May 08, 2020 13:59
Mobile Health has reviewed and votes to affirm; the only comment is the need to assess security concerns (GDPR, HIPAA, FERPA) at Implementation.
The link to the project repository returns a 404 to https://github.com/hl7/smart-web-messaging and searching for SMART didn't show the repository.
Agree with Matthew that this PSS needs to assess security concerns (GDPR, HIPAA, FERPA) at Implementation.
Security WG is concerned that 3c. Security Risk is still blank. Please address this entry.
Not sure the PSS is valid unless addressed in some way.
Paul Knapp, searching and the link are now working.
Does this only apply when HL7 provides a piece of software? My memory is this field got added after Josh Mandel identified a security risk in the CDA.xsl.
I agree security review is important at implementation, but I don't quite understand the 'inherent risk' in the standard; it's at deployment. SMART on FHIR didn't mark this yes. Maybe John Moehrke has memory of why this wasn't checked.
The security line in the PSS is limited to asking if there will be executable code (JavaScript) provided as part of the publication. This was added to the PSS years ago when the CDA project produced a stylesheet (code) that was not protected against code injection.
PSS Appendix A - Instructions#SecurityRisks
The field does need to be filled with either YES, NO, or Unknown.
I don't think this is a good question nowadays, but it is the question we have on the PSS today.
Thanks, John Moehrke. I have updated to a no.
FYI - MaxOverD is Andrew Statler is Structured Documents