Tuesday, October 12, 2010

HL7 Tutorial on Security Considerations Cookbook at Boston

The Tutorial on HL7 Security Cookbook at Boston HL7 meeting went really well. See the link for a description of the Tutorial.

I had the additional assistance of Diana, who covered the deep details of 'risk'. She is one of the co-authors of the white paper and the presentation, and a clear expert in executing risk assessments on system administration and operational environments.

We had 10 excellent students from various places around the globe and with various levels of experience. I didn't look at all the evaluations, but those that I did look at were very positive on the subject matter and gave us good material to help improve the tutorial and the process. One clear message is that the HL7 Security workgroup needs to create some outreach material that provides a general overview of Security in HL7.

The layout of the tutorial covers two 'quarters':
1) Introduction to the process - Whole Presentation top-to-bottom
- Break
2) Review the risk assessments from the pilot projects (CDA-Consent and PASS-Audit)
3) Execute the risk assessment process on a class-suggested standard

We now have updated risk assessment templates (V3) and an updated presentation available on the HL7 Wiki Cookbook for Security Considerations landing page. You can also find the risk assessment spreadsheets from the CDA-Consent and PASS-Audit projects that were used as pilots. These pilots showed that the process can be executed and produce reasonable results. The process took about three separate one-hour telephone conference calls.

HL7 Australia has asked for this tutorial to be presented in Australia in January. I will not be traveling to Australia, so I hope we can find someone willing and able to give the tutorial.

The Risk Assessment Cookbook process is moving into a new phase in HL7. We have been asked to ballot it to a wider audience. I am working with the HL7 leadership to determine how this will be done. Given that it is a process that we want everyone to follow and not a 'standard', I am unclear on how to use the normal HL7 ballot process. I suspect I will be learning much more about the sausage-maker that is HL7. I welcome this chance to get more input on the process, especially if it gets us closer to creating HL7 standards that have Security Considerations.


  1. John, I expect that this could go through either the Normative or Informative balloting tracks, but would recommend informative. Looking at this from the HL7 SAIF perspective, which is an arbitrary set of filters, what you are describing are some best practices for identifying and mitigating risk. That's upper left quadrant in SAIF, more at a conceptual, business level.

    If you think that these are not simply a set of best practices, but THE set of best practices, then maybe you want to ballot it as a normative track artifact.

  2. Keith, this is a proposed 'process for HL7 workgroups to use', so this would be more similar to the SAIF process itself than to any portion of SAIF. Given that I have never seen SAIF balloted, and the old HDF is dead, I simply don't have something to compare it to.