Best approach to test Digital Healthcare applications for FEDRAMP

Healthcare systems are under immense pressure after COVID-19 pandemic. Healthcare providers have now to be prepared to handle unprecedented numbers of patients, which is increasingly bringing new challenges in managing and scaling operations. The federal, state, and local governments were in full crisis response mode.

The COVID-19 pandemic has triggered an acute need for healthcare providers to avail the assistance of technology solution providers that offer solutions based on industry-wide regulations like FedRAMP.

Nowadays, IT and tech solutions are developing applications keeping compliance in mind. Healthcare providers and public agencies can implement such digital applications to address the challenges. However, the best digital healthcare application is the one that has gone through the best testing process. We help you know this by discussing the best testing approach for healthcare applications in the context of FEDRAMP.

This blog might be of your interest: Mobile Application Testing Solutions For New-age Mobile Applications

About FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a risk-based approach to adopt and leverage the cloud by the federal government. Established in 2011, it is intended to empower enterprises with new-age cloud capabilities. A cost-effective approach, it emphasizes security of federal information, authorization, and continuous monitoring of cloud’s performance and its products.

Why FedRAMP?

Some of the reasons explaining the importance of FedRAMP are as below:

• FedRAMP governs the security and risk assessment of cloud by providing a set of standards.

• Any application of cloud by a public agency must comply with FedRAMP standards.

• As a rigorous process, FedRAMP evaluation offers a standardized approach to security assessment, authorization, and continuous monitoring. Each of these requirements must be satisfied to prevent falling out of compliance.

• FedRAMP effectively helps reduce duplication and inconsistencies and facilitates cost efficiencies.

• FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies. With FedRAMP, you can forge public-private partnerships and drive innovation for more secured IT framework.
• FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.        FedRAMP helps create transparent standards and processes which agencies can leverage and scale with ease. This feature of FedRAMP accelerates cloud adoption by agencies.

Authorization through an agency and process in FedRAMP: 

The Agency Authorization process allows agencies to work with a CSP (Cloud Service provider as and when required. When a CSP decides to work with an agency to avail Authority to Operate (ATO), they get to work with the agency throughout the FedRAMP authorization lifecycle. Listed below are the  different processes that go into the authorization process.

• Readiness Assessment –To achieve the FedRAMP-ready tag, it is essential on the part of CSP to partner with a certified 3PAO (Third Party Assessment Organization). It is then only that completing assessment of readiness would be feasible. The RAR (Readiness Assessment Report) records the capability of CSP to meet security requirements.
• Pre-Authorization–  CSP establishes a formal partnership with an agency through requirements specified in the marketplace. In this process, CSP has to ensure that the leadership is committed to implementing FedRAMP process. Moreover, it has to ensure the security categorization. The last step is to initiate the kickoff meeting so that background functionality and technical security are ensured and there are not compliance gaps.
• Full Security Assessment –Before this process, it is expected that SSP is complete and approved by the agency. An independent audit is conducted by 3PAO with an aim to test the CSP’s system. Security Assessment Report (SAR) are prepared, based on which CSP develops POA&M (Plan of Action for achieving Milestones)
• Agency Authorization Process –. This process involves the agency conducting a review of security authorization package. CSP initiates remediation as per the results of the review. Finally, the agency customer drives risk analysis before issuing an ATO. The CSP and 3ATO then uploads all requisite security material to FedRAMP’s secured repository. This is followed by the review of the security assessment materials to be included in the marketplace.
• Continuous Monitoring – All the agency customers must be kept informed and updated with security deliverables. So, CSP ha to provide periodic deliverables for security. This includes vulnerability scans, annual security assessments, significant change requests, incident reports and updated POA&M. Through the services, each agency conducts periodic (monthly and annual) monitoring of deliverables.

Strategy for compliance testing

Indium will follow several strategies in its digital assurance solutions to perform various compliance tests to ensure the application security. Below are the types to testing requirements involved during testing for FEDRAMP requirements.

