August 3rd CBCC Conference Call
Community-Based Collaborative Care Working Group Meeting
- (05 min) Roll Call, Approve minutes July 27th, call for additional agenda items & Accept Agenda.
- (55 min) Cookbook for Security Considerations
- We will complete the Security Cookbook for the CDA R2 Implementation Guide for Consent Directives
- Ongoing Projects
- Pat Pyette will provide a brief status update on the project on August 10th
1. Action Items
- Team: Please review the Security Cookbook prior to today's meeting
2. Resolutions - none
- Today’s call focused on using the HL7 Security Cookbook to conduct a security risk assessment for the CDA R2 Implementation Guide for Consent Directives.
- The CBCC Work Group is one three work groups selected to pilot and help to refine the security risk assessment process using the CDA IG project. These pilot projects will be used to provide other HL7 work group committees with examples that will aid in the development of their own security risk assessment
- The goal for the Security Cookbook is to ensure that every working group takes security and privacy considerations into account during the normal HL7 standards development process.
- On the Security Cookbook wiki page, there are a number of resources which provide background on the process: **draft tutorial.
- These resources re intended to provide any HL7 committee with materials that help them to conduct their own security risk analysis without help from anyone involved in the development of the process (authors of the formal paper)
- The tutorial will be presented at the Plenary HL7 Working Group Meeting in October on Thursday morning.
- Please encourage folks to sign up for this presentation if you think they may need some guidance.
- The only other scheduled activity for this time slot is the HL7 Certification exams
- The point of doing this cookbook is that dealing with security is an iterative process.
- Things that are built into early parts of the development cycle need to be known that they’re there for specific reasons when that standard is implemented or when it is being revised
- Often times in HL7 standards:
- There is no recognition of the security required (security assumed to be handled somewhere else)
- Security mechanisms are removed during revision of the standard because the risk that caused the security mechanism to be added in the first place was not documented (and the risk may still be present)
- The important part of using a risk model is to focus attention on the issues most important to deal with and less time on issues that have a lesser impact.
- There are two aspect to Risk:
- What is the impact that a particular risk (harm that can be done)
- What is the likelihood (probability) that the risk will occur
- Probability X Impact = Risk
- The draft tutorial explains Risk as “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”
- Threat X Vulnerability = Risk (per the presentation)
- Richard has a question about the use of terms in the presentation:
- Here it seems that Threat is the potential damage and that the probability of the event (which I initially thought was threat), vulnerability then becomes the impact
- John: The diagram in the presentation isn’t using the same terminology as the Security paper which uses impact and likelihood. Threat and vulnerability are terms extracted from ISO 13335-1 and we may have decided that we were not at liberty to re-label these terms.
Impact of a threat and the likelihood that that threat will be taken advantage of (vulnerability) So vulnerability is equivalent to the probability, whereas threat is the impact
- Rob suggested these terms be clarified for the Security Cookbook audience
- People who are going to read the Security Cookbook and this tutorial more than likely have not read the ISO document, so as long as the terms are consistent across the documents, it really doesn’t matter
- John will update the presentation for the Boston tutorial to further clarify the difference between the Vulnerability definition, the Threat definition and the Exploit definition. This is part of the process prior to performing the likelihood and impact assessment.
- Five Stages of the HL7 Risk Assessment Process (iterative). These stages represent what can be done in the standard to address the identified risks that the standard presents?
- This assessment often results in the need to change to the standard, and that change then needs to be tracked and documented.
- Clearly define the scope of the standard, including baseline assumptions
- New threat scenarios and describe the type of impact that scenario implies
- The level of impact and likelihood of occurrence for each threat scenario to determine risk
- Prioritize these risks in order to focus on the most important ones
- Plan (for mitigation)
- Determine mitigation strategies that should be implemented for all medium to high risk threat scenarios.
- It was pointed out that mitigation strategies themselves may introduce new risks which then need to be analyzed as well. The risks should be lesser than the original risks hopefully
- Assess the effect of the application of the mitigation strategies
- Reassess the risks by going through steps 2 and 3 until all medium and high risk threat scenarios have been addressed
- Document all security considerations. This includes updating the standard to address the risk(s)
- Taking risk assessment methodology that are usually applied to an operational level and trying to make them fit into a standards development environment. This is somewhat unnatural, but we’re going to try to see how we can make it work.
Process applied to this project (CDA Implementation Guide)
- We began walking through the risk assessment process using the template spreadsheet
- The template included on the Security Cookbook wiki page will be updated to include three worksheets:
- Scope and Baseline
- Risk Assessment
- Parking Lot Risks
- Step #1: Define the scope and baseline assumptions using a brainstorming exercise:
- Scope: This risk assessment covers the CDA R2 Implementation Guide for Consent Directives
- Part of scoping the risk assessment is being explicit about documenting the assumptions that are made when identifying the scope
- The scope is bounded by how we’ve assembled the parts that are included in a CDA (Release 2) document that carries a Consent
- This assessment will not identify or cover any generic risks inherent in CDA Release 2 (that applies to any implementation guide for CDA
- We are not defining generic risks with RBAC vocabulary
- We presume that the transport is any transport for any CDA document because we haven’t explicitly indicated any particular transport mechanism in this implementation guide
- Other assumptions that can be included are: specific vocabularies, physical environment restriction, etc.
- If something is called out in the standard undergoing risk assessment that poses potential risk, it should be identified in the assumptions (for example, electronic signatures cannot be captured in CDA R2 documents, but the CDA R2 Implementation Guide for Consent Directives supports the ability to include a reference to an external digital signature using RIM-based extensions).
- Scope: This risk assessment covers the CDA R2 Implementation Guide for Consent Directives
- We then moved to the Risk Assessment worksheet to capture the risks identified in the brainstorming process:
- How to identify the items that a consent specifies as important for differentiating access versus information that is readily available within the object that is being considered for access. This falls into two general categories:
- Things that are knowable without any new work (e.g., who create it, when it was created, etc.) This makes it easy to say that I consent to give access to anyone that was generated by this hospital on this date, versus
- Things that require some knowledge about the object - don’t share my HIV information with anyone
- The first (things that are already knowable) is a relevant risk, but not specific to this CDA implementation guide
- The HL7 confidentialityCode is used in two ways within the context of this CDA document (for Consent Directives)
- the confidentialityCode that is used to identify the confidentiality of the CDA consent document instance itself. This is the risk that is inherent in all CDA documents
- The risk we need to capture in this risk assessment is that confidentialityCode is used to describe the concept of sensitivity but has not been well enough identified in the confidentialtyCode value set to support the data segmentation required to support “confidentiality/sensitivity” of the data being referred to by the Consent Directive
- We will have to ask Ioana how this was encoded in the Consent Directive implementation guide. I’m not sure that we have a way in this revision to specify restriction at the level of something like HIV data.
- There was a question as to whether we scoped this out of this version of the consent directive guide
- John thought that we ended up with something close to BPPC with a few additional attributes that were deterministic
- We will follow up next week on this issue when Ioana is on the call
- What is the best way to describe this issue:
- Richard: We may not have done a good enough job of identifying the content of the record that we want to protect. This may be a risk.
- Rob: Another way to say this is that we haven’t yet fleshed out how to align the level of detail of a consent with information that we can know about data objects
- We added as the first risk: “The object that we want to protect may not be specifically identified well enough to be protected (templates for categorizing the other objects)”
- We continued to brainstorm ideas and captured them without getting bogged down in analyzing them as these will be discussed further in the analysis step of the process
- Some of the risks identified during this brainstorming session brought to light that under ideal conditions, the security risk assessment would be conducted during the initial draft of a standard. Risks that are identified after a standard goes to ballot may require re-work of the standard
- The expectation is that eventually this will become part of the standards development process, so analysis would take place prior to going to ballot.
- So this will have to be built into the ballot process timeline
- There are a few ways that risks will flow from the assessment process:
- Into changes to the standard
- Other risks can be turfed to other work groups or areas that will handle the risk
- The risks can lead to new projects or new work item requests to the Security Work Group
- One of the major goals of the pilot security risk assessment exercises is to establish the criteria to help the HL7 Project Services folks build the security risk assessment process into the HL7 standards development process e.g., how long does the process take, etc.
- The spreadsheet updated during today’s brainstorming session will be posted on GForge and distributed to the work group members via the list serv along with these minutes.
- Team: Please familiarize yourself with the Security Cookbook resource materials and the CDA R2 Implementation Guide for Consent Directives prior to next week’s call where we will continue the risk analysis process next week.
- We then will validate that these are truly problems and that the standard does not deal with the identified risks, for those that are risks, come up with the likelihood and impact for the risks, and go through the rest of the process steps in the cookbook.
Meeting was adjourned at 3:05 PM EDT No significant decisions or motions were made