Abstract
Healthcare organizations face an increasing range of cyber threats. In developing nations, the capabilities of healthcare systems are constrained by fragmented governance and limited resources and experience, so it is important to identify methods that support the socio-technical analysis of breaches. At present the level of detail and the socio-technical focus vary between incident reports; some reports do not mention socio-technical issues at all, and without consistent methods we cannot tell whether socio-technical factors were unimportant or were simply not considered by the analyst. We address this problem by evaluating the application of two promising approaches: STPA-sec, the security extension of System-Theoretic Process Analysis, and CHASSIS (Combined Harm Assessment of Safety and Security for Information Systems), a method focused on use case and misuse case scenarios. STPA-sec captured a range of socio-technical risks threatening the cyber security of the picture archiving and communication system (PACS) in the hospital studied, and could be integrated rapidly in a resource-constrained setting. However, our results show that, given the variety of socio-technical risks in this setting, including interactions between fragmented components and organizational vulnerabilities, a single high-level and abstract methodology cannot identify every form of breach to the analyzed system. CHASSIS is therefore used to support the STPA-sec analysis, giving the local analyst a further perspective for handling the different socio-technical risks.
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Kaberuka, J., Johnson, C. (2023). A Case Study in the Application of STPA-sec and CHASSIS for Socio-Technical Cyber Security Risk Management in Health Care from Developing Nations. In: Nagar, A.K., Singh Jat, D., Mishra, D.K., Joshi, A. (eds) Intelligent Sustainable Systems. Lecture Notes in Networks and Systems, vol 578. Springer, Singapore. https://doi.org/10.1007/978-981-19-7660-5_33
DOI: https://doi.org/10.1007/978-981-19-7660-5_33
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-7659-9
Online ISBN: 978-981-19-7660-5
eBook Packages: Intelligent Technologies and Robotics (R0)