CMHAFF call, Monday, March 6
Attendees: David Tao, Bill Kleinbecker, Beth Pumo
- In response to my email, John Moehrke (Security) and Johnathan Coleman (CBCC) both are very supportive of using OWASP framework, as we suggested. They also recommended pointing to NIST framework.
- Bill has reached out to a HiTrust contact to see if we can go through the "front door" and use their materials (CSF).
- While HiTrust is addressing providers who need to be HIPAA-qualified, it still may have guidance that can be repurposed for mobile app developers
- David is in process of updating the risk spreadsheet and the cMHAFF document, based on input from OWASP and other sources.
- It's important to differentiate whether the data stays at rest on the mobile device or not
- Bill questioned whether OWASP was limited to web browser applications, but it appears to be broader than that
- Beth was concerned about cMHAFF scope
  - Is it clearly defined?
  - Does it go beyond the HL7 mission of "Level 7" in the OSI stack? Most of HL7 deals with interoperability, e.g., messaging, including securing the exchange
- David said that the scope is defined in the PSS, which was approved, but of course it can be revisited. David will recirculate the cMHAFF PSS for review.
- David pointed out that some parts of HL7, such as the EHRS-Functional Model, go beyond interoperability already
- David will circulate the PSS, the updated risk spreadsheet, and the updated cMHAFF document
- There will be a call on 3/13, but NOT on 3/20