Minutes and Recording from the Community Call on Cybersecurity for VistA - March 23, 2016

Thanks to those who attended the Cybersecurity for VistA meeting.  We continued the discussion on the four questions (see below) from Dr. Tibbits.  For those who missed the meeting, here are the PowerPoint presentation and the recording from the meeting.

Here are the discussions associated with each question.

1.  Does the open source community have a focus on cybersecurity? (Mun - OSEHRA)

OSEHRA does not have a focus (yet).  There are examples of cybersecurity-focused open source communities, such as http://www.open-scap.org/.

2.  Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed? (Hewitt - OSEHRA)

OSEHRA previously had a special project for vulnerability remediation associated with the M2M Broker.  Its successful completion set a precedent and established a process for working with the community to remediate future security vulnerabilities.

Russ Holm of Hortonworks suggested other open source cybersecurity projects, such as Apache Metron and Apache NiFi, that could be a good fit for VistA.

VA has proposed an open source project for a code scanning tool for M code.

3.  Are there lessons learned from Red Hat/LINUX WRT cybersecurity that might be applicable to health IT? (Hilburg - Red Hat)

Mark Hilburg discussed securing open source to HIPAA and NIST standards, including an automated build system and compliance with the NIST 800-53 supply chain management controls.

Mark also discussed how Red Hat supports secure installation and monitoring via the Security Content Automation Protocol (SCAP), a NIST standard.  Although the HIPAA-to-NIST control mapping is already available from NIST, Red Hat is currently building the SCAP content for those controls.

4.  What is the relationship of OSEHRA certification to cybersecurity? (Hewitt - OSEHRA)

Currently there is no overt security certification by OSEHRA.  However, substantial contributions to the security of the open source code are made through the use of automated scan tools, open code review, and the requirement for unit tests.  As tools improve (e.g. XINDEX), OSEHRA's contribution to security will increase.

Weekly Wednesday 1 PM Call Schedule:  March 30, April 6, April 13 (submission to VA)

Please sign up for the OSEHRA Cybersecurity Work Group to participate in the discussion.