Reminder: UMA legal subgroup telecon 2015-09-11
Fri Sep 11 8-9am PT
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines https://www.turbobridge.com/join.html), room code 178-2540#
- Screen sharing: http://join.me/findthomas
- NOTE: IGNORE the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line)
- UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar

For this call, let us take the following “negative use case”, growing out of the agency and “RS risk” discussion we’ve been having:

“I, a US hospital, have an online service that exposed a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS, and I accepted outsourcing authorization there. The token from the AS told me that it was okay to give client MobileApp and requesting party Bob access, so I did. But then Alice sued me/complained/reported me/(something else bad)”. (Adrian can comment on real-life examples somewhat analogous to this, with breaches and such.)

Dazza has offered to facilitate a discussion of the following points:
- What are the key legal issues presented by this scenario?
- What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario?
- What are the potential or probable outcomes if things go wrong (eg: result of enforcement actions, allocation of loss or other dispute resolutions)?
- What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value?

And I will scribe. :-)

Talk to you soon!

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
To prepare for tomorrow's agenda, here is the composite list of real-life
examples of negatives. Please read these in the context of a Resource
Server holding records for 4.5 Million Alices and accessible to some 10,000
Bobs:
- Was it really Bob that accessed the resource or someone that Bob
shared credentials with in his office?
- Why is it that the Resource Server did not implement a Bob
authentication means that would mitigate sharing of credentials by Bob?
- Why was it that Bob's staff member, who is not an employee of the
Resource Server institution, could get access even though they were not
trained in security practices by the institution?
- Why didn't the Resource Server system notice that Bob had no prior
relationship with this particular patient and kick the request out for
enhanced audit?
- Why doesn't the Resource Server notify Alice of significant events
such as a new Bob in a remote location getting access to her resource?
- Why does the Resource Server depend on an honor code and
whistleblowers to detect breaches?
- Why does it take 6 months and 4.5 Million records breached to detect
that a breach had taken place?
- Why did it take a month for the Resource Server to investigate and
respond to Alice's complaint? (This escalates the cost of the damages caused
by the breach.)
- Was the Resource Server following typical industry practice in
managing the security of their system? - The jury said yes :-(
Adrian
On Thu, Sep 10, 2015 at 4:51 PM, Eve Maler
- *Fri Sep 11* 8-9am PT
- Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines https://www.turbobridge.com/join.html), room code 178-2540#
- Screen sharing: http://join.me/findthomas
- *NOTE:* *IGNORE* the join.me dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line)
- UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar
For this call, let us take the following “negative use case”, growing out of the agency and “RS risk” discussion we’ve been having:
“I, a US hospital, have an online service that exposed a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS, and I accepted outsourcing authorization there. The token from the AS told me that it was okay to give client MobileApp and requesting party Bob access, so I did. But then Alice sued me/complained/reported me/(something else bad)”. *(Adrian can comment on real-life examples somewhat analogous to this, with breaches and such.)*
Dazza has offered to facilitate a discussion of the following points:
- What are the key legal issues presented by this scenario?
- What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario?
- What are the potential or probable outcomes if things go wrong (eg: result of enforcement actions, allocation of loss or other dispute resolutions)?
- What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value?
And I will scribe. :-)
Talk to you soon!
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- Adrian Gropper MD RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
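As an added illustration, not code from this thread or from the UMA working group, the sketch below shows the two resource-server-side controls that Adrian's list asks about: routing an access for enhanced audit when the requesting party has no prior relationship with the patient, and queuing a notification to the patient when a known requester shows up from an unusual location. The access log, the prior-relationship table, the requester home locations and the names are all constructed for the example; a real RS would draw them from its encounter records and session data.

```python
"""Constructed example of post-authorization access review at a Resource Server.

The AS token may say "MobileApp acting for Bob may read Alice's record", but the
RS still sees every access and can decide which ones deserve a closer look or a
notification to Alice. None of the data here is real.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    patient: str      # the resource owner (Alice)
    requester: str    # the requesting party (Bob)
    client: str       # the client presenting the token, e.g. "MobileApp"
    location: str     # coarse location of the requester's session


# Constructed table of (patient, requester) pairs the RS already knows about,
# e.g. from earlier encounters. Anything outside it has "no prior relationship".
PRIOR_RELATIONSHIPS = {("alice", "dr-bob")}

# Constructed usual location per requester. A requester missing here has never
# been seen by this RS before.
HOME_LOCATION = {"dr-bob": "Boston", "dr-carol": "Denver"}

# Constructed access log for one patient.
LOG = [
    AccessEvent(datetime(2015, 3, 1, 9, 0), "alice", "dr-bob", "MobileApp", "Boston"),
    AccessEvent(datetime(2015, 3, 2, 23, 15), "alice", "dr-carol", "MobileApp", "Denver"),
    AccessEvent(datetime(2015, 3, 3, 10, 5), "alice", "dr-bob", "MobileApp", "Lisbon"),
    AccessEvent(datetime(2015, 3, 4, 8, 30), "alice", "dr-dave", "MobileApp", "Austin"),
]


def classify(event, prior=PRIOR_RELATIONSHIPS, home=HOME_LOCATION):
    """Return the flags raised by one access event (empty list = routine)."""
    flags = []
    if (event.patient, event.requester) not in prior:
        flags.append("enhanced-audit: no prior relationship with patient")
    if event.requester not in home:
        flags.append("enhanced-audit: requester never seen before")
    elif home[event.requester] != event.location:
        flags.append("notify-patient: access from unusual location")
    return flags


def review_log(log, prior=PRIOR_RELATIONSHIPS, home=HOME_LOCATION):
    """Map each flagged event's index in the log to its flags."""
    findings = {}
    for i, event in enumerate(log):
        flags = classify(event, prior, home)
        if flags:
            findings[i] = flags
    return findings


def patient_notifications(log, prior=PRIOR_RELATIONSHIPS, home=HOME_LOCATION):
    """Build the per-patient messages a notification channel would send."""
    notices = {}
    for event in log:
        for flag in classify(event, prior, home):
            if flag.startswith("notify-patient"):
                msg = (f"{event.when:%Y-%m-%d %H:%M}: {event.requester} via "
                       f"{event.client} read your record from {event.location}")
                notices.setdefault(event.patient, []).append(msg)
    return notices


if __name__ == "__main__":
    for idx, flags in review_log(LOG).items():
        print(idx, LOG[idx].requester, flags)
    for patient, msgs in patient_notifications(LOG).items():
        print(patient, msgs)
```

The two flag families are deliberately different in kind: "enhanced-audit" keeps the access in the RS's own review queue, while "notify-patient" puts Alice in the loop so that detection does not depend on an honour code or a whistleblower six months later.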