Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • TF_Legit.Health_Plus
    • Legit.Health Plus TF index
    • Legit.Health Plus STED
    • Legit.Health Plus description and specifications
    • R-TF-001-007 Declaration of conformity
    • GSPR
    • Clinical
    • Design and development
    • Design History File (DHF)
      • Version 1.0.0.0
        • Requirements
          • REQ_001 The user receives quantifiable data on the intensity of clinical signs
          • REQ_002 The user receives quantifiable data on the count of clinical signs
          • REQ_003 The user receives quantifiable data on the extent of clinical signs
          • REQ_004 The user receives an interpretative distribution representation of possible ICD categories represented in the pixels of the image
          • REQ_005 The user can send requests and get back the output of the device as a response in a secure, efficient and versatile manner
          • REQ_006 The data that users send and receive follows the FHIR healthcare interoperability standard
          • REQ_007 If something does not work, the API returns meaningful information about the error
          • REQ_008 Notify the user if the image does not represent a skin structure
          • REQ_009 Notify the user if the quality of the image is insufficient
          • REQ_010 The device detects if the image is of clinical or dermatoscopic modality
          • REQ_011 The user specifies the body site of the skin structure
          • REQ_012 Users can easily integrate the device into their system
          • REQ_013 The user receives the pixel coordinates of possible ICD categories
          • ignore-this
            • SWR-001- Users of the REST API can log in and receive an access token
            • SWR-002- The REST API enforces HTTPS for all communications to ensure data security
            • SWR-003- The REST API implements rate limiting to prevent abuse
            • SWR-004- The REST API verifies the access token for every request to secure endpoints
            • SWR-005- Data exchanged with clinical endpoints of the API adhere to the FHIR standard
            • SWR-006- The REST API only accepts and outputs images in Base64 format
            • SWR-007- The diagnosis support service accepts multiple images to deliver more accurate results
            • SWR-008- The user's password is stored in the database as a hashed password
            • SWR-009- New users of the device are only created by an internal user registration service
        • Test plans
        • Test runs
        • 🥣 SOUPs
    • IFU and label
    • Post-Market Surveillance
    • Quality control
    • Risk Management
  • Licenses and accreditations
  • External documentation
  • Procedures
  • Records
  • TF_Legit.Health_Plus
  • Design History File (DHF)
  • Version 1.0.0.0
  • Requirements
  • ignore-this
  • SWR-002- The REST API enforces HTTPS for all communications to ensure data security

SWR-002- The REST API enforces HTTPS for all communications to ensure data security

Internal IDSWR_002
TitleThe REST API enforces HTTPS for all communications to ensure data security
CategorySECURITY REGULATORY
ImportanceCRITICAL
SystemREST API
Editor(s)Alejandro Carmena Magro, JD-017
SupervisorAlfonso Medela , JD-005
ApprovalPENDING
Created at19 Jun 2024

Description​

Since it is essential to guarantee data security, all communications between servers and clients must be conducted via HTTPS (Hypertext Transfer Protocol Secure). This encrypts data in transit, safeguarding it against eavesdropping, man-in-the-middle (MITM) attacks, and tampering by malicious entities attempting to intercept sensitive information.

Implementing HTTPS involves configuring the API server to accept only secure connections, redirecting any HTTP requests to HTTPS, and obtaining and managing SSL/TLS certificates. These tasks can often be automated with the help of open-source tools.

Activities generated​

  • Implement SSL/TLS encryption for the API.
  • Automatically obtain and install SSL certificates.

Implements user needs​

  • Protects sensitive user information during transmission, ensuring data confidentiality.

Regulatory requirements​

  • 2.1: The device shall be compliant with MDR 2017/745, Annex I, point 17.2, 17.4, 18.8, 23.4(ab).
  • 2.2: The device shall be compliant with data privacy regulation (Regulation (EU) 2016/679 (General Data Protection Regulation)).

Causes failure modes​

  • Data interception if HTTPS is not enforced.
  • Unauthorized access to data due to unencrypted communication.
  • Potential regulatory non-compliance.

Tested by software tests​

  • PLAN_005: Enforcing HTTPS protocol for API communications
  • PLAN_006: Valid SSL/TLS certificates

Implements risk control measures​

  • User credentials are securely transmitted over the Internet with encryption.
  • Prevent unauthorized access to patient or care provider data.

Acceptance criteria​

  • All API endpoints must redirect HTTP requests to HTTPS.
  • SSL/TLS certificates must be valid and correctly installed on the API host.
  • Successful completion of penetration tests with no vulnerabilities.

Constraints​

  • Must use industry-standard SSL/TLS protocols.
  • SSL certificates must be renewed before expiration.

Dependencies​

  • Availability of free SSL certificates.

Performance considerations​

  • Minimal impact on response times due to encryption overhead.

Additional notes​

No additional information is required.

Revision history​

VersionDateAuthorDescription
Previous
SWR-001- Users of the REST API can log in and receive an access token
Next
SWR-003- The REST API implements rate limiting to prevent abuse
  • Description
  • Activities generated
  • Implements user needs
  • Regulatory requirements
  • Causes failure modes
  • Tested by software tests
  • Implements risk control measures
  • Acceptance criteria
  • Constraints
  • Dependencies
  • Performance considerations
  • Additional notes
  • Revision history
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)