Threat Modeling - Recommendations for a Health Care Facility
DOI:
https://doi.org/10.61360/BoniGHSS252017920303Keywords:
computational systems in healthcare, information exchange, personally identifiable information (PII), digital healthcare, privacy and security threats, health insurance portability and accountability act (HIPAA), threat modeling methodologies (TMMs), integration of multiple methodologies, comprehensive protective shield, system vulnerabilities, adaptable counter-strategies, threats quantification, threat assimilation, threat identifications, safeguarding PIIAbstract
Seamless information exchange is crucial in healthcare due to the integration of computational systems. The increased use of Personally Identifiable Information (PII) in digital healthcare raises privacy and security concerns. Threat Modeling Methodologies (TMMs) have emerged to address these challenges by locating and resolving cyber security threats. Early implementation of TMMs equips organizations to combat breaches and understand potential attackers. Integrating techniques, these methodologies strengthen systems and create a comprehensive shield against cyber invasions. However, there is no universal fix for system flaws, necessitating continual adaptation of counter-strategies. Applying threat modeling enables consistent identification, quantification, and assimilation of threats. Determining the most effective approach during product development based on objectives remains challenging. The goal is to scale the chosen strategy effectively, adhere to reporting requirements, and gain valuable insights for enhanced security. This fortifies organizations to navigate the evolving cyber landscape, safeguard PII, and maintain trust.
References
Abernathy, R., & Hayes, D. R. (2022). Cissp cert guide (4th ed.). Pearson IT Certification.
Alcaraz, C., & Lopez, J. (2022). Digital twin: A comprehensive survey of security threats. IEEE Communications Surveys & Tutorials, 24(3), 1475–1503. https://doi.org/10.1109/comst.2022.3171465
Aloul, F. A. (2012). The need for effective information security awareness. Journal of Advances in Information Technology, 3(3). https://doi.org/10.4304/jait.3.3.176-183
Alshehri, S., Mishra, S., & Raj, R. (2013). Insider threat mitigation and access control in healthcare systems. RIT Scholar Works, (1401). https://doi.org/http://scholarworks.rit.edu/article/1401
Amini, A., Jamil, N., Ahmad, A., & Z`aba, M. (2015). Threat modeling approaches for securing cloud computin. Journal of Applied Sciences, 15(7), 953–967. https://doi.org/10.3923/jas.2015.953.967
Arumugam, D. N. (2018). A survey of network-based detection and defense mechanisms countering the ip spoofing problems. International Journal of Trend in Scientific Research and Development, Volume-2(Issue-5), 704–710. https://doi.org/10.31142/ijtsrd15921
Bhardwaj, A. (2020). Ddos attack mitigation architecture. LAP LAMBERT Academic Publishing.
Blokdyk, G. (2018a). Application security requirements and threat management standard requirements (28th ed.). Emereo.
Blokdyk, G. (2018b). Computer security incident management: A practical guide. CreateSpace Independent Publishing Platform.
Blokdyk, G. (2018c). Tls transport layer security standard requirements (18th ed.). Emereo.
Butcher, C., & Hussain, W. (2022). Digital healthcare: The future. Future Healthcare Journal, 9(2), 113–117. https://doi.org/10.7861/fhj.2022-0046
De, S. (2020). Security threat analysis and prevention towards attack strategies. In (Ed.), Cyber defense mechanisms (pp. 1–22). CRC Press. https://doi.org/10.1201/9780367816438-1
Dumka, A., Ashok, A., Verma, P., Bhardwaj, A., & Kaur, N. (2022). Security in wireless sensor networks – background. In (Ed.), Security issues for wireless sensor networks (pp. 15–39). CRC Press. https://doi.org/10.1201/9781003257608-2
Elmasry, W. (2019). Intrusion detection using deep learning (1st ed.). LAP LAMBERT Academic Publishing.
European Union Agency for Cybersecurity. (2016). Smart hospitals: Security and resilience for smart health service and infrastructures. https://doi.org/https://data.europa.eu/doi/10.2824/28801
Fichman, R. G., Dos Santos, B. L., & Zheng, Z. (2014). Digital innovation as a fundamental and powerful concept in the information systems curriculum. MIS Quarterly, 38(2), 329–343. https://doi.org/10.25300/misq/2014/38.2.01
Fu, J.-S., Liu, Y., Chao, H.-C., Bhargava, B. K., & Zhang, Z.-J. (2018). Secure data storage and searching for industrial iot by integrating fog computing and cloud computing. IEEE Transactions on Industrial Informatics, 14(10), 4519–4528. https://doi.org/10.1109/tii.2018.2793350
Furukawa, M. F., Raghu, T. S., & Shao, B. M. (2010). Electronic medical records, nurse staffing, and nurse-sensitive patient outcomes: Evidence from california hospitals, 1998-2007. Health Services Research, 45(4), 941–962. https://doi.org/10.1111/j.1475-6773.2010.01110.x
Garbis, J., & Chapman, J. W. (2021). Intrusion detection and prevention systems. In (Ed.), Zero trust security (pp. 117–126). Apress. https://doi.org/10.1007/978-1-4842-6702-8_8
Gariépy-Saper, K., & Decarie, N. (2021). Privacy of electronic health records: A review of the literature. Journal of the Canadian Health Libraries Association / Journal de l'Association des bibliothèques de la santé du Canada, 42(1). https://doi.org/10.29173/jchla29496
Georgakopoulos, D., & Jayaraman, P. (2016). Internet of things: From internet scale sensing to smart services. Computing, 98(10), 1041–1058. https://doi.org/10.1007/s00607-016-0510-0
Gligor, V. D. (2017). Defending against evolving ddos attacks: A case study using link flooding incidents (transcript of discussion). In (Ed.), Security protocols xxiv (pp. 58–66). Springer International Publishing. https://doi.org/10.1007/978-3-319-62033-6_8
Golubova, A., & Shumilina, V. (2022). Information security and data protection in modern society. Science & World, 0(2), 6–10. https://doi.org/10.26526/2307-9401-2022-2-6-10
Goniewicz, M. (Ed.). (2022). Disasters preparedness and emergency response: Prevention, surveillance and mitigation planning (M. Goniewicz, Ed.). MDPI. https://doi.org/10.3390/books978-3-0365-6056-4
Health Sector Cyber Security Co-ordination Center & Department of Health and Human Services. (2020). Threat Modeling for Mobile Health Systems (Leadership for IT Security and Privacy Across HHS Report : 202004301030) [Report]. https://www.hhs.gov/sites/default/files/threat-modeling-mobile-health-systems.pdf
Held, G. (2020). Protecting a network from spoofing and denial of service attacks. In Network design (pp. 659–666). Auerbach Publications. https://doi.org/10.1201/9781420093759-58
Jøsang, A., Ismail, R., & Boyd, C. (2007). A survey of trust and reputation systems for online service provision. Decision Support Systems, 43(2), 618–644. https://doi.org/10.1016/j.dss.2005.05.019
Jumani, A., Siddique, W., & Laghari, A. (2023). Cloud and machine learning based solutions for healthcare and prevention. In (Ed.), Image based computing for food and health analytics: Requirements, challenges, solutions and practices (pp. 163–192). Springer International Publishing. https://doi.org/10.1007/978-3-031-22959-6_10
Jusob, F., George, C., & Mapp, G. (2021). A new privacy framework for the management of chronic diseases via mhealth in a post-covid-19 world. Journal of Public Health, 30(1), 37–47. https://doi.org/10.1007/s10389-021-01608-9
Kovalev, M. (2020). Tracing network packets in the linux kernel using ebpf. Proceedings of the Institute for System Programming of the RAS, 32(3), 71–77. https://doi.org/10.15514/ispras-2020-32(3)-6
