Mining and Analysing Security Goal Models in Health Information Systems

Large-scale health information software systems have to adhere to complex, multi-lateral security and privacy regulations. Such regulations are typically defined in form Of natural language (NL) documents. There is little methodological support for bridging the gap between NL regulations and the requirements engineering methods that have been developed by the software engineering community. This paper presents a method and tool support, which are aimed at narrowing this gap by mining and analysing structured security requirements in unstructured NL regulations. A key value proposition of our approach is that requirements are mined "in-place", i.e., the structured model is tightly integrated with the NL text. This results in better traceability and enables an iterative rather than waterfall-like requirements extraction and analysis process. The tool and method have been evaluated in context of a real-world, large scale project, i.e., the Canadian Electronic Health Record.