Skip to main content
SpringerLink
Log in

A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems

  • Conference paper
  • First Online:
Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11980))

Abstract

Security constraints that enforce security requirements characterize healthcare systems. These constraints have a substantial impact on the resiliency of the final system. Security requirements modelling approaches allow the prevention of cyber incidents; however, the focus to date has been on prevention rather than resiliency. Resiliency extends into the detection, mitigation and recovery after security violations. In this paper, we propose an enhanced at a conceptual level that attempts to align cybersecurity with resiliency. It does so by extending the Secure Tropos cybersecurity modelling language to include resiliency. The proposed conceptual model examines resiliency from three viewpoints, namely the security requirements, the healthcare context and its implementational capability. We present an overview of our conceptual model of a cyber resiliency language and discuss a case study to attest the healthcare context in our approach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. ISO/IEC/IEEE 15288:2015. https://www.iso.org/standard/63711.html. Accessed 12 July 2019

  2. Li, T., Horkoff, J., Mylopoulos, J.: Integrating security patterns with security requirements analysis using contextual goal models. In: Frank, U., Loucopoulos, P., Pastor, Ó., Petrounias, I. (eds.) PoEM 2014. LNBIP, vol. 197, pp. 208–223. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45501-2_15

    Chapter  Google Scholar 

  3. Antón, A.I., Earp, J.B.: Strategies for developing policies and requirements for secure and private electronic commerce. In: Ghosh, A.K. (ed.) E-Commerce Security and Privacy. Advances in Information Security, vol. 2, pp. 67–86. Springer, Boston (2001). https://doi.org/10.1007/978-1-4615-1467-1_5

    Chapter  Google Scholar 

  4. Argyropoulos, N., Mouratidis, H., Fish, A.: Advances in Conceptual Modeling. Springer, Cham (2015). https://doi.org/10.1007/978-3-642-33999-8

    Book  Google Scholar 

  5. Arney, D., Pajic, M., Goldman, J.M., Lee, I., Mangharam, R., Sokolsky, O.: Toward patient safety in closed-loop medical device systems. In: Proceedings of the 1st ACM/IEEE International Conference on Cyber-Physical Systems - ICCPS 2010, pp. 139–148. ACM Press, Stockholm (2010)

    Google Scholar 

  6. Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M., Panaousis, E.: Towards the definition of a security incident response modelling language. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 198–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_14

    Chapter  Google Scholar 

  7. Boddy, A., Hurst, W., Mackay, M., Rhalibi, A.E.: A study into data analysis and visualisation to increase the cyber-resilience of healthcare infrastructures. In: Proceedings of the 1st International Conference on Internet of Things and Machine Learning - IML 1917, pp. 1–7. ACM Press, Liverpool (2017)

    Google Scholar 

  8. Den Braber, F., Hogganvik, I., Lund, M.S., Stlen, K., Vraalsen, F.: Model-based security analysis in seven steps a guided tour to the CORAS method. BT Technol. J. 25(1), 101–117 (2007)

    Article  Google Scholar 

  9. Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)

    Article  Google Scholar 

  10. Chapurlat, V., et al.: Towards a model-based method for resilient critical infrastructure engineering how to model critical infrastructures and evaluate ist resilience? How to model critical infrastructures and evaluate its Resilience? In: 2018 13th Annual Conference on System of Systems Engineering (SoSE), pp. 561–567. IEEE, Paris (2018)

    Google Scholar 

  11. Chen, Q., Lambright, J.: Towards realizing a self-protecting healthcare information system. In: 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), pp. 687–690. IEEE, Atlanta (2016)

    Google Scholar 

  12. Chernyshev, M., Zeadally, S., Baig, Z.: Healthcare data breaches: implications for digital forensic readiness. J. Med. Syst. 43(1), 7 (2019)

    Article  Google Scholar 

  13. Cichonski, P., Millar, T., Grance, T., Scarfone, K.: Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. Technical report NIST SP 800-61r2, National Institute of Standards and Technology (2012)

    Google Scholar 

  14. Cooper, T., Collmann, J., Neidermeier, H.: Organizational repertoires and rites in health information security. Camb. Q. Healthc. Ethics 17(4), 441–452 (2008)

