Testing Electronic Health Records Applications with a Security Test Pattern Developed Using Empirical Data (Ben Smith)

Presentation transcript:

Motivation
- Knowledge gap in software security testing expertise.
- Need a vehicle to capture and disseminate knowledge about how to attack systems that novices can understand.
- Introduced and evaluated a pattern catalog of software security test patterns.

Contributions
- Introduced the process for empirical development of test patterns using a grounded theory approach.
- Developed the first six test patterns, which target the CWE/SANS Top 25.
- Applied the pattern catalog to 284 public requirements for EHR systems.
- Created 137 black box test cases and ran these on five EHRs for 685 test executions.
- Thirty-seven percent (37%), or 253, of the test executions revealed vulnerabilities.
- These were different vulnerabilities from those found by static analysis and automated penetration testing.

Security Test Pattern Components
- Keywords
- Targeted Vulnerability Types
- CIA Properties
- Procedure Template
- Expected Results Template
- Example Procedure
- Example Expected Results

User Study
- Conducted a study of 47 novices applying the six patterns to six requirements from the public requirements document.
- Created a consensus using a panel of seven experts.
- Novices make similar decisions about which patterns are applicable as experts do.
- Novices spent less than 18 minutes parsing the requirements and produced on average 15 tests.
- Novices reported that they thought the exercise would be useful for security.

Notes
- still less text
- make a handout with the pattern on it and maybe just have the component headers
- "security testing knowledge transfer"
- Highlight the lack of expertise in the common developer/tester population.
- remove the icons
- show STPI with a pre-parsed requirement
- indicate that we empirically developed the patterns to target the CWE/SANS Top 25
- say what the Top 25 actually are
- remove the problem/object/approach/evaluation stuff and just have the highlights
- make Andy's chart: "Requirement" -> a) actor (icon), b) action (icon), c) object (icon) -> test cases
- make sure a list of all the patterns is still there
- pattern -> "security test pattern"
- highlight the fact that I evaluated it
- put the number of failures in addition to the percentage
- Make sure there is a tracing from the tool to the example pattern.

http://securitytestpatterns.org
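The talk describes a security test pattern by its component headers (Keywords, Targeted Vulnerability Types, CIA Properties, Procedure Template, Expected Results Template) and a flow that parses each requirement into an actor, an action and an object before instantiating the applicable patterns into black box test cases. The Python below is an added example of that flow and is not code from the talk, from STPI or from securitytestpatterns.org. The two patterns in the catalog and the two EHR-style requirements are constructed for illustration (modelled on CWE/SANS Top 25 categories, not the six patterns the talk developed); the keyword match and the test-id scheme are assumptions of this example.

```python
"""Added example: encoding a security test pattern and instantiating it into
black box test cases from pre-parsed requirements (actor, action, object)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTestPattern:
    """Component headers as named in the talk; contents here are constructed."""
    name: str
    keywords: tuple[str, ...]            # requirement words that make the pattern applicable
    targeted_vulnerability_types: tuple[str, ...]
    cia_properties: tuple[str, ...]
    procedure_template: str              # may use {actor}, {action}, {target}, {variant}
    expected_results_template: str
    variants: tuple[str, ...]            # one test case is produced per variant


@dataclass(frozen=True)
class ParsedRequirement:
    req_id: str
    text: str
    actor: str      # who performs the action
    action: str     # what they do
    target: str     # the object the action is performed on


@dataclass(frozen=True)
class BlackBoxTestCase:
    test_id: str
    pattern: str
    procedure: str
    expected: str


# Constructed catalog (assumption): two illustrative patterns, NOT the talk's six.
CATALOG = (
    SecurityTestPattern(
        name="Unvalidated input",
        keywords=("enter", "record", "submit", "search"),
        targeted_vulnerability_types=("CWE-20 Improper Input Validation",),
        cia_properties=("integrity", "availability"),
        procedure_template="As {actor}, attempt to {action} a {target} using {variant}.",
        expected_results_template=(
            "The system rejects the {target} with a validation error, stores no "
            "partial {target}, and logs the rejected attempt."
        ),
        variants=(
            "a value longer than the documented maximum length",
            "an empty value",
            "a value of the wrong data type",
        ),
    ),
    SecurityTestPattern(
        name="Missing authorization check",
        keywords=("view", "display", "print", "export"),
        targeted_vulnerability_types=("CWE-862 Missing Authorization",),
        cia_properties=("confidentiality",),
        procedure_template=(
            "Using {variant}, attempt to {action} the {target} that only a "
            "{actor} should reach."
        ),
        expected_results_template=(
            "The system denies the request, reveals nothing about the {target}, "
            "and records the denied access."
        ),
        variants=("an account without the {actor} role",),
    ),
)


def applicable_patterns(req: ParsedRequirement, catalog=CATALOG) -> list[SecurityTestPattern]:
    """Select patterns whose Keywords appear in the requirement text (case-insensitive)."""
    words = set(re.findall(r"[a-z]+", req.text.lower()))
    return [p for p in catalog if words & set(p.keywords)]


def generate_test_cases(reqs, catalog=CATALOG) -> list[BlackBoxTestCase]:
    """Requirement -> (actor, action, object) -> one test case per pattern variant."""
    cases: list[BlackBoxTestCase] = []
    for req in reqs:
        for pattern in applicable_patterns(req, catalog):
            for n, variant in enumerate(pattern.variants, start=1):
                fields = {"actor": req.actor, "action": req.action, "target": req.target}
                fields["variant"] = variant.format(**fields)   # variants may reference the actor
                cases.append(BlackBoxTestCase(
                    test_id=f"{req.req_id}-{pattern.name[:3].upper()}-{n}",
                    pattern=pattern.name,
                    procedure=pattern.procedure_template.format(**fields),
                    expected=pattern.expected_results_template.format(**fields),
                ))
    return cases


# Constructed requirements (assumption) in the style of a public EHR requirements document.
REQUIREMENTS = (
    ParsedRequirement("R1", "The system shall allow a clinician to enter a medication order for a patient.",
                      actor="clinician", action="enter", target="medication order"),
    ParsedRequirement("R2", "The system shall allow a receptionist to view a patient's demographic data.",
                      actor="receptionist", action="view", target="demographic data"),
)

if __name__ == "__main__":
    for tc in generate_test_cases(REQUIREMENTS):
        print(f"{tc.test_id} [{tc.pattern}]\n  Procedure: {tc.procedure}\n  Expected:  {tc.expected}")
```

With the constructed catalog, R1 matches only the input pattern (three test cases, one per input variant) and R2 matches only the authorization pattern (one test case), so the two requirements yield four black box tests, each carrying the procedure and expected result a novice tester would execute by hand. The keyword match stands in for the requirement-parsing step the talk attributes to the tool; in practice the actor, action and object would come from that parse rather than being typed in as they are here.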