Threat Modeling for Mobile Health Systems
Matteo Cagnazzo (1), Markus Hertlein (3), Thorsten Holz (2) and Norbert Pohlmann (1)
Abstract: Mobile Health (mHealth) is on the rise and it is likely to reduce costs and improve the quality of healthcare. It tightly intersects with the Internet of Things (IoT) and comes with special challenges in terms of interoperability and security. This paper focuses on security challenges and offers a mitigation solution, especially with a focus on authentication and encryption for resource-constrained devices. It identifies assets in a prototyped mHealth ecosystem and classifies threats with the STRIDE methodology. Furthermore, the paper identifies associated risk levels using DREAD and outlines possible mitigation strategies to provide a reasonably trustworthy environment.
I. INTRODUCTION
Advances in mobile health (mHealth), or IoT-Health, are likely to reduce costs and improve the quality of healthcare. Especially with the paradigm shift from inpatient care towards ambulant and home care, mobile and ubiquitous technologies are an inevitable step. The shift is due to increasing cost pressure, an ageing society and a shortage of skilled professionals [24]. Mobile health applications can increase access to healthcare, encourage self-management and maintain treatment. Internet of Things (IoT) devices are used within healthcare systems and form mHealth environments. Wearables with various sensors, for example gyroscopic, heart rate or bioimpedance sensors, are often deployed in the Body Area Network (BAN) of the patient. These devices come with a lot of challenges in terms of interoperability and security which need to be considered and treated seriously [23]. ENISA identifies "asset and configuration management as a relevant technical measure" to prevent attacks [7]. Furthermore, this paper addresses a key recommendation from [7] because it conducts a risk and vulnerability assessment for an mHealth architecture which is deployed in a clinical context. This paper discusses the most recent related work in Section II. Afterwards it introduces current developments and background knowledge for mHealth in Section III-A and threat modeling in Section III-B. After this we model the threats and define assets in Section IV. We use a STRIDE-based approach to model threats [22]. To assess the associated risks for specific threats we use the DREAD model [25]. At the end of the paper possible mitigation strategies are discussed in Section V and conclusions are drawn in Section VI.
* This work is partly funded by the Federal Ministry of Education and Research in Germany (Grant No. 16SV7775).
(1) M. Cagnazzo and N. Pohlmann are with the Institute for Internet-Security, Westphalian University of Applied Sciences, 45876 Gelsenkirchen, Germany, {lastname} at internet-sicherheit.net
(2) T. Holz is with the Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany, thorsten.holz at rub.de
(3) M. Hertlein is with XignSys GmbH, Gelsenkirchen, Germany, hertlein at xignsys.de
II. RELATED WORK
Several papers on future research directions indicate that privacy and security are key issues for the successful deployment of mHealth [16][3]. [16] defines one research challenge as: "clarify threats and develop security and privacy protections for smartphone apps that handle medical and health data". This paper aims to give an overview of threats and mitigation strategies for current and future mHealth applications. Current work on threat modeling in healthcare focuses on telehealth and does not pay attention to mHealth-specific threats, especially if data is stored in a cloud environment [1]. Works like [19] define and mitigate threats for smart home systems and consider only parenthetically how mHealth systems and their threats interact with them. [5], [21] and others try to solve the authentication, usability and confidentiality problem within the IoT in general, but they do not use standardized approaches to identify and mitigate threats. Stationary care telehealth service terminals, as described in [8] and [20], are likely to reduce mobile application scenarios for doctors and medical personnel. This stationary approach is something an mHealth ecosystem aims to overcome in the future, to give mobility to doctors and other caregivers.
Common legacy protocols used in medical environments often lack security and privacy aspects. [11] shows that the often used "HL7" protocol has no security or privacy mechanisms specified, especially in version two, which is the most deployed version in production systems.
Figure 1 shows a prototypical mHealth system. It is derived from an architecture which is used in the MITASSIST project. The project is funded by the German Federal Ministry of Education and Research. Figure 2 shows a more detailed view of the components which data has to pass in the architecture. The wearable on which the sensors are deployed will produce huge amounts of data. Analyzing big amounts of data quickly becomes impracticable for humans, therefore an artificial intelligence (AI) is trained during the research project. Current research shows that the used models can be exploited by an attacker as well, therefore we include the artificial intelligence in our threat model [9][17].
III. BACKGROUND
This section gives a brief definition and introduction of mHealth as well as an architectural overview of an mHealth system. Furthermore, threat modeling and the used methodology are introduced.
A. mHealth
mHealth is the combination of computing and internet technologies with information and communication systems. Together with sensors it can form a wearable body area network (BAN) with the patient's smartphone [15]. Patients as well as health and care providers can benefit from mHealth solutions. mHealth applications that run on information systems like smartphones are used by patients and doctors to access data within the health platform as shown in Figure 1. Doctors, caretakers and patients access the platform via an application which can be deployed either to a mobile or to a stationary device. The patient environment consists of devices and applications in the personal patient environment, like wearables and smartphones. These are needed to collect measurements of sensor data and to support self-reporting as well as feedback or intervention from the caretaker. Most sensors that are deployed are also modules in the IoT, therefore mHealth and IoT components intersect. The patients send data via mobile or WLAN networks to the health service cloud. The data is stored in an electronic or personal health record system (EHR/PHR) which is integrated in the hospital cloud service. The most used protocol is HL7 [11]. The data can be crawled by monitoring services or an artificial intelligence, which support the doctor in his decision making, offer more granular insights for patient and doctor, and provide suggestions on how the patient can improve his health. Other health and care providers could get access to the data as well. This raises privacy concerns which are out of the scope of our paper, therefore we neglect third-party scenarios. Patients benefit from mHealth applications around the world, since the deployment of mHealth applications can be done in a cost-effective way. Especially developing countries can benefit from the widespread deployment of mHealth solutions [10]. "Respectively, 50 % and 70 % of the interventions were effective in promoting physical activity and healthy diets" says [18].
Fig. 1. mHealth Prototype Architecture
B. Threat Modeling
Threat modeling is an important aspect of the security development lifecycle, which is a process aiming to build better and more secure software [13]. It is a technique which aims to find assets, analyze potential threats and mitigate them. This provides defenders with important insights:
- The most likely attack vectors
- Assets an attacker is attracted to
- Attack vectors that otherwise would have gone unnoticed
The threats which are found during the threat modeling phase are associated with a security risk to rank them and prioritize certain assets. An asset is defined by ENISA as "anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission" [6].
TABLE I
CONNECTION BETWEEN STRIDE AND MHEALTH ENVIRONMENT
Threat category | mHealth security perspective
Spoofing: attacker poses as an authorized user or entity | Attacker using user authentication information to access sensitive medical data
Tampering: modifying data maliciously | Attacker modifying data in transit (e.g. from BAN to LAN) or at rest
Repudiation: filtering malicious actions if proof is missing | Authorized user performs illegal operations and the system cannot trace it; other parties cannot prove this
Information disclosure: exposing information to any unauthorized entity | Leaking raw data or medical records
Denial of Service: denying service to valid users | Attacker jamming the BAN or DoS'ing the hospital environment
Elevation of Privilege: user gains privilege rights and manipulates the system | Attacker gains access to security systems as a trusted entity
The threat modeling technique used in this paper is STRIDE by Microsoft, which is an abbreviation for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege [22]. Other threat modeling frameworks exist, for example PASTA or OCTAVE [2][25]. To rank threats we use the DREAD model, which is described below.
Table I defines each threat category and relates it to a specific mHealth attack scenario. After the STRIDE threats are addressed, a metric for the risk of an actual attack needs to be calculated. We use the DREAD model to evaluate the likelihood of an attack exploiting a particular threat [14]. The DREAD model consists of Damage potential, Reproducibility, Exploitability, Affected Users and Discoverability. The DREAD risk is calculated as follows:

$$\mathrm{Risk}_D = \mathrm{DAMAGE} + \mathrm{REPRODUCIBILITY} + \mathrm{EXPLOITABILITY} + \mathrm{AFFECTED\,USERS} + \mathrm{DISCOVERABILITY} \quad (1)$$

Values from 1 (low) to 3 (high) are assigned to each addend of Equation 1. The sum is calculated and the result falls in the range 5-15. Afterwards one can rank threats with overall ratings of 12-15 as high risk, 8-11 as medium risk, and 5-7 as low risk.
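As an added, worked illustration of the scoring just described (this is not code from the paper or from the MITASSIST project), the following Go program builds a small threat register in the style of Tables III to VI: each row carries its STRIDE letters and its five DREAD ratings, the score is the sum of Equation 1, and the bands 12-15, 8-11 and 5-7 map to high, medium and low. The row descriptions are taken from Table III, but the individual 1-3 ratings are constructed assumptions chosen so that the sums land in the bands the paper reports; the paper itself publishes only the resulting bands.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Dread holds the five ratings of Equation 1, each from 1 (low) to 3 (high).
type Dread struct{ Damage, Reproducibility, Exploitability, AffectedUsers, Discoverability int }

// Score returns the sum of the five addends (range 5-15) or an error if a rating is out of range.
func (d Dread) Score() (int, error) {
	sum := 0
	for _, v := range []int{d.Damage, d.Reproducibility, d.Exploitability, d.AffectedUsers, d.Discoverability} {
		if v < 1 || v > 3 {
			return 0, fmt.Errorf("dread: rating %d outside 1..3", v)
		}
		sum += v
	}
	return sum, nil
}

// Band maps a score to the paper's bands: 12-15 high, 8-11 medium, 5-7 low.
func Band(score int) (string, error) {
	switch {
	case score >= 12 && score <= 15:
		return "High", nil
	case score >= 8 && score <= 11:
		return "Medium", nil
	case score >= 5 && score <= 7:
		return "Low", nil
	}
	return "", errors.New("dread: score outside 5..15")
}

// Threat is one row of a threat table: description, STRIDE letters (e.g. "S,D") and DREAD ratings.
type Threat struct {
	Description string
	Stride      string
	Ratings     Dread
}

// validStride accepts only comma-separated single letters from the STRIDE alphabet.
func validStride(s string) bool {
	for _, cat := range strings.Split(s, ",") {
		if len(cat) != 1 || !strings.Contains("STRIDE", cat) {
			return false
		}
	}
	return true
}

// Ranked is a scored row ready for prioritisation.
type Ranked struct {
	Threat
	Score int
	Band  string
}

// Prioritize scores every row and sorts highest risk first. An invalid row aborts the run:
// a silently dropped threat is exactly what a threat model must not produce.
func Prioritize(register []Threat) ([]Ranked, error) {
	out := make([]Ranked, 0, len(register))
	for _, t := range register {
		if !validStride(t.Stride) {
			return nil, fmt.Errorf("%q: bad STRIDE categories %q", t.Description, t.Stride)
		}
		score, err := t.Ratings.Score()
		if err != nil {
			return nil, fmt.Errorf("%q: %w", t.Description, err)
		}
		band, _ := Band(score) // a valid 5..15 score always has a band
		out = append(out, Ranked{t, score, band})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out, nil
}

// SampleRegister reuses four descriptions from Table III. The individual 1-3 ratings are
// constructed assumptions chosen to land in the bands the paper reports; the paper gives only the bands.
func SampleRegister() []Threat {
	return []Threat{
		{"Sysadmin identity theft", "S", Dread{3, 2, 2, 3, 2}}, // 12 -> High
		{"Sensor spoofing", "S,D", Dread{2, 2, 2, 1, 2}},       // 9 -> Medium
		{"Identity spoofing", "S", Dread{1, 1, 1, 1, 2}},       // 6 -> Low
		{"EHR/PHR spoofing", "S", Dread{3, 2, 2, 3, 3}},        // 13 -> High
	}
}

func main() {
	ranked, err := Prioritize(SampleRegister())
	if err != nil {
		panic(err)
	}
	for _, r := range ranked {
		fmt.Printf("%-24s %-4s %2d %s\n", r.Description, r.Stride, r.Score, r.Band)
	}
}
```

Rejecting out-of-range ratings and unknown STRIDE letters, rather than clamping or skipping them, is deliberate: a register that quietly drops or mis-scores a row hides exactly the threat that should have been prioritized.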
IV. STRIDE THREATS
The process of threat modeling according to STRIDE can be broken down into three blocks:
- Identifying assets
- Listing potential threats
- Mitigating threats
To define threats and get a more detailed overview of our architecture, a graphical representation of the data flows and critical points is illustrated with Microsoft's Threat Modeling Tool 2017 in Figure 2. Data is acquired from one or more sensors on a wearable and pushed to a central sensor controller. The data is collected and persisted. After a configurable time interval the data is pushed to the application over a Bluetooth LE connection. The application can send configuration data to the sensor controller and acknowledges received and stored sensor data. Configuration data could be, for example, the sampling rate of a specific sensor. The patient authenticates himself and gets access to the application. Sensor data is transmitted from the device to the service platform over an HTTPS connection. This data is acknowledged after it is stored successfully. If medical personnel want to check on a patient's condition, they authenticate themselves on their application and see selected vital data of the patient. If the medical supervisor wants to send interventions to the patient, these are sent to the patient over the cloud infrastructure and an acknowledgement is returned after the patient has read the intervention. From the flow of data over the respective components a threat model is generated.
Fig. 2. Data Flow and critical points
TABLE II
ASSETS AND IMPACT
Asset | Impact
Network components connecting the user to the service | No availability; loss of information
Network components connecting the sensor to the application | No availability; loss of information
Identity management for access control and authentication | User-specific information cannot be stored or retrieved
Database and storage components | Loss of availability; loss of data integrity; loss of feedback
Eavesdropping on communication | Confidentiality violation
Table II shows the identified assets and the impact which a failure of the respective asset would have. Loss of availability is the most common impact the alteration of an asset could have. Since the mHealth solution should provide close to real-time feedback or intervention to the patient, a loss of availability could be harmful for patient safety, not just for security reasons. Depending on the health or monitoring scenario in which the solution is used, close to real-time can range from a few seconds (cardiac monitoring) to 15 minutes (depression monitoring).
Other important impacts are confidentiality violation and loss of information. Since the data is considered medical, it is highly personal and must be protected carefully. The mHealth platform should be trustworthy, therefore it should provide and maintain confidentiality wherever possible.
Table III shows threats towards patient or personnel authentication. It focuses on the loss and misuse of credentials, as well as spoofing of sensors. Generally, threats are more severe if an admin or health personnel account is compromised, because this would affect the integrity of the whole platform, whereas an attack against a single user would only put that specific user at risk. If an attacker or user gains unauthorized access to the platform, the threats are elevation of privilege, data tampering and disclosure; Table IV shows this in the STRIDE column. A user could try to elevate his privileges and gain admin access to the service component or the PHR. This elevation could lead to disclosure of private data from other users. The risks associated with an authorization threat are at least medium but most of the time high, because gaining administrator or system privileges, even if they are only local, can cause damage to patients as well as healthcare providers. Furthermore, spoofed sensors or smartphones can be used to flood the architecture with requests, forcing a denial of service because the service or smartphone cannot respond.
TABLE III
AUTHENTICATION THREATS
Description | STRIDE | DREAD
Patient identity sharing or loss | S | Medium
Personnel identity sharing or loss | S | High
Identity spoofing | S | Low
Patient and personnel identity theft | E | Medium
Sysadmin identity theft | S | High
Sensor spoofing | S,D | Medium
Smartphone spoofing | S,D | Medium
EHR/PHR spoofing | S | High
TABLE IV
AUTHORIZATION AND ACCESS THREATS
Description | STRIDE | DREAD
Unauthorized access to system data | E | High
Unauthorized access beyond authorized privileges | E | Medium
Tampering to modify access control | T | Medium
Impersonation of a patient | E,D | Medium
Impersonation of personnel | E,D | High
Unauthorized access to admin functionality | E,T | High
Privacy is of huge importance for patients, especially if they suffer from a mental disease. A disclosure of their illness can either be beneficial or hinder the healing process, but for most patients it is a dilemma whether they should disclose or conceal it [4]. Nonetheless, individuals suffering from any illness should choose for themselves if they want to disclose their illness; therefore patient data disclosure by an adversary should be prevented at all costs. Lost or stolen devices, especially lost wearables, only pose a low risk to private data disclosure, because an attacker cannot read sensitive data from them. Only the last few sensor measurements are stored on the wearable, therefore the information gain is minor. If the smartphone is lost or stolen the information leakage is bigger, but no information from a PHR is exposed.
TABLE V
PRIVACY THREATS
Description | STRIDE | DREAD
Patient data disclosure | I | High
Administration data disclosure | I | High
Lost smartphone | I | Medium
Lost wearable | I | Low
Stolen smartphone | I | Medium
Stolen sensor | I | Low
Weak access control on smartphone | I | Medium
Weak access control on wearable | I | Low
The last threat category are threats that target artificial intelligences. Table VI shows that these threats are of at least medium importance, since an alteration of the AI would alter the integrity of the whole platform. Someone could try to change the training data, which would mean that every decision the AI makes is based on false assumptions; therefore this is the main threat and, for now, carries a high risk. A non-targeted adversarial attack has the goal of forcing the classifier to return an incorrect result. If, for example, heart rate is monitored, an attacker could try to make the classifier return the result "cardiac disease" even though the patient is healthy. A targeted attack aims at one specific class of the AI and tries to make it return this class regardless of the input; an example would be that every patient whose data looks like a cardiac arrhythmia is diagnosed with an infarction. Both attacks imply that an attacker has successfully gained access to the smartphone or is an active adversary in the same network, because he needs to manipulate the data sent to the mHealth service.
TABLE VI
ADVERSARY THREATS
Description | STRIDE | DREAD
Potential altering of training data | T | High
Non-targeted adversarial attack | T | Medium
Targeted adversarial attack | T | Medium
V. POSSIBLE MITIGATION STRATEGIES
The assets can be grouped by the different kinds of underlying technologies and processes. This leads to different mitigation strategies for each scenario. Even though security and privacy are the main factors to focus on in the healthcare environment, the interoperability between systems and devices is gaining more and more importance, since sensors and smart devices are spreading faster. Therefore, this paper presents a holistic approach as the mitigation strategy covering all parts of the mHealth system. A distributed system like the presented prototypical mHealth system (Fig. 1) can be harmed by two independent classes of attacks.
The first class is physical attacks, for example the physical destruction of a sensor or the disruption of the interconnection of the sensors, smart devices and cloud services. That kind of attack cannot be prevented with IT security mechanisms.
The second threat class is virtual attacks, like data manipulation. We are only focusing on attacks of the second class. Conversely, that means that denial of service through connection jamming or physical destruction is not part of this research. A denial of service could also be achieved if an attacker is able to take over a connection, for example through connection hijacking. That kind of DoS is part of the second class of attacks and can be prevented by using proper authentication and IT security mechanisms on different network layers.
The hypothesis is that each threat of these classes can be countered with a modern approach of well-known authentication and encryption techniques. That means that threats towards authorization and access can be prevented with a reliable authentication process and that threats towards privacy can be prevented by using proper encryption techniques. Even these encryption processes must be built on a reliable authentication. The reason why encryption without authentication is not enough to gain a high level of privacy is the communication between several entities. Old-fashioned networks were usually directly wired. In these kinds of networks there was only 1:1 communication between entities; every entity only received the data that was intended for it. Today we have an n:n communication network where most data is accessed by more than one entity, but with different rights for different reasons. Device authentication is important since no adversary should be able to put on the wearable and start transmitting data to the mHealth platform. The wearable should mutually authenticate with the smartphone and the smartphone mutually with the service platform to ensure the correctness of the entities.
In this research we are mainly using XignQR [12]. XignQR is a fully cryptography-based authentication and identity management system, which can manage identities for persons as well as for machines. The concept of XignQR matches the requirements of mutual authentication between every entity and of encrypting communication and data based on the previous authentication process. Every entity is equipped with a public key pair and a corresponding certificate. For sensors with less computing power a symmetric secret is used. If a sensor uses a symmetric key for authentication and encryption, the smartphone acts as gatekeeper. That means that the cloud infrastructure will only process data from the sensor if the data is signed by the smartphone and the data can be decrypted with a combination of the secret key of the wearable itself and a generated one-time secret derived from the information of the smartphone's public key pair.
In that way data integrity, authenticity and trust can be achieved. No less important is the liability of the data that is sent to the wearable, e.g. for configuration purposes. Since a sensor may not have enough computing power to perform asymmetric cryptography, a chain of trust must be built through the smartphone. To ensure trust, the wearable has to be paired with the smartphone application in a first step. In the pairing process two symmetric keys are derived. One is stored in the smartphone and the other is transmitted to the mHealth cloud environment. The one that is stored in the smartphone is used to calculate a one-time secret for the authentication of the communication between smartphone and wearable. The other secret, sent to the mHealth cloud environment, is used for the encryption and integrity check of the data that is sent from cloud to sensor and vice versa.
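The chain of trust through the smartphone, written out as an added example in Go with standard-library primitives; this is not the paper's or XignQR's implementation. The paper does not name the algorithms, so the following are assumptions made here: the two pairing keys are derived from the wearable's secret and a pairing nonce with a labelled HMAC-SHA256 key derivation; the one-time secret is derived from the phone-side key and a per-message counter, which also gives the phone a replay check; the cloud-side key protects the sensor payload with AES-GCM; and the smartphone's certificate is reduced to a bare Ed25519 key pair that the cloud has enrolled. The heart-rate reading and all secrets are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// derive: one-block HKDF (HMAC-SHA256 extract, then expand with a label) so phone and cloud keys stay independent.
func derive(secret, salt []byte, label string) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte(label + "\x01"))
	return exp.Sum(nil)
}

func tag(key, data []byte) []byte { // HMAC-SHA256 over data
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// PairKeys models pairing: wearable secret + pairing nonce -> phone-side auth key, cloud-side data key (assumed construction).
func PairKeys(wearableSecret, pairingNonce []byte) (phoneKey, cloudKey []byte) {
	return derive(wearableSecret, pairingNonce, "phone-auth"), derive(wearableSecret, pairingNonce, "cloud-data")
}

// oneTimeSecret is a fresh MAC key per message, bound to the message counter.
func oneTimeSecret(phoneKey []byte, counter uint32) []byte {
	return derive(phoneKey, binary.BigEndian.AppendUint32(nil, counter), "one-time-secret")
}

// SensorMessage: AES-GCM ciphertext under the cloud key (opaque to the phone) plus an HMAC
// under the one-time secret (lets the phone verify it came from the paired wearable).
type SensorMessage struct {
	Counter                uint32
	Nonce, Ciphertext, Tag []byte
}

// AuthData is the byte string both the wearable's MAC and the phone's signature cover.
func (m SensorMessage) AuthData() []byte {
	return append(append(binary.BigEndian.AppendUint32(nil, m.Counter), m.Nonce...), m.Ciphertext...)
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:16]) // AES-128 from the 32-byte derived key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Wearable holds both derived keys; the monotonic counter gives the phone its replay check.
type Wearable struct{ phoneKey, cloudKey []byte; counter uint32 }
func (w *Wearable) Seal(reading []byte) SensorMessage {
	w.counter++
	aead := newGCM(w.cloudKey)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	m := SensorMessage{Counter: w.counter, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, reading, nil)}
	m.Tag = tag(oneTimeSecret(w.phoneKey, w.counter), m.AuthData())
	return m
}

// Phone is the gatekeeper: reject replays and bad MACs, sign what is forwarded to the cloud.
type Phone struct{ phoneKey []byte; lastSeen uint32; signKey ed25519.PrivateKey }
func (p *Phone) Forward(m SensorMessage) ([]byte, error) {
	if m.Counter <= p.lastSeen { return nil, errors.New("phone: replayed or stale counter") }
	if !hmac.Equal(tag(oneTimeSecret(p.phoneKey, m.Counter), m.AuthData()), m.Tag) { return nil, errors.New("phone: wearable MAC invalid") }
	p.lastSeen = m.Counter
	return ed25519.Sign(p.signKey, m.AuthData()), nil
}

// Cloud decrypts only payloads that carry a valid signature from the enrolled phone.
type Cloud struct{ cloudKey []byte; phonePub ed25519.PublicKey }
func (c *Cloud) Accept(m SensorMessage, sig []byte) ([]byte, error) {
	if !ed25519.Verify(c.phonePub, m.AuthData(), sig) { return nil, errors.New("cloud: not signed by the paired smartphone") }
	return newGCM(c.cloudKey).Open(nil, m.Nonce, m.Ciphertext, nil)
}

// Setup wires the three parties from constructed secrets (illustrative values, not device material).
func Setup() (*Wearable, *Phone, *Cloud) {
	phoneKey, cloudKey := PairKeys([]byte("constructed-wearable-secret"), []byte("constructed-pairing-nonce"))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Wearable{phoneKey: phoneKey, cloudKey: cloudKey}, &Phone{phoneKey: phoneKey, signKey: priv}, &Cloud{cloudKey: cloudKey, phonePub: pub}
}

func main() {
	w, p, c := Setup()
	m := w.Seal([]byte(`{"hr":72}`)) // constructed heart-rate reading
	sig, err := p.Forward(m)
	if err != nil { panic(err) }
	if _, err = c.Accept(m, sig); err != nil { panic(err) }
}
```

The phone never receives the cloud key, so it can check the authenticity and freshness of a reading but cannot read it, and the cloud refuses anything not signed by the enrolled phone; that is the gatekeeper rule of the paper in code. The cloud-to-sensor direction (configuration data) would use the cloud key in the same way with the roles swapped. Rejecting a repeated or decreasing counter at the phone is what turns the per-message one-time secret into a replay defence rather than just a fresh key.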
With that way of mutual authentication and encryption, based on symmetric and asymmetric cryptography, all the key aspects of IT security (authenticity, integrity, trust, liability) can be achieved. The missing part is availability. Here too we are using a system that prevents denial of service attacks using the mechanism of mutual authentication. The cloud architecture is protected by a system that filters different kinds of DoS attacks on each of the ISO/OSI layers. The filters use deep packet inspection to recognize malicious traffic. With that technique DoS can be prevented in the backbone of an infrastructure without entering the application layer. For example, one filter makes a rule-based decision: the first message of the communication between entities must initiate the mutual authentication process. If the first message is of another type than the initiation message, the traffic is not routed to the infrastructure. On the application layer a machine learning based system is used, which protects the cloud infrastructure even if an attacker uses his own smart device for the attack. The proper roll-out and management of digital certificates also prevents the scaling of an attack that is carried out by an internal attacker after a successful authentication. With the concept of mutual authentication we can ensure 1:1 communication on the application layer between smart device and cloud infrastructure.
VI. CONCLUSIONS AND FUTURE RESEARCH
This research paper provides a comprehensive, high-level overview of threats and their mitigations in a classical information security context within an mHealth environment. Certain threats that were identified have the potential to harm patients and cause physical or mental damage. These threats must be prioritized, analyzed and mitigated with extreme caution in real-world settings. Since the ecosystem for mHealth is very heterogeneous, this work can function as an orientation during the development of an mHealth application, but a specific threat analysis has to be performed depending on the medical use case. This work should give a high-level overview of threats and mitigations that can be used to deploy an at least reasonably secure mHealth ecosystem. Since threat modeling is an iterative process, this work is just a starting point while the architectures and technologies used in mHealth continue to develop.
A remaining research challenge in the mHealth ecosystem is how replacement devices, or devices with a high fluctuation, are handled. If a device goes offline due to maintenance or repair, how can its temporary replacement be integrated in a simple and efficient, yet secure and trusted way? Especially trustworthy authentication becomes a challenge because it is an unknown device which comes from a vendor and is not integrated in our system. Temporary access needs to be granted and revoked in an easy way, while the high standards for security and privacy must still apply.
Future research has to focus on the exploration, exploitation and mitigation of those vulnerabilities and the correlation between security threats and patient safety. Legacy protocols and standards like DICOM or HL7 need to be evaluated from a security perspective as well. This could be done if the Common Vulnerability Scoring System is expanded by possible patient harms. Another important research direction is how to perform software and firmware updates on past, current and future devices and architectures so they are resilient to modern and future threats. Another important research step would be to test adversarial input in systems that implement an AI to analyze and diagnose radiologic recordings or other medical exchange formats.
REFERENCES
[1] Abomhara, Mohamed, Martin Gerdes, and Geir M. Køien. "A STRIDE-based threat model for telehealth systems." Norsk informasjonssikkerhetskonferanse (NISK) 8.1 (2015): 82-96.
[2] Alberts, Christopher J., et al. "Operationally critical threat, asset, and vulnerability evaluation (OCTAVE) framework, Version 1.0." (1999).
[3] Arora, Shifali, Jennifer Yttri, and Wendy Nilsen. "Privacy and security in mobile health (mHealth) research." Alcohol Research: Current Reviews 36.1 (2014): 143.
[4] Bril-Barniv, Shani, et al. "A Qualitative Study Examining Experiences and Dilemmas in Concealment and Disclosure of People Living With Serious Mental Illness." Qualitative Health Research 27.4 (2017): 573-583.
[5] Cagnazzo, Matteo, Markus Hertlein, and Norbert Pohlmann. "An Usable Application for Authentication, Communication and Access Management in the Internet of Things." International Conference on Information and Software Technologies. Springer International Publishing, 2016.
[6] European Union Agency for Network and Information Security (ENISA), Glossary, accessed: 08/17, https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/glossary
[7] ENISA, "Cyber security and resilience for Smart Hospitals", European Union Agency for Network and Information Security, 2016.
[8] Gerdes, Martin, and Rune Fensli. "End-to-end security and privacy protection for co-operative access to health and care data in a telehealth trial system for remote supervision of COPD-Patients." SHI 2015, Proceedings from The 13th Scandinavian Conference on Health Informatics, June 15-17, 2015, Tromsø, Norway. No. 115. Linköping University Electronic Press, 2015.
[9] Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. "Explaining and harnessing adversarial examples." arXiv preprint arXiv:1412.6572 (2014).
[10] Goel, Sonu, et al. "Bridging the human resource gap in primary health care delivery systems of developing countries with mHealth: narrative literature review." JMIR mHealth and uHealth 1.2 (2013).
[11] Hasselhorst, Dallas. "HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare", SANS Reading Room, 2017.
[12] Hertlein, Markus, Pascal Manaras, and Norbert Pohlmann. "Bring Your Own Device For Authentication (BYOD4A): The XignSystem." In Proceedings of the ISSE 2015 Securing Electronic Business Processes: Highlights of the Information Security Solutions Europe 2015 Conference, Eds.: N. Pohlmann, H. Reimer, W. Schneider; Springer Vieweg Verlag, Wiesbaden, 2015.
[13] Howard, Michael, and Steve Lipner. "The security development lifecycle." Vol. 8. Redmond: Microsoft Press, 2006.
[14] Howard, M., and LeBlanc, D. Writing Secure Code, Second Edition. Microsoft Press, December 2002.
[15] Istepanian, Robert S. H., and Bryan Woodward. M-health: Fundamentals and Applications. John Wiley & Sons, 2016.
[16] Kotz, David, et al. "Privacy and security in mobile health: a research agenda." Computer 49.6 (2016): 22-30.
[17] Kurakin, Alexey, Ian Goodfellow, and Samy Bengio. "Adversarial examples in the physical world." arXiv preprint arXiv:1607.02533 (2016).
[18] Müller, Andre Matthias, et al. "The effectiveness of e-& mHealth interventions to promote physical activity and healthy diets in developing countries: A systematic review." International Journal of Behavioral Nutrition and Physical Activity 13.1 (2016): 109.
[19] Olawumi, Olayemi, et al. "Security Issues in Smart Home and Mobile Health System: Threat Analysis, Possible Countermeasures and Lessons Learned." International Journal on Information Technologies and Security 9.1 (2017): 31-52.
[20] Ondiege, Brian, Malcolm Clarke, and Glenford Mapp. "Exploring a New Security Framework for Remote Patient Monitoring Devices." Computers 6.1 (2017): 11.
[21] Sicari, Sabrina, et al. "A security- and quality-aware system architecture for Internet of Things." Information Systems Frontiers 18.4 (2016): 665-677.
[22] Shostack, Adam. Threat Modeling: Designing for Security. John Wiley & Sons, 2014.
[23] Tarouco, Liane Margarida Rockenbach, et al. "Internet of Things in healthcare: Interoperatibility and security issues." 2012 IEEE International Conference on Communications (ICC). IEEE, 2012.
[24] Teixeira, R., Frey, W., and Griffin, R. (2015): States of Change: The Demographic Evolution of the American Electorate, 1974-2060. American Enterprise Institute, Brookings Institution and Center for American Progress.
[25] Uceda Velez, Tony, and Marco M. Morana. Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. John Wiley & Sons, 2015.
... The application of M-Health in facilitating evidence-based medicine has promised to improve health care quality at a substantial rate. Some factors are relevant in understanding how M-Health might help or hinder a physician's decisions [16]. These factors comprise of: the problem or primary need and the area targeted under which M-Health is being considered (early identification of the disease, improved efficiency which overall helps the clinicians to make accurate diagnosis or treatment which is protocol-based or curb dangerous adverse events that might have some impact on the patient) [17]. ...
... Unfortunately, as highlighted by Paredes et al., [25] [25] [24] [24] [23] [22] M-Health tends to limit the patients' understanding of the actual risks and benefits associated with mobile technology on privacy matters [22]. Since technological changes take much time to be implemented, scholarly researchers in M-Health will require developing systems that allow the research participants or patients to have complete control of data or information collected from them via mobile devices [16]. Specifically, building M-Health systems that allow the patients to have some control over their individual data. ...
... • STRIDE: The STRIDE architecture is used by Consumer Health Wearables (CHW), a subcategory of IoMT devices, to indicate system areas that need to be further secured [35]. In another study [36], the STRIDE methodology is used to investigate and classify an adversary model across mobile healthcare systems, including IoMT. It identifies a wide range of threats, including spoofing, tampering, repudiation, information leak, denial of service, and privilege elevation [32]. ...
Article
Full-text available
The integration of medical equipment into the Internet of Things (IoT) led to the introduction of the Internet of Medical Things (IoMT). Medical facilities have been equipped with a variety of IoT devices. These devices provide convenience to healthcare providers since they can continuously monitor their patients in real time, while allowing them to have greater physical flexibility and mobility. However, users of healthcare services (such as patients and medical staff) often are less concerned about security issues associated with IoT. These alleviate existing problems and jeopardize the lives of their patients by making them susceptible to attacks. Furthermore, IoMT applications have direct access to healthcare services because they handle sensitive patient information. Therefore, it is extremely important to preserve and establish the security and privacy of IoMT. This further justifies the need to investigate and address the related issues. Despite existing literature on security and privacy mechanisms, the domain still requires more attention. Therefore, this paper aims to discuss the security and privacy principles, as well as challenges associated with IoMT. Besides, a comprehensive analysis of privacy and security solutions for IoMT is also presented. In addition, we introduce a novel taxonomy of IoMT security and privacy based on cyber security principles such as "govern," "protect," and "detect". In conclusion, this paper provides a discussion on existing challenges and future directions for researchers.
... There are several approaches to finding threats to the security of the software development pipeline, one of which is STRIDE. STRIDE has been used to develop threat models in various contexts [1,12,45,49,51,57,59,65,86,87,88,115], being a well-tested, established approach. ...
Preprint
Full-text available
In recent years, there has been a growing concern with software integrity, that is, the assurance that software has not been tampered with on the path between developers and users. This path is represented by a software development pipeline and plays a pivotal role in software supply chain security. While there have been efforts to improve the security of development pipelines, there is a lack of a comprehensive view of the threats affecting them. We develop a systematic threat model for a generic software development pipeline using the STRIDE framework and identify possible mitigations for each threat. The pipeline adopted as a reference comprises five stages (integration, continuous integration, infrastructure-as-code, deployment, and release), and we review vulnerabilities and attacks in all stages reported in the literature. We present a case study applying this threat model to a specific pipeline, showing that the adaptation is straightforward and produces a list of relevant threats.
... Originally defined by Loren Kohnfelder and Praerit Garg [47,48], STRIDE is the most mature one. It has been applied to many vertical domains, including cyber-physical systems and healthcare applications [49][50][51][52][53]. STRIDE uses a set of six threats based on its acronym, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service, and Elevation of privilege; Table 5 shows their definitions. ...
Article
Full-text available
The application of emerging technologies, such as Artificial Intelligence (AI), entails risks that need to be addressed to ensure secure and trustworthy socio-technical infrastructures. Machine Learning (ML), the most developed subfield of AI, allows for improved decision-making processes. However, ML models exhibit specific vulnerabilities that conventional IT systems are not subject to. As systems incorporating ML components become increasingly pervasive, the need to provide security practitioners with threat modeling tailored to the specific AI-ML pipeline is of paramount importance. Currently, there exist no well-established approach accounting for the entire ML life-cycle in the identification and analysis of threats targeting ML techniques. In this paper, we propose an asset-centered methodology—STRIDE-AI—for assessing the security of AI-ML-based systems. We discuss how to apply the FMEA process to identify how assets generated and used at different stages of the ML life-cycle may fail. By adapting Microsoft’s STRIDE approach to the AI-ML domain, we map potential ML failure modes to threats and security properties these threats may endanger. The proposed methodology can assist ML practitioners in choosing the most effective security controls to protect ML assets. We illustrate STRIDE-AI with the help of a real-world use case selected from the TOREADOR H2020 project.
... As shown in Figure 1, when a malicious user gains access to the database in a centralized system, data manipulation is possible, and system problems are inevitable [36]. However, in a decentralized system using a blockchain, if data are manipulated by a malicious user, it is easily discernable through data verification with other participants, and the undamaged data can be restored [37]. ...
Article
Full-text available
This study aims to introduce a novel blockchain-applied personal health records (PHR) application and validate its user experience. The system transmits the part corresponding to the patient’s personal information off-chain and prevents data forgery and falsification by storing encrypted data on-chain. Patients may easily trace the opt-in and opt-out history of their consent data and dynamically store the consent system for data exchange on the blockchain. A mixed-method study using a questionnaire, in-depth interviews, and usability evaluation were conducted for 30 participants. The system usability score was 74.0, indicating the high usability of the application. Those who were familiar with blockchain showed confidence in the application, but those unfamiliar wanted their data to be safe using another way. Most of the participants were interested in exchanging and using their medical data and considered security important but those unfamiliar wanted their data to be safe using another way. We found that participants were concerned about data security and considered a blockchain-based PHR as a novel way to store and exchange their medical information securely. Blockchain is not a visible technology. However, a blockchain-applied PHR must be able to win user trust through visualizations, certificates, and system descriptions.
... Thus, create an opportunity for designers to improve product security. M. Cagnazzo et al. represented a similar threat modeling in the context of the Mobile Health (mHealth) System [9]. But it was with a focus on encryption and authentication for resource-constrained devices. ...
Conference Paper
Full-text available
The concept of traditional farming is changing rapidly with the introduction of smart technologies like the Internet of Things (IoT). Under the concept of smart agriculture, precision agriculture is gaining popularity to enable Decision Support System (DSS)-based farming management that utilizes widespread IoT sensors and wireless connectivity to enable automated detection and optimization of resources. Undoubtedly the success of the system would be impacted on crop productivity, where failure would impact severely. Like many other cyber-physical systems, one of the growing challenges to avoid system adversity is to ensure the system's security, privacy, and trust. But what are the vulnerabilities, threats, and security issues we should consider while deploying precision agriculture? This paper has conducted a holistic threat modeling on component levels of precision agriculture's standard infrastructure using the popular threat intelligence tool STRIDE to identify common security issues. Our modeling identifies fifty-eight potential security threats to consider. This presentation systematically presents them and advises general mitigation suggestions to support cyber security in precision agriculture.
Article
Full-text available
High security for physical items such as intelligent machinery and residential appliances is provided via the Internet of Things (IoT). The physical objects are given a distinct online address known as the Internet Protocol to communicate with the network’s external foreign entities through the Internet (IP). IoT devices are in danger of security issues due to the surge in hacker attacks during Internet data exchange. If such strong attacks are to create a reliable security system, attack detection is essential. Attacks and abnormalities such as user-to-root (U2R), denial-of-service, and data-type probing could have an impact on an IoT system. This article examines various performance-based AI models to predict attacks and problems with IoT devices with accuracy. Particle Swarm Optimization (PSO), genetic algorithms, and ant colony optimization were used to demonstrate the effectiveness of the suggested technique concerning four different parameters. The results of the proposed method employing PSO outperformed those of the existing systems by roughly 73 percent.
Research
Full-text available
A Threat Model for securing IoT commerce.
Article
Full-text available
Security is an important issue in Smart Home Environments, most especially in situations where smart homes can store and release sensitive data to third parties, which makes data collected within smart environments vulnerable to severe security and privacy abuses. Therefore, identification of these security issues is crucial to taking the appropriate steps towards mitigating them and enhancing the security of the collected data within these homes. This paper focuses its attention on the analysis of the possible security issues in smart home environments, identification of different attacks and vulnerabilities with possible recommendations, and countermeasures to mitigate these threats. Moreover, we applied a threat modelling process to our Smart Environment for Assisted Living (SEAL) system, identifying the assets and threats to the system and examining how our system can be designed in a more secure way that will guarantee maximum protection of data transmitted across the system.
Article
Full-text available
Security has been an issue of contention in healthcare. The lack of familiarity and poor implementation of security in healthcare leave the patients’ data vulnerable to attackers. The main issue is assessing how we can provide security in an RPM infrastructure. The findings in literature show there is little empirical evidence on proper implementation of security. Therefore, there is an urgent need in addressing cybersecurity issues in medical devices. Through the review of relevant literature in remote patient monitoring and use of a Microsoft threat modelling tool, we identify and explore current vulnerabilities and threats in IEEE 11073 standard devices to propose a new security framework for remote patient monitoring devices. Additionally, current RPM devices have a limitation on the number of people who can share a single device, therefore, we propose the use of NFC for identification in Remote Patient Monitoring (RPM) devices for multi-user environments where we have multiple people sharing a single device to reduce errors associated with incorrect user identification. We finally show how several techniques have been used to build the proposed framework.
Article
Full-text available
Background: Promoting physical activity and healthy eating is important to combat the unprecedented rise in NCDs in many developing countries. Using modern information and communication technologies to deliver physical activity and diet interventions is particularly promising considering the increased proliferation of such technologies in many developing countries. The objective of this systematic review is to investigate the effectiveness of e-& mHealth interventions to promote physical activity and healthy diets in developing countries. Methods: Major databases and grey literature sources were searched to retrieve studies that quantitatively examined the effectiveness of e-& mHealth interventions on physical activity and diet outcomes in developing countries. Additional studies were retrieved through citation alerts and scientific social media allowing study inclusion until August 2016. The CONSORT checklist was used to assess the risk of bias of the included studies. Results: A total of 15 studies conducted in 13 developing countries in Europe, Africa, Latin and South America and Asia were included in the review. The majority of studies enrolled adults who were healthy or at risk of diabetes or hypertension. The average intervention length was 6.4 months, and text messages and the Internet were the most frequently used intervention delivery channels. Risk of bias across the studies was moderate (55.7 % of the criteria fulfilled). Eleven studies reported significant positive effects of an e-& mHealth intervention on physical activity and/or diet behaviour. Respectively, 50 % and 70 % of the interventions were effective in promoting physical activity and healthy diets. Conclusions: The majority of studies demonstrated that e-& mHealth interventions were effective in promoting physical activity and healthy diets in developing countries. Future interventions should use more rigorous study designs, investigate the cost-effectiveness and reach of interventions, and focus on emerging technologies, such as smart phone apps and wearable activity trackers. Trial registration: The review protocol can be retrieved from the PROSPERO database (Registration ID: CRD42015029240).
Conference Paper
Full-text available
The following paper introduces a secure and efficient application concept that is capable of authenticating and accessing smart objects. The concept is based on two already developed applications. It describes the used technologies and discusses the outcome and potential downfalls of the idea.
Article
Full-text available
Most existing machine learning classifiers are highly vulnerable to adversarial examples. An adversarial example is a sample of input data which has been modified very slightly in a way that is intended to cause a machine learning classifier to misclassify it. In many cases, these modifications can be so subtle that a human observer does not even notice the modification at all, yet the classifier still makes a mistake. Adversarial examples pose security concerns because they could be used to perform an attack on machine learning systems, even if the adversary has no access to the underlying model. Up to now, all previous work has assumed a threat model in which the adversary can feed data directly into the machine learning classifier. This is not always the case for systems operating in the physical world, for example those which are using signals from cameras and other sensors as an input. This paper shows that even in such physical world scenarios, machine learning systems are vulnerable to adversarial examples. We demonstrate this by feeding adversarial images obtained from a cell-phone camera to an ImageNet Inception classifier and measuring the classification accuracy of the system. We find that a large fraction of adversarial examples are classified incorrectly even when perceived through the camera.
Chapter
Full-text available
The paper proposes an innovative authentication system called Xign that is very easy to use and easily integrated in existing infrastructure, while offering strong multifactor authentication for different domains of application, like web applications and physical access control. A QR code is all that is needed to provide an entry point of authentication to the user. The system comprises a smartphone application (Xign App), a server component (Xign Authentication Manager) and a smartcard applet (Xign SC). An NFC token contains a special smartcard applet and a keypair which is protected through a user-selected PIN. To use this token for authentication, it must be paired with the user's smartphone. To achieve that, the smartphone is also equipped with corresponding certificates. The Xign system is backed by a Public Key Infrastructure (PKI). As trust anchor the PKI depends on the attributes of the new German identity card or similar identity verification systems, which are used to generate a derived identity that is subsequently stored into the token. As a consequence the Xign system also takes steps to ensure anonymity of the user, while preventing tracing over multiple authentications.
Book
This book introduces the Process for Attack Simulation & Threat Analysis (PASTA) threat modeling methodology. It provides an introduction to various types of application threat modeling and introduces a risk-centric methodology aimed at applying security countermeasures that are commensurate to the possible impact that could be sustained from defined threat models, vulnerabilities, weaknesses, and attack patterns. This book describes how to apply application threat modeling as an advanced preventive form of security. The authors discuss the methodologies, tools, and case studies of successful application threat modeling techniques. Chapter 1 provides an overview of threat modeling, while Chapter 2 describes the objectives and benefits of threat modeling. Chapter 3 focuses on existing threat modeling approaches, and Chapter 4 discusses integrating threat modeling within the different types of Software Development Lifecycles (SDLCs). Threat modeling and risk management is the focus of Chapter 5. Chapter 6 and Chapter 7 examine Process for Attack Simulation and Threat Analysis (PASTA). Finally, Chapter 8 shows how to use the PASTA risk-centric threat modeling process to analyze the risks of specific threat agents targeting web applications. This chapter focuses specifically on the web application assets that include customer's confidential data and business critical functionality that the web application provides. Provides a detailed walkthrough of the PASTA methodology alongside software development activities, normally conducted via a standard SDLC process. Offers precise steps to take when combating threats to businesses. Examines real-life data breach incidents and lessons for risk management. Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis is a resource for software developers, architects, technical risk managers, and seasoned security professionals.
Book
Addresses recent advances from both the clinical and technological perspectives to provide a comprehensive presentation of m-Health. This book introduces the concept of m-Health, first coined by Robert S. H. Istepanian in 2003. The evolution of m-Health since then, how it was transformed from an academic concept to a global healthcare technology phenomenon, is discussed. Afterwards the authors describe in detail the basics of the three enabling scientific technological elements of m-Health (sensors, computing, and communications), and how each of these key ingredients has evolved and matured over the last decade. The book concludes with a detailed discussion of the future of m-Health and presents future directions to potentially shape and transform healthcare services in the coming decades. In addition, this book: Discusses the rapid evolution of m-Health in parallel with the maturing process of its enabling technologies, from bio-wearable sensors to the wireless and mobile communication technologies from IoT to 5G systems and beyond. Includes clinical examples and current studies, particularly in acute and chronic disease management, to illustrate some of the relevant medical aspects and clinical applications of m-Health. Describes current m-Health ecosystems and business models. Covers successful applications and deployment examples of m-Health in various global health settings, particularly in developing countries. © 2017 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.
Article
People with mental illnesses face the dilemma of whether to disclose or conceal their diagnosis, but this dilemma was scarcely researched. To gain in-depth understanding of this dilemma, we interviewed 29 individuals with mental illnesses: 16 with major depression/bipolar disorders and 13 with schizophrenia. Using a phenomenological design, we analyzed individuals’ experiences, decision-making processes, and views of gains and costs regarding concealment and disclosure of mental illness. We found that participants employed both positive and negative disclosure/concealment practices. Positive practices included enhancing personal recovery, community integration, and/or supporting others. Negative practices occurred in forced, uncontrolled situations. We also identified various influencing factors, including familial norms of sharing, accumulated experiences with disclosure, and ascribed meaning to diagnosis. Based on these findings, we deepen the understanding about decision-making processes and the consequences of disclosing or concealing mental illness. We discuss how these finding can help consumers explore potential benefits and disadvantages of mental illness disclosure/concealment occurrences.
Article
Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges.