Proposing regulatory-driven automated test suites for electronic health record systems

In regulated domains such as finance and health care, failure to comply with regulation can lead to financial, civil and criminal penalties. While systems vary from organization to organization, regulations apply across organizations. We propose the use of Behavior-Driven Development (BDD) scenarios as the basis of an automated compliance test suite for regulations and interoperability standards. Such a test suite could become a shared asset for use by all systems subject to those regulations and standards; each system would then need only its own system-specific test driver code to automate its compliance checks. The goal of this research is to enable organizations to compare their systems against regulation in a repeatable and traceable way through the use of BDD. To evaluate our proposal, we developed an abbreviated HIPAA test suite and applied it to three open-source electronic health record systems. The scenarios covered all security behavior defined by the selected regulation. The system-specific test driver code covered all security behavior defined in the scenarios, and identified where the tested system lacked such behavior.
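The split the abstract describes, shared scenario text on one side and system-specific driver code on the other, is easier to see in a small working harness. The following is an added example written for this page; it is not the authors' HIPAA suite, and the two EHR classes are toy stand-ins constructed here, not the three open-source systems the paper evaluated. The audit-control and access-denial scenarios are illustrative readings of HIPAA-style security behavior, written for the example rather than quoted from the regulation. The same scenario text is run against both stand-ins, and the driver reports where one of them lacks the required behavior.

```python
import re

# Shared asset: scenario text (constructed for this example).
SCENARIOS = """
Scenario: Access to a patient record is recorded in the audit log
  Given a clinician "dr_lee" is authenticated
  When "dr_lee" views the record of patient "P-1001"
  Then the audit log contains an entry for "dr_lee" accessing "P-1001"

Scenario: Unauthenticated users cannot view records
  Given no user is authenticated
  When "guest" views the record of patient "P-1001"
  Then the request is denied
"""

# Toy systems under test (constructed). The second one omits audit logging.
class AuditingEhr:
    def __init__(self):
        self.sessions, self.audit_log = set(), []
    def login(self, user):
        self.sessions.add(user)
    def view_record(self, user, patient_id):
        if user not in self.sessions:
            raise PermissionError("not authenticated")
        self.audit_log.append((user, "READ", patient_id))
        return {"patient": patient_id}

class SilentEhr(AuditingEhr):
    def view_record(self, user, patient_id):
        if user not in self.sessions:
            raise PermissionError("not authenticated")
        return {"patient": patient_id}  # no audit entry written

# System-specific driver code: bind each step to calls on the system.
STEPS = []
def step(pattern):
    def register(fn):
        STEPS.append((re.compile(pattern), fn))
        return fn
    return register

@step(r'a clinician "(\w+)" is authenticated')
def given_authenticated(ctx, user):
    ctx["ehr"].login(user)

@step(r'no user is authenticated')
def given_anonymous(ctx):
    pass

@step(r'"(\w+)" views the record of patient "([\w-]+)"')
def when_views(ctx, user, patient_id):
    try:
        ctx["ehr"].view_record(user, patient_id)
        ctx["denied"] = False
    except PermissionError:
        ctx["denied"] = True

@step(r'the audit log contains an entry for "(\w+)" accessing "([\w-]+)"')
def then_audited(ctx, user, patient_id):
    if (user, "READ", patient_id) not in ctx["ehr"].audit_log:
        raise AssertionError("no audit entry")

@step(r'the request is denied')
def then_denied(ctx):
    if not ctx["denied"]:
        raise AssertionError("request was not denied")

# Minimal runner: parse Given/When/Then lines and dispatch to bound steps.
def parse_scenarios(text):
    scenarios, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scenario:"):
            current = (line[len("Scenario:"):].strip(), [])
            scenarios.append(current)
        elif line and current is not None:
            current[1].append(re.sub(r"^(Given|When|Then|And)\s+", "", line))
    return scenarios

def run_scenarios(ehr_factory, text=SCENARIOS):
    """Map scenario name -> None on pass, or a failure message."""
    results = {}
    for name, steps in parse_scenarios(text):
        ctx, results[name] = {"ehr": ehr_factory()}, None
        for s in steps:
            for pattern, fn in STEPS:
                m = pattern.fullmatch(s)
                if m:
                    try:
                        fn(ctx, *m.groups())
                    except AssertionError as e:
                        results[name] = f"step '{s}' failed: {e}"
                    break
            else:
                results[name] = f"no step binding for '{s}'"
            if results[name]:
                break
    return results

if __name__ == "__main__":
    for label, factory in (("auditing", AuditingEhr), ("silent", SilentEhr)):
        for name, outcome in run_scenarios(factory).items():
            print(f"[{label}] {name}: {'PASS' if outcome is None else outcome}")
```

Only the step functions touch the system under test, so porting the suite to another EHR means rewriting those bindings while the scenario text stays shared. An unbound step is reported as a failure rather than skipped, which is what makes a gap in coverage visible instead of silent.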
