FHIR Chat · CUI · terminology

Stream: terminology

Topic: CUI


Grahame Grieve (Mar 14 2019 at 22:26):

The US government has a Controlled Unclassified Information (CUI) system. For documentation, see:

These CUIs were used in the HIMSS demo this year, and some participants want to push their use into production. How should they be represented in Resource.meta.security?

Grahame Grieve (Mar 14 2019 at 22:28):

I propose that it's the code system http://www.archives.gov/cui, and the codes are the list from https://www.archives.gov/cui/registry/category-marking-list, where the display is the CUI category

Grahame Grieve (Mar 14 2019 at 22:29):

also, we should publish a map between the HCS codes and the CUI codes.

Mohammad Jafari (Mar 14 2019 at 23:43):

@Grahame Grieve we worked on an implementation guide which also covers FHIR. Perhaps @k connor can comment on whether it's ready to share. I'm wondering whether we can publish that via the Security WG.

Grahame Grieve (Mar 14 2019 at 23:44):

can you explain how this is related?

Mohammad Jafari (Mar 14 2019 at 23:49):

It's an implementation guide for CUI with recommendations on how to use CUI codes in HL7 v2, CDA, and FHIR. Is that not what your question refers to?

How should they be represented in Resource.meta.security?

Grahame Grieve (Mar 14 2019 at 23:50):

sure sounds like the same thing. So what does your IG say about it?

Mohammad Jafari (Mar 15 2019 at 02:02):

For FHIR, our recommendation was to use the Resource.meta.security for the labels and render the human-readable marking according to the CUI guidelines in the narrative section, e.g. Resource.text.

k connor (Mar 15 2019 at 02:41):

CUI codes have already been added to v3 ActCode_ActPolicy_SecurityPolicy_PrivacyMark_ControlledUnclassifiedInformation and to value sets as of the last harmonization meeting. I'll have to get the print names fixed in July because of miscommunication about the need for parens, but no big deal. The use as displayed banners based on Privacy Mark Security Labels was demonstrated at HIMSS this year in the Consumer Centered Care Planning Interoperability Showcase track using the HSPC Sandbox EHR and Perspecta security labeling capabilities. The VA Demonstration area had a CUI kiosk as well. The presentation is at https://confluence.hl7.org/download/attachments/40743226/20190227_HIMSS_CUI_2019_WITH_NAVIGATION%20for%20Confluence.pptx?version=2&modificationDate=1552413477781&api=v2, which includes CUI examples in V2 ARV, CCDA text, and FHIR Bundle security labels. DS4P needs to be updated to support computable CUIs as these aren't just about display to end users. CUI marked content must be protected at least to NIST 800-171, and may need additional security enforcement if the CUI authority is specified, e.g., HIPAA Security safeguards or OMB Circular A-130. Mike Davis has been driving this work at HL7 and participating at the federal agency level. My guess is that he'll want to see an X-paradigm IG. Also, the FHIR narrative will need a profile with rules on how to display the CUI security label codes in the required concatenation as specified in the CUI Marking Handbook Grahame cited: https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf

Grahame Grieve (Mar 15 2019 at 04:53):

I do not understand why we would duplicate the code system into a v3 code system. What on earth would we do something so stupid for?

Grahame Grieve (Mar 15 2019 at 04:55):

and also, why would we create duplicative concepts in the code system?

John Moehrke (Mar 15 2019 at 12:35):

I propose that it's the code system http://www.archives.gov/cui, and the codes are the list from https://www.archives.gov/cui/registry/category-marking-list, where the display is the CUI category

I didn't realize there was a managed vocabulary elsewhere. Yes, use a managed vocabulary rather than re-invent.

Joyce Dunlop (Mar 15 2019 at 13:50):

My concern would be related to the category-marking-list, which seems to cover all government activities and does not have a singular focus on health care. I do not see more than a dozen of the categories that could be applied to healthcare data. It looks like Kathleen is focusing on one category, "CUI Category: Health Information".

Grahame Grieve (Mar 15 2019 at 22:28):

@Ted Klein @Rob Hausam @Robert McClure

Ted Klein (Mar 15 2019 at 22:56):

If this is an external vocabulary source, then it should just be implemented as reference to an external vocabulary in UTG. Reinventing the wheel would be...dumb.

Grahame Grieve (Mar 16 2019 at 01:08):

but apparently we did that in the last harmonization, see above

Grahame Grieve (Mar 16 2019 at 01:09):

CUI codes have already been added to v3 ActCode_ActPolicy_SecurityPolicy_PrivacyMark_ControlledUnclassifiedInformation

k connor (Mar 16 2019 at 03:12):

CUIs in the NARA Registry are not maintained as a vocabulary and don't include details like how portion markings are to be displayed.

k connor (Mar 16 2019 at 03:23):

You may want to look at what you are talking about before deciding that a wheel was reinvented. See https://www.archives.gov/cui/registry/category-marking-list, which is the list of displayed markings, which are not coded concepts and are only intended for display to end users. But CUIs are more complex than just the rendered mark. They should also be used as security label codes so that Access Control Systems know (per policy rules) that the marked information may only be accessed/disclosed to those with clearance/need to know, that the markings must be persisted and managed, must be reapplied upon disclosure, and may need to be revised/declassified at some point. Also, anything marked with CUI, as I noted above, has specific security protection requirements, at a minimum NIST 800-171, and if a specified CUI, additional requirements per law. All of this was documented and discussed with the Security WG and included in the Harmonization proposals. Also, as stated above, there's a link to thorough background on why CUIs need to be included in a standard interoperable vocabulary.


Last updated: Apr 12 2022 at 19:14 UTC