Patient Portal Quality Assessment to Achieve HIPAA Compliance and Improve Security
The Customer is a US company with a number of offices in different states providing professional healthcare services.
The Customer’s website contained a legacy patient portal designed to support communication between doctors and their patients, appointment scheduling, monitoring of patients’ prescriptions, and similar tasks. The application comprised several user modules: Doctor, Patient, and Control Panel. It was integrated with an EHR system and a database containing patients’ private healthcare information.
The application caused serious concerns, as users regularly ran into glitches in its functioning. The Customer therefore recognized the need for a software QA assessment to get an overall view of the existing defects, their possible consequences, and an effective way to treat them. In addition, to ensure that the patient portal complied with the HIPAA Security Rule, the Customer needed the QA assessment to provide insight into the application’s current security state.
The Customer provided ScienceSoft’s QA team with the source code, error logs, and users’ feedback on the glitches they had encountered recently. On the basis of the received information, ScienceSoft’s QA manager developed a comprehensive plan of relevant QA activities:
- Validation of the glitches reported by the Customer.
- Vulnerability scanning, malware detection, and penetration testing.
- Source code review.
- Database consistency review.
- Final quality assessment report.
ScienceSoft’s QA manager decided to combine automated and manual QA efforts. Automation was introduced to provide sufficient test coverage, minimize the number of missed defects and meet the deadline. At the same time, the QA manager decided on manual checks and reviews for the QA activities that required analytical skills, QA experience, and HIPAA knowledge.
Firstly, ScienceSoft’s QA professionals confirmed that the patient portal glitches the Customer had found and reported were genuine software defects. Their analysis indicated that more severe hidden code and database defects could be the cause of such glitches.
Secondly, the QA team carried out vulnerability scanning, malware detection, and penetration testing of the application so that the Customer would be fully aware of the current state of their cybersecurity and realistic about the risks. During vulnerability scanning, a high-severity security issue that could lead to the theft of database data was identified. Manual malware detection was run several times to identify any malicious code embedded in the source code. The QA team then performed penetration testing. White-box testing resulted in unauthorized access to the Customer’s EHR system through the application’s Doctor mode, which was possible because of poor login protection.
Then, ScienceSoft’s team proceeded to an automated source code review. The team aimed not only to detect actual code errors but also to assess such QA aspects of the code as testability, consistency, and logical structure. Numerous severe errors and warnings (flagging code sections with serious and medium impact on the application’s correct functioning) were detected during this QA stage. ScienceSoft’s QA professionals described them all in a comprehensive code review report.
Some of the application’s glitches prompted the QA manager to perform a database consistency review. A manual database inspection showed that the database had a non-optimal design with poorly defined relationships. Moreover, the patient portal was vulnerable to SQL injection, which could be used to damage the database.
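To make the SQL injection finding concrete for readers of the report, here is an added illustration that is not the Customer’s or ScienceSoft’s code. It assumes the portal is written in PHP (suggested by the PHP tooling listed under Technologies and Tools), uses an in-memory SQLite database with constructed sample rows, and shows a patient lookup written the injectable way beside the prepared-statement form a code review would require. The table, column and identifier values are all constructed for the example.

```php
<?php
// Added example, not code from the original case study. Requires the pdo_sqlite
// extension; all data below is constructed for illustration.

// Build a constructed sample database: two patients and their prescriptions.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE prescriptions (patient_id TEXT, drug TEXT)');
    $db->exec("INSERT INTO prescriptions VALUES ('P-1001', 'Drug A'), ('P-1002', 'Drug B')");
    return $db;
}

// VULNERABLE PATTERN: the caller-supplied id is concatenated straight into the
// SQL text, so any quote or operator in the input becomes part of the query.
function prescriptionsForPatientUnsafe(PDO $db, string $patientId): array
{
    $sql = "SELECT drug FROM prescriptions WHERE patient_id = '" . $patientId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED PATTERN: a prepared statement sends the SQL and the value to the
// driver separately, so the input is only ever compared as data and is never
// parsed as SQL, whatever characters it contains.
function prescriptionsForPatientSafe(PDO $db, string $patientId): array
{
    $stmt = $db->prepare('SELECT drug FROM prescriptions WHERE patient_id = :id');
    $stmt->execute([':id' => $patientId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = buildSampleDb();

// Normal use: both versions return the same single record.
var_dump(prescriptionsForPatientUnsafe($db, 'P-1001') === ['Drug A']); // bool(true)
var_dump(prescriptionsForPatientSafe($db, 'P-1001') === ['Drug A']);   // bool(true)

// A tampered id containing an always-true clause turns the unsafe query into
// "... WHERE patient_id = 'x' OR '1'='1'", which returns every patient's
// prescriptions: the data-theft risk the assessment flagged. The prepared
// statement compares the whole string literally and matches nothing.
$tampered = "x' OR '1'='1";
var_dump(count(prescriptionsForPatientUnsafe($db, $tampered)) === 2);  // bool(true)
var_dump(prescriptionsForPatientSafe($db, $tampered) === []);          // bool(true)
```

In a review of a portal like this one, every query built by string concatenation or interpolation of request data is a finding; the remediation is to route all of them through prepared statements as in the hardened function, and to add input validation (for example, checking that a patient id matches the portal’s own identifier format) as a second layer rather than as a substitute.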
After summarizing the whole scope of the web application defects found, ScienceSoft’s QA manager evaluated the application’s quality as low. The dedicated manager created a thorough and detailed software quality assessment report. The report focused on making the descriptions of technical details, security requirements, and final recommendations easily comprehensible for recipients with no technical background. The recommendations section was formulated in terms familiar to healthcare employees and suggested two alternative approaches: remediating the existing faulty software or gradually replacing the legacy application with a new one.
The Customer received a comprehensive quality assessment report highlighting the acute security, source code, and database issues undermining their application’s performance. The final report contained a detailed list of the security and source code defects found, allowing the Customer to jumpstart the management of the current issues. Two effective approaches to remediating the application were worked out; both lead to HIPAA compliance and tangible quality and security improvements.
Technologies and Tools
Static Analyzer Security Scanner, PHP Mess Detector, PHP Inspections, PHP Code Sniffer, and PHP Copy/Paste Detector.