CMHAFF joint with Security/CBCC, Tuesday, January 31
Summary of January 31st meeting
David Tao and Nathan Botts attended the CBCC/Security joint meeting, and led a discussion of cMHAFF for the last 30 minutes of the call.
- The agenda followed the approach of the email sent on January 30th (see text below)
- The primary outcome was a recommendation that cMHAFF document its risks in terms of threats, vulnerabilities, and mitigations.
- The three pillars of Confidentiality, Integrity, and Availability should certainly be among the areas covered by the risk assessment.
- Two key documents were recommended to guide cMHAFF's risk analysis: the Security Risk Assessment Cookbook (Security wiki), and the Privacy Risk Assessment Cookbook (CBCC wiki).
- cMHAFF will be modified accordingly, after reviewing the two cookbooks.
- cMHAFF will notify CBCC/Security when it wants to meet next, to go beyond the use cases and review the risk analysis and its impact on cMHAFF as it currently stands.
Email to co-chairs of CBCC and Security, sent January 30th
A clean copy of cMHAFF as a work in progress is available at this link: http://wiki.hl7.org/index.php?title=File:HL7_cMHAFF_Informative_Ballot_Draft_Clean_2017-01-30.docx
To recap how we'd like to start this discussion in our half hour on Tuesday, we plan the following, as I emailed last week. Blue text is new and refers to the cMHAFF document, if you have a chance to look at it. Otherwise, we'll just walk you through the relevant parts.
- Start with a Use Case from cMHAFF which we will walk through, involving a consumer device, a consumer smartphone, and cloud-based storage (e.g., a PHR) of consumer PII/PHI. See pages 6-13, but especially page 11 for the first Use Case, and pages 12-13 for the second if we get to it.
- Get the Security and CBCC WGs' input as to what types of risk domains/assessments need to be done for such a use case. Sections 1.1 and 1.2 on pages 15 and 16 deal in a general sense with regulatory and overall product risk assessments, but let's see what the group comes up with independent of those.
- Map those to cMHAFF as it currently stands, and see if there are gaps.
- Expand the use case by adding exchange from the consumer app to a provider EHR, and see what domains are added.
Before the meeting, we will clean up the current cMHAFF document, which is currently in a transitional state. We'll mark it up to highlight the Use Case(s) and the conformance sections that we believe are in scope for Security and CBCC, and send it to you.