    Article  Google Scholar 

  15. Dardenne, A., van Lamsweerde, A., Fickas, S.: Goal-directed requirements acquisition. Sci. Comput. Program. 20(1–2), 3–50 (1993)

    Article  Google Scholar 

  16. DeVoe, C., Rahman, S.S.M.: Incident response plan for a small to medium sized hospital. Int. J. Netw. Secur. Appl. 5(2), 1–20 (2013)

    Google Scholar 

  17. Genes, N., Chary, M., Chason, K.W.: Case study. An academic medical centers response to widespread computer failure. Am. J. Disaster Med. 8(2), 145–150 (2013)

    Article  Google Scholar 

  18. Ghafur, S., Grass, E., Jennings, N.A., Darzi, A.: The challenges of cybersecurity in health care: the UK National Health Service as a case study. Lancet Digit. Health 1(1), e10–e12 (2019)

    Article  Google Scholar 

  19. Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005). https://doi.org/10.1007/11554578_8

    Chapter  Google Scholar 

  20. Giorgini, P., Mylopoulos, J., Sebastiani, R.: Goal-oriented requirements analysis and reasoning in the Tropos methodology. Eng. Appl. Artif. Intell. 18(2), 159–171 (2005)

    Article  Google Scholar 

  21. He, Y., Johnson, C.: Challenges of information security incident learning: an industrial case study in a Chinese healthcare organization. Inf. Health Soc. Care 42(4), 393–408 (2017)

    Article  Google Scholar 

  22. Lee, I., et al.: Challenges and research directions in medical cyberphysical systems. Proc. IEEE 100(1), 75–90 (2012)

    Article  Google Scholar 

  23. Jalali, M.S., Russell, B., Razak, S., Gordon, W.J.: EARS to cyber incidents in health care. J. Am. Med. Inf. Assoc. 26(1), 81–90 (2019)

    Article  Google Scholar 

  24. Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_32

    Chapter  MATH  Google Scholar 

  25. van Lamsweerde, A.: Goal-oriented requirements engineering: a guided tour. In: Proceedings Fifth IEEE International Symposium on the Requirements Engineering, pp. 249–262. IEEE Computer Society, Toronto (2000)

    Google Scholar 

  26. van Lamsweerde, A., Letier, E.: From object orientation to goal orientation: a paradigm shift for requirements engineering. In: Wirsing, M., Knapp, A., Balsamo, S. (eds.) RISSEF 2002. LNCS, vol. 2941, pp. 325–340. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24626-8_23

    Chapter  Google Scholar 

  27. Lin, L., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J.: Introducing abuse frames for analyzing security requirements. J. Lightwave Technol. 371–372 (2003). IEEE Comput. Soc, Monterey Bay, CA, USA

    Google Scholar 

  28. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_33

    Chapter  MATH  Google Scholar 

  29. McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: Proceedings 15th Annual Computer Security Applications Conference (ACSAC 1999), pp. 55–64. IEEE Computer Society, Phoenix (1999)

    Google Scholar 

  30. McGlade, D., Scott-Hayward, S.: ML-based cyber incident detection for Electronic Medical Record (EMR) systems. Smart Health 12, 3–23 (2019)

    Article  Google Scholar 

  31. Mead, N.R., Stehney, T.: Security quality requirements engineering (SQUARE) methodology. ACM SIGSOFT Softw. Eng. Notes 30(4), 1 (2005)

    Article  Google Scholar 

  32. Meland, P.H., Paja, E., Gjre, E.A., Paul, S., Dalpiaz, F., Giorgini, P.: Threat analysis in goal-oriented security requirements modelling. In: Computer Systems and Software Engineering: Concepts, Methodologies, Tools, and Applications, pp. 2025–2042. IGI Global (2018)

    Google Scholar 

  33. Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the secure tropos approach. In: Karagiannis, D., Mayr, H., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, pp. 357–380. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39417-6_16

    Chapter  Google Scholar 

  34. Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)

    Article  Google Scholar 

  35. Mwiki, H., Dargahi, T., Dehghantanha, A., Choo, K.-K.R.: Analysis and triage of advanced hacking groups targeting western countries critical national infrastructure: APT28, RED October, and Regin. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds.) Critical Infrastructure Security and Resilience. ASTSA, pp. 221–244. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-00024-0_12

