Security system testing on electronic integrated antenatal care (e-iANC)

ABSTRACT

Healthcare providers must be able to ensure that the pregnancy is normal, to detect problems and illnesses early, and to intervene adequately so that pregnant women are ready to undergo a normal delivery. Antenatal Care (ANC) services provided by Indonesian midwives include taking vital measurements, assessing nutritional status, measuring fundal height, assessing the presentation of the fetus and the Fetal Heart Rate (FHR), screening for tetanus toxoid immunization status and giving tetanus toxoid if needed, dispensing iron supplements (Fe tablets), ordering laboratory tests (routine and special), managing cases, and counseling [4]. Midwives must complete several forms to document the provision of Integrated ANC, including basic medical records, detailed pregnancy-related information known as a "Mother Card", the "Mother and Child Health Handbook" (a record provided to the mother), public health reporting forms used for local and national monitoring known as a "Mother Cohort", and District Health Reports. Data on these paper forms are often incomplete and/or inaccurate, thus limiting possibilities for quality improvement analyses [4].

Int J Elec & Comp Eng ISSN: 2088-8708 Security system testing on electronic integrated antenatal care (e-iANC) (Hosizah) 347
Our interviews identified several difficulties with the paper-based Integrated Antenatal Care (ANC) processes at a primary health center in Bangkalan, including: redundancy in ANC data leading to inconsistencies; difficulties in using and interpreting paper records leading to delays in risk screening and service interventions; delays in accessing data; and inaccurate calculation and data analysis. Participants found the integrated ANC forms to be burdensome and redundant. Some felt that completion of the forms interfered with providing necessary antenatal care. In fact, many health information systems did not retain the real data in the form of an individual patient record. Instead, the data were collected as summary totals of patients, which obscured the individual patient history and made it difficult to follow patient records over time [6][7][8][9][10].
Electronic Integrated Antenatal Care (e-iANC) was built as a web-based application to assist midwives in recording ANC data, including Patient Registration; Anamnesis; Physical Examination; Laboratory Test; Screening of Risk Pregnancy; Communication, Information and Education; Treatment and follow-up; and Patient Disposition [6].
A web-based application (including e-iANC) is a medium that contains a great deal of information that can be accessed quickly and freely by the public [11][12][13]. This condition makes it difficult to prevent the introduction of vulnerabilities, as do limited skills and a lack of security culture. All these factors make web applications more vulnerable and exploitable by hackers. In addition, network security and the installation of firewalls do not provide adequate protection against Web-based attacks [14][15][16][17].
Several communities have been formed with the aim of improving the security of web applications; one of them is the Open Web Application Security Project (OWASP) [18]. To ensure that e-iANC is a safe system, security system testing was needed. This study aimed to test the security level of the e-iANC web-based application using OWASPZAP.

RESEARCH METHOD
The website security vulnerability testing was conducted using the Open Web Application Security Project Zed Attack Proxy (OWASPZAP), with 4 vulnerability levels as parameters: Informational, Low, Medium and High.
OWASP is an open source community dedicated to the development and maintenance of web-based applications. It has released a top 10 list of risk components, which includes Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Level Access Control, Cross Site Request Forgery (CSRF), Using Known Vulnerable Components, and Unvalidated Redirects and Forwards [13].
The GET method was used in this OWASPZAP test of the e-iANC web-apps, following the scheme in Figure 1.

Figure 1. OWASPZAP test scheme on e-iANC
As shown in Figure 1, the OWASP application was used as the medium to scan and detect the security level of the e-iANC website. The URL of e-iANC is entered and, once the process is over, the application gives the result.

RESULTS AND ANALYSIS
The OWASPZAP application releases its results in the form of tables. The top table contains the risk level of each security gap and the number of loopholes detected; the next table contains the risk level of the gap, the category or name of the gap, the location of the gap, the last method and the parameters; further tables contain solutions to the security holes. In this study, the possible attacks considered consisted of 3 attacks, as shown in Table. All of these possible attacks on the e-iANC web-apps have been examined with the result. Table 2 shows the vulnerability (security gap) report for cross domain JavaScript source file inclusion, and Figure 2 shows the solution for handling it.

Features of e-iANC
Electronic Integrated Antenatal Care (e-iANC) is an implementation of Electronic Medical Records (EMR). An electronic medical record is a real-time patient health record with access to evidence-based decision support tools that can be used to aid clinicians in making decisions [19][20][21][22]. The EMR can automate and streamline a clinician's workflow, ensuring that all clinical information is well communicated. It also prevents delays in response that would create gaps in care. Moreover, the EMR can support the collection of data for uses other than clinical care, such as billing, quality management, surveillance and public health disease reporting [23][24][25].
Below are the features of e-iANC:
a. Patient Registration: enabling entry of demographic and financial source data, including whether a patient pays in cash or is financed by the Healthcare and Social Security Agency [23].
b. Anamnesis, including history of current or previous pregnancy as well as labor history, as needed to identify high-risk patients. The first day of the last menstrual period is used to estimate the expected date of birth (Figure 2).
c. Physical Examination: results of physical examinations, including vital signs used to detect early pregnancy risks such as CPD, Preeclampsia, etc. [4].
d. Laboratory test: Urine protein; HBs Ag; BTA etc., as medically indicated.
e. Screening of Risk Pregnancy, described as low, high, or very high risk [26].
f. Communication, Information and Education (CIE): education materials related to factors such as delivery planning; nutritional problems; tetanus toxoid immunization; HIV/AIDS and other communicable diseases; exclusive breastfeeding, brain booster etc.
g. Treatment and follow-up: key treatments administered, including injection of tetanus toxoid and the provision of multivitamins. Midwives can enter the number and doses defined and administration instructions.
h. Patient Disposition: follow-up instructions including discharge or referral if necessary to other healthcare providers or health care facilities with more complete equipment.
i. Diagnosis: entry of specific antenatal diagnosis, using ICD-10 codes as required to process claims reimbursement [27].
j. Graphics of the maternal weight and Body Mass Index (BMI), which can be used to monitor maternal weight before for each visit. This novel visualization of health information was seen as necessary to expedite.
k. Reports: display and printing of Mother Cohort and District Health Reports on rural and primary health centers. Reports are available both to midwives and to the head of the primary health center.

CONCLUSION
Electronic Integrated Antenatal Care (e-iANC) is an innovation that combines an electronic medical record with a web-based application. With only one entry of Antenatal Care (ANC) data, midwives can therefore access real-time individual and aggregate health information on pregnant women. This can be employed for clinical service and organizational decision making; research; performance improvement; and education. The results indicated that the risk level of e-iANC was in the low category (which is represented by number 3) in the aspects of Cross-Domain JavaScript Source File Inclusion, Private IP Disclosure, and Web Browser XSS Protection Not Enabled.
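
The three low-risk alert types reported above can each be checked passively on a single HTTP response. The following Python sketch is an added example, not code from the paper or from OWASP ZAP; the function names, the sample URL and the sample response are constructed, and the checks approximate rather than reproduce ZAP's rules.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class _ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def passive_findings(page_url, headers, body):
    """Return the names of the three low-risk findings present in one response."""
    findings = []
    page_host = urlparse(page_url).hostname
    parser = _ScriptSources()
    parser.feed(body)
    hosts = [urlparse(urljoin(page_url, s)).hostname for s in parser.sources]
    if any(h and h != page_host for h in hosts):
        findings.append("Cross-Domain JavaScript Source File Inclusion")

    for candidate in IPV4.findall(body):
        try:  # is_private covers RFC 1918 plus loopback and link-local ranges
            if ipaddress.ip_address(candidate).is_private:
                findings.append("Private IP Disclosure")
                break
        except ValueError:  # the loose pattern also matches e.g. 999.1.1.1
            continue

    names = {k.lower(): v.strip() for k, v in headers.items()}
    if not names.get("x-xss-protection", "").startswith("1"):
        findings.append("Web Browser XSS Protection Not Enabled")
    return findings

# Constructed sample response; host names and addresses are placeholders.
SAMPLE_URL = "http://eianc.example/login"
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = """<html><head>
<script src="/js/app.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body><!-- db host 192.168.1.20 --></body></html>"""
```

Current browsers no longer implement the X-XSS-Protection filter, so a Content-Security-Policy is the control to verify today; the header check is kept here because it is the finding the study reports.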

Figure 2. Solution on handling the vulnerability of cross domain javascript source file inclusion

Figure 3. Vulnerability report of private IP disclosure

Figure 4. Solution on handling vulnerability on private IP disclosure

Figure 5. Vulnerability report on web browser XSS protection not enabled