论文信息 - A Threat Tree for Health Information Security and Privacy

A Threat Tree for Health Information Security and Privacy

This paper begins a process of organizing knowledge of health information security threats into a comprehensive catalog. We begin by describing our risk management perspective of health information security, and then use this perspective to motivate the development of a health information threat tree. We describe examples of three threats, breaking each down into its key risk-related data attributes: threat source and action, the health information asset and its vulnerability, and potential controls. The construction of such a threat catalog is argued to be useful for risk assessment and to inform public health care policy. As no threat catalog is ever complete, guidance for extending the health information security threat tree is given.

Jeffrey P. Landry | Tom Johnsten | Matt Campbell | J. Harold Pardue | Priya Patidar

[1] Ganthan Narayana Samy,et al. Security threats categories in healthcare information systems , 2010, Health Informatics J..

[2] Brent Salter,et al. The Enemy at the Gate: Habsburgs, Ottomans, and the Battle for Europe , 2008 .

[3] Bradley Malin,et al. Beyond safe harbor: automatic discovery of health information de-identification policy alternatives , 2010, IHI.

[4] Jeffrey P. Landry,et al. A Risk Assessment Model for Voting Systems using Threat Trees and Monte Carlo Simulation , 2009, 2009 First International Workshop on Requirements Engineering for e-Voting Systems.

[5] E WhitmanMichael. Enemy at the gate , 2003 .

[6] David Kotz,et al. A threat taxonomy for mHealth privacy , 2011, 2011 Third International Conference on Communication Systems and Networks (COMSNETS 2011).

[7] L. Jean Camp,et al. Threat analysis of online health information system , 2010, PETRA '10.

[8] M. Eric Johnson,et al. Data Hemorrhages in the Health-Care Sector , 2009, Financial Cryptography.

[9] G. Stoneburner,et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[10] Latanya Sweeney,et al. k-Anonymity: A Model for Protecting Privacy , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[11] M. Eric Johnson,et al. Information security and privacy in healthcare: current state of research , 2010, Int. J. Internet Enterp. Manag..