Security in SOA-Based Healthcare Systems

Abstract

Healthcare organizations need to handle many kinds of information and integrate different support systems, which may be accessed from external corporations. Service Oriented Architecture (SOA) provides the means to achieve a common platform to deploy services that can be used across the organization and its boundaries, but introduces new security concerns that need to be evaluated in order to implement a secure system, while still suffering from standard threats. Web Services are the common way to implement SOA applications, having several standards related to security (such as XML Encryption, XML Signature and WS-Security). Still, other security mechanisms such as input validation and SSL/TLS need to be thought of as well. A penetration test based on recognized methodologies and guidelines, such as the NIST Technical Guide to Information Security Testing and Assessment, OWASP Testing Guide and SIFT Web Services Security Testing Framework, was performed on a case study system. A proof of concept application making use of a set of middleware (web) services, the MPOWER platform, was audited in order to expose vulnerabilities. After conducting the penetration test on the system, 10 out of 15 scenarios presented security issues. The vulnerabilities found were described, demonstrating several risks from misusing, or not implementing at all, security mechanisms. As a consequence, countermeasures and recommendations were proposed in an attempt to improve the overall security of SOA-based (healthcare) systems. The results of the assessment show us how important is to validate the security of a system before putting it into production environment. We also come to the conclusion that security testing should be an inherent part of a secure software development life cycle. Moreover, not only healthcare systems may benefit from this study, and also not only SOA-based ones.