Assessment Framework for Mental Health Apps

6. Security and Technical Stability Standards

Criteria

Criteria Origin

6a — Q1 Does the application connect to an internet-based application programming interface (API) (e.g., an application developer web service, social media, advertisements)? ORCHA
6a — Q2 List the APIs. ORCHA
6a — Q3 Does the application integrate with a device? ORCHA
6a — Q4 Does the application integrate with any of the following: electronic medical record (EMR), electronic health-care record (EHR), personal health record (PHR), or clinical specialty system (CSS)? MHCC
6a — Q5 Does the application operate without Wi-Fi? ORCHA
6a — Q6 Does the application operate without a cellular network? ORCHA
6a — Q7 Does the application access, process, or store personal and/or sensitive data? ORCHA
6a — Q8 Is sensitive data persisted[1] to the mobile device? ORCHA
6a — Q9 Does the application access, process, or store personal and/or sensitive data? ORCHA
6a — Q10 What permissions does the application request? ORCHA
6a — Q11 Does the application provide alerts or notifications? ORCHA
6a — Q12 Does the application provide suggestions? ORCHA
6a — Q13 Does the application undertake calculations? ORCHA
6a — Q14 Are the source code and any configuration items for the product version-controlled, with all changes audited? ORCHA
6a — Q15
  • Provide details of any associated processes/procedures and tools that are used.
ORCHA
6a — Q16 Do you have the capacity to roll back to previous versions of your product? ORCHA
6a — Q17
  • Provide details of any associated processes/procedures and tools that are used.
ORCHA
6a — Q18 Describe your processes for accepting and responding to technical faults from end-users. ORCHA
6a — Q19 Do you provide online support for user queries? ORCHA
6a — Q20 Do you proactively monitor the running of systems and system components to automatically identify faults and technical issues? ORCHA
6a — Q21
  • Provide details of any associated processes/procedures and tools that are used.
ORCHA
6a — Q22 Do you have a documented roadmap for future development of your product? ORCHA
6a — Q23
  • Provide details of planned development, technical updates.
ORCHA
6a — Q24 Provide details of how you will ensure the continued availability of your product. ORCHA
6a — Q25 Do you have a plan for decommissioning your product? ORCHA
6a — Q26 Describe your processes for decommissioning your product and dealing with any identifiable data. ORCHA
6a — Q27 Do you have a plan for dealing with any identifiable data in the event that an individual stops using your product (e.g., by uninstalling or unsubscribing)? ORCHA
6a — Q28
  • Provide details of any associated processes/procedures and tools that are used.
ORCHA
6a — Q29 Does the organization follow any formal testing standards? ORCHA
6a — Q30
  • Provide details of any associated processes/procedures and tools that are used.
ORCHA
6a — Q31 For each of the following that are carried out, please describe the people/roles involved and the processes they work on, even if they are informal. ORCHA
6a — Q32
  • unit
ORCHA
6a — Q33
  • regression
ORCHA
6a — Q34
  • end to end/integration
ORCHA
6a — Q35
  • user acceptance
ORCHA
6a — Q36
  • A/B
  Guidance: A form of UX testing in which two variants of something (A and B) are tested to determine the better of the two variants.
ORCHA
6a — Q37
  • PEN/vulnerability
ORCHA
6a — Q38
  • testing across devices
ORCHA
6a — Q39
  • load/performance
ORCHA
6a — Q40
  • security
ORCHA
6a — Q41
  • other non-functional tests
ORCHA
6a — Q42
  • other testing
ORCHA
[1] Persistence enables data to continue after the process that created it has ended.

Criteria

Criteria Origin

6b — Q1 Is the application a native application for a mobile device? ORCHA
6b — Q2 Is the application a web application? ORCHA
6b — Q3 Are web APIs accessed? ORCHA
6b — Q4 Does the application access, process, or store personal and/or sensitive data? ORCHA
6b — Q5 Is sensitive data persisted to the mobile device? ORCHA
6b — Q6 What permissions does the application request? ORCHA
6b — Q7 What OWASP level is the app categorized as? ORCHA
  Guidance: The assessor should use the rules below to determine the app’s OWASP level.
    IF Mobile = Y
      IF “personal and/or sensitive data is accessed, processed, or stored” = Y
        OWASP level: MASVS = 2
        IF sensitive data is persisted to the device THEN MASVS = 2+R
      ELSE
        OWASP level: MASVS = 1
    IF Web = Y
      IF “personal and/or sensitive data is accessed, processed, or stored” = Y
        OWASP level: ASVS = 2
      ELSE
        OWASP level: ASVS = 1
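The 6b Q7 decision rules encoded as a function, as an added example that is not part of the MHCC or ORCHA framework material. It takes the assessor's answers to 6b Q1, Q2, Q4 and Q5 (the `AppProfile` field names are assumptions), returns the target verification level per standard, and also supplies a 6b Q19 style check that an assessment was carried out at or above the required level; the ordering 1 < 2 < 2+R is assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    """Assessor answers from section 6b (field names are this example's own)."""
    native_mobile: bool           # 6b Q1: native mobile application
    web_app: bool                 # 6b Q2: web application
    handles_sensitive_data: bool  # 6b Q4: personal/sensitive data accessed, processed or stored
    persists_sensitive_data: bool # 6b Q5: sensitive data persisted to the device


def owasp_levels(profile: AppProfile) -> dict[str, str]:
    """Apply the 6b Q7 guidance and return {"MASVS": ..., "ASVS": ...} as applicable.

    An app that is both native mobile and web receives both targets. Answering
    Y to Q5 (sensitive data persisted) while answering N to Q4 is contradictory
    and is rejected rather than silently assigned a level.
    """
    if profile.persists_sensitive_data and not profile.handles_sensitive_data:
        raise ValueError("Q5 = Y is inconsistent with Q4 = N")
    if not (profile.native_mobile or profile.web_app):
        raise ValueError("Q1 or Q2 must be Y before a level can be assigned")

    levels: dict[str, str] = {}
    if profile.native_mobile:
        if profile.handles_sensitive_data:
            levels["MASVS"] = "2+R" if profile.persists_sensitive_data else "2"
        else:
            levels["MASVS"] = "1"
    if profile.web_app:
        levels["ASVS"] = "2" if profile.handles_sensitive_data else "1"
    return levels


# Strictness ordering assumed for comparing assessed against required levels.
_RANK = {"1": 1, "2": 2, "2+R": 3}


def assessment_covers_target(required: dict[str, str], assessed: dict[str, str]) -> bool:
    """6b Q19 check: every required standard was assessed at or above its target level."""
    return all(
        std in assessed and _RANK[assessed[std]] >= _RANK[required[std]]
        for std in required
    )
```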

6b — Q8 Does the application connect to national/regional EHRs? ORCHA
6b — Q9 Does the application provide alerts or notifications? ORCHA
6b — Q10 Does the application provide suggestions? ORCHA
6b — Q11 Does the application undertake calculations? ORCHA
6b — Q12 Does the application support in-application purchases? ORCHA
6b — Q13 Has a security assessment been undertaken by an accredited external third party? ORCHA
6b — Q14 Is the external third party a CREST/APMG/CHECK registered supplier? ORCHA
6b — Q15 Does the scope of the report cover the full technical architecture of the application? ORCHA
6b — Q16 Has an industry standard been used for the risk model in the associated PEN/vulnerability testing? ORCHA
6b — Q17 Have all medium risks/issues identified been mitigated and resolved, and can this be demonstrated through retesting within six weeks of the original PEN/vulnerability testing? ORCHA
6b — Q18 Has the PEN testing been undertaken within the last 12 months? ORCHA
6b — Q19 Has the code-level security assessment been undertaken against the correct OWASP level? ORCHA
6b — Q20 Is the methodology for the security review proportional to the attack surface and risk of the application? ORCHA
6b — Q21 Does the organization have CyberSecure Canada certification? MHCC
6b — Q22 Does the organization have CIS Top 20 compliance? US DHAF
6b — Q23 Does the organization have SOC 2 certification? US DHAF
6b — Q24 Does the organization have ISO 27001 certification? ORCHA