Le, N. T., & Hoang, D. B. (2017). Capability maturity model and metrics framework for cyber cloud security. Scalable Computing: Practice and Experience, 18(4). https://doi.org/10.12694/scpe.v18i4.1329
Lee, S. M., & Lee, D. (2020). Healthcare wearable devices: An analysis of key factors for continuous use intention. Service Business, 14(4), 503–531. https://doi.org/10.1007/s11628-020-00428-3
Liu, C., Tan, C.-K., Fang, Y.-S., & Lok, T.-S. (2012). The security risk assessment methodology. Procedia Engineering, 43, 600–609. https://doi.org/10.1016/j.proeng.2012.08.106
Luttmer, E. P., & Samwick, A. A. (2018). The welfare cost of perceived policy uncertainty: Evidence from social security. American Economic Review, 108(2), 275–307. https://doi.org/10.1257/aer.20151703
Malamas, V., Chantzis, F., Dasaklis, T. K., Stergiopoulos, G., Kotzanikolaou, P., & Douligeris, C. (2021). Risk assessment methodologies for the internet of medical things: A survey and comparative appraisal. IEEE Access, 9, 40049–40075. https://doi.org/10.1109/access.2021.3064682
Martin, T. (2022). Software attacks and threat modeling. In (Ed.), Designing secure iot devices with the arm platform security architecture and cortex-m33 (pp. 223–257). Elsevier. https://doi.org/10.1016/b978-0-12-821469-5.00004-1
McGregor, S. E. (2021). Information security essentials (3rd ed.). Columbia University Press.
Mead, N. R., & Stehney, T. (2005). Security quality requirements engineering (square) methodology. ACM SIGSOFT Software Engineering Notes, 30(4), 1–7. https://doi.org/10.1145/1082983.1083214
Menezes, A. J., van Oorschot, P. C., & Vanstone, S. A. (2019). Overview of cryptography. In (Ed.), Handbook of applied cryptography (pp. 1–48). CRC Press. https://doi.org/10.1201/9780429466335-1
Ngai, E., Moon, K. K., Riggins, F. J., & Yi, C. Y. (2008). Rfid research: An academic literature review (1995–2005) and future research directions. International Journal of Production Economics, 112(2), 510–520. https://doi.org/10.1016/j.ijpe.2007.05.004
Office for Civil Rights. (2009, November 19). Summary of the hipaa security rule (Last Reviewed October 19, 2022). HHS.gov. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Patil, S. (2018). Data protection through purpose & role based access control in rdbms (1st ed.). LAP LAMBERT Academic Publishing.
Ransome, J. F., Anmol, & Merkow, M. S. (2022). The security development lifecycle. In (Ed.), Practical core software security (pp. 15–46). Auerbach Publications. https://doi.org/10.1201/9781003319078-2
Risk measures with applications in finance and economics. (2019). Mdpi AG.
Rode, O. O. (2022). Email spam protection technology based on dmarc. Modern Information Security, 3(51). https://doi.org/10.31673/2409-7292.2022.033238
Schmeelk, S. (2019). Where is the Risk? Analysis of Government Reported Patient Medical Data Breaches. IEEE/WIC/ACM International Conference on Web Intelligence. https://doi.org/10.1145/3358695.3361754
Seh, A., Zarour, M., Alenezi, M., Sarkar, A., Agrawal, A., Kumar, R., & Ahmad Khan, R. (2020). Healthcare data breaches: Insights and implications. Healthcare, 8(2), 133. https://doi.org/10.3390/healthcare8020133
Shevchenko, N. (2018). Threat Modeling: 12 Available Methods. Carnegie Mellon University's Software Engineering Institute. https://doi.org/http://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
Shevchenko, N., Frye, B. R., & Woody, C. (2018). Threat modeling: evaluation and recommendations. Software Engineering Institute, REV 03. https://doi.org/https://apps.dtic.mil/sti/pdfs/AD1083907.pdf
Siegel, C. A. (2020). Internet security architecture. In (Ed.), new directions in internet management (pp. 565–576). Auerbach Publications. https://doi.org/10.1201/9780203997543-58
Sokolnikov, A. U. (2017). Graphene for defense and security (1st ed.). Taylor & Francis.