Web Application/ Mobile Application /Application Program Interface (API) Testing:

• Cloud Access – Roles associated to the cloud access and access limitations.
• Configuration – Web server configuration level validation.
• Authentication and Session Management – Validates how session is created between browsers/devices and maintains session state.
• Data Storage – Verify Encryption outside application platform.
• API – Perform internet searches to identify any publicly available information on the target web application and make sure all input elements are validated.

High-level Testing activities to meet the FedRAMP Req.:

Security Controls	Validation Name
ACCESS CONTROL	PUBLICLY ACCESSIBLE CONTENT
ACCESS CONTROL	ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES
ACCESS CONTROL	CONCURRENT SESSION CONTROL
ACCESS CONTROL	SESSION LOCK
ACCESS CONTROL	SESSION TERMINATION
ACCESS CONTROL	UNSUCCESSFUL LOGON ATTEMPTS
ACCESS CONTROL	PRVILAGED ACCESS/DENIED ACCESS
ACCESS CONTROL	AUTHENTICATION AND ENCRYPTION
AWARNESS AND TRAINING	ROLE-BASED SECURITY TRAINING
AWARNESS AND TRAINING	SECURITY AWARENESS TRAINING
AUDIT	AUDIT EVENTS
AUDIT	AUDIT REVIEW, ANALYSIS, AND REPORTING
AUDIT	RESPONSE TO AUDIT PROCESSING FAILURES
SECURITY ASSESSMENT AND AUTHORIZATION	CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT
SECURITY ASSESSMENT AND AUTHORIZATION	PENETRATION TESTING
CONFIGURATION MANAGEMENT	CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
CONFIGURATION MANAGEMENT	SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS
CONFIGURATION MANAGEMENT	ACCESS RESTRICATIONS FOR CHANGE
CONFIGURATION MANAGEMENT	ALERTS FOR UNAUTHORIZED INSTALLATIONS
CONTINGENCY PLANNING	CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING	BACKUP ACTIVITIES – PRIMARY and SECONDARY REGION
CONTINGENCY PLANNING	TESTING FOR RELIABILITY / INTEGRITY
IDENTIFICATION AND AUTHENTICATION	VALIDATION OF LOCAL ACCESS, REMOTE ACCESS, NETWORK ACCESS
IDENTIFICATION AND AUTHENTICATION	AUTHENTICATOR MANAGEMENT
INCIDENT RESPONSE	IR TRAINING AND TESTING
MAINTANANCE	CONTROLLED MAINTENANCE
MAINTANANCE	SYSTEM MESSAGES  – MANUAL AND AUTOMATIC

Check this out : Automation Testing for Financial Services Application

Network & Penetration Testing:

Below is the process that will be ensured as a part of network and penetration testing to ensure the FEDRAMP requirement

• Security assessment schedule
• Describe Tools for security controls
• Injection Analysis & Broken Authentication / Authorization (API & Web)
• Vulnerability Assessment & Penetration Test on API (request & response) & Web.
• Vulnerability analysis on API, APK & iOS

Stages in Vulnerability assessment:

Tools to validate:

Platform	Tools
Web	OWASP-ZAP, NMAP, Nessus essentials
Web & Mobile	Burp Suite
APK	ADB, Drozer, JD-GUI, Dex2Jar, APK Tool
APK & iOS	Mob-SF,Frida
iOS	Cydia, Objection

VAPT – API – Scenarios: Broken object level authentication Injection attacks Authentication and Authorization Access ControlSecurity Misconfiguration Sensitive Data exposure MITM attacks Components with vulnerabilities Indirect object reference

VAPT – Mobile & Web Scenarios: Poor platform usage Poor data storage Poor communication Weak authentication Weak Cryptography Poor authorization security Quality of client code(apk) Code tamperingMITM Attacks