Wednesday, July 28, 2010

Tutorial on HL7 Security Cookbook at Boston HL7 meeting

The HL7 24th Annual Plenary and Working Group Meeting is going to be held in Cambridge, MA on October 3-8, 2010. There is a fine Plenary agenda focused on "Future of Healthcare Using Genomics as a Key Tool". 

In addition to the Plenary and all the workgroup meetings, there is yet one more reason to attend: I will be presenting the HL7 Security Cookbook as a Tutorial on Thursday morning. The Security Cookbook is the process that HL7 is adopting to assure that, as standards are written, they incorporate appropriate security considerations and document the relevant risks that need to flow down. I discussed this in a prior blog post, How to Write Secure Interoperability Standards.

The formal name I gave to this tutorial: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards (clearly it got shortened for the web site)

Brief General Description Of This Tutorial:
Healthcare today has some of the most diverse needs with regard to sharing of data and the need to securely move patient information among systems. Within Health Level Seven (HL7) there are multiple verticals that consider messaging, structures, data models, coding and the like. Security is the common thread that connects all of them. Increasingly, healthcare organizations and technology vendors are performing assessments (threat risk assessments, privacy impact assessments, business impact assessments, etc.) to ensure installed healthcare technology will have a positive impact on healthcare delivery. These assessments, often called risk assessments, are even mandated for healthcare delivery organizations in some countries. Unfortunately, key decision makers often have difficulty understanding the relevance of the risks identified, and often overlook them when writing standards.

This Security Risk Assessment Cookbook is intended to enable HL7 domain committees and working groups to publish standards that have taken privacy and security considerations into account. This guide introduces security risk assessments and a process to facilitate completing a security risk assessment for a specific standard. Using this process will facilitate the identification of gaps in a standard’s baseline security and privacy, allowing the working group to either update the standard on their own or to send a request to the Security Working Group for assistance in filling the gap. This will lead to standards that include privacy and security as part of their base, reducing the need to “bolt” security on later. As a result, the HL7 standards will better support patient safety and improved patient outcomes.

Who Will Benefit From This Tutorial?:
  • HL7 committee members to understand how to consider Security when writing standards
  • All those using HL7 standards to understand how to use the Security Considerations

Upon completion of this tutorial, students will know:
  • How to publish standards that have taken privacy and security considerations into account
  • Introduction to security risk assessments and a process to facilitate completing a security risk assessment for a specific standard.
  • Method of identification of gaps in a standard’s baseline security and privacy
  • Method to send a request to the Security Working Group for assistance in filling the gap.
  • How to interpret the security considerations when implementing systems based on standards