This wiki has undergone a migration to Confluence found Here

Difference between revisions of "Cookbook for Security Considerations"

From HL7Wiki
Jump to navigation Jump to search
Line 26: Line 26:
  
 
* HL7 gForge folder with resources http://gforge.hl7.org/gf/project/security/docman/?subdir=144
 
* HL7 gForge folder with resources http://gforge.hl7.org/gf/project/security/docman/?subdir=144
* [http://gforge.hl7.org/gf/download/docmanfileversion/5473/6915/Stds_20100107_SW_7.4_HL7_Security_WG_Risk_Assessment_Cookbook_Tutorial_Outline-DRAFT.pptx Tutorial Presentation on the Security Risk Assessment Cookbook] Version 7.4
+
** [http://gforge.hl7.org/gf/download/docmanfileversion/5907/7639/HL7_Security_WG_Risk_Assessment_Cookbook_Tutorial_7.6_20101006.ppt Tutorial Presentation on the Security Risk Assessment Cookbook] Version 7.6
* [http://gforge.hl7.org/gf/download/docmanfileversion/5519/7013/Stds_20100107_SW_7.4_HL7_Security_Cookbook_v2.41_DRAFT.docx Formal Security Cookbook Paper] Version 2.41
+
** [http://gforge.hl7.org/gf/download/docmanfileversion/5519/7013/Stds_20100107_SW_7.4_HL7_Security_Cookbook_v2.41_DRAFT.docx Formal Security Cookbook Paper] Version 2.41
* [http://gforge.hl7.org/gf/download/docmanfileversion/5484/6935/Template_Risk_assessment_and_mitigation_table_V1.xls Template Spreadsheet for Risk Assessment] Version 1
+
** [http://gforge.hl7.org/gf/download/docmanfileversion/5908/7640/Template_Risk_assessment_and_mitigation_table_V3.xls Template Spreadsheet for Risk Assessment] Version 3
  
 
* [http://wiki.ihe.net/index.php?title=Cookbook_for_Security_Considerations IHE Equivalent Process]
 
* [http://wiki.ihe.net/index.php?title=Cookbook_for_Security_Considerations IHE Equivalent Process]
  
 
Do NOT use [http://www.crypto.com/bingo/pr this tool]  :-)
 
Do NOT use [http://www.crypto.com/bingo/pr this tool]  :-)
 +
 +
= Mitigation Tools =
 +
The following are Security and Privacy standards that HL7 has published and may be used as a Mitigation.
 +
 +
This list is under construction:
 +
* HL7 ConfidentialityCode vocabulary (2.16.840.1.113883.5.25)
 +
* Implementation Guide for CDA Release 2.0 Privacy Consent Directive
 +
* RBAC Permissions Catalog
 +
* SAIF - Privacy, Access and Security Services (PASS)
 +
** Access Control Service
 +
** Healthcare Audit Services
 +
* EHR Functional Model
 +
** (TBD)
 +
* Transport Specification
 +
** Transport Layer Security (TLS)
  
 
= Examples of Risk Assessment Spreadsheets =
 
= Examples of Risk Assessment Spreadsheets =

Revision as of 18:17, 12 October 2010

Healthcare today has some of the most diverse needs with regard to sharing of data and the need to securely move patient information among systems. Within Health Level Seven (HL7) there are multiple verticals that consider messaging, structures, data models, coding and the like. Security is the common thread that connects all of them. Increasingly, healthcare organizations and technology vendors are performing assessments (threat risk assessments, privacy impact assessments, business impact assessments, etc.) to ensure installed healthcare technology will have a positive impact on healthcare delivery. These assessments, often called risk assessments, are even mandated for healthcare delivery organizations in some countries. Unfortunately, key decision makers often have difficulty understanding the relevance of the risks identified, and often overlook them when writing standards.

The Goal

This Security Risk Assessment Cookbook is intended to enable HL7 domain committees and working groups to publish standards that have taken privacy and security considerations into account. This guide introduces security risk assessments and a process to facilitate completing a security risk assessment for a specific standard. Using this process will facilitate the identification of gaps in a standard’s baseline security and privacy, allowing the working group to either update the standard on their own or to send a request to the Security Working Group for assistance in filling the gap. This will lead to standards that include privacy and security as part of their base, reducing the need to “bolt” security on later. As a result, the HL7 standards will better support patient safety and improved patient outcomes.

The Process

The formal cookbook is documented and training is available in the Resources section below. This text comes from section 2 of the cookbook document

When considering security and privacy issues associated with a standard, one must:

  1. Identify (See section 2.2)
    1. And clearly define the scope of the standard, including the baseline assumptions
    2. New threat scenarios and describe the type of impact that scenario implies
  2. Analyze (See section 2.3)
    1. The level of impact and likelihood of occurrence for each threat scenario to determine risk
    2. Prioritize these risks in order to focus on the most important ones
  3. Plan (See section 2.4)
    1. Determine mitigation strategies that should be implemented for all medium to high risk threat scenarios
  4. Track (See section 2.5)
    1. Assess the effect of the application of the mitigation strategies
    2. Reassess the risks by going through steps 2 and 3 until all medium and high risk threat scenarios have been addressed
  5. Document all security considerations (See section 2.6)

Resources

Do NOT use this tool :-)

Mitigation Tools

The following are Security and Privacy standards that HL7 has published and may be used as a Mitigation.

This list is under construction:

  • HL7 ConfidentialityCode vocabulary (2.16.840.1.113883.5.25)
  • Implementation Guide for CDA Release 2.0 Privacy Consent Directive
  • RBAC Permissions Catalog
  • SAIF - Privacy, Access and Security Services (PASS)
    • Access Control Service
    • Healthcare Audit Services
  • EHR Functional Model
    • (TBD)
  • Transport Specification
    • Transport Layer Security (TLS)

Examples of Risk Assessment Spreadsheets