Monday, October 19, 2015

“Secure by Design”, IoT in health

Though my subject is Medical Security, this post extends to the devices in our homes, our cars and our pockets. If a device is connected, we need security to ensure privacy.

The most important step in ensuring our privacy and protecting our data starts long before you purchase a device or a new connected device is added to a hospital or doctor's office network.

Security starts in the design of the device and is based on software best practices, many of which are not known or enforced in the coder community today. The practice is called Secure Software Development Life Cycle (S-SDLC) and is taught in the first semester of most Computer Science college curricula. This is where I normally lose the Agile designers, but wait, this will work for Agile as well. We just need to consider the sprints as smaller circles/life cycles; more about this later.

There is one large caveat to designing medical software: if it falls under the FDA definition of a medical device, it must follow IEC 62304, which is waterfall design, at least for the documentation. Not all software for medical use needs FDA approval, e.g., Electronic Health Records (EHR) do not fall under FDA jurisdiction. Why? Good question, however we will leave this for another discussion.

One issue software faces today is the lack of Computer Scientists. There are many great coders doing good work, however the oversight seems to be lax. Oversight is the responsibility of the vendor that owns the software and the customer who purchases the software, e.g., a hospital purchases a solution to store PHI, something goes wrong and the data is compromised. It is the hospital's responsibility to report the breach and most likely compensate the patients who have been damaged by it.

S-SDLC

Secure SDLC is based on SDLC, a best practice for designing and delivering robust software.



The cycle is a series of steps, starting at the top of the circle, that describe the life cycle of the development.
S-SDLC takes security into account at every step of the cycle, e.g., in the Requirements phase, add Security requirements.

One of the most important parts of the cycle is testing; it is the last chance to catch a problem before it gets to the customer. Because of the emphasis placed on iterations and quick delivery, many coders today do not agree.

There is a V-Model for SDLC that stresses the testing phase by including 5 levels of testing. Many in the Agile community feel that this model is too close to Waterfall design. I do not wish to debate, however I did want to show the testing phases that must be implemented in order to protect data.



  • Unit testing
  • Integration testing
  • System testing
  • User acceptance testing


User Acceptance Testing is one of the most important phases because it tests the system in the way that the customer will use it. I suggest that organizations perform this testing themselves to make sure they are getting the protection and operation that was sold to them.

As IoT solutions become more available in healthcare, we will need to be more diligent in protecting our privacy and the privacy of our patients. We can no longer accept the notion that a product, service or vendor is secure; we must follow through and be sure.

Security isn't something that you can buy as much as it is a way of thinking, designing, testing and implementing. Organizations must train their people to think about security first, in everything they do. We also must implement systems that allow employees to report suspected security problems without repercussions, i.e., shooting the messenger. Security is a team effort, both strategic and tactical.

4 comments:

  1. That is so extraordinary. I really liked your article. I did not know that to secure with medical office IT and it was even possible. So it was kind of new to me to know this stuff.

  2. Very nice article.
    Thanks for sharing this with us.

    “Internet of Things” (IoT) is the network or associations between those Internet-connected objects (smart devices) that are able to exchange information by using an agreed method and data schema. Expertise requires knowledge of communication and other protocols, hardware trade-offs, software coding, Big Data impact, security, user experience and the high demands of end users and regulators. These combine into a perfect storm, presenting established and new challenges regarding QA in general, and particularly testing in the IoT ecosystem. This article will highlight the challenges as well as address potential strategies and solutions.

    By: Benny Sand
    1. Introduction
    The Internet of Things (IoT) is a key enabling technology for digital and virtual technologies. Approximately 8.4 billion things were connected in 2017, and the figure is expected to rise to 20.4 billion things by 2020, according to Gartner.

    Read more here about the IOT security testing.

  3. Great article. Kindly share more articles.

    Automation Testing Service

  4. Thank you so much for providing such nice information. Keep more updates Mobile app Security testing
