International Conference on Information and Communication Technology and Its Applications (ICTA 2016) Federal University of Technology, Minna, Nigeria November 28 – 30, 2016 Threat Modeling of Electronic Health Systems and Mitigating Countermeasures John K. Alhassan1, Emmanuel Abba1, O. M. Olaniyi2, and Victor O. Waziri1 1 Department of Cyber Security Science, Federal University of Technology, Minna, Nigeria 2 Department of Computer Engineering, Federal University of Technology, Minna, Nigeria jkalhassan@futminna.edu.ng Abstract—Electronic health systems (EHS) serve as clinical information [2]. Sharing of patient healthcare information management systems for health records of information is happening more rapidly and the process is patients which are various data generated from interactions getting reliable with advancement in technology. These has between patients and medical personnel. The security of led e-health care to become critical for achieving better electronic health system is vital due to the growing acceptance operation of adequate health care services with lower of their use. There is a need to assure users that the data operation costs and efficient service delivery [3]. generated and stored on the EHS are protected from However, such sharing of healthcare information requires adversaries. In the case where the data is already to be done securely in a manner that guarantees privacy as compromised, it is imperative to locate the source of the threat required by law. It is obvious that health management as quickly as possible and implement appropriate countermeasures against such vulnerabilities starting from the systems process and store very delicate data about a patient’s highest vulnerable point to lower vulnerabilities. In this study, health status and should have an appropriate privacy a threat security model for the EHS was proposed from framework because the revelation of health records may identified threats which were then discussed. 
Based on these result in stern social effect on patients. Exposing patient’s threats, possible counter measures for authentication and confidential health data outside the e-health system, authorization control were highlighted. The threat model was accidentally or deliberately, must be prevented by healthcare developed through a procedure that guarantees the integrity, professionals or information technology service providers availability and confidentiality of health records. The who will face stern legal punishments for violating privacy procedure involves using the STRIDE threat modelling tool to laws [4]. identify potential threats which were then ranked with respect The threats faced by EHS may lead to the disclosure of to the amount of risk they pose to the system based on scores private health data and violation of privacy laws. These calculated using DREAD; a threat-risk rating model. The threats may be classified as authentication, accounting and result is a collection of identified and rated threat in order of authorization threats as generally known to other decreasing risk to an EHS. Careful consideration of the management information systems such as banking and resulting threat rating model by information system security manufacturing. Securing this areas of E-Health involves professional will lead to the development of secure systems and information security and privacy as well as physical safety provide a guide to the order in which vulnerabilities should be [5]. patched in compromised existing systems. Continuous monitoring of e-health systems provides a Keywords-threat modeling; electronic health system; steady stream of data that can be used to identify and correct countermeasures; attacks; authentication; authorization security deficiencies as the system is developed, tested and used to get ahead of the problem posed to e-health, this can be done to determine threat and attacker behavior in order to I. 
INTRODUCTION anticipate when and how it may happen and preparation of e-Health systems (EHS) were introduced to facilitate adequate counter measures as may be required to prevent health care delivery and health records management as a such occurrences. This is done in a process referred to as result of inadequate facilities to cater for the teeming threat modelling [6]; a systematic process of identifying and population of people in need of qualitative health care rating threats [7]. The key to establishing an effective threat services. e-Health systems have improved workflow for model for any information system is prior determination of healthcare providers and increase patients access to health where the vulnerabilities exist and more security should be care by providing a user friendly and reliable means by implemented to ensure the system is secure [8]. These which patients can interact with heath care service providers vulnerable parts of the system are variables that change as [1] new factors that may pose threats evolve and get detected. The application of information technology in the The procedure for threat modeling [9] optimizes network provision and management of health administration is security by recognizing targets and vulnerable points in the constantly advancing as the quality of patient care in recent system and then implementing a plan for countermeasures to times rely upon timely collection and processing of patients mitigate the results of exploiting these threats to the system. 82 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) In the case of an e-health system, a threat is any action or parameters were considered to build the Bayesian model. event that may lead to malfunction of the system and They proposed that a target to a defended asset is clearly services it provides or to patient health record data disclosure related to both the intent parameters and capability. 
The or incidental such as the failure of a patient’s medical device, authors stated that the range of a target's weapon systems, the and that can compromise the confidentiality, integrity and gap between the target and the assets being defended are availability of the system. interrelated, since a target is more threatening to a defended While formulating the security requirements for an EHS, asset if the defended asset is within the range of its weapon the threats are analyzed based on how critical they are and systems, than if it is outside it. The threat evaluation system likelihood that they may occur, and a resolution to either they implemented can be applied to an air defense scenario mitigate the threat or accept the associated risk is made and can enable in radar, aircraft, etc. The authors however because definitions of the functionalities and requirements focused only on outsider threats and threats posed by for EHS are constantly evolving as knowledge and weapons and payed no attention to threats that may arise as a experience with these tools increase [4]. Modelling threats result of insider action such as sabotage or spies and and security requirements provide the foundations upon espionage. which security controls for the EHS is designed and [12] presented a research on an automated system for implemented [10]. Identifying threats helps develop realistic managing patient information and its administration with a and meaningful security requirements which will be used to view to eliminate the problem of inappropriate data come up with the threat model. This is particularly essential archiving, inaccurate reports, time wastage in storing, because if the security requirements are faulty, the definition processing and retrieving information encountered by the of security for that EHS is faulty, the threat model is faulty traditional hospital system in order to improve the overall and thus the EHS cannot be secure. 
After the threats are efficiency of the organization. The method used to Identified, they are rated according to the degree of risk that implement the system was system requirement analysis, they pose to the system. The vulnerabilities that are likely to system design and development using appropriate cause a much larger damage are rated as high and those that programming language. However, no threat model was used are low risk are rated as such. to plan security implementations for the system and they The requirement definition for the development of Secure failed to address threats that may affect the system developed EHS follows from the premise that system should be or indicate in any way that it was a concern that needs to be convenient, usable and most importantly trustworthy, and addressed. secure patient private information. Proper identification and In [13] the authors proposed a quantitative methodology rating of threats on these requirements define the to rank the threats in a cloud environment using Microsoft's functionality and service the system will provide and thus STRIDE-DREAD model to assess existing threats in cloud appropriate selection of countermeasures that reduce the environment and measure the consequence of these threats. ability of attackers to misuse the system. In that respect, The threats they identified were ranked based on the nature threat modeling looks at the system from the perspective of of its severity and also giving a high priority to clients' an adversary to help designers anticipate various attack goals requirements on the perspective of security. They stated that and determine answers to questions about what the system is their methodology would serve as a tool for guiding security designed to protect, and from whom. Rating the threats experts and software developers to continue with securing ensures that for already existing systems, when the need process especially for a private or a hybrid cloud. 
After arises to patch vulnerabilities in the system, security ranking the threats, the authors provided a link to a well- professionals will know where to start from. This study known security pattern classification. They however failed to builds on the identification of threats done using STRIDE provide any over-weighting for client's requirement, as these threat model (Spoofing, Tampering, Repudiation, requirements would have been an implemented security Information disclosure, Denial of service, and Elevation of protocol in the system. privilege) to identify potential threats which were then rated A STRIDE-based Security Architecture for Software- based on the security risk posed using a DREAD (Damage Defined Networking was presented in [14]. The study potential, Reproducibility, Exploitability, affected users, and revealed a wide range of SDN-specific threats, for which no Discoverability) risk rating model. countermeasure has been prescribed yet. Some of the threats The remaining section of the paper is organized into five discovered are inherently tied to principles of SDN design sections: Section II presents the review of related works; the which include controllers becoming potential central attack methodology for modelling e-health system is presented in targets; the authors suggested key factors and constraints of a section III; results are discussed in IV, Section V proposed secure SDN architecture. possible countermeasures to identified threats in while By applying the STRIDE threat model, they came up Section VI concludes the paper and open our next direction with a generic SDN concepts as a basis for the design of a in future research endeavor. secure SDN architecture. [4] presented the development and qualitative evaluation of a functional and secure tele-clinical diagnostic system for II. 
REVIEW OF RELATED WORKS effective delivery of medical services to patient in a The application of information technology for providing geographically dispersed academic environment. Their health care and medical data privacy has a number of related results showed that the combination of concepts of Software engineering, Telemedicine, and Information Security in this works in literature. study can help healthcare professionals improve trust, [11] modeled threat evaluation for dynamic targets efficiency, enhanced work productivity and improved using Bayesian network approach. A range of various 83 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) operational speed of medical health delivery significantly by A. Identifying Assets ensuring the safety of patient data and service reliability in An asset is any valuable component of a system that may tele-consultation. However, the password based be owned by the system and holds an interest for attackers. authentication used for user authentication is not sufficient Attackers here refer to persons or processes that constitute a enough to guarantee access control of the system. The delay threat to the asset from within or outside the system or experienced during tele-consultation can be exploited by environment where it is being used. Recognizing assets is the eavesdroppers whose exploit will be detected too late as a most important step in threat modeling. This is because result. assets are primary targets of threat. For an EHS, the assets Data Security and Threat Modeling for Smart City include the system itself, the various hardware and software Infrastructure was investigated by [15]. Their approach components that allow it to function and the various actors involves taking hundreds of features from the architecture of that interact with the system. 
Figure one shows the actors systems and network topology, operating systems, database (assets) that interact with the EHS. Assets are not limited to schemas, security policies, encryption techniques, business just the actors, the server, computer systems, mobile devices, operations, and corporate data into consideration by looking network, cabling, power source, and power outlets are all at smart city architecture, firewalls and malware protection assets of the EHS and should be accorded the same level of programs. The vulnerability assessment stage is a repeated consideration when identifying assets in this phase. process with many threat analysis life cycles. The algorithm was used to compute threat factor and normalizes it based on the initial data collected. A lower threat factor means the smart city systems would be hacked at lower risk. Their approach also used defense in depth and strategies for threat mitigations, and provides recommendations. Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model was studied by [16]. They proposed a novel fuzzy approach using DREAD model for computing the level of risk that assures a more efficient evaluation of imprecise concepts. Thus providing the ability to include subjectivity and uncertainty in the course of ranking risk. They presented a case study emphasize and compare the proposed approach with the existing method one using Matlab. [17] used a STRIDE threat model to identify all possible threats to telehealth systems. System assets, threat agents, adverse actions, threats and their effects alongside their various countermeasures. These threats were examined and a list of possible mitigation techniques were presented as countermeasures for insider threats. A threat model using Figure 1. Various actors interraction with EHS Database in single site Microsoft threat modeling tool 2014 was established to scenario. 
enhance the system security in terms of protecting healthcare information from security threats which include patient data disclosure and/or unauthorized access or modification by Figure 1 shows various actors who interact with the EHS attackers. In rating the threats discovered in the to generate different types of data that is peculiar to their investigations, the authors did not use any systematic departments in a healthcare facility and a patient which are computations or methodology in rating the threats as high, store in the database. The nurses on the front desk may create medium or low risk to the systems. This can be achieved a patient profile for a patient on his first visit to the health using a DREAD risk-assessment model for computer care facility with his biodata and a unit identification is security threats which provides a mnemonic for risk rating generated for the patient, a doctor records his diagnosis of security threats using five categories to obtain a hybrid threat the patient in the database along with recommendations as model whose threats are properly rated. regards test to be conducted on the patient at the lab. The lab technician accesses the data and conducts the test and records findings into the database. The doctor accesses this III. METHODOLOGY FOR MODELING THREAT IN data and makes prescriptions and recommendations to admit ELECTRONIC HEALTH SYSTEMS the patient or not. The pharmacist fills the prescription and The modeling of threats in computer systems software the patient leaves the health care facility. If the system is has been widely used and involves a number of techniques. accessible by the patient over the internet, he/she may login The essential process involved has been described in [6] and to book appointments for another visit. discussed in [3]. To model threats for the eHealth system, three essential steps are followed as described below: B. 
Identifying Access points  Identify Assets of the EHS Access points are the various interfaces threat posing  Identify Access points attackers may use to interface with the system to obtain  Identify threats unauthorized privileges to assets. Hardware ports, login  Rate the identified threats screens and user interfaces, open sockets, RPC interfaces and 84 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) configuration files are examples of access points on systems. indefinitely suspension or interruption of services of Trust boundaries determination is related to access points in a host connected to an enterprise network or the the system. Upon recognizing an access points, it is essential Internet. to define trust boundaries for the access point in the system.  Elevation of privilege – Elevation of privileges A trust boundary refers to a boundary over which different occurs if a user finds a way to gain access beyond levels of trust exist. Trust levels stipulate the amount of trust that which there are legitimately unauthorized to necessary to access a given part of the system. For instance, access and begin to use resources and services a network may form a trust boundary, as anyone may gain reserved for higher privilege users. access to the internet through the network, but not everyone on the internet should have access to the enterprise network. D. Rating Identified Threats Connected to trust boundaries are trust levels. Trust levels A simple High, Medium, or Low scale may be used to stipulate the amount of trust required to access a portion of rate threats. A threat rated as High, means that threat poses a the system. significant amount of risk to the application and needs to be resolved by implementing appropriate counter measures as soon as possible. If a threat is identified as Medium, it also C. 
Identifying Threats to the EHS need to be addressed, but with less urgency as will be Threats may result from the activities of legitimate users required for a High-risk threat. Low risk threats may be of a system (insiders) who are authenticated and authorized ignored depending on how much cost and effort it may to use the services provided by the system or unauthorized require to address the threat. users (outsiders). Threats are often born out of weaknesses The problem posed by a simplistic rating system as in design, implementation or configuration and is now a described above is that risk assessment team members or course for concern to all who use information management security experts usually will not agree on ratings. To resolve systems for their various operations. All the information this, a systematic way of determining what the impact of a gathered from detection of access points will help to detect security threat really entails is required. Microsoft’s DREAD potential threats from the access points. The goal of an model is used to calculate risk. By using the DREAD model, adversary, their capabilities and what the risk they pose are you arrive at the risk rating for a given threat by asking the all referred to as threats. Threats are identified by a following questions: systematic review of assets and access point to create a  Damage Potential – How extensive is the damage premise as regards breaches of the CIA of the information potential if a vulnerability is exploited? system which in this case is the EHS. This is done using the  Reproducibility – How easy is it to repeat the attack? STRIDE model created by Microsoft for considering threats  Exploitability – How easy is it to launch an attack? to system security and provides a mnemonic for security  Affected Users – As a rough percentage, how many threats classification in six different categories described users are potentially affected by the attack? 
below;  Discoverability – How effortless is it to find the  Spoofing – Spoofing is a situation where a person or vulnerability? program masquerades successfully as an unsuspecting individual to gain an unauthorized access to otherwise information by falsifying data to DREAD is an acronym formed from the first letter of get illegitimate advantage. each class enumerated above. The risks are still rated as High medium and low risks but over the DREAD scheme with  Tampering – Tampering involves changing data for corresponding values of 3, 2, 1 respectively and zero (0) if the purpose of mounting an attack. This may be done the threat possesses no risk at all. Table 1 shows the threat by an insider or an outsider. The insider who has rating scheme. access to certain privileged information may change After threats are identified using the STRIDE model, them for malicious reasons or in order to gain access there are rated using DREAD risk assessment model which to information which they do not have clearance to is a categorizing scheme to qualify, analyze and prioritize the view officially. quantity of risk presented by assessed threat. The DREAD  Repudiation – If a system user, legitimate or algorithm, shown below, is used to compute a risk value, otherwise, is capable of denying the claim that they which is an average of all five categories. have carried out a certain transaction detected in the system, the system is said to be lacking the non- Risk_DREAD = (DAMAGE + REPRODUCIBILITY repudiation characteristic of a secured system. + EXPLOITABILITY + AFFECTED USERS + Without any adequate logging of activities on DISCOVERABILITY) / 5 systems and auditing, it is difficult to prove that a repudiation attacks has occurred. In Figure 2, a threat model for an EHS is illustrated. 
It  Information disclosure – Information disclosure shows the database as a central asset that all the users attacks occur when confidential information is interact with by using the various interfaces available to leaked to a user who does not have authorization to them via a browser based. Using the DREAD model, we access such information. ranked the threats in terms of the damage potential,  Denial of service This attack occurs when there is reproducibility of the attack, how easy it is for malicious an attempt to make a machine, a system or resource individuals to exploit, affected users and how discoverable offered by a network unavailable to those who are the loop hole in the system is. The threats in the model above intended to use it This could be a temporarily or 85 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) are discussed in the order of increasing potential for tampering. The ability of a system user to perform an action, discoverability, exploitation and reproducibility. The threat malicious or otherwise and successfully deny their with the easiest discoverability is that inherent in the involvement in such action which may include but not patients’ usage of the system. A Doctors login access details limited to information disclosure to unauthorized personnel may be spoofed by eavesdroppers or by simple social or tampering with patient’s medical records is referred to as engineering practices such as shoulder surfing, Pretexting, repudiation. The same scenario will apply to all the actors Phishing etc. When this happens, access may fall into an interacting with the EHS. 
However, in order of increasing unauthorized person who can then view privileged or private discoverability, the last being the hardest to discover but information of the all patients and with the right technical most threatening, it proceeds from the Nurses station to the knowledge, the cracker may even prevent other users from Doctors access level, the pharmacists access level, the lab login into the system. This access may also be disclosed by technician and the database where all data created and used the doctors themselves to friends or family members. This by all the actors are store and retrieve for decision making threat is the most discoverable, exploited and repeated purposes. Here, (the Database) the inherent threat is denial of several usages of the exploit if counter measures are not service (DoS) where the attacker attempts to exhaust the implemented. The next point of threat is from nurse’s resources available to the network, application or service so interaction with the EHS. The threats posed are that of that real users cannot gain access and tampering for repudiation, information disclosure, privilege elevation and malicious exploits. Figure 2. Threat model for an EHS TABLE I. DREAD THREAT RATING SCHEME [9] 86 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) Figure 3. Countermeasures to identified threats in the model The counter measures required to mitigate the threats in patient's communication device intends to send or receive the model in Figure 2 are highlighted in Figure 4. The data from the EHS, both devices must carry out mutual countermeasures are classified into two groups. The first authentication to ensure trust between the receiving and group of countermeasures is best suited to the actors that use sending devices as well as the data being transmitted. 
the database asset while the other set of countermeasure To assign risk rating values to the threats as shown on apply to the database itself. Table 2 each category of rating in the DREAD risk model was used to evaluate each threat on Figure 2. The threats IV. RESULTS AND DISCUSSIONS generated are accompanied with description for which a DREAD value is computed on the premise discussed from Figure 2 is the threats identified in an EHS using the the cause and effect of the threat. The process was iterated STRIDE threats modelling tool. for a couple of the threats to obtain ratings which were used All possible threats associated with user authentication to compute the risk value. and authorization using login credentials that may allow Risk_DREAD may now be calculated from Table 2 as: illegitimate users gain unauthorized access to the system are Risk_DREAD = (43+43+41+48+42) / 5 = 217/5 = 43.4 defined. The major sources of such threats include losing, sharing or theft of user identity, login credentials, and authentication of patient medical or communication devices. V. COUNTERMEASURES TO IDENTIFIED THREATS IN THE Sharing of sensitive user access credentials may result in MODEL misuse, altering of sensitive patient data, or private information divulgence, among others. A. User Authentication – RFID or BIOMETRICS Potential damage posed by this threats are computed User authentication plays a vital role in many using the DREAD risk rating scheme in Table 1 and applications that require user interaction with data and subsequently categorized as low (0 – 6), medium (7 – 11) or services. Several remote user authentication schemes and high (12 – 15), according to the impact the threat possesses their enhancements was proposed by [4] to improve the to the EHS as calculated in Table 2. For example, if a security flaws in other schemes. 
patient's login credentials fall into the hands of an attacker due to theft or sharing, the impact would be low, because the vulnerability is only present for a single patient; but if, on the other hand, the credentials of a health care professional, say an administrator of the system with a high trust boundary, fall into the hands of a malicious user, the impact will be very high, because such a vulnerability may affect more than one patient: possibly all the patients' records on the server may be compromised or configurations altered by the assailant.

TABLE II. TABLE SHOWING EHS THREATS RATED WITH DREAD

Threat                                              D  R  E  A  D  Total  Rating
Personnel identity spoofing                         3  2  2  3  3  13     High
Loss or stolen of personnel communication device    3  1  3  3  3  13     High
Denial of service to patients                       3  2  2  3  3  13     High
Unauthorized access                                 3  2  2  3  2  12     High
Personnel Identity misuse                           3  2  2  3  2  12     High
Data tampering by Personnel                         3  2  2  3  2  12     High
Weak access control                                 3  2  2  3  2  12     High
Denial of service to personnel                      3  2  1  3  3  12     High
Illegitimate access to administrative interfaces    3  2  2  3  2  12     High
Unauthorized disclosure                             3  3  3  2  1  12     High
Spoofing of EHS source server                       3  2  1  3  2  11     Medium
Loss or stolen of patient's communication device    2  1  3  1  3  10     Medium
Personnel information repudiation                   0  3  2  3  2  10     Medium
Elevation using impersonation                       2  2  2  2  2  10     Medium
Log files tampering                                 3  2  1  2  2  10     High
Insufficient auditing                               0  3  1  3  2  9      Medium
Patient Identity misuse                             1  3  2  1  1  8      Medium
Data tampering by patients                          0  3  3  1  1  8      Medium
Patient information repudiation                     0  3  2  1  2  8      Medium
Sharing or Loss of patient identity                 1  0  2  1  1  5      Low
Patient identity spoofing                           1  1  1  1  1  5      Low

Since authentication of communicating devices is essential, when a patient's communication device wants to exchange information with the patient's medical device, the two devices must authenticate each other and ensure that they are what/who they claim to be. Similarly, when the

The security of traditional identity-based remote user authentication schemes is based on passwords. Simple passwords, however, are easy to break by simple dictionary search attacks. To resolve this problem, biometric-based user authentication schemes are better alternatives, since such authentication is more secure and reliable than traditional password-based authentication schemes. The advantages of using biometric keys (for example palm-prints, faces, fingerprints, irises, hand geometry, etc.) are:

• Biometric keys cannot be lost.
• Biometric keys cannot be forgotten.
• Biometric keys are exceptionally hard to forge.
• Biometric keys are difficult to copy or share.
• Biometric keys cannot be easily guessed, as compared to low-entropy passwords.
• One person's biometrics are no easier to break than another's.

If biometric authentication is implemented on the EHS, the following attacks will be prevented.

• Masquerade attacks, in which an adversary tries to masquerade as a legitimate user to communicate with a valid system, or masquerades as a valid system in order to communicate with legal users.
• Replay attacks, in which an attacker holds up the messages between two communicating parties and then impersonates the other legal party to replay the fake messages for further deception.
• Man-in-the-middle attacks, in which an attacker intercepts the messages during transmission and can change, delete or modify the contents of the messages delivered to the intended recipients.

A couple of remote user authentication schemes that use smart cards have been proposed in the literature [3] [6]. A self-certified user authentication scheme for next generation wireless networks, which relies on the public-key cryptosystem, was proposed as an efficient biometric-based remote user authentication scheme using smart cards in [13]. If the flaws highlighted in [7] are resolved, it will serve as a means for a secure user authentication system with RFID-enabled smart cards for any system and not just an EHS.

B. User Authorisation and Separation of Duties

This can be achieved through programming logic that ensures each user group only accesses the parts of the system that it is authorized to access, and only uses the functions that are specific to that user group, without any access to tasks and functions that are for other user groups. Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud, as shown in Figure 4. It restricts as much as possible the amount of power held by any one individual by ensuring that each user group only performs read and write operations on data that pertains to it. It puts a barrier in place to prevent fraud that may be perpetrated by adversaries. Fraud is more likely to occur when there is a collusion in the functions performed by a user group with the functions of a different user group.

[Figure 4. Separation of Duties]

VI. CONCLUSION

This paper proposes a threat model for an electronic health system (EHS) that captures the possible attacks that may be carried out against an EHS. The STRIDE threat model was used to identify potential threats, which were then ranked based on the security risk posed using a DREAD threat-risk ranking model. Possible countermeasures to authentication and authorization control threats on the system were discussed.
Our future research work will focus on the design and development of scalable security controls and countermeasures to the various threats identified in this paper. We will also explore the digital forensic techniques that could be used at different parts of the system when a successful attack is carried out, and the policies that need to be put in place to ensure that the occurrences of attack are minimized.

REFERENCES

[1] O. Stella and M. E. Herselman, "E-health in Rural Areas: Case of Developing Countries," International Journal of Social, Behavioral, Educational, Economic, Business and Industrial Engineering, vol. 2, no. 4, p. 7, 2008.
[2] D. J. Brailer, "Economic Perspectives on Health Information Technology," Business Economics, vol. 40, p. 8, 2005.
[3] S. Alshehri, S. Mishra, and R. Raj, "Insider threat mitigation and access control in healthcare systems," 2013.
[4] O. M. Olaniyi, T. A. Folorunso, A. Omotosho, and A. Israel, "Securing Digitized Campus Clinical Healthcare Delivery System," presented at the 1st International Conference on Applied Information Technology, 2015.
[5] V. Garg and J. Brewer, "Telemedicine security: a systematic review," Journal of Diabetes Science and Technology, vol. 5, pp. 768-777, 2011.
[6] F. Swiderski and W. Snyder. Threat Modeling [Online].
[7] M. Hardy, "Beyond Continuous Monitoring: Threat Modeling for Real-time Response," SANS Institute, 2012.
[8] S. S. Techtarget, "Definition of Threat Modeling," ed, 2016.
[9] Microsoft. (2003, 8/11). Chapter 3 - Threat Modeling. Available: https://msdn.microsoft.com/en-us/library/ff648644.aspx
[10] S. Myagmar, A. J. Lee, and W. Yurcik, "Threat modeling as a basis for security requirements," in Symposium on Requirements Engineering for Information Security (SREIS), 2005, pp. 1-8.
[11] S. Kumar and B. K. Tripathi, "Modelling of Threat Evaluation for Dynamic Targets Using Bayesian Network Approach," Procedia Technology, vol. 24, pp. 1268-1275, 2016.
[12] O. A. Adebisi, D. A. Oladosu, O. A. Busari, and Y. V. Oyewola, "Design and Implementation of Hospital Management System," International Journal of Engineering and Innovative Technology (IJEIT), vol. 5, 2015.
[13] P. Anand, J. Ryoo, H. Kim, and E. Kim, "Threat Assessment in the Cloud Environment: A Quantitative Approach for Security Pattern Selection," in Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, 2016, p. 5.
[14] F. Ruffy, W. Hommel, and F. von Eye, "A STRIDE-based Security Architecture for Software-Defined Networking," ICN 2016, p. 107, 2016.
[15] P. Wang, A. Ali, and W. Kelly, "Data security and threat modeling for smart city infrastructure," in Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC), 2015 International Conference on, 2015, pp. 1-6.
[16] A. Singhal and H. Banati, "Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model," arXiv preprint arXiv:1312.6836, 2013.
[17] M. Abomhara, M. Gerdes, and G. M. Køien, "A STRIDE-Based Threat Model for Telehealth Systems," Norsk informasjonssikkerhetskonferanse (NISK), vol. 8, pp. 82-96, 2015.
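The user-group authorisation and separation-of-duties control described in Section B, sketched as an added example that is not code from the paper. The group names, the permission pairs and the two conflicting-group pairs are assumptions chosen for illustration.

```python
# Added illustration: deny-by-default authorisation per user group plus a separation-of-duties
# (SoD) check. Group names, permissions and conflicting pairs are assumptions, not the paper's.
from dataclasses import dataclass, field
from typing import Optional

# Each user group may perform only the (action, resource) pairs listed for it.
GROUP_PERMISSIONS = {
    "patient":   {("read", "own_record")},
    "clinician": {("read", "patient_record"), ("write", "patient_record")},
    "billing":   {("read", "invoice"), ("write", "invoice")},
    "auditor":   {("read", "audit_log")},
    "sysadmin":  {("write", "system_config"), ("write", "user_account")},
}

# Groups whose duties must never be combined in a single account.
CONFLICTING_GROUPS = {
    frozenset({"sysadmin", "auditor"}),   # an administrator must not review their own logs
    frozenset({"clinician", "billing"}),  # delivering care vs. charging for it
}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def sod_conflict(user: User, group: str) -> Optional[str]:
    """Return the already-held group that conflicts with `group`, else None."""
    for held in sorted(user.groups):
        if frozenset({held, group}) in CONFLICTING_GROUPS:
            return held
    return None

def assign_group(user: User, group: str) -> None:
    """Add `group` to `user`; refuse unknown groups and SoD conflicts."""
    if group not in GROUP_PERMISSIONS:
        raise ValueError(f"unknown group: {group}")
    held = sod_conflict(user, group)
    if held is not None:
        raise PermissionError(f"{user.name}: {group} conflicts with {held}")
    user.groups.add(group)

def is_authorised(user: User, action: str, resource: str, owner: Optional[str] = None) -> bool:
    """Deny by default; allow only what one of the user's groups grants."""
    for group in user.groups:
        if (action, resource) not in GROUP_PERMISSIONS[group]:
            continue
        # "own_record" is granted only when the record belongs to the caller.
        if resource != "own_record" or owner == user.name:
            return True
    return False
```

Enforcing the conflict check at assignment time, rather than at each request, means a conflicting combination of duties never exists in an account to begin with.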