Difference between revisions of "CMHAFF call, Monday, March 6"

Attendees: Bill Kleinbecker, Beth Pumo

• In response to my email, John Moehrke (Security) and Johnathan Coleman (CBCC) both are very supportive of using OWASP framework, as we suggested. They also recommended pointing to NIST framework.
• Bill has reached out to a HiTrust contact to see if we can go through the "front door" and use their materials (CSF).
• While HiTrust is addressing providers who need to be HIPAA-qualified, it still may have guidance that can be repurposed for mobile app developers
• David is in process of updating the risk spreadsheet and the cMHAFF document, based on input from OWASP and other sources.
  • It's important to differentiate whether the data stays at rest on the mobile device or not
  • Bill questioned whether OWASP was limited to web browser applications, but it appears to be broader than that
• Beth was concerned about cMHAFF scope
  • It it clearly defined?
  • Does it go beyond the HL7 mission of "Level 7" in the OSI stack? Most of HL7 deals with interoperability e.g., messaging, including securing the exchange
  • David said that the scope is defined in the PSS, which was approved, but of course it can be revisited. David will recirculate the cMHAFF PSS for review.
  • David pointed out that some parts of HL7, such as the EHRS-Functional Model, go beyond interoperability already
• David will circulate the PSS, the updated risk spreadsheet, and the updated cMHAFF document
• There will be a call on 3/13, but NOT on 3/20