
below: </span></p>
</div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">1.</span><span
style="font-size:7.0pt"> </span><span
style="font-size:14.0pt;font-family:'Cambria',serif">The terms
“Patient” and “User” seem
misleading and the purpose is
not clear.</span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">a.</span><span
style="font-size:7.0pt"> </span><span
style="font-size:14.0pt;font-family:'Cambria',serif">A patient
can have access to multiple
patient records. For example, a
parent who has five children at
the same pediatrician would be a
patient that can access multiple
patient records. </span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">b.</span><span
style="font-size:7.0pt"> </span><span
style="font-size:14.0pt;font-family:'Cambria',serif">It also
sounds like we are hard-coding
two specific security roles,
which would seem to contradict
what we are trying to support in
HEART (i.e. RBAC vs ABAC). </span></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">c.</span><span
style="font-size:7.0pt"> </span><span
style="font-size:14.0pt;font-family:'Cambria',serif">There can
be resources that are not related
to a specific patient or to patients
in general, such as
“Organization”,
“HealthcareService”,
“Practitioner”, etc.</span></p>
<div>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:'Cambria',serif">Bill</span></p>
<table style="width:448.2pt"
border="0" width="598"
cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt
.75pt .75pt">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Calibri',sans-serif">William
Kinsley, CISSP<br>
Enterprise Architect,
Ambulatory<br>
<b>NEXTGEN HEALTHCARE<br>
</b>Solutions for:
Ambulatory, Inpatient
and Community
Connectivity<br>
795 Horsham Road,
Horsham, PA 19044<br>
<a
moz-do-not-send="true"
href="tel:%28215%29%20657-7010%20x21128" target="_blank">(215) 657-7010
x21128</a> <br>
<a
moz-do-not-send="true"
href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-heart@lists.openid.net"
target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-heart"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- </p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Adrian Gropper MD<br>
<br>
<span
style="font-family:'Arial',sans-serif;color:#1f497d">PROTECT
YOUR FUTURE - RESTORE Health
Privacy!<br>
HELP us fight for the right to
control personal health data.<br>
DONATE: <a moz-do-not-send="true"
href="http://patientprivacyrights.org/donate-2/" target="_blank"><span
style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span>
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>