Exploring Security Controls in Health Information Systems Using CodeBERT

Health information systems (HISs) are integral in enhancing clinical operations and improving patient care. To fulfill this role, these systems require a comprehensive design capable of addressing essential health quality attributes such as security. This design, typically embodied in software architecture, must incorporate secure design decisions that adhere to established software security policies and guidelines. Such design decisions are frequently represented by security controls (also known as security tactics). Despite the significance of implementing and developing security controls to protect information within HISs, there is a paucity of empirical studies that examine which security controls are actually used in these systems. This gap significantly hinders the reuse and acceleration of secure design decisions within the software architecture of a system. In this paper, we report a study aimed at identifying security controls in health software projects by utilizing a CodeBERT model. We applied the trained model to 10 open-source projects related to HISs and classified the identified security tactics.
The findings suggest that the security controls identified in HISs predominantly focus on security-by-design prevention strategies, whereas detection and recovery strategies remain largely unaddressed in the context of attacks. Our study represents an initial effort to elucidate which secure design decisions are prioritized in the development of HISs.

This research will be presented at the International Conference of the Chilean Computer Science Society (SCCC).