THREATS TO HEALTHCARE DATA: A THREAT TREE FOR RISK ASSESSMENT

The American Recovery and Reinvestment Act of 2009 authorizes the payment of incentives to hospitals, clinics, and practices that adopt meaningful use of electronic health records by the year 2015. The promise of making health data readily available for manipulation any place, any time, and in multiple formats is reduced medical and medication errors, lower healthcare costs, and improved healthcare outcomes. However, control over availability is no small challenge. This paper represents a preliminary effort at cataloging threats to electronic healthcare data associated with unauthorized access, data loss, and data corruption as a threat tree. The purpose of the threat tree presented here is to facilitate risk assessments and inform health care policy and legislation. The paper concludes with a brief discussion of ways to vet and extend the proposed threat tree.
