CMHAFF call, Monday, February 20

Attendees: Nathan Botts, Bill Kleinbecker, David Tao

In response to Security and CBCC workgroups' request to identify the risk domains, cMHAFF has identified some excellent resources:

• OWASP, which recently published their "Top 10 Mobile Risks" -- https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• Online Journal of Public Health Informatics, "Mobile medical and health apps: state of the art, concerns, regulatory control and certification" published February 2014. --https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3959919/
• HITRUST, which provides HITRUST CSF, a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. -- https://hitrustalliance.net/

David will continue gathering information from the literature, and map these against the cMHAFF categories, identifying gaps. The end result will be a clearer statement of "what" areas of risk cMHAFF aims to mitigate.

David will also modify one of the Exemplary Use Cases (probably #3, the most complex), to more explicitly illustrate the risk domains within the use case, so that it will be clear how cMHAFF can help the developer fulfill the use case while addressing the risks.

cMHAFF's intent is not to rewrite or paraphrase existing standards and best practices, but rather to "cover the ground" and inform vendors of what they should be aware of.