August 10th 2010 CBCC Conference Call
Community-Based Collaborative Care Working Group Meeting
Attendees
- Jon Farmer
- Suzanne Gonzales-Webb CBCC Co-chair
- John Moehrke Security Co-chair
- Milan Petkovic
- Richard Thoreson CBCC Co-chair
- Serafina Versaggi scribe
- Craig Winter
Agenda
- (05 min) Roll Call, Approve minutes August 3rd, call for additional agenda items & Accept Agenda.
- (55 min) Cookbook for Security Considerations
- We will complete the Security Cookbook for the CDA R2 Implementation Guide for Consent Directives spreadsheet
- Ongoing Projects
- Privacy Policy Reference Catalog
Minutes
1. Action Items
- Team: Please familiarize yourself with the Security Cookbook resource materials, the CDA R2 Implementation Guide for Consent Directives and the Security Cookbook for CDA spreadsheet from last week's meeting prior to our meeting today.
2. Resolutions
3. Updates/Discussion
During this session, the group continued to analyze the risks identified in the original brainstorming session.
- Certain risks were deemed "Out of Scope of the Work Item"
- Type of Impact, Level of Impact, Probability that risk will occur and the Mitigation for each validated risk was captured on the Risk Assessment spreadsheet
- We added a column to the spreadsheet to classify the risk into one of the five risk mitigation strategies identified in the Formal Security Cookbook Paper published on the Security Cookbook wiki page
- Accept: Weigh the cost of the risk against the cost of mitigating it. Sometimes it is more prudent and more cost effective to create a disaster recovery plan than to try to mitigate the inevitable (or nearly inevitable).
- Transfer: Leverage insurance clauses, service level agreements, and other contractual documentation to transfer the cost or recovery from a risk away from the organization. A prime example of this is liability insurance.
- Mitigate: A mitigation plan communicates controlled and well-documented actions that will reduce (not eliminate) the risk level. Some actions may include buying software, providing training, optimizing business processes, hiring more people, etc… The intent is to reduce the risk so that it becomes either completely tolerable or at least tolerable enough that the use of other risk management tactics will make the risk acceptable.
- Avoid: Sometimes there is too much risk associated with something and no effective way to mitigate the risk, so we choose to do something else and avoid the risk altogether. This is often the least desirable or feasible action to take.
- Assign: Some risks can't be mitigated by the HL7 standards process and thus need to be assigned to the next level of design. That is, the service or application that consumes the HL7 standard must import these risks into its own risk assessment. This is likely the most used category for HL7 standards, and such risks must be clearly documented in the standard.
- Jon Farmer submitted some constructive suggestions for refining the terminology used for the Risk Mitigation Strategy terms above in an email sent to the Security Listserv on 8/13/2010.
- Next week, we will complete the Security Risk Analysis and the group will determine ownership and next steps for the assessment.
Meeting was adjourned at 3:00 PM EDT
No significant motions or decisions were made