A Comparative Analysis of Cybersecurity Threat Taxonomies for Healthcare Organizations

DOI: 10.4236/jsea.2024.175020, PP. 359-377

Keywords: Threat Taxonomies, Open Threat Taxonomy (OTT)

Abstract:

Information technology is critical to coordinating patient records, smart devices, operations, and critical infrastructure in healthcare organizations and across their constantly changing digital environment, which includes suppliers, doctors, insurance providers, and regulatory agencies. This dependence on interdependent systems makes the sector vulnerable to various information technology risks. These threats include common cybersecurity risks, such as data breaches and malware attacks, and problems unique to healthcare settings, such as unauthorized access to patient records, disruptions to services provided at medical facilities, and potential harm to patients from the compromise of medical devices. Threat taxonomies such as the Open Threat Taxonomy, NIST, or ENISA are foundational frameworks for grasping and categorizing IT threats. However, these taxonomies were not specifically designed to deal with the complexities of the healthcare industry. The problem arises from the gap between the general nature of these taxonomies and the industry-specific threats and vulnerabilities that affect healthcare organizations. As a result, many healthcare institutions fail to holistically address and eliminate the unique risks to the confidentiality, integrity, and availability of patients’ data and of the critical systems used in healthcare. This paper aims to narrow this gap by carefully assessing these taxonomies to determine the framework best suited for addressing the threat environment in the healthcare sector.
