NIEM COI Meeting
Host: Cait Ryan
Presenters:
- Michael Savoie
- Don Clysdale
- Mike Abramson
Topic: NIEM COI
Length: 1:08:54 minutes
Venue: Virtual
Agenda
- Welcome, Upcoming Events, and Activities (Cait Ryan)
- NIEM in Canada (Veejay Mara, Michell (?), and Don Clysdale: Advanced Systems Management Group and KYM Advisors)
- Opening Remarks
- Presentation
- Information Exchange Framework Applied to Structured Data (Mike Abramson)
- Q&A (All Participants)
- Closing Remarks (Cait Ryan)
Slides
NIEM Health Deliverables
Cait Ryan
- Three tutorial/educational documents are in final their draft stage:
- NIEM 101: An Introduction to Health Information Exchange
- NIEM 102: An Introduction to Security and Privacy of Protected Healthcare Information
- NIEM 201: Architecting NIEM IEPDs using Health Information Models
- Communications team will do a final review and format the three documents
- Scheduled for April 12, the documents will go to FHA leadership for final FHA review and edits
- Documents will be published to the NIEM Health COI space on Get Hub
- Documents will be sent to ENTAC teams for their final review
ACTION ITEM: Send documents to FHA Leadership team by April 12 for final FHA review and edits
Mapping to US Core Data for Interoperability
Cait Ryan
- Mapping will produce canonical and authoritative mapping that will align the NIEM community with standard fields, value sets, and codes used in clinical standards as required by USCDI
- A thorough review of this project was conducted at the March 14 FHA Federal Architects Council
- Those not present on March 14 are encouraged to contact Cait for reporting information and to learn about that exercise
COI: Coming Up
Cait Ryan
- The Patient Unified Lookup System for Emergencies (PULSE) – 2017 and 2018 California Wildfires Use Case
- When: April 16 from 2:00 PM to 3:00 PM ET
- What: The Patient Unified Lookup System for Emergencies (PULSE) is a nationwide health IT disaster response platform that can be deployed at the city, county, or state level to authenticate disaster healthcare volunteer providers
- PULSE allows disaster workers to query and view patient documents from all connected healthcare organization
- Who: The Sequoia Project
Care to Share
Cait Ryan
- Meeting participants are invited to express use cases they are interested in hearing about
- Meeting participants are invited to express if they would like to give a presentation to the group
Brian Handspicker (Introduction)
- This session continues discussions surrounding security and privacy for NIEM Health Information Exchange
- Just in time authorization to access and modify protected health information is an ongoing challenge for NIEM Information Exchange and a concern with the healthcare community and healthcare standards
- Regarding a highly-responsive security and privacy information exchange framework, Veejay Mara, who is Vice President and Principal Consultant from KYM Advisors, Co-Chair of OMG IEF Working Group, former Co-Chair of the Threat and Risk Information Sharing ONG Workgroup, and a driver behind NIEM UML Technical work is introduced
- Veejay will help the group understand security and privacy surrounding NIEM information exchanges
- Mike Abramson, President and CEO of Event Systems Management Group of Canada, Co-Chair of the OMG C4I Task Force and IEG Working Group is introduced
NIEM in Canada
Veejay Mara (Additional Introductions)
Michell (?), Don Clysdale , and Mike Abramson (Presenters)
- Veejay Mara introduces Michael Savoie and Don Clysdale, and reintroduces Mike Abramson
- (audio difficulty with Veejay Mara)
Employment and Social Development Canada (slide 1 of 2 title)
Michell (?)
- The mission of Employment and Social Development Canada (ESDC), including the Labor Program and Service Canada, is to build a stronger and more inclusive Canada, support Canadians by in helping them live productive and rewarding lives
- ESDC fulfils its mission by:
- Developing policies that ensure Canadians can use their talent, skills, and resources to participate in learning, work, and their community
- Delivering programs to help Canadians through life transition, from school to work, job to job, unemployment to employment, and workforce to retirement
- Providing income support to seniors, families with children, and those unemployed due to job loss, illness, or caregiving responsibilities
- Helping Canadians with distinct needs such as Indigenous people, those with disabilities, the homeless, travelers, and recent immigrants
- Ensuring labor relations stability by providing mediation services
- Promoting fair and healthy workplaces by enforcing minimum working conditions, promoting decent work and employment equity, and fostering respect for international labor standards
- Delivering programs and services
- When people require government services, ESDC is involved one way or another
Employment and Social Development Canada (slide 2 of 2 title)
Michell (?)
- Services include:
- Find a job
- Hire a temporary foreign worker
- Public pensions including Canada Pension Plan, Old Age pension and related benefits
- Disability benefits
- Training
- Funding programs through grants and contributions that support jobs, training, and social development
- Workplace standards
- The list above comprises the main services ESDC is involved in
- Internal lingo was revised last year to include semantics and the information aspect of accompany the already existing emphasis on technology and application
- Still in use is the “same old way” of mapping which created a lot of complexities and diminishing the benefit of the technology being used
- This was alleviated by addressing the information aspect and the NIEM model fulfilled that gap
Achieving Interoperability
Don Clysdale
- Goal was to achieve interoperability across departments so the business would be more in charge
- One of the key tenets is to have a common information exchange model
- They started trying to achieve this goal on their own and then decided to go with NIEM
Use of NIEM in Interoperability Solutions
Don Clysdale
- ESDC interoperability team began using NIEM as their enterprise information exchange model in November 2017
- Interoperability solutions have been developed in the following areas:
- Finance
- Human Resources
- Labor/Employment
- Case Management
- Document Management
- Interactive Voice Response
- People getting information over the phone through interactive voice responses
- Interoperability Partners:
- (Other) Federal government departments
- Provinces, Territories and
- First Nations, Inuit and Metis communities
- Employers
- This slide shows evidence of a big spectrum of partners from a variety of areas
Managing NIEM Subset and Extensions
Don Clysdale
- Enterprise Information Exchange Model
- Subset of NIEM core/domains (want list)
- Extensions to complete requirements
- New Requirements
- Augment NIEM subset (larger want list)
- Augment/refactor extensions
- It was understood from the beginning the work they were going to do had substantial overlap from solution to solution
- NIEM has a second layer noted as “Optional”; however, ESDC felt it was mandatory to leverage the work they were doing
- That work was to develop and Enterprise Information Exchange Model that would be common across all interoperability solutions
- Extensions were created extensions or use standards already in place according to the NIEM approach and have an ever-growing model as more solutions were made
- From a team of 60 to 70 developing these solutions, four members are dedicated to information models
Don Clysdale
- Slide displays where ESDC stands as of two days prior to this meeting
- ESDC subset now includes 47% of NIEM Core–47% in use on one of ESDCs applications
- Of the 47% in use, 97% is being used for infrastructure protection
- Human services, immigration, and justice hits on ESDCs core business of managing people entering Canada as well as managing “people” data
- Several extensions were made, including:
- Address
- Documents
- Employment
- Finance
- Personal
- Technical
Strategy – Commoditized Data Assets
Don Clysdale
- If ESDC has four providers, they want those providers to “speak” NIEM using their version and extensions
- Why? That is where the most value comes from
- If some providers cannot “speak” NIEM (such as those with a Legacy system), ESDC wants to promptly convert them to NIEM so other consumers, departments, obligation can “speak” NIEM with ESDC
- This is where most of the money is spent
Enterprise-wide Implementation Challenges
Don Clysdale
- Defining and validating constraints
- Enterprise Model is more open that each business use
- The Model cannot have everyone’s constraints built into it
- For instance, middle name is mandatory but not everyone has a middle name
- When someone needs middle name to be mandatory, there needs to be a way of defining those constraints in a common way
- Implementing NIEM models in partner development environments
- NIEM XML schema use constructs in partner development environments
- Substitution groups (across schema)
- Type extensions (from base type)
- Enumerations
- XML to JSON
- Partner-specific policy/restrictions
- Data subset (sharing agreement)
- Data redaction (data sensitivity)
- The true first challenge is nobody wants to go with one model
- The challenge of moving NIEM model into other environments is they don’t “speak our language”