    Chapter  Google Scholar 

  36. Pavlidis, M., Islam, S., Mouratidis, H.: A CASE tool to support automated modelling and analysis of security requirements, based on secure tropos. In: Nurcan, S. (ed.) CAiSE Forum 2011. LNBIP, vol. 107, pp. 95–109. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29749-6_7

    Chapter  Google Scholar 

  37. Pavlidis, M., Islam, S., Mouratidis, H., Kearney, P.: Modeling trust relationships for developing trustworthy information systems. Int. J. Inf. Syst. Model. Des. 5(1), 25–48 (2014)

    Article  Google Scholar 

  38. Pavlidis, M., Mouratidis, H., Panaousis, E., Argyropoulos, N.: Selecting security mechanisms in secure tropos. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds.) TrustBus 2017. LNCS, vol. 10442, pp. 99–114. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64483-7_7

    Chapter  Google Scholar 

  39. Ransford, B., Clark, S.S., Kune, D.F., Fu, K., Burleson, W.P.: Design Challenges for Secure Implantable Medical Devices. In: Burleson, W., Carrara, S. (eds.) Security and Privacy for Implantable Medical Devices, pp. 157–173. Springer, New York (2014). https://doi.org/10.1007/978-1-4614-1674-6_7

    Chapter  Google Scholar 

  40. Ross, R., Graubart, R., Bodeau, D., McQuaid, R.: Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. Technical report, NIST (2018)

    Google Scholar 

  41. Schumacher, M.: Toward a security core ontology. In: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, pp. 87–96. no. 2754, LNCS, Springer, New York (2003). https://doi.org/10.1007/b11930

    Book  Google Scholar 

  42. Sindre, G., Firesmith, D.G., Opdahl, A.L.: A reuse-based approach to determining security requirements. Requirements Eng. 10, 34–44 (2004)

    Article  Google Scholar 

  43. Sittig, D., Singh, H.: A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Appl. Clin. Inf. 07(02), 624–632 (2016)

    Article  Google Scholar 

  44. Wiant, T.L.: Information security policy’s impact on reporting security incidents. Comput. Secur. 24(6), 448–459 (2005)

    Article  Google Scholar 

  45. Williams, P.A.H.: Is cyber resilience in medical practice security achievable? In: Proceedings of the 1st International Cyber Resilience Conference, pp. 105–111. Edith Cowan University, Perth (2010)

    Google Scholar 

  46. Yu, E.S.K.: Modeling strategic relationships for process reengineering, Ph.D. thesis, University of Toronto, Canada (1995)

    Google Scholar 

  47. Jiang, Z., Pajic, M., Mangharam, R.: Cyberphysical modeling of implantable cardiac medical devices. Proc. IEEE 100(1), 122–137 (2012)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Brighton, Brighton, BN2 4GJ, UK

    Myrsini Athinaiou, Haralambos Mouratidis, Theo Fotis & Michalis Pavlidis

Authors
  1. Myrsini Athinaiou
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Haralambos Mouratidis
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Theo Fotis
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Michalis Pavlidis
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Myrsini Athinaiou .

Editor information

Editors and Affiliations

  1. Open University of Cyprus, Latsia, Cyprus

    Sokratis Katsikas

  2. IMT Atlantique, Brest, France

    Frédéric Cuppens

  3. IMT Atlantique, Brest, France

    Nora Cuppens

  4. University of Piraeus, Piraeus, Greece

    Costas Lambrinoudakis

  5. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  6. University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  7. Georgia Institute of Technology, Atlanta, GA, USA

    Annie Antón

  8. University of Piraeus, Piraeus, Greece

    Stefanos Gritzalis

  9. Technical University of Berlin, Berlin, Germany

    Frank Pallas

  10. Alexander von Humboldt Institute for Internet and Society, Berlin, Germany

    Jörg Pohle

  11. Ruhr University Bochum, Bochum, Germany

    Angela Sasse

  12. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  13. University of Plymouth, Plymouth, UK

    Steven Furnell

  14. Télécom SudParis, Evry, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M. (2020). A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE SPOSE ADIoT 2019 2019 2019 2019. Lecture Notes in Computer Science(), vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation