ISECURION delivers mandatory ABDM Milestone 1 (M1) WASA testing - including functional testing, API security assessment, VAPT, and NHA compliance audit - for HIPs, HIUs, health locker providers, EHR vendors, hospitals, and all digital health application developers seeking ABDM certification. Conducted by CERT-In empanelled auditors with specialized digital health security expertise. Pan-India coverage.
Tell us about your digital health application and get a customized WASA testing quote. We respond within 24 hours.
The Ayushman Bharat Digital Mission (ABDM), led by the National Health Authority (NHA), is India's nationwide initiative to build an integrated digital health infrastructure. At its core is the ABHA (Ayushman Bharat Health Account) system - enabling citizens to link and share health records securely across hospitals, labs, pharmacies, and insurers.
Any digital health application that integrates with ABDM - whether as a Health Information Provider (HIP), Health Information User (HIU), or Health Locker - must pass ABDM Milestone 1 (M1) WASA (Web Application Security Assessment) before going live on the ABDM production environment. This is not optional: NHA mandates WASA testing by a CERT-In empanelled auditor as a precondition for ABDM M1 certification.
ISECURION's ABDM M1 WASA testing combines deep functional testing of ABDM APIs and user flows with comprehensive security testing - covering OWASP Top 10, API security, authentication controls, data encryption, and patient consent flows. We deliver an NHA submission-ready audit report and support you through the entire certification journey.
No digital health application can go live on the ABDM production environment without successfully passing M1 WASA testing - it is a hard NHA gate
Health records contain the most sensitive personal data. ABDM WASA testing ensures patient data is protected against unauthorized access, breaches, and API vulnerabilities
ABDM's consent architecture must be correctly and securely implemented - WASA testing verifies that consent flows cannot be bypassed or manipulated
ABDM relies on a rich API ecosystem - WASA testing validates that every API endpoint is secure, authenticated, and free from injection and logic flaws
ABDM M1 certification signals to hospitals, insurers, and patients that your platform meets NHA's security standards for digital health data
Every organization building on the ABDM ecosystem must complete M1 WASA testing before accessing the NHA production environment
Hospitals, clinics, diagnostic labs, and pharmacies that generate and share patient health records over the ABDM network
Insurance companies, doctors, and healthcare platforms that request and consume patient health records via ABDM consent
Personal Health Record (PHR) applications that store and manage patient health records linked to ABHA IDs
Electronic Health Record and Electronic Medical Record software vendors integrating their systems with ABDM
Online consultation platforms that generate prescriptions and health records and push them to ABDM
Digital pharmacies and health insurance platforms that access or contribute patient health data through the ABDM ecosystem
ABDM certification is milestone-based. M1 WASA is the foundational security gate - ISECURION guides you through it and beyond
The mandatory security and functional audit of your ABDM-integrated application. Covers ABHA registration/linking flows, consent management, health data API security, OWASP Top 10 vulnerabilities, authentication, encryption, and NHA compliance controls. A passing WASA report from a CERT-In empanelled auditor is required to receive M1 certification and access ABDM production.
Post-M1, NHA evaluates the volume and quality of ABDM transactions processed - health records linked, consents processed, data exchanges completed. ISECURION can support your M2 preparation through security-validated API implementation.
Full integration at scale with demonstrable patient and provider impact on the ABDM ecosystem. Security controls established at M1 are foundational to M3 success.
End-to-end security and functional testing aligned with NHA's ABDM M1 requirements
Functional and security testing of ABHA ID creation, verification, linking, and management flows - ensuring correct ABDM API implementation and protection against identity manipulation attacks
Thorough functional verification and security testing of the patient consent grant, revoke, and expiry flows - including bypass attempts, consent artefact forgery, and unauthorized data access scenarios
End-to-end functional testing of health data fetch and push APIs - FHIR resource validation, data completeness, error handling, and API security including authentication, authorization, and injection testing
Comprehensive OWASP Top 10 assessment of the application - injection flaws, broken authentication, sensitive data exposure, XML external entity (XXE) and entity-expansion attacks against FHIR XML payloads, broken access control, security misconfiguration, XSS, insecure deserialization, and related weaknesses
Test OAuth 2.0/OpenID Connect implementation, ABDM gateway token handling, session expiry, token refresh flows, and protection against token hijacking and replay attacks
Validate TLS configuration, health data encryption at rest and in transit, FHIR payload encryption, and key management practices meeting NHA and MeitY data protection requirements
Deep API security testing including rate limiting, IDOR (Insecure Direct Object Reference), mass assignment, parameter tampering, and ABDM-specific business logic abuse scenarios
Security testing of ABDM-integrated mobile applications (Android/iOS) - local data storage, deep link handling, certificate pinning, reverse engineering resistance, and ABHA SDK implementation review
Review security policies, data handling procedures, and technical controls against NHA's ABDM compliance requirements - preparing the complete documentation package for NHA submission
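The FHIR payload checks named above (malformed payloads, XML entity attacks) come down to one rule a receiving HIP/HIU endpoint can enforce before any XML parser touches the body: FHIR XML resources carry no DOCTYPE or DTD, so any entity declaration is grounds for rejection. The gate below is an added example written for this page, not ISECURION's or NHA's code; the namespace is the public FHIR namespace, while the size limit, the NUL-byte encoding check and the four sample payloads are assumptions constructed for the example.

```python
"""Pre-parse gate for FHIR XML received by a health-data push endpoint.

Added example, not ISECURION's or NHA's code. Relies on the FHIR XML rule
that resources must not contain a DOCTYPE/DTD, so entity declarations are
rejected before xml.etree ever sees them. Sample payloads are constructed.
"""
import re
import xml.etree.ElementTree as ET

FHIR_NS = "http://hl7.org/fhir"
MAX_PAYLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for the example

# Any DTD or entity declaration is illegitimate in FHIR XML. Matching on raw
# bytes means a declaration hidden in a comment is also rejected; that false
# positive is acceptable for a security gate.
_DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def check_fhir_xml(payload: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success detail is the FHIR resourceType."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        return False, "payload too large"
    # UTF-8 XML never contains NUL; a NUL indicates UTF-16/32, which would
    # let "<!DOCTYPE" slip past the ASCII byte regex.
    if b"\x00" in payload:
        return False, "only UTF-8 encoded XML is accepted"
    if _DTD_MARKERS.search(payload):
        return False, "DTD/entity declaration not permitted in FHIR XML"
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if not root.tag.startswith("{%s}" % FHIR_NS):
        return False, f"root element {root.tag!r} is not in the FHIR namespace"
    return True, root.tag.split("}", 1)[1]


# Constructed sample payloads (not taken from any real ABDM exchange).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Bundle xmlns="http://hl7.org/fhir"><id value="b1"/><type value="document"/></Bundle>"""

# Classic XXE: external entity pointing at a local file.
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE Bundle [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Bundle xmlns="http://hl7.org/fhir"><id value="&xxe;"/></Bundle>"""

# Entity expansion ("billion laughs") denial of service, truncated to two levels.
SAMPLE_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<Bundle xmlns="http://hl7.org/fhir"><id value="&b;"/></Bundle>"""

# Well-formed XML but not a FHIR resource.
SAMPLE_WRONG_NS = b"""<Bundle><id value="b1"/></Bundle>"""


if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("xxe", SAMPLE_XXE),
                       ("bomb", SAMPLE_BOMB), ("wrong-ns", SAMPLE_WRONG_NS)]:
        print(name, check_fhir_xml(body))
```

During an assessment the same four payload classes are sent at the live endpoint; an implementation that returns anything other than a rejection for the XXE or expansion samples, or that times out on the expansion sample, is recorded as a finding.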
WASA is not only about security - NHA requires functional correctness of every ABDM API flow. ISECURION validates both dimensions thoroughly.
| ABDM Functional Flow | What We Test | Security Checks | Included |
|---|---|---|---|
| ABHA Registration | New ABHA creation via Aadhaar / mobile OTP, address auto-population, ABHA number generation | OTP bypass, enumeration, Aadhaar data leakage, rate limiting | ✔ |
| ABHA Linking (HIP) | Linking patient records at HIP to ABHA ID, care context discovery, demographic matching | Unauthorized linking, patient record spoofing, IDOR on care contexts | ✔ |
| Consent Request (HIU) | Consent request creation by HIU, notification delivery, consent artefact generation | Consent forgery, unauthorized consent, artefact replay attacks | ✔ |
| Consent Grant / Revoke (Patient) | Patient grants or revokes consent via PHR app, consent expiry, purpose enforcement | Consent bypass, purpose scope violation, expired consent abuse | ✔ |
| Health Record Fetch (HIU) | HIU requests health records post-consent, FHIR bundle delivery, data accuracy validation | Access without valid consent, FHIR injection, data integrity tampering | ✔ |
| Health Record Push (HIP) | HIP pushes structured health records (FHIR), document type validation, timestamp accuracy | Malformed FHIR payloads, unauthorized push, XML external entity (XXE) and entity-expansion attacks | ✔ |
| Subscription & Notification | Event subscription flows, webhook delivery, notification acknowledgement | SSRF via webhook URLs, replay of notifications, notification spoofing | ✔ |
| ABDM Gateway Authentication | Client credential flow, access token usage, gateway session management | Token leakage, token replay, insecure storage of client secrets | ✔ |
| Deep Link / App-to-App Flows | ABHA app deeplink handling, intent redirection, cross-app data passing | Deep link hijacking, intent interception, data leakage via IPC | ✔ |
| Error Handling & Edge Cases | Invalid inputs, partial consent, network failure recovery, API timeout handling | Verbose error disclosure, stack trace exposure, fallback logic abuse | ✔ |
All functional test cases are designed to match NHA's ABDM M1 certification checklist. Evidence from functional testing is packaged into the WASA audit report for NHA submission.
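Two of the table's checks on the Subscription & Notification row, SSRF via webhook URLs and replay of notifications, translate directly into server-side controls that the assessment probes. The code below is an added example written for this page, not ISECURION's or NHA's code, and it is not the ABDM callback specification: the registered hostnames, the offline DNS table, the `requestId`/`timestamp` field names and the epoch-seconds timestamp format are all assumptions constructed so the example runs without network access. It goes slightly beyond the table by also showing why an allow-list of hostnames is not enough on its own (a registered name can be pointed at an internal address).

```python
"""Callback URL and notification replay controls for an ABDM-style
integration. Added example; hostnames, DNS table and field names are
assumptions, not the ABDM specification."""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlparse

# Hostnames the integrator registered for callbacks at onboarding (constructed).
REGISTERED_CALLBACK_HOSTS = {"hip.example-hospital.in"}

# Offline stand-in for DNS so the example runs without network (constructed).
FAKE_DNS = {
    "hip.example-hospital.in": "93.184.216.34",   # public address
    "internal-admin.local": "10.0.0.5",           # RFC 1918
    "localhost": "127.0.0.1",
    "metadata": "169.254.169.254",                # cloud metadata endpoint
}


def callback_url_is_safe(url: str,
                         resolver: Callable[[str], Optional[str]] = FAKE_DNS.get
                         ) -> tuple[bool, str]:
    """Return (ok, reason). Rejects URLs that could turn the gateway's
    callback into an SSRF primitive against the integrator's own network."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    # "https://trusted@evil/" parses with hostname 'evil'; refuse userinfo outright.
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = (parts.hostname or "").lower()
    if host not in REGISTERED_CALLBACK_HOSTS:
        return False, f"host {host!r} is not a registered callback host"
    addr = resolver(host)
    if addr is None:
        return False, "host does not resolve"
    # The allow-list alone is insufficient: a registered name can be pointed at
    # an internal address (DNS rebinding), so check what it resolves to as well.
    if not ipaddress.ip_address(addr).is_global:
        return False, f"host resolves to non-public address {addr}"
    return True, "ok"


class NotificationReplayGuard:
    """Rejects notifications whose requestId was already seen inside the
    freshness window, so a captured notification cannot be re-delivered."""

    def __init__(self, window_seconds: float = 300.0):
        self.window = window_seconds
        self._seen: dict[str, float] = {}

    def accept(self, notification: dict, now: float) -> tuple[bool, str]:
        rid = notification.get("requestId")
        ts = notification.get("timestamp")  # epoch seconds (assumed format)
        if not rid or ts is None:
            return False, "missing requestId or timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside freshness window"
        # Forget ids older than the window so memory stays bounded; anything
        # older is already rejected by the timestamp check above.
        self._seen = {k: v for k, v in self._seen.items() if now - v <= self.window}
        if rid in self._seen:
            return False, "replayed requestId"
        self._seen[rid] = now
        return True, "ok"


if __name__ == "__main__":
    for u in ["https://hip.example-hospital.in/v0.5/notify",
              "http://hip.example-hospital.in/v0.5/notify",
              "https://internal-admin.local/notify",
              "https://hip.example-hospital.in@localhost/"]:
        print(u, callback_url_is_safe(u))
    guard = NotificationReplayGuard()
    msg = {"requestId": "req-0001", "timestamp": 1000.0}
    print(guard.accept(msg, 1010.0))  # first delivery
    print(guard.accept(msg, 1020.0))  # captured and replayed
```

Two caveats belong with this check in practice: the fetch that follows must not follow redirects (a public host can 302 to an internal one), and the address must be re-validated at connect time rather than only at registration, since the resolver's answer can change between the two.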
A structured end-to-end process from sandbox onboarding to NHA-ready WASA report
Understand your application architecture, ABDM integration type (HIP/HIU/Health Locker), tech stack, and target sandbox environment. Define the testing scope, API inventory, and user flow map. Confirm ABDM sandbox credentials and test data availability.
Review your ABDM integration code, API implementation against NHA specifications, FHIR resource structure, and consent flow architecture. Identify design-level gaps before active testing begins - saving remediation time.
Execute comprehensive functional test cases covering every ABDM flow: ABHA creation, demographic linking, consent request/grant/revoke, health record fetch/push, subscription, and error handling. Validate against NHA's functional requirements checklist.
Conduct OWASP Top 10 web application testing, ABDM-specific API security tests (IDOR, auth bypass, consent manipulation, FHIR injection), and infrastructure-level checks. Mobile application security testing conducted in parallel where applicable.
Report all functional gaps and security vulnerabilities with clear evidence, risk ratings, and step-by-step remediation guidance. Our team supports your developers in closing critical and high issues before the final NHA audit report is issued.
Re-test all remediated findings to confirm fixes are effective and have not introduced new issues. Issue a formal closure letter for remediated vulnerabilities - required for the NHA WASA submission.
Deliver the complete ABDM M1 WASA audit report, functional test evidence, security findings summary, closure letter, and NHA submission documentation pack - signed by a CERT-In empanelled auditor. Ready for direct submission to NHA for M1 certification.
Everything your digital health application needs for NHA submission and ABDM M1 certification
Comprehensive ABDM M1 WASA audit report covering all functional test results, security findings, and compliance status - formatted for NHA submission, signed by CERT-In empanelled auditor
Complete evidence of all ABDM functional flows tested - screenshots, API request/response logs, and test case pass/fail status mapped to NHA's M1 checklist
Detailed VAPT report covering all identified vulnerabilities - OWASP Top 10, API security gaps, and ABDM-specific issues - with CVSS risk ratings and remediation guidance
Developer-friendly remediation recommendations with code-level guidance where applicable - helping your team fix issues fast and efficiently
Formal re-test confirmation letter for all remediated findings - a required component of the NHA WASA submission package
Complete documentation bundle formatted for NHA ABDM M1 certification submission - audit report, evidence, closure letter, and auditor certificate in one submission-ready package
India's digital health companies trust ISECURION for ABDM WASA testing - from Bangalore's health-tech startups to Mumbai's insurance platforms and Delhi's hospital networks
Extend your security and compliance posture beyond ABDM WASA with these related ISECURION services
Common questions from digital health companies across Bangalore, Mumbai, Delhi, and pan-India about ABDM M1 WASA requirements
Partner with ISECURION - CERT-In empanelled, ISO 27001:2022 certified - for ABDM M1 WASA testing that is thorough, NHA submission-ready, and delivered on time.
Serving digital health companies, hospitals, EHR vendors & health-tech startups in Bangalore, Mumbai, Delhi, Hyderabad, Chennai, Kolkata and across India.