REGISTER

C u r e C o d e

Security Level Classification

Define the right security assurance category for your healthcare web application based on contextual risks and adapted NIST SP 800-63 guidelines.

Informative Section

According to the OWASP ASVS, web applications can be categorized in three security verification levels:

  1. ASVS Level 1: For low assurance levels, completely penetration testable.
  2. ASVS Level 2: Applications that contain sensitive data, which requires protection and is the recommended level for most applications.
  3. ASVS Level 3: Most critical applications — applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

It may seem logical to assume that web applications used in the healthcare domain should automatically be classified as ASVS Level 3. However, there are situations in which a web application, even within a clinical context, can be considered low or medium risk. The table below provides examples to illustrate how security level can be defined in clinical settings:

Security Level Healthcare web app type Rationale
ASVS Level 1 Health education portal with no login, publishing articles and infographics on healthy lifestyle (no user data collected, only technical cookies). Reduced attack surface: no accounts, no uploads, no sensitive APIs. An attack would bring more of a reputational damage, but zero impact on data or patient care.
ASVS Level 2 Medical appointment booking portal that manages patient profiles with demographics information and agenda, accessible via username + password and CAPTCHA; includes REST API to synchronize with the outpatient clinic's queue management system. It exposes PII and integrates APIs. However, it doesn't contain detailed clinical data or functionality that directly affects diagnosis/therapy.
ASVS Level 3 Electronic prescribing and drug therapy system used on the ward, with Single Sign-On authentication and digital signature, which updates the medical record in real time and sends orders to smart infusion pumps. It allows PDF report uploads and manages complete clinical data. Multiple attack surfaces. Any compromise can alter therapies or expose PHI. More weaknesses, thus high probability of accident if advanced controls are not implemented rigorously.

To evaluate the level of security, the following healthcare-specific harm and impact categories will be considered:

Code Risk Category Description
H1 Health data integrity compromise Any unauthorized alteration, corruption, or deletion of clinical data. Such incidents may cause misdiagnosis, inappropriate treatments, or the loss of historically important clinical information.
H2a Demographic data breach (PII) Exposure of Personally Identifiable Information (PII) of patients or staff, without exposing clinical content.
H2b Identifiable clinical information breach (PHI) Unauthorized access to or dissemination of identifiable medical data, including lab results, diagnostic images, prescriptions, or detailed clinical reports.
H3 Healthcare financial fraud or abuse Attacks that compromise billing systems, payment authorizations, or insurance data fall into this category.
H4 Other clinical delays or errors Any impact that slows, prevents, or alters diagnostic/therapeutic decisions.
H5 Reputational/legal damage A breach or incident may lead to loss of patient and public trust, and potential violations of laws such as GDPR or NIS2.
H6 Disruption of clinical services System downtime or malfunction that impedes care delivery, e.g., a radiology system becoming unavailable, or electronic prescriptions failing.
H7 Risk to patient physical safety Data alteration or unavailability that may lead to injury or death.
H8 Invalidation of trial data For systems involved in clinical trials, any breach that alters or exposes research data may invalidate scientific works.
H9 Re-identification of pseudonymized data When data is pseudonymized, there's a risk that attackers may cross-reference it with external datasets to reconstruct patient identities.
1

Step 1: High level risk categories evaluation

The first step involves assessing the highest-level risk categories, which would directly affect patient or healthcare personnel, data confidentiality, or healthcare information.

Use the following interactive workflow to decide the security level that should be applied to your healthcare web application:

Layer 1 NO STEP 1 CLEAR STEP 1 YES 1 To provide the service, do you need any personal and/or clinical information? What are the risks (to the organization or the subject) of providing the service? 2 H2a Demographic data breach High Mod Low None H1 Health data integrity compromise High Mod Low None H2b Identifiable clinical information breach High Mod Low None H3 Healthcare financial fraud or abuse High Mod Low None H4 Other clinical delays or errors High Mod Low None 3 for any of the above? Did you assess at high 4 for H2a and/or H2b? Did you assess at moderate 5 for H1, H3 and/or H4? Did you assess at moderate YES YES YES NO NO NO L2 L3 L1 Go to step 2
The interactive workflow is available on screens wider than 960px. Please use a desktop or laptop to interact with Step 1.
2

Step 2: Low level risk categories evaluation

If none of the high level critical risks listed in Step 1 reach moderate or high levels, the assessment continues with categories which can be direct or indirect consequences of the high level risk categories.

Use the following interactive workflow to decide the security level that should be applied to your healthcare web application:

Layer 1 STEP 2 CLEAR STEP 2 YES H6 Disruption of clinical services High Mod Low None H5 healthcare organizations High Mod Low None H7 Risk to patient physical safety High Mod Low None H8 Invalidation of trial data High Mod Low None H9 info from pseudonymized data High Mod Low None 1 moderate for H7 and/or H9? Did you assess at high or 2 for H5, H6 and/or H8? Did you assess at moderate YES NO L2 L3 L1 Reputational/legal damage to Possible re-identification of sensitive NO
The interactive workflow is available on screens wider than 960px. Please use a desktop or laptop to interact with Step 2.
An unhandled error has occurred. Reload 🗙