Best approach to test Digital Healthcare applications for FEDRAMP



June 22, 2022


Healthcare systems have been under immense pressure since the COVID-19 pandemic. Healthcare providers now have to be prepared to handle unprecedented numbers of patients, which brings new challenges in managing and scaling operations. The federal, state, and local governments were in full crisis response mode.


The COVID-19 pandemic has triggered an acute need for healthcare providers to seek the assistance of technology solution providers whose solutions are built on industry-wide regulations such as FedRAMP.

Nowadays, IT and technology solution providers are developing applications with compliance in mind. Healthcare providers and public agencies can implement such digital applications to address these challenges. However, the best digital healthcare application is the one that has gone through the best testing process. Below, we discuss the best testing approach for healthcare applications in the context of FedRAMP.

About FedRAMP:

The Federal Risk and Authorization Management Program (FedRAMP) is the federal government's risk-based approach to adopting and leveraging cloud services. Established in 2011, it is intended to empower enterprises with new-age cloud capabilities. A cost-effective approach, it emphasizes the security of federal information, authorization, and continuous monitoring of cloud products and their performance.

Why FedRAMP?

Some of the reasons explaining the importance of FedRAMP are as below:

  • FedRAMP governs the security and risk assessment of cloud services by providing a set of standards.
  • Any use of cloud services by a public agency must comply with FedRAMP standards.
  • As a rigorous process, FedRAMP evaluation offers a standardized approach to security assessment, authorization, and continuous monitoring. Each of these requirements must be satisfied to avoid falling out of compliance.
  • FedRAMP helps reduce duplication and inconsistencies and facilitates cost efficiencies.
  • FedRAMP establishes a public-private partnership that promotes innovation and the advancement of more secure information technologies.
  • FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations, which agencies can leverage and scale government-wide.

Agency authorization process in FedRAMP:

The Agency Authorization process allows agencies to work with a CSP (Cloud Service Provider) as and when required. When a CSP decides to work with an agency to obtain an Authority to Operate (ATO), it works with that agency throughout the FedRAMP authorization lifecycle. Listed below are the different stages of the authorization process.

  • Readiness Assessment – To achieve the FedRAMP Ready designation, the CSP must partner with a certified 3PAO (Third Party Assessment Organization); only then can the readiness assessment be completed. The RAR (Readiness Assessment Report) records the capability of the CSP to meet the security requirements.
  • Pre-Authorization – The CSP establishes a formal partnership with an agency through the requirements specified in the marketplace. In this stage, the CSP has to ensure that its leadership is committed to implementing the FedRAMP process and has to complete the security categorization. The last step is the kickoff meeting, which confirms background functionality and technical security and ensures there are no compliance gaps.
  • Full Security Assessment – Before this stage, the SSP (System Security Plan) is expected to be complete and approved by the agency. An independent audit is conducted by the 3PAO to test the CSP's system. A Security Assessment Report (SAR) is prepared, based on which the CSP develops a POA&M (Plan of Action and Milestones).
  • Agency Authorization Process – The agency reviews the security authorization package, and the CSP remediates findings based on the results of the review. Finally, the agency customer performs its risk analysis before issuing an ATO. The CSP and 3PAO then upload all requisite security material to FedRAMP's secure repository, after which the security assessment materials are reviewed for inclusion in the marketplace.
  • Continuous Monitoring – All agency customers must be kept informed and updated through security deliverables, so the CSP has to provide periodic security deliverables. These include vulnerability scans, annual security assessments, significant change requests, incident reports and an updated POA&M. Each agency conducts periodic (monthly and annual) monitoring of these deliverables.

Strategy for compliance testing

Indium follows several strategies to perform compliance tests that verify application security. Below are the types of testing involved in meeting FedRAMP requirements.

Web Application / Mobile Application / Application Programming Interface (API) Testing:

  • Cloud Access – Roles associated with cloud access, and access limitations.
  • Configuration – Validation at the web server configuration level.
  • Authentication and Session Management – Validates how a session is created between browsers/devices and the server, and how session state is maintained.
  • Data Storage – Verify encryption outside the application platform.
  • API – Perform internet searches to identify any publicly available information on the target web application, and make sure all input elements are validated.
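The configuration and session-management items above can be turned into repeatable checks against a login response. The following is an added example written for this article, not Indium's or FedRAMP's own tooling; the function names, the 900-second session ceiling and the sample header sets are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Finding:
    control: str   # validation item from the list above that the finding maps to
    detail: str

def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Parse the attributes of a Set-Cookie header into a lower-cased map."""
    attrs: Dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    return attrs

def validate_response(headers: Dict[str, str], max_session_secs: int = 900) -> List[Finding]:
    """Check a login response's headers; returns an empty list when all checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    cookie = h.get("set-cookie")
    if cookie is None:
        findings.append(Finding("Session Management", "no session cookie issued"))
    else:
        attrs = _cookie_attrs(cookie)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(Finding("Session Management", f"cookie lacks {flag} flag"))
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(Finding("Session Management", "cookie lacks SameSite=Strict/Lax"))
        max_age = attrs.get("max-age", "")
        if not max_age.isdigit() or int(max_age) > max_session_secs:
            findings.append(Finding("Session Termination",
                                    f"cookie lifetime missing or above {max_session_secs}s"))
    if "strict-transport-security" not in h:
        findings.append(Finding("Authentication and Encryption", "HSTS header missing"))
    if re.search(r"\d", h.get("server", "")):        # e.g. "nginx/1.18.0"
        findings.append(Finding("Configuration", "Server header discloses a version"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("Configuration", "X-Content-Type-Options: nosniff missing"))
    return findings

# Constructed sample responses (not captured from any real system).
WEAK = {"Server": "nginx/1.18.0", "Set-Cookie": "SESSION=abc123; Path=/"}
HARDENED = {"Server": "nginx",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "Set-Cookie": "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900"}
```

`validate_response(WEAK)` returns seven findings spanning the Session Management, Session Termination, Authentication and Encryption and Configuration items, while `validate_response(HARDENED)` returns none.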

High-level testing activities to meet FedRAMP requirements:

The validation activities below are grouped by the security control family they address.

Access Control
  • Publicly accessible content
  • Account management | Role-based schemes
  • Concurrent session control
  • Session lock
  • Session termination
  • Unsuccessful logon attempts
  • Privileged access / denied access
  • Authentication and encryption

Awareness and Training
  • Role-based security training
  • Security awareness training

Audit
  • Audit events
  • Audit review, analysis, and reporting
  • Response to audit processing failures

Security Assessment and Authorization
  • Continuous monitoring | Independent assessment
  • Penetration testing

Configuration Management
  • Configuration change control | Test / validate / document changes
  • Security impact analysis | Separate test environments
  • Access restrictions for change
  • Alerts for unauthorized installations

Contingency Planning
  • Contingency plan testing
  • Backup activities – primary and secondary region
  • Testing for reliability / integrity

Identification and Authentication
  • Validation of local access, remote access, network access
  • Authenticator management

Incident Response
  • IR training and testing

Maintenance
  • Controlled maintenance
  • System messages – manual and automatic

Network & Penetration Testing:

Below are the activities carried out as part of network and penetration testing to meet the FedRAMP requirements:

• Security assessment schedule
• Describe Tools for security controls
• Injection Analysis & Broken Authentication / Authorization (API & Web)
• Vulnerability Assessment & Penetration Test on API (request & response) & Web.
• Vulnerability analysis on API, APK & iOS

Stages in Vulnerability assessment:

  • Web application security analysis
  • Injection analysis & broken authentication / authorization (API & Web)
  • Vulnerability assessment & penetration test on API (request & response) & Web
  • Vulnerability analysis on API, APK & iOS
  • Improper usage of platform and poorly secured data storage (API, APK & iOS)
  • Poorly secured authorization & communication (API, APK & iOS)
  • Code tampering & reverse engineering (APK & iOS)
  • Runtime / dynamic analysis (APK & iOS)
  • Component exploitation
  • SSL pinning
  • Root & emulator detection

Tools to validate:

  • Web – OWASP ZAP, Nmap, Nessus Essentials
  • Web & Mobile – Burp Suite
  • APK – ADB, Drozer, JD-GUI, dex2jar, Apktool
  • APK & iOS – MobSF, Frida
  • iOS – Cydia, Objection

VAPT – API scenarios:

  • Broken object level authorization
  • Injection attacks
  • Authentication and authorization
  • Access control
  • Security misconfiguration
  • Sensitive data exposure
  • MITM attacks
  • Components with known vulnerabilities
  • Insecure direct object reference

VAPT – Mobile & Web scenarios:

  • Poor platform usage
  • Poor data storage
  • Poor communication
  • Weak authentication
  • Weak cryptography
  • Poor authorization security
  • Quality of client code (APK)
  • Code tampering
  • MITM attacks