- There are certain areas of NIEM that that the partners don not support, for which cases SAP is being used even though they don’t support certain advanced techniques the way NIEM does, such as substitution groups, in their schema model
- Issues can occur when going back and forth from XML to JSON
- There are partner-specific policy restrictions with HR departments and ESDC wants to create a way for HR systems to share certain data with the interoperability platform, and then have the interoperability platform share only specific pieces of information that the HR people want to share with the partners
- Certain sensitive data may not be protected as well as it should be, ESDC wants to be to redact such data
Defining and Validating
Don Clysdale
- Level 0 validation (local constraint): Schema Validation
- Validation of a single element/attribute
- Consistency with expected IT structural requirements
- It was decided the best way to add business constraints was to use XML Schema assertion
- Level 1 validation (co-constraint): Business Validation
- Validation of more than one element/attribute within the same dataset
- Consistency with other data in the dataset (document/message)
- Implement a standard approach to put in their platform [inaudible] that had the same business validation capability which would be implemented in a standard way
- If both the schema and business validation were good, ESDC would process those messages to documents in the common way
- If that could not be done, because it was invalid, or the business rules were not respected, it would be handled in the standard air-handling way; ESDC has created a standard way of doing this
NIEM Models in Partner Development Environments
Don Clysdale
- Commercials tools have problems implementing complex XML Schema
- Don’t support specific XML Schema constructs
- Substitution groups, extension/restriction from base type, choice…
- Import tools don’t support specific XML Schema constructs
- Especially substitution groups across schema files
- Converting XML Schema to reusable object model
- JAXB is available for Java objects
- Able to generate enterprise-wide object model, which was successful
- One enumeration too large
- .Net tools exist, but are no longer supported, this was not as successful
- Schema by example
- Using project message examples to produce simplified XML Schema
- Resulting schema is specific to interfaces within project and subject to change if interface changes
- Since this slide was made ESDC started using pure JAVA script using JSON as the base and will convert back and forth
- Several big projects done with SAP with 60 different messaging operations
- Example messages are created for SAP which are used to create a simpler, NIEM-compliant schema that support what ESDC is doing with that partner
- The partner is given the NIEM-compliant, simpler schema which they use to create NIEM messages with ESDC
- The difficulty with that is if the schema changes, the information must be recreated, and the partner must implement that again
XML to JSON
Don Clysdale
- More than one approach
- XSLT
- XML to Java object to JSON
- Challenges converting to other models
- Class/property versus type/element/attribute
- Need associative process so transformations, or their order, do not change the original message structure in any way
- If the message is not identical, businesses rules cannot be applied to the XML message that was there when started, which something is not going to work properly, such as business rule checking
Partner Specific Policy/Restrictions
Don Clysdale
- Data minimization (to match data sharing agreement)
- Sharing agreement defines for each partner which operations and subset of the data they can consume
- Standard authorization policies available to enforce operation access
- Develop standard processes (policy enforcement) to enforce the data subset
- Data Redaction (to match data protection regime)
- Need to extend authorization policies for data sensitivity, classification, privacy
- Develop standard processes (policy enforcement) to enforce the data redaction
- Work in progress
- Extend data subset approach
Mike Abramson
- Solution to Policy-driven Data-centric Information Sharing and Safeguarding January 2019
- Focus is on selective sharing of information between partners
Mike Abramson
- “At the heart of the intelligence effort lies a paradox.”
- Intelligence is valuable only if it can be shared with consumers who need it
- More sharing equals an increased risk of compromise
- Need to find best balance between adequate sharing and effective information security
- “Sharing and safeguarding are two side of the same coin.”
