cMHAFF call, Monday, February 6
Attendees: David Tao, Beth Pumo (Kaiser Permanente), Suzie Burke Bebee (HHS)
We reviewed the guidance from Security and CBCC workgroups to do risk assessment for cMHAFF. Do cMHAFF requirements mitigate real risks?
Beth has a lot of experience doing risk assessments using standards from NIST and CMS, and is happy to help the project.
We agreed to start with one use case (Use Case B in cMHAFF) and with selected areas relevant to security, following the methodology in the Security Risk Assessment Cookbook. These areas are found in cMHAFF sections 3.x (Use App), e.g., authentication, authorization, audit, security of data at rest, etc. Beth suggested putting the requirements from those sections into a spreadsheet, to which we could add columns for the threats and vulnerabilities each requirement addresses. Even though this is "backing in" to the risk analysis from the existing requirements, rather than starting from scratch, it may shed light on criteria that are not needed, and may also reveal gaps in the requirements.
David will create a spreadsheet, and circulate it along with the link to the Security Risk Assessment cookbook presentation.
Suzie said there was mention of "data standards" on the cMHAFF wiki. David will check and make revisions if necessary, so that the description is not misleading, since we're not dealing with data standards (in the sense of formats like v2/CDA/FHIR, or data vocabularies) at this time.