Topol, E. J. (2019). High-performance medicine: The convergence of human and artificial intelligence. Nature Medicine, 25(1), 44–56. https://doi.org/10.1038/s41591-018-0300-7
Umeugo, W. (2023). Secure software development lifecycle: A case for adoption in software smes. International Journal of Advanced Research in Computer Science, 14(01), 5–12. https://doi.org/10.26483/ijarcs.v14i1.6949
Viswanathan, G., & J, P. (2021). A hybrid threat model for system-centric and attack-centric for effective security design in sdlc. Web Intelligence, 19(1-2), 1–11. https://doi.org/10.3233/web-210452
Wang, Y., Kung, L., & Byrd, T. (2018). Big data analytics: Understanding its capabilities and potential benefits for healthcare organizations. Technological Forecasting and Social Change, 126, 3–13. https://doi.org/10.1016/j.techfore.2015.12.019
Wasserman, L., & Wasserman, Y. (2022). Hospital cybersecurity risks and gaps: Review (for the non-cyber professional). Frontiers in Digital Health, 4. https://doi.org/10.3389/fdgth.2022.862221
What is digital forensics, and what should you know about it? (2020). In O'Hanley, R., & Tiller, J. S. (Eds.), Digital forensics explained (pp. 24–35). Auerbach Publications. https://doi.org/10.1201/b13689-6
Willett, K. D. (2022). Systems thinking and security. In (Ed.), Handbook of security science (pp. 553–572). Springer International Publishing. https://doi.org/10.1007/978-3-319-91875-4_94
Wu, I.-L., Li, J.-Y., & Fu, C.-Y. (2011). The adoption of mobile healthcare by hospital's professionals: An integrative perspective. Decision Support Systems, 51(3), 587–596. https://doi.org/10.1016/j.dss.2011.03.003
Zhang, X., Liu, C., Nepal, S., Pandey, S., & Chen, J. (2013). A privacy leakage upper bound constraint-based approach for cost-effective privacy preserving of intermediate data sets in cloud. IEEE Transactions on Parallel and Distributed Systems, 24(6), 1192–1202. https://doi.org/10.1109/tpds.2012.238
Zhao, Y., Cui, M., Zheng, L., Zhang, R., Meng, L., Gao, D., & Zhang, Y. (2019). Research on electronic medical record access control based on blockchain. International Journal of Distributed Sensor Networks, 15(11), 155014771988933. https://doi.org/10.1177/1550147719889330
Naik, N., Jenkins, P., Grace, P., Naik, D., Prajapat, S., Song, J. (2024). A Comparative Analysis of Threat Modelling Methods: STRIDE, DREAD, VAST, PASTA, OCTAVE, and LINDDUN. The International Conference on Computing, Communication, Cybersecurity and AI, July 3–4, 2024, London, UK. C3AI 2024. Lecture Notes in Networks and Systems, vol 884. Springer, Cham. https://doi.org/10.1007/978-3-031-74443-3_16.
Abuabed, Zaina., Alsadeh, Ahmad., Taweel, Adel. STRIDE threat model-based framework for assessing the vulnerabilities of modern vehicles (2023). Computers & Security, Volume 133. https://doi.org/10.1016/j.cose.2023.103391
Published
Issue
Section
License
Copyright (c) 2025 Rakesh Ramakrishnan, Balasubramanian Panneerselvan, Prabhagaran Rakkiappan, Manikanta Rudrashetty
This work is licensed under a Creative Commons Attribution 4.0 International License.
