Difference between revisions of "CMHAFF call, Monday, March 6"
Revision as of 22:54, 6 March 2017
Attendees: Bill Kleinbecker, Beth Pumo
- In response to my email, John Moehrke (Security) and Johnathan Coleman (CBCC) are both very supportive of using the OWASP framework, as we suggested. They also recommended pointing to the NIST framework.
- Bill has reached out to a HITRUST contact to see if we can go through the "front door" and use their materials (the CSF, Common Security Framework).
- While HITRUST addresses providers who need to be HIPAA-compliant, it may still have guidance that can be repurposed for mobile app developers.
- David is in the process of updating the risk spreadsheet and the cMHAFF document, based on input from OWASP and other sources.
  - It is important to differentiate whether the data stays at rest on the mobile device or not, since the applicable risks and controls differ.
  - Bill questioned whether OWASP was limited to web browser applications, but it appears to be broader than that (OWASP also publishes mobile-specific guidance).
- Beth was concerned about cMHAFF scope.
  - Is it clearly defined?
  - Does it go beyond the HL7 mission of "Level 7" (the application layer) in the OSI stack? Most of HL7 deals with interoperability, e.g., messaging, including securing the exchange.
  - David said that the scope is defined in the PSS, which was approved, but of course it can be revisited. David will recirculate the cMHAFF PSS for review.
  - David pointed out that some parts of HL7, such as the EHR-S Functional Model, already go beyond interoperability.
- David will circulate the PSS, the updated risk spreadsheet, and the updated cMHAFF document.