- This paradox exists in every domain where sensitive (Private, Confidential, Legally-significant, or classified) information needs to be shared
- Sharing and safeguarding priorities are often seen as mutually exclusive; they are mutually reinforcing
- By implementing mechanisms to strengthen protections for sensitive information one helps to build trust within the user and stakeholder communities and increase their willingness to share
- Achieving an effective balance between Sharing and Safeguarding
- Targets responsible information sharing
- Represents a data management challenge more than a technology limitation
- Could not find a solution allowing to define an interface that had variances between the different people that information is being shared with
- After working with NIEM and other common messaging protocols, individual interfaces would need to be defined for individual partners even though the same exchange protocol was being used
Mike Abramson
- Inform Decisions
- Shared situational awareness (hindsight, insight)
- Shared intelligence (foresight)
- Enable collaboration and collective action
- Improve operational posture – higher quality information
- Timely, accurate, current, actionable, complete, concise, accessible, relevant, consumable, understandable, reliable, etc., trusted (quality of information)
- Get better information to people to get better decisions
- Resource multiplier
- If able to make better decision based on better information, limited resources can better be applied to “the things we have to deal with”
- Foundation and enabler of: situational awareness, intelligence, collaboration, planning, command (coordination), cyber, etc.
Data Collection, Processing, and Analysis
Mike Abramson
- Data is collected from all available sources and:
- Tagged, labeled, and catalogued to facilitate discovery, processing, sharing, and safeguarding
- Transitioned into a form (institutional standards) that enables and facilitates processing and analysis
- Staged for analytics, machine learning, and business intelligence services analytics inform intelligence, situational awareness, and planning
- The ability to gather all-source data and create quality information for decision makers is the primary role of IM/IT
- Provide better information to front-line workers
- Support collaborative planning between different organizations and agencies
Data Sharing and Safeguarding
Mike Abramson
- Once created, situational awareness, intelligence, and planning data is only useful if it can be shared
- Data and information elements must be tagged and labeled to facilitate discovery, processing, sharing, and safeguarding
- Data must be transformed into quality information (timely, accurate, current, actionable, complete, concise, accessible, relevance, consumable/understandable, reliable, etc., trusted
- Information must be structured and formatted in accordance with individual information sharing agreements
- The ability to share information in a responsible and trusted manner is the cornerstone of a digital strategy
- Responsible sharing
- Maximizing the sharing and availability of information, while simultaneously protecting sensitive (private, confidential, legally-significant, and classified) information from unauthorized access, use, release, or manipulation
- Quality information
- Provision of information that is timely, complete, concise, actionable, relevant, consumable/understandable, reliable, trusted, etc.
- Must get information out to groups that have varying levels of trust
Mike Abramson
- Identified that many people want to start controlling information that gets into our environments in a better manner
- IEF is at both ends of the spectrum as shown on slide graph
What is OMG IEF?
Mike Abramson
- IEF is an integration pattern of security services that enable the selective sharing of information with partners based on privacy, security, different levels of trust, and different levels of need
- IEF is simply a set of services
- The reference architecture defines how these services come together
- Information Exchange Framework (IEF) is a collection of open standards developed under the Office Management Group (OMG), a global standards organization of status Beta 2 (completing finalization)
- Information exchange packing policy vocabulary (IEPPV):
- The policy vocabulary is a Unified Modeling Language (UML) profile that specifies how to create a policy model based on the rules documented in a policy artifact, and associate these rules with datasets at a granular level
- Rules can be associated with data element, meta data, tags for PII or security classification, or even data values depending on mission requirements
- This approach allows for rapid creation/update of policies as policy instruments change, and retention of institutional knowledge in a model versus buried in code
- UML based policy models are serialized for deployment into a runtime environment
- Currently support XML or binary code (can be mapped to SAML/XACML assertion if needed
- IEF Reference Architecture (IEF-RA):
- The IEF reference architecture specifies how policy models are interpreted and implemented in a runtime environment
- Decisions for redaction/enrichment or sub-setting data are made based on the policies defined, and their association with attributes of the runtime environment (content, metadata, date tags, fabric, target audience, and their need-to-know, back-end attribute, or specific data values)
- The outcome is a mechanism to disseminate different subsets of the same information in different formats to support partner conformance needs
- The runtime environment is mission agnostic and can be used for one or multiple missions in a shared capability configuration
