81% of doctors and nurses used mobile devices in their professional activities in 2015, reports Statista and 66% of U.S. hospitals have an application for patients. This figure continues to rise. So is the development of hospital medical applications for physicians and nurses, which require ensuring HIPAA compliance. We have already commented HIPAA compliance tests for web applications, and fortunately, for mobile applications the points to be met are the same. It is the very nature of mobile applications that offers some differences in the test approach. So what are they? We consider a hospital application to obtain information on relevance Mobile application testing services.
To begin with
To ensure that personal electronic health information (EPHI) is secure in a mobile application, we offer to initiate this type of medical software testing with some preliminary procedures:
Checking push notifications
When performing HIPAA compliance tests, pay attention push notifications. This useful feature poses a potential threat of data breach, as anyone can view them casually. Make sure EPHI is never present in push notifications.
Elaboration of the role matrix
Applications for physicians and nurses, such as medical web applications, should use a role-based approach (RBA) to provide access to EPHI. Thus, an array of roles that reflects relevant user roles and their access to EPHI will be useful for planning testing efforts.
Creation of test data
Occasionally, EPHI may appear when you are testing secure data transmission, access control, and so on. Therefore, you should replace the actual EPHI with test data to prevent data leakage during the test.
HIPAA technical guarantees: mandatory and addressable
Like other health software products involving EPHI, mobile medical applications should meet HIPAA technical warranties, which contain two sets of specifications: mandatory and addressable. When testing health software to comply with HIPAA, you should keep in mind that the requirements of your product are as important as the technical warranties of HIPAA. In the event that your product requires the implementation of addressable specifications, they should be covered with relevant test cases. If any required specifications are beyond the scope of your project, you should not worry.
We will now specifically present the applicable technical warranties hospital applications.
Access control
- Unique user identification (required)
User ID is a unique name and / or number to identify and track the user’s identity.
- Authentication (required)
Enterprise-to-employee (B2E) mobile medical applications should use two-factor authentication. The first factor is the correct login and password that you should try using not only positive but also negative test cases (empty login or password field, invalid login or password, etc.). Regarding the second factor, biometrics is the best option. Biometrics saves time, as the app can check the second factor (fingerprint, retinal scan, etc.) while the doctor fills in the password field.
Use positive / negative tests to verify that the application grants access to authorized users and denies it to others. Still, you should make sure that even an authorized user has access to the minimum information needed to work, but nothing more.
- Emergency access procedure (mandatory)
While medical applications can run on devices for personal use (the trend Bring Your Own Device), they are still work-related software, which means that emergency access must be guaranteed. Emergency controls typically give access to the application to hospital IT professionals. This way, IT specialists can recover the necessary EPHI if needed. You can test the emergency access procedure by applying a relevant user scenario.
- Automatic closing (addressable)
For hospital applications, the addressable requirement to automatically log out of the session is a must. You should ensure that the application logs out and forces the user to repeat two-factor authentication when left idle for a while. In some cases, developers use the lock screen password feature to renew the session, so you should try it too.
Audit controls (mandatory)
For medical applications, user activity should only be logged on the caregiver’s server. As with web applications, you should check the activity logs of various types of users looking for access to EPHI. At the same time, make sure that EPHI is not filtered in the log files.
Integrity (required)
To ensure integrity, developers use certain features that protect EPHI from unauthorized changes or deletions. These features include backup accuracy, controls that protect the product from human errors, and program that can corrupt data. You should test these features by applying relevant user scenarios and log analysis.
Transmission security
• Encryption (addressable) and integrity checks (addressable)
Transmission security is one of the key points of medical mobile applications. Whenever transmitted, EPHI must be securely encrypted, delivered to the recipient without any unwanted changes, and decrypted. Data encryption must be observed at all transfer points. Sounds easy, right? In fact, it is not.
Transmission security is the hardest part of HIPAA compliance for an application. Mobile devices use different protocols for exchanging information, such as unencrypted SMS and MMS. Other media (email, database / API calls, etc.) only work to send EPHI in case the ISP is the caregiver. business partners (Compatible with HIPAA 3rd party). Therefore, use positive / negative tests to ensure that the EPHI is only sent through commercially associated channels.
Additional challenges
Ensuring security
Mobile app security testing is critical to ensuring that the app can withstand piracy attacks, and here you can’t just limit yourself to black box or white box penetration testing. While black box pentesting will reveal application vulnerabilities with a special focus on EPHI leak sources, white box pentesting will examine the internal structure of the application and address possible weaknesses in the code. Perform both types of penetration testing to make sure the application is stable and immune to piracy attacks.
Human factor
Unfortunately, mobile devices are often the victims of our negligence. Stolen mobile devices left in restaurants or taxis can lead to possible data breaches. Fortunately, healthcare software developers can address this challenge by using remote wipe when a user reports the loss of the device. Remote deletion is a technology that applies a network administrator or device owner to delete data from a lost or stolen device. Remote cleaning offers four implementations:
- Deleting data from selected folders.
- Repeat overwriting data to prevent recovery.
- Returning the device to the factory settings.
- Removal of all software from the device.
Simulate the device loss situation and make sure there is a remote wipe implementation.
To finish
Although HIPAA is a large and complex document, HIPAA compliance testing for software products is based on HIPAA technical warranties. The main point of HIPAA technical guarantees is to protect the privacy of the EPHI, which in the case of mobile applications is a difficult task. Therefore, HIPAA compliance tests for medical applications should have the following:
- Implementations of HIPAA technical guarantees for mobile applications (special attention to secure data transmission).
- Project requirements (special attention to the participation of the EPHI in potentially vulnerable areas of the application).
- Application security (integral pentesting).
- Human factor (special care to protect EPHI in case a device is lost).
As you can see, in medical software testing, mobile technologies make quality control engineers go beyond functional requirements and mimic real-life situations to ensure that EPHI is protected. However, it is possible to achieve this challenge by applying an elaborate test strategy.
Discuss your needs
HIPAA compliance testing for ScienceSoft hospital mobile applications
In healthcare computing since 2005, ScienceSoft verifies HIPAA compliance of hospital applications focused on access control, data integrity, and transmission security.
