
A Case Study in the Application of STPA-sec and CHASSIS for Socio-Technical Cyber Security Risk Management in Health Care from Developing Nations

Conference paper, published in: Intelligent Sustainable Systems

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 578)

Abstract

Healthcare organizations continue to face an increasing range of cyber threats. In developing nations, where healthcare systems are characterised by fragmented governance and limited resources and experience, it is important to identify methods that support the socio-technical analysis of breaches. At present, the level of detail and the socio-technical focus of incident analyses vary from one incident to another (some reports do not mention socio-technical issues at all), and without consistent methods we cannot tell whether this is because socio-technical factors were unimportant or simply because the analyst did not consider them. We address these problems by evaluating the application of two promising approaches: STPA-sec (System Theoretic Process Analysis for cyber security) and CHASSIS (Combined Harm Analysis for Safety and Security of Information System), a method focused on use case and misuse case scenarios. STPA-sec was able to capture a range of socio-technical risks threatening the cyber security of the picture archiving and communication system (PACS) in this hospital, and could be integrated rapidly in a resource-constrained setting. However, our results show that, given the variety of socio-technical risks in this setting (interactions between fragmented components, organizational vulnerabilities), a single high-level and abstract methodology struggles on its own to identify the other forms of breach to which the analysed system is exposed. For that reason, CHASSIS is used to complement the STPA-sec analysis, giving the local analyst an additional perspective for handling the different socio-technical risks.



Author information

Corresponding author: Joseph Kaberuka

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Kaberuka, J., Johnson, C. (2023). A Case Study in the Application of STPA-sec and CHASSIS for Socio-Technical Cyber Security Risk Management in Health Care from Developing Nations. In: Nagar, A.K., Singh Jat, D., Mishra, D.K., Joshi, A. (eds) Intelligent Sustainable Systems. Lecture Notes in Networks and Systems, vol 578. Springer, Singapore. https://doi.org/10.1007/978-981-19-7660-5_33
