Title: A method and validation for auditing e-Health applications based on reusable software security requirements specifications
Authors: Carlos M. Mejía-Granda, José L. Fernández-Alemán, Juan M. Carrillo de Gea, José A. García-Berná
Journal: International Journal of Medical Informatics, volume 194, Article 105699
DOI: 10.1016/j.ijmedinf.2024.105699
Publication date: 2024-11-10
URL: https://www.sciencedirect.com/science/article/pii/S1386505624003629
Citations: 0
Abstract
Objective
This article deals with the complex process of obtaining security requirements for e-Health applications. It introduces a tailored audit and validation methodology particularly designed for e-Health applications. Additionally, it presents a comprehensive security catalog derived from primary sources such as law, guides, standards, best practices, and a systematic literature review. This catalog is characterized by its continuous improvement, clarity, completeness, consistency, verifiability, modifiability, and traceability.
Methods
The authors reviewed electronic health security literature and gathered primary sources of law, guides, standards, and best practices. They organized the catalog according to the ISO/IEC/IEEE 29148:2018 standard and proposed a methodology to ensure its reusability. Moreover, the authors proposed SEC-AM as an audit method. The applicability of the catalog was validated through the audit method, which was conducted on a prominent medical application, OpenEMR.
Results
The proposed method and validation for auditing e-Health applications through the catalog provided a comprehensive framework for developing or evaluating new applications. Through the audit of OpenEMR, several security vulnerabilities were identified, such as DDOs, XSS, JSONi, and CMDi, resulting in a “Secure” classification of OpenEMR with a compliance rate of 66.97%.
Conclusion
The study demonstrates the proposed catalog’s feasibility and effectiveness in enhancing health software security. The authors suggest continuous improvement by incorporating new regulations, knowledge from additional sources, and addressing emerging zero-day vulnerabilities. This approach is crucial for providing practical, safe, and quality medical care amidst increasing cyber threats in the healthcare industry.
Journal description:
International Journal of Medical Informatics provides an international medium for dissemination of original results and interpretative reviews concerning the field of medical informatics. The Journal emphasizes the evaluation of systems in healthcare settings.
The scope of the journal covers:
Information systems, including national or international registration systems, hospital information systems, departmental and/or physician's office systems, document handling systems, electronic medical record systems, standardization, systems integration, etc.;
Computer-aided medical decision support systems using heuristic, algorithmic and/or statistical methods as exemplified in decision theory, protocol development, artificial intelligence, etc.;
Educational computer-based programs pertaining to medical informatics or medicine in general;
Organizational, economic, social, clinical impact, ethical and cost-benefit aspects of IT applications in health care.