A framework for the measurement of software quality
Proceedings of the software quality assurance workshop on Functional and performance issues
Threat Modeling
Eliciting security requirements with misuse cases
Requirements Engineering
IEEE Security and Privacy
Software Security: Building Security In
Using Static Analysis to Find Bugs
IEEE Software
Proceedings of the second annual workshop on Security and privacy in medical and home-care systems
The Certification Commission for Health Information Technology (CCHIT) is an electronic health record certification organization in the United States. In 2009, CCHIT's comprehensive criteria were augmented with security criteria that define additional functional security requirements. The goal of this research is to illustrate the importance of requiring misuse cases in certification standards, such as CCHIT, by demonstrating the implementation bugs present in an open source healthcare IT application. We performed an initial evaluation of an open source electronic health record system, OpenEMR, using an automated static analysis tool and a penetration testing tool. We were able to discover implementation bugs latent in the application, ranging from cross-site scripting to insecure cryptographic algorithms. Our findings underscore that certification security criteria should address implementation bugs as well as design flaws. Based upon our findings, we recommend that CCHIT be augmented with a set of misuse cases that check for specific threats against EMR systems and thereby improve this aspect of the certification process.