Wednesday, June 14, 2017


Threat Modeling healthcare delivery software and application: An introduction

The goal of any threat modeling process is to identify as many of the threats as possible that could exploit the known vulnerabilities of the organization's information system. A software-focused threat model process seeks to identify and address the threats that would attack the company's information system by exploiting the weaknesses or "vulnerabilities in the software components that are used by the application, the operative systems software that the application uses and the vulnerabilities of the underlying network and data infrastructure in which these applications operate" (Morana, M. M. & Ucedavelez, T., 2015, p. 6). Threat modeling is a structured, systematic approach, either software-focused, attacker-focused, or asset-focused, to understanding how different threats could be realized by threat agents. It simulates how a successful compromise could take place. A threat agent is "an intruder accessing the network via a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information" (Harris, S., 2013, pp. 1108, 26).

In the healthcare delivery sector, because of the criticality of e-PHI (electronic protected health information), software vulnerabilities give threat agents an exploitable attack surface for launching attacks with specific goals, such as stealing personal or confidential patient information. One way this is achieved is by an attacker injecting malicious SQL code into the healthcare delivery application's web pages after running a vulnerability scan, with the goal of gaining unauthorized access to the database that stores e-PHI. It is therefore imperative to begin addressing security risks during the SDLC, as the software or application is designed and built. A good way of handling this is a structured, software-focused threat modeling approach. Fig. 1.1 is the DFD (Data Flow Diagram) that decomposes the threat modeling process into the steps involved in security design within the software development life cycle.
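The SQL injection threat described above, shown as an added example (not code from the original post): a patient-record lookup that pastes browser input from outside the trust boundary straight into the query, beside the hardened version that binds the value as a parameter and rejects identifiers that do not match the expected format. The table, the MRN format and the sample records are all constructed for this illustration.

```python
import re
import sqlite3

# Assumed identifier format for this example; real systems define their own.
MRN_RE = re.compile(r"^MRN-\d{4}$")


def build_db():
    """Constructed in-memory stand-in for the application's e-PHI store (fictional data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (mrn TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", [
        ("MRN-1001", "Alice Example", "hypertension"),
        ("MRN-1002", "Bob Example", "asthma"),
        ("MRN-1003", "Carol Example", "diabetes"),
    ])
    return conn


def lookup_vulnerable(conn, mrn):
    """Weak form: input crossing the trust boundary is interpolated into SQL text."""
    sql = f"SELECT mrn, name, diagnosis FROM patient WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, mrn):
    """Countermeasure: validate the identifier, then bind it so it is data, never SQL."""
    if not MRN_RE.fullmatch(mrn):
        return []  # reject anything that is not a well-formed MRN
    sql = "SELECT mrn, name, diagnosis FROM patient WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def demo():
    """Row counts returned for a legitimate MRN and for a tautology payload, in both forms."""
    conn = build_db()
    legit = "MRN-1002"
    hostile = "x' OR '1'='1"  # turns the WHERE clause into one that matches every row
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),      # 1
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),  # 3: entire e-PHI table leaks
        "safe_legit": len(lookup_hardened(conn, legit)),        # 1
        "safe_hostile": len(lookup_hardened(conn, hostile)),    # 0
    }


if __name__ == "__main__":
    print(demo())
```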

Step 1 – Decompose the application

Step 2 – Determine and rank threats

Step 3 – Identify vulnerabilities

Step 4 – Determine controls or countermeasures and mitigation

Fig. 1.1 Threat Model Process DFD

A software-focused threat model process that uses trust boundaries ("any place where various principals come together or where entities with different privileges interact" – Shostack, A., 2014, p. 50) identifies appropriate, effective and timely countermeasures to deploy to mitigate attacks on the healthcare delivery information system. Why a software-centric modeling approach? It provides better security for assets and a stronger defense against the attacker, because security considerations are built into the design of the software or system as it is being built. A good explicit threat model documents the UML diagrams, APIs, and architecture of the system.

References

Morana, M. M. & Ucedavelez, T. (2015-28-5). Application Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley-Blackwell.

Harris, S. (2013). CISSP All-in-One Exam Guide. 6th ed. New York: McGraw Hill Education.

Shostack, A. (2014). Threat Modeling: Designing for Security. Indianapolis: John Wiley & Sons, Inc.
