Agenda

Tuesday, August 8 (EDT)

9:00 - 9:05 am

Welcome & Announcement from the Office of the National Coordinator for Health IT (ONC)

9:05 - 9:30 am

HHS Cybersecurity Priorities

Brian Mazanec and Syed Mohiuddin

The US Department of Health & Human Services (HHS) is committed to protecting the healthcare and public health sector from threats such as cyberattacks while building capacity for preparedness and response. Syed Mohiuddin, HHS Office of the Secretary, and Brian Mazanec, ASPR, will discuss HHS's role in addressing cybersecurity threats to healthcare organizations and strategic priorities for the agency in the future.

9:30 - 10:15 am

FHIR Security Overview

Grahame Grieve


10:15 - 11:00 am

SMART on FHIR and SMART Health Links

Josh Mandel, MD

Join us for an overview of SMART on FHIR (an app platform for healthcare) and SMART Health Links (a technology for sharing verifiable clinical information). We'll share the motivation behind SMART and take a tour of the core components, focusing on SMART's ability to support both clinician- and consumer-facing apps, and the UX integration with Electronic Health Records (EHRs). We'll review SMART's authorization model that leverages OAuth 2.0, ensuring patient data security while providing developers with a robust framework for app creation. We'll touch on some of the latest features including fine-grained permissions and App State management. Finally, we'll provide an overview of the SMART Health Links technology for sharing verifiable clinical information.

11:00 - 12:00 pm

Cybersecurity Roundtable: Impact to Consumers

Liz Turi (moderator), Kristen Valdes, Jan Oldenburg, Kathleen Connor


12:00 - 1:00 pm

Lunch

General Session

1:00 - 1:45 pm

TEFCA Security - Policy and Technical Requirements

Johnathan Coleman

Provides information on the security requirements for TEFCA: the Qualified Health Information Networks (QHINs), Participants, Sub-participants, and Individuals seeking access to their data through Individual Access Services.

1:45 - 2:30 pm

A Basic Overview of API Security and Test Tools

Matt Blackmon

This course provides an entry-level overview of the basics of API security and a practical introduction to the tools that test those APIs for common vulnerabilities.

2:30 - 3:15 pm

ONC Certified FHIR APIs: A Deep Dive into FHIR Security in the ONC Certification Program and Inferno Conformance Testing

Keith Carlson

Deep dive into FHIR API security requirements within the ONC Health IT Certification Program and conformance testing using Inferno. Learn about the relevant requirements in ONC regulations, see a demo of how conformance testing works using Inferno and hear about other important security considerations when implementing FHIR in the US realm.

3:15 - 4:00 pm

Cybersecurity Roundtable: Executive Perspective

Malikah Smith (moderator), Bezawit Sumner, Luis de Barros

Developer Track

1:00 - 2:00 pm

FHIR Security and Privacy for Developers

John Moehrke

 

2:00 - 3:00 pm

FHIR Security Capabilities

John Moehrke

Provenance: Basic, Digital Signature; Audit Logging: Audit Reporting, Audit Purging; Consent for Privacy, HEART; Attribute Based Access Control, Security Tags, Compartments/Clearance, Obligations; Break-Glass; De-Identification

3:00 - 4:00 pm

FHIR Security Practical Application

John Moehrke

Provider Directory; Guide Management; Simple ABAC; Extra-Sensitive Treatment: Share with Protections; Proxy server to multiple; De-Identified Research: Re-Identification

4:00 - 4:15 pm

Wrap Up

Diego Kaminker

Wednesday, August 9 (EDT)

9:00 - 9:05 am

Welcome and Morning Announcements

Diego Kaminker


9:05 - 10:00 am

Building a Secure, Patient-Centered Ecosystem for FHIR APIs

Cooper Thompson and Danielle Friend

This session will review the patient experience when managing access to data, with a deep dive into Epic's approach. This includes a review of what information about apps is made available to the patient during authorization, how data scopes are presented to the patient, how patients can see an audit of which apps have accessed their data, and how they might revoke access if they choose. We will also review both the technology and processes involved in Epic’s API ecosystem, including components such as client registration and scope selection, endpoint publication and trust, application governance, user-based access control and more.