- Two additional initiatives underway with OMG
- Information Exchange Packaging and Processing Service (IEPPS)
- New specification for [packaging and processing messages
- Data tagging: Standardized taxonomy for data tagging
Mike Abramson
- Structured data that describes, explains, locates, or otherwise makes it possible to retrieve, use, handle, protect or manage an information resource
- Provide better information on the messages
- There are many types of structured data:
- Descriptive (title, author, owner, abstract)
- Structural (Schema)
- Administrative (version number, creation date, archiving date, and other technical information for purposes of file management, rights management, and preservation
- Provenance and pedigree
- Security/confidentiality tags (which identify what information is allowed for each person)
- Discovery
- Handling instructions
- AS NIEM messages are prepared by machines in real-time, there is a need to provide the ability to automate the tagging and labeling for the exchanges
- No capacity to put an operator in front of every message being shipped over the network and to different partners
- Needed to automate application of the rules about the data
- As many of the underlying data sources do not contain the tags and labels, the interface needs the ability to enforce tagging and labeling policy (rules) as the messages (products) are generated
Mike Abramson
- Three basic concepts
- Enforce information sharing policy
- Enforce information safeguarding policy
- Cannot separate sharing of information from safeguarding of information
- Enforce data, packaging, and processing policy
- Structure data being built as machine speeds in real time have a different context to things such as email files or text messages
IEF Reference Architecture (IEF-RA)
Mike Abramson
- http://www.omg.org/spec/IEF-RA/
- IE-RA: Defined elements (structure data)
- Want to put EIF environments among existing configurations without any requirement so users of the EIF do not have to change the environment
- User provisional elements
- Trustmark interface
- Other security services
- Identity management services
- Privilege management services
- Key management services
Keys to a Solutions Success
Mike Abramson
- Separate business, IM, and IT concerns
- The business wants to make sure that the information is effectively used
- IM wants solid architecture for the information that is storage sharing in that environment
- IT wants to deploy a stable infrastructure that does not change every time the information or business changes
- Augment and not replace user applications and infrastructure
- Increase flexibility, adaptability, and agility during development and operations
- Speed up the process for defining interfaces
- Model-driven architecture/use of MBSE
- Traceability: Business need to operations; retention of Institutional Memory; deduction in programing requirement
- Rule-based applications/separate business rules from the code
- Run load of business rules
- Runtime administration of rules
- Increased flexibility, adaptability, and agility
- Enhanced logging and auditing
- Able to demonstrate responsible, trusted, and auditable; Real-time monitoring; Forensic auditing
- Integration of open standards
Mike Abramson
- IEF is an architecture ecosystem to manage and address long-term support for all interfaces being designed
- The UAF is the evolution of the Unified Profile for DODAF and MODAF
- The UAF is not another Framework; it is a common ontology, UML Profile and domain model for aligning Architecture Frameworks with Standard Modeling Languages
- It was originally developed by DoD and Ministry of Defense in the UK to apply standard modeling techniques to their architecture frameworks
- IEF seeks to exploit architecture to develop and maintain ISS policy and solutions, and sustain interoperability
- Created Information Exchange Pacing and Policy Vocabulary which allows use of UML profile to define interfaces to aggregate, integrate, transform, and redact information as necessary to selectively share information with individual partners
- Use those models to generate an executable exchange policy
- Extending is being done using the UML for NIEM profile
- Using the UML to store storage schema mapping can be done from the storage models to the exchange models, and apply the policies which determine how the data is transacted
- With everything in the architecture, what can now be done is:
- Start thinking about analytics
- Look at threat risks of sharing information
- Certify exchanges of information
- Develop automatic statements of sensitivity of privacy profiles
- Help strategic and architecture planning for how to expand the use of the data in a secure and safeguarded manner
- By having it done and generated in architecture, institutional knowledge is retained
Full Traceability IER to Data Element
Mike Abramson
- IEF seeks to exploit architecture to develop and maintain ISS policy and solutions, and sustain interoperability
- STANAG 5525 example
- A detailed, multi-diagram is shared which can be viewed on the Policy Models for Structured Messaging PDF
Mike Abramson
- Standards Specifications free to access and use:
Cait Ryan
- Cait will follow up regarding the next Community of Interest meeting on April 16 from 2:00 PM to 3:00 PM
- Cait invites recommendations on topics for CI meeting going forward
- Brian Handspicker thanks the presenters for raising important point and technologies for security and privacy that NIEM Health needs to start pushing forward
ACTION ITEM
- Send documents to FHA Leadership team by April 12 for final FHA review and edits