<p dir="ltr">John Moerke<br>
Josh Mandel<br>
Bill Kinsley </p>
<p dir="ltr">All actively participate with HL7 and offered their time here at HEART and it's greatly appreciated. I am certain I have missed others. A quick glance at the Listserv shows others are quietly following along.</p>
<p dir="ltr"> I have been trying to join the security and cbcc workgroups when I can. </p>
<p dir="ltr">There is cross communication occurring already if you look close enough.</p>
<div class="gmail_quote">On Oct 6, 2015 2:16 PM, "Glen Marshall [SRS]" <<a href="mailto:gfm@securityrs.com">gfm@securityrs.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Who on this listserv is active in HL7? I used to be, but am not
now. But I am fairly certain that if we want to be influential on
HL7 and Argonaut's work, HEART must initiate and become actively
engaged with HL7.<br>
<div>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: <a href="tel:%28610%29%20644-2452" value="+16106442452" target="_blank">(610) 644-2452</a><br>
Mobile: <a href="tel:%28610%29%20613-3084" value="+16106133084" target="_blank">(610) 613-3084</a><br>
<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
<a href="http://www.SecurityRiskSolutions.com" target="_blank">www.SecurityRiskSolutions.com</a></p>
</div>
<div>On 10/6/15 11:26, Kinsley, William
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">I
am more concerned with what I interpret as Argonaut’s hard
coding specific security roles and that they are not
representative of the OAuth and UMA approach. This is
serving as a wake-up call to us (the HEART WG) that without any
guidance from us, they are going to create a de facto
security/privacy standard that will be difficult to unwind
once it is adopted by other projects in the industry.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"> Bill</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a> [<a href="mailto:agropper@gmail.com" target="_blank">mailto:agropper@gmail.com</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Tuesday, October 06, 2015 11:19 AM<br>
<b>To:</b> Kinsley, William <a href="mailto:BKinsley@nextgen.com" target="_blank"><BKinsley@nextgen.com></a><br>
<b>Cc:</b> Justin Richer <a href="mailto:jricher@mit.edu" target="_blank"><jricher@mit.edu></a>;
<a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] Health Relationship
Trust Profile for Fast Healthcare Interoperability Resources
(FHIR) OAuth 2.0 Scopes<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">To begin the discussion, I would suggest
three terms with healthcare / generic names:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Patient / Subject<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
The Subject of the resource when the resource refers to
only one person. The Subject is also the Principal when
they register their resource with the Authorization
Server.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Custodian / Principal<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
The person that registers a resource with an
Authorization Server. This is typically the Resource
Owner (RO).
<u></u><u></u></li>
<li class="MsoNormal">
When a Custodian is in control of multiple Subjects,
they are able to identify (name) the separate Subjects
any way they choose.
<u></u><u></u></li>
<li class="MsoNormal">
A Custodian can access resources for multiple Subjects
in a single transaction including, for example, a
Patient List.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
User<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
Anyone or anything that is not a Subject or a Custodian.<u></u><u></u></li>
<li class="MsoNormal">
A User can access resources for multiple Subjects in a
single transaction including, for example, a Patient
List.<u></u><u></u></li>
</ul>
</ul>
<p>I hope we can map this to FHIR:<u></u><u></u></p>
<ul type="disc">
<li class="MsoNormal">
Pseudonymous Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for a single Subject identified by an opaque
pseudonym as registered with the Authorization Server.<u></u><u></u></li>
<li class="MsoNormal">
The resource may contain Subject identity information or
not.<u></u><u></u></li>
<li class="MsoNormal">
When the resource does not contain Subject identity
information, the Authorization Server is responsible for
associating the pseudonyms with an identity.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Multi-Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for multiple Subjects registered with the
Authorization Server by a Custodian or a User.<u></u><u></u></li>
</ul>
</ul>
<ul type="disc">
<li class="MsoNormal">
Identified Subject Resource<u></u><u></u></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal">
A resource for a single Subject that includes Subject
identifying information in the resource URI as
registered with the Authorization Server.
<u></u><u></u></li>
<li class="MsoNormal">
An identified subject resource must be protected as
personally identified information (PII).<u></u><u></u></li>
</ul>
</ul>
<p class="MsoNormal">Adrian<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Oct 6, 2015 at 10:05 AM,
Kinsley, William <<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>>
wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">This
is very informative detail of what the Argonaut
project is doing and I don’t want to deter the
information sharing process. I also think this is
a reminder that these groups are proceeding
without our guidance and that we need to discuss
what is our timeline to produce some type of
guidance to help them implement a process that is
aligned with the final product the HEART
workgroup delivers. </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a">Bill
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546a"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Justin Richer [mailto:<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>]
<br>
<b>Sent:</b> Tuesday, October 06, 2015 8:12 AM<br>
<b>To:</b> Kinsley, William <<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>><br>
<b>Cc:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart]
Health Relationship Trust Profile for Fast
Healthcare Interoperability Resources (FHIR)
OAuth 2.0 Scopes</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">To
clarify the objective, we were presenting the first
draft of one of the outputs of this working group.<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">The
HEART working group exists specifically to create
these technical specifications. All of the
discussions on use cases are intended to drive
work on these specifications. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Also,
the group should note that the terms “patient” and
“user” were imported directly from the Argonauts
projects. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> —
Justin<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On
Oct 5, 2015, at 11:31 PM, Kinsley, William
<<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a>>
wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">This
document was presented quickly during
the last few minutes of our call and I
am not sure what the objective was.
However, it did raise some questions
that could not be addressed at the
time, specifically paragraph 2.1
“Permission type” raised some
questions which I broke out below:
</span><u></u><u></u></p>
</div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">1.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">The
terms “Patient” and “User” seem
misleading and the purpose is not clear.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">a.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">A
patient can have access to multiple
patient records. For example, a parent
who has five children at the same
pediatrician would be a patient that can
access multiple patient records.
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">b.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">It
also sounds like we are hardcoding two
specific security roles, which would
seem to contradict what we are trying to
support in HEART (i.e. RBAC vs ABAC).
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">c.</span><span style="font-size:7.0pt">
</span><span style="font-size:14.0pt;font-family:"Cambria",serif">There
can be resources that are not related to a
specific patient or patients in general
such as “Organization”,
“HealthcareService”, “Practitioner”,
etc.</span><u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif">Bill</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif"> </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p>
</div>
<table style="width:448.2pt" border="0" cellpadding="0" width="598">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif">William
Kinsley , CISSP<br>
Enterprise Architect, Ambulatory<br>
<b>NEXTGEN HEALTHCARE<br>
</b>Solutions for: Ambulatory,
Inpatient and Community
Connectivity<br>
795 Horsham Road, Horsham, PA
19044<br>
<a href="tel:%28215%29%20657-7010%20x21128" target="_blank">(215) 657-7010
x21128</a>
<br>
<a href="mailto:BKinsley@nextgen.com" target="_blank">BKinsley@nextgen.com</a></span><u></u><u></u></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><a href="http://www.oneugm.com/" target="_blank"><span style="text-decoration:none"><img src="http://bridge.nextgen.com/Media/3181" border="0"></span></a><u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><u></u><u></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <u></u><u></u></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Adrian Gropper MD<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br></blockquote></div>
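<p>The Subject / Custodian / User vocabulary and the three resource shapes (pseudonymous, multi-subject, identified) that Adrian proposes in the thread above, worked through as an added Python illustration. This is not HEART, Argonaut or FHIR code and nobody on the list wrote it; the URI shapes (<code>/subject/&lt;pseudonym&gt;/…</code>, <code>/patient/&lt;identity&gt;/…</code>, <code>/list/&lt;pseudonym&gt;,&lt;pseudonym&gt;</code>), the keyed-hash pseudonym, the grant rule and all identities are assumptions constructed for the demo. It also exercises Bill's parent-with-several-children case: the same principal is a Custodian on a child's record and a Subject on their own, so the role is derived per resource rather than fixed on the requester.</p>

```python
"""Added illustration of the Subject / Custodian / User vocabulary and the
pseudonymous / multi-subject / identified resource shapes proposed in the
thread. Not HEART, Argonaut or FHIR code; URI shapes, the pseudonym scheme,
the grant rule and all identities are assumptions constructed for this demo."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Only the AS holds the link between an opaque pseudonym and an identity."""
    key: bytes = b"constructed-demo-key"  # a real AS would keep this secret
    # pseudonym -> (custodian who registered it, subject identity)
    registry: dict[str, tuple[str, str]] = field(default_factory=dict)
    # (user, pseudonym) pairs on which a Custodian has delegated read access
    grants: set[tuple[str, str]] = field(default_factory=set)

    def register_subject(self, custodian: str, subject: str) -> str:
        """A Custodian (the Resource Owner) registers a Subject and receives an
        opaque pseudonym; a keyed hash keeps it unlinkable without the AS key."""
        mac = hmac.new(self.key, f"{custodian}|{subject}".encode(), hashlib.sha256)
        pseudonym = mac.hexdigest()[:16]
        self.registry[pseudonym] = (custodian, subject)
        return pseudonym

    def grant(self, custodian: str, user: str, pseudonym: str) -> None:
        """Only the registering Custodian may delegate access to a User."""
        if self.registry.get(pseudonym, (None, None))[0] != custodian:
            raise PermissionError("only the registering Custodian can grant")
        self.grants.add((user, pseudonym))


def classify(uri: str) -> tuple[str, list[str]]:
    """Map a hypothetical resource URI onto the three shapes from the thread.
    Returns (shape, keys): pseudonyms for pseudonymous/multi-subject resources,
    the identity for an identified resource, nothing for non-subject ones."""
    parts = uri.strip("/").split("/")
    if parts[0] == "subject" and len(parts) >= 2:   # /subject/<pseudonym>/...
        return "pseudonymous", [parts[1]]
    if parts[0] == "patient" and len(parts) >= 2:   # /patient/<identity>/... (PII in URI)
        return "identified", [parts[1]]
    if parts[0] == "list" and len(parts) >= 2:      # /list/<pseudonym>,<pseudonym>,...
        return "multi-subject", parts[1].split(",")
    return "non-subject", []                        # Organization, Practitioner, ...


def covered_pseudonyms(asrv: AuthorizationServer, uri: str) -> set[str]:
    """Normalise any resource to the set of registered pseudonyms it touches."""
    shape, keys = classify(uri)
    if shape == "identified":
        return {p for p, (_, subj) in asrv.registry.items() if subj in keys}
    return {k for k in keys if k in asrv.registry}


def role_for(asrv: AuthorizationServer, requester: str, uri: str) -> str:
    """Derive the requester's relationship to this particular resource from
    attributes, instead of attaching a fixed 'patient' or 'user' role to them."""
    pseudos = covered_pseudonyms(asrv, uri)
    if pseudos and all(asrv.registry[p][1] == requester for p in pseudos):
        return "subject"
    if pseudos and all(asrv.registry[p][0] == requester for p in pseudos):
        return "custodian"
    return "user"


def decide(asrv: AuthorizationServer, requester: str, uri: str) -> dict:
    """Toy policy: Subjects and Custodians read their own resources; a User
    needs a Custodian grant for every Subject the resource covers; resources
    not tied to any Subject are left undecided (None) for some other policy."""
    shape, _ = classify(uri)
    pseudos = covered_pseudonyms(asrv, uri)
    role = role_for(asrv, requester, uri)
    if shape == "non-subject":
        allowed = None  # no Subject consent involved; organisational policy applies
    elif role in ("subject", "custodian"):
        allowed = True
    else:
        allowed = bool(pseudos) and all((requester, p) in asrv.grants for p in pseudos)
    return {"shape": shape, "role": role, "allowed": allowed, "pii": shape == "identified"}


if __name__ == "__main__":
    asrv = AuthorizationServer()
    parent, kids = "parent@example.org", ["child-1", "child-2"]   # constructed identities
    p1, p2 = (asrv.register_subject(parent, k) for k in kids)
    print(decide(asrv, parent, f"/subject/{p1}/Observation"))     # custodian on a child's record
    print(decide(asrv, "child-1", f"/subject/{p1}/Observation"))  # the Subject on their own record
    print(decide(asrv, "dr@clinic", f"/list/{p1},{p2}"))          # a User, denied until granted
```

<p>The point the toy policy makes is Bill's: the requester carries no "patient" or "user" label; the relationship is computed from the resource and the AS registry, so one parent is a Custodian on each child's pseudonymous resource and a Subject on their own. An identified resource is flagged <code>pii</code> because the identity sits in the URI itself, which is why Adrian's list says it must be protected as PII regardless of who reads it.</p>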