10:00 - 10:45 am

Data Segmentation for Privacy and Security Labeling

Mohammad Jafari


10:45 - 11:15 am

Who Should You Trust? Implementing Security at Scale for FHIR

Luis Maas

The HL7 UDAP Security Implementation Guide layers extensions to OAuth and OpenID Connect onto the FHIR standard that, together with Public Key Infrastructure, allow FHIR to be securely scaled. This session gives participants a deeper sense of the implementation guide and its benefits.

11:15 - 12:00 pm

Cybersecurity Roundtable: Tales from the Field - Hear from FHIR Implementers

Luis Maas (moderator), Dan Cinnamon, Jason Vogt, Joseph Shook, Tom Loomis

Cybersecurity as a barrier to sharing: is this an issue? What strategies do implementers use to be certain of their cybersecurity risk?

12:00 - 1:00 pm

Lunch

General Session

1:00 - 1:45 pm

Quantum Computing and Cybersecurity: A realistic perspective of progress, risks, solutions and opportunities for healthcare APIs

Eric Heflin

Provide a backgrounder on quantum computing, followed by the current state of the art and rate of progress. Then I'd discuss the risks to FHIR and other healthcare API solutions, and new opportunities enabled by quantum computing.

1:45 - 2:30 pm

The Problem with Consent: How to record, assert and evaluate: IHE Privacy Consents on FHIR

John Moehrke

2:30 - 3:15 pm

Audit Tracing in FHIR

Matt Jenks

In this session, we will discuss using the FHIR AuditEvent resource to trace security and business events across a Payor and Provider ecosystem that uses CDS Hooks and SMART on FHIR Applications.

3:15 - 4:15 pm

Interoperable Digital Identity and Patient Matching

Julie Maas and Ryan Howells

Learn how to improve security through better identity management and patient matching: hear an overview of this recently published HL7 Implementation Guide, complete real world exercises in identity verification, identity management, digital identity, and patient matching utilizing components of the IG, and provide feedback to the next version and implementation guidance.

4:15 - 4:45 pm

De-identification of FHIR: Unlocking additional value and use cases

Bob Lou, MD

De-identification is the process of removing identifying information from healthcare data, such as names, addresses, and dates of birth. This is done to protect patient privacy while still allowing the data to be used for non-clinical care purposes, such as population health, machine learning, and research. HIPAA regulations provide guidelines on what qualifies as sufficient de-identification. In this talk, we will discuss the importance of de-identification, the different methods that can be used, and the Google Healthcare API's integrated tools for de-identification of data stored in Google's FHIR API.

Developer Track

1:00 - 1:45 pm

UDAP Deep-Dive Session

Luis Maas

 

1:45 - 2:45 pm

UdapEd: Diagnostics tool showcasing the udap-dotnet open source reference implementation

Joe Shook

A diagnostic visual demonstration of UDAP. The UdapEd UI tool showcases the udap-dotnet open-source reference implementation. It lights up the UDAP protocol details so the developer can learn UDAP faster and accelerate interoperability. All the code in this demonstration is open source. Components are published as NuGet packages. Example servers are deployed to GCP and in the source code.

2:45 - 3:45 pm

A Mobile Application Dissection - FHIR API Security

Brett Stringham

Spotlight a few valuable open-source tools engineers can leverage to gain insights into data flows between a mobile application and FHIR APIs during the Secure Development Life Cycle, to ensure alignment with essential API security and access control best practices.

3:45 - 4:45 pm

FHIR at Scale Taskforce (FAST) Access Control & Testing

Abigail Watson

We will discuss lessons learned during the FAST National Directory project as we implemented a Consent Engine to address the Playing With FHIR vulnerability disclosure, and subsequent security testing activities.

4:45 - 5:00 pm

Wrap Up

Daniel Vreeman