Privacy Requirements Definition and Testing in the Healthcare EnvironmentOctober 2013
Privacy laws and regulations articulate many privacy requirements at an abstract level. It can be challenging for system developers to translate these requirements into system and application characteristics. "Privacy testing" refers to specific system tests that are performed to ensure that privacy requirements are implemented correctly in systems. This is an important step to ensure that systems appropriately protect Personally Identifiable Information (PII). Privacy testing is especially vital for systems that process large amounts of Protected Health Information (PHI) to reduce the likelihood of errors in care and fraud, and reduce the overall cost of error in providing healthcare services. However, there has not yet been a broader effort to articulate privacy requirements at the system/application level and address using privacy testing to verify that basic privacy controls are implemented correctly within the healthcare environment.
This presentation presents ideas on how to engage with standards bodies to include healthcare-related privacy requirements and tests in standards and guidance documents used by the healthcare industry. One way to do this would be to revise the existing MITRE privacy risk management tool (PRIME) so that it can be used for privacy requirements definition and testing efforts in the healthcare environment.