<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body ><div>I have been involved at HL7 but not on this specific topic. I am sure we could talk to Jaffe and find out how best to proceed if that is a shared sentiment.</div><div><br></div><div><br></div><div><div style="font-size:10px;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br><div>-------- Original message --------</div><div>From: Josh Mandel &lt;Joshua.Mandel@childrens.harvard.edu&gt; </div><div>Date: 10/06/2015 2:24 PM (GMT-05:00) </div><div>To: "Glen Marshall [SRS]" &lt;gfm@securityrs.com&gt; </div><div>Cc: openid-specs-heart@lists.openid.net </div><div>Subject: Re: [Openid-specs-heart] Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes </div><div><br></div><div dir="ltr">I know at least John Moehrke and I are both actively involved in HL7.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 6, 2015 at 2:16 PM, Glen Marshall [SRS] <span dir="ltr">&lt;<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Who on this listserve is active in HL7? I used to be, but am not
now. But I am fairly certain that if we want to be influential on
HL7 and Argonaut's work, HEART must initiate and become actively
engaged with HL7.<br>
<div>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: <a href="tel:%28610%29%20644-2452" value="+16106442452" target="_blank">(610) 644-2452</a><br>
Mobile: <a href="tel:%28610%29%20613-3084" value="+16106133084" target="_blank">(610) 613-3084</a><br>
<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
<a href="http://www.SecurityRiskSolutions.com" target="_blank">www.SecurityRiskSolutions.com</a></p>
</div><div><div class="h5">
<div>On 10/6/15 11:26, Kinsley, William
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">I
am more concerned with what I interpret as Argonaut’s hard
coding specific security roles and that they are not
representative of the OAuth and UMA approach. This is
serving as a wake-up call to us (the HEART WG) that without any
guidance from us, they are going to create a de facto
security/privacy standard that will be difficult to unwind
once it is adopted by other projects in the industry.</span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"> Bill</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a> [<a href="mailto:agropper@gmail.com" target="_blank">mailto:agropper@gmail.com</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Tuesday, October 06, 2015 11:19 AM<br>
<b>To:</b> Kinsley, William <a href="mailto:BKinsley@nextgen.com" target="_blank">&lt;BKinsley@nextgen.com&gt;</a><br>
<b>Cc:</b> Justin Richer <a href="mailto:jricher@mit.edu" target="_blank">&lt;jricher@mit.edu&gt;</a>;
<a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] Health Relationship
Trust Profile for Fast Healthcare Interoperability Resources
(FHIR) OAuth 2.0 Scopes<u></u><u></u></span></p>
<div>
<p class="MsoNormal">To begin the discussion, I would suggest
three terms with healthcare / generic names:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Patient / Subject<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
The Subject of the resource when the resource refers to
only one person. The Subject is also the Principal when
they register their resource with the Authorization
Server.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Custodian / Principal<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
The person that registers a resource with an
Authorization Server. This is typically the Resource
Owner (RO).
<u></u><u></u></li>
<li class="MsoNormal">
When a Custodian is in control of multiple Subjects,
they are able to identify (name) the separate Subjects
any way they choose.
<u></u><u></u></li>
<li class="MsoNormal">
A Custodian can access resources for multiple Subjects
in a single transaction including, for example, a
Patient List.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
User<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
Anyone or anything that is not a Subject or a Custodian.<u></u><u></u></li>
<li class="MsoNormal">
A User can access resources for multiple Subjects in a
single transaction including, for example, a Patient
List.<u></u><u></u></li>
</ul>
</ul>
<p>I hope we can map this to FHIR:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Pseudonymous Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for a single Subject identified by an opaque
pseudonym as registered with the Authorization Server.<u></u><u></u></li>
<li class="MsoNormal">
The resource may contain Subject identity information or
not.<u></u><u></u></li>
<li class="MsoNormal">
When the resource does not contain Subject identity
information, the Authorization Server is responsible for
associating the pseudonyms with an identity.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Multi-Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for multiple Subjects registered with the
Authorization Server by a Custodian or a User.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Identified Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for a single Subject that includes Subject
identifying information in the resource URI as
registered with the Authorization Server.
<u></u><u></u></li>
<li class="MsoNormal">
An identified subject resource must be protected as
personally identified information (PII).<u></u><u></u></li>
</ul>
</ul>
<p class="MsoNormal">Adrian<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">On Tue, Oct 6, 2015 at 10:05 AM,
Kinsley, William &lt;<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>&gt;
wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">This
is very informative detail of what the Argonaut
project is doing and I don’t want to deter the
information sharing process. I also think this is
a reminder that these groups are proceeding
without our guidance and that we need to discuss
what is our timeline to produce some type of
guidance to help them implement a process that is
aligned with the final product the HEART
workgroup delivers. </span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">Bill
</span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Justin Richer [<a href="mailto:jricher@mit.edu" target="_blank">mailto:jricher@mit.edu</a>]
<br>
<b>Sent:</b> Tuesday, October 06, 2015 8:12 AM<br>
<b>To:</b> Kinsley, William &lt;<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>&gt;<br>
<b>Cc:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart]
Health Relationship Trust Profile for Fast
Healthcare Interoperability Resources (FHIR)
OAuth 2.0 Scopes</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal">To
clarify the objective, we were presenting the first
draft of one of the outputs of this working group.<u></u><u></u></p>
<div>
<p class="MsoNormal">The
HEART working group exists specifically to create
these technical specifications. All of the
discussions on use cases are intended to drive
work on these specifications. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Also,
the group should note that the terms “patient” and
“user” were imported directly from the Argonauts
projects. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> —
Justin<u></u><u></u></p>
</div>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On
Oct 5, 2015, at 11:31 PM, Kinsley, William
&lt;<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>&gt;
wrote:<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">This
document was presented quickly during
the last few minutes of our call and I
am not sure what the objective was.
However, it did raise some questions
that could not be addressed at the
time, specifically paragraph 2.1
“Permission type” raised some
questions which I broke out below:
</span><u></u><u></u></p>
</div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">1.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">The
terms “Patient” and “User” seem
misleading and the purpose is not clear.</span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">a.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">A
patient can have access to multiple
patient records. For example, a parent
who has five children at the same
pediatrician would be a patient that can
access multiple patient records.
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">b.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">It
also sounds like we are hardcoding two
specific security roles, which would
seem to contradict what we are trying to
support in HEART (i.e. RBAC vs ABAC).
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">c.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">There
can be resources that are not related to
a specific patient, or to patients in general,
such as “Organization”,
“HealthcareService”, “Practitioner”,
etc.</span></p>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">Bill</span><u></u><u></u></p>
</div>
</div></div></blockquote></div></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></body>