CMHAFF call, Monday, March 6

From HL7Wiki
Attendees: David Tao, Bill Kleinbecker, Beth Pumo

  • In response to my email, John Moehrke (Security) and Johnathan Coleman (CBCC) both are very supportive of using OWASP framework, as we suggested. They also recommended pointing to NIST framework.
  • Bill has reached out to a HiTrust contact to see if we can go through the "front door" and use their materials (CSF).
  • While HiTrust is addressing providers who need to be HIPAA-qualified, it still may have guidance that can be repurposed for mobile app developers.
  • David is in the process of updating the risk spreadsheet and the cMHAFF document, based on input from OWASP and other sources.
    • It's important to differentiate whether the data stays at rest on the mobile device or not
    • Bill questioned whether OWASP was limited to web browser applications, but it appears to be broader than that
  • Beth was concerned about cMHAFF scope
    • Is it clearly defined?
    • Does it go beyond the HL7 mission of "Level 7" in the OSI stack? Most of HL7 deals with interoperability, e.g., messaging, including securing the exchange.
    • David said that the scope is defined in the PSS, which was approved, but of course it can be revisited. David will recirculate the cMHAFF PSS for review.
    • David pointed out that some parts of HL7, such as the EHRS-Functional Model, go beyond interoperability already
  • David will circulate the PSS, the updated risk spreadsheet, and the updated cMHAFF document
  • There will be a call on 3/13, but NOT on 3/20