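@comment{
  Bibliography: regulatory compliance testing (HITECH Meaningful Use, HIPAA)
  and legal-requirements analysis for electronic health record systems.
  Cleanup of a Zotero-style export:
  - The two 2013 Morrison et al. papers are distinct works (AGILE 2013 and the
    SEHC 2013 workshop) but shared one citation key, so BibTeX/Biber would
    warn on the repeated entry and silently drop one of them. The AGILE paper
    keeps the original key; the SEHC paper is now keyed ..._2013b.
  - The AGILE paper was typed as an article with the conference in "journal";
    it is now an inproceedings entry with the venue in "booktitle".
  - Page ranges use "--" instead of a typographic en dash, month uses the
    predefined macro, ISSN is a bare value, and venue/title casing is
    restored so styles can apply their own casing (acronyms brace-protected).
  - Abstracts are kept under the standard "abstract" field name (renamed from
    "abstractNote"); standard styles ignore them.
}

@inproceedings{morrison_holmgreen_massey_williams_2013,
  author    = {Morrison, Patrick and Holmgreen, Casper and Massey, Aaron and Williams, Laurie},
  title     = {Proposing Regulatory-Driven Automated Test Suites},
  booktitle = {2013 Agile Conference ({AGILE})},
  year      = {2013},
  pages     = {11--21},
  doi       = {10.1109/agile.2013.8},
  abstract  = {In regulated domains such as finance and health care, failure to comply with regulation can lead to financial, civil and criminal penalties. While systems vary from organization to organization, the same regulations apply for all systems. As a result, efficiencies could be gained if the commonalities between systems could be captured in public, shared, test suites for regulations. We propose the use of Behavior-Driven-Development (BDD) technology to create these test suites. With BDD, desired system behavior with respect to regulatory requirements can be captured as constrained natural language 'scenarios'. The scenarios can then be automated through system-specific test drivers. The goal of this research is to enable organizations to compare their systems to regulation in a repeatable and traceable way through the use of BDD. To evaluate our approach, we developed seven scenarios based on the HITECH Act Meaningful Use (MU) regulations for healthcare. We then created system-specific code for three open-source electronic health record systems. We found that it was possible to create scenarios and system-specific code supporting scenario execution on three systems, that iTrust can be shown to be noncompliant, and that emergency access procedures are not defined clearly enough by the regulation to determine compliance or non-compliance.},
}

@inproceedings{morrison_holmgreen_massey_williams_2013b,
  author    = {Morrison, Patrick and Holmgreen, Casper and Massey, Aaron and Williams, Laurie},
  title     = {Proposing Regulatory-Driven Automated Test Suites for Electronic Health Record Systems},
  booktitle = {2013 5th International Workshop on Software Engineering in Health Care ({SEHC})},
  year      = {2013},
  pages     = {46--49},
  doi       = {10.1109/sehc.2013.6602477},
  abstract  = {In regulated domains such as finance and health care, failure to comply with regulation can lead to financial, civil and criminal penalties. While systems vary from organization to organization, regulations apply across organizations. We propose the use of Behavior-Driven-Development (BDD) scenarios as the basis of an automated compliance test suite for standards such as regulation and interoperability. Such test suites could become a shared asset for use by all systems subject to these regulations and standards. Each system, then, need only create their own system-specific test driver code to automate their compliance checks. The goal of this research is to enable organizations to compare their systems to regulation in a repeatable and traceable way through the use of BDD. To evaluate our proposal, we developed an abbreviated HIPAA test suite and applied it to three open-source electronic health record systems. The scenarios covered all security behavior defined by the selected regulation. The system-specific test driver code covered all security behavior defined in the scenarios, and identified where the tested system lacked such behavior.},
}

@inproceedings{massey_smith_otto_anton_2011,
  author    = {Massey, Aaron K. and Smith, B. and Otto, Paul N. and Anton, Annie I.},
  title     = {Assessing the Accuracy of Legal Implementation Readiness Decisions},
  booktitle = {2011 19th {IEEE} International Requirements Engineering Conference ({RE})},
  year      = {2011},
  pages     = {207--216},
  doi       = {10.1109/re.2011.6051661},
  abstract  = {Software engineers regularly build systems that are required to comply with laws and regulations. To this end, software engineers must determine which requirements have met or exceeded their legal obligations and which requirements have not. Requirements that have met or exceeded their legal obligations are legally implementation ready, whereas requirements that have not met or exceeded their legal obligations need further refinement. Research is needed to better understand how to support software engineers in making these determinations. In this paper, we describe a case study in which we asked graduate-level software engineering students to assess whether a set of software requirements for an electronic health record system met or exceeded their corresponding legal obligations as expressed in regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA). We compare the assessment made by graduate students with an assessment made by HIPAA compliance subject matter experts. Additionally, we contrast these results with those generated by a legal requirements triage algorithm. Our findings suggest that the average graduate-level software engineering student is ill-prepared to write legally compliant software with any confidence and that domain experts are an absolute necessity. Our findings also indicate the potential utility of legal requirements metrics in aiding software engineers as they make legal compliance decisions.},
}

@article{massey_otto_hayward_anton_2010,
  author    = {Massey, Aaron K. and Otto, Paul N. and Hayward, Lauren J. and Anton, Annie I.},
  title     = {Evaluating Existing Security and Privacy Requirements for Legal Compliance},
  journal   = {Requirements Engineering},
  volume    = {15},
  number    = {1},
  year      = {2010},
  month     = mar,
  pages     = {119--137},
  issn      = {1432-010X},
  doi       = {10.1007/s00766-009-0089-5},
}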