Skip to main content
SpringerLink
Log in

MEDICALHARM: A threat modeling designed for modern medical devices and a comprehensive study on effectiveness, user satisfaction, and security perspectives

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Modern medical devices (MMDs) are a rapidly growing field of medical technology, and recent advances have allowed them to monitor and manage patients’ health remotely. As these devices become more connected in order to enhance the delivery of patient care, the concerns surrounding security, privacy, and safety are also increasing. To effectively address these concerns, “shift-left security”—which involves addressing security risks as early as possible—is becoming increasingly important. To facilitate it, threat modeling must be implemented as the first step. While various threat modeling methodologies exist, MMDs need a tailored one that can take into account the safety of patients and the complexity of a typical MMD, which contains multiple sensors and actuators. Therefore, we present a new threat modeling methodology—MEDICALHARM—tailored to identifying threats in MMD systems. MEDICALHARM delivers a holistic approach by combining threat and risk analysis under the same scheme. It specifically articulates safety threats along with security and privacy threats. Furthermore, it offers an algorithmic scheme to enable non-security experts (engineers and developers) to easily participate in the threat modeling process. To illustrate its benefits, we performed a threat modeling exercise using MEDICALHARM on a Deep Brain Stimulation device and provided an exhaustive threats document. Then, we conducted a survey among cybersecurity experts in the MMD domain to assess the MEDICALHARM. The survey results reveal positive feedback from participants, especially regarding the integration of cybersecurity, privacy, and safety, its novel trust level categorization, and the documentation strategy. The insights obtained from the questionnaire underscore MEDICALHARM’s potential as a structured, inclusive threat model methodology. Then, we compared the results of this exercise with another well-known threat model scheme (STRIDE) to demonstrate MEDICALHARM’s distinctive features.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23

Similar content being viewed by others

Data availibility

The data that support the findings of this study are not openly available due to reasons of sensitivity and are available from the corresponding author upon reasonable request. Data are located in a controlled access database at Marquette University.

Notes

  1. MEDICALHARM stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Impact of Threat, Component Threat, Access Breach, Likelihood of Threat, Harm to Patient, Assumptions and Constraints, Relevant In-depth Threat, Monitoring and Logging.

  2. MEDCARM stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Component Threat, Access Breach, Relevant In-depth Threat, Monitoring and Logging.

  3. H stands for Harm to Patient.

  4. LI stands for Likelihood of Threat, and Impact of Threat.

  5. LINDDUN stands for Likeability, Identifiability, Non-repudiation, Detectability, Information Conflict of interest, Content Unawareness, and Policy or Consent Noncompliance.

  6. MEDCARM is an acronym that represents the cybersecurity and privacy part of MEDICALHARM mnemonics and stands for Modification Breach, Exposure of Sensitive or Personal Data, Denial of Service, Component Threat, Access Breach, Relevant In-depth Threat, Monitoring and Logging.

  7. H is an acronym that represents the safety part of MEDICALHARM mnemonics and stands for Harm to Patient.

  8. LI is an acronym that represents the risk assessment part of MEDICALHARM mnemonics and stands for Likelihood of Threat, and Impact of Threat.

References

  1. Joung, Y.-H.: Development of implantable medical devices: from an engineering perspective. Int. Neurourol. J. 17(3), 98 (2013)

    Article  Google Scholar 

  2. AlTawy, R., Youssef, A.M.: Security tradeoffs in cyber physical systems: a case study survey on implantable medical devices. IEEE Access 4, 959–979 (2016)

    Article  Google Scholar 

  3. Kwarteng, E., Cebe, M.: A survey on security issues in modern implantable devices: solutions and future issues. Smart Health 100295 (2022)

  4. Deloitte: 2022 Global Health Care Outlook. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Life-Sciences-Health-Care/gx-health-care-outlook-Final.pdf. Accessed 16 Aug 2022

  5. Vakhter, V., Soysal, B., Schaumont, P., Guler, U.: Security for emerging miniaturized wireless biomedical devices: threat modeling with application to case studies. arXiv preprint arXiv:2105.05937 (2021)

  6. Moe, M.E.G.: Uncovering vulnerabilities in pacemakers. https://www.mnemonic.io/resources/blog/uncovering-vulnerabilities-in-pacemakers/. Accessed 23 Oct 2022

  7. FDA: Medtronic recalls remote controllers used with paradigm and 508 MiniMed insulin pumps for potential cybersecurity risks. https://www.fda.gov/medical-devices/medical-device-recalls/medtronic-recalls-remote-controllers-used-paradigm-and-508-minimed-insulin-pumps-potential. Accessed 23 Oct 2022

  8. FDA: Cybersecurity news. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity. Accessed 23 Oct 2022

  9. Manikandan, R., Sathyadevan, S.: Medical implant communication systems (MICS) threat modelling. In: 2021 2nd International Conference on Secure Cyber Computing and Communications (ICSCCC), pp. 518–523 (2021)

  10. Halperin, D., et al.: Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. In: 2008 IEEE Symposium on Security and Privacy (SP 2008), pp. 129–142 (2008)

  11. Sayegh, E.: Not an afterthought: security by design. https://www.forbes.com/sites/emilsayegh/2023/05/16/not-an-afterthought-security-by-design/?sh=120e2e831271. Accessed 7 Nov 2023

  12. CheckPoint: What is shift left security? https://www.checkpoint.com/cyber-hub/cloud-security/what-is-shift-left-security/. Accessed 24 Oct 2022

  13. Center, G.C.A.: DevOps tech: shifting left on security. https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security. Accessed 24 Oct 2022

  14. Camara, C., Pens-Lopez, P., Tapiador, J.E.: Security and privacy issues in implantable medical devices: a comprehensive survey. J. Biomed. Inform. Rev. 55, 272–289 (2015). https://doi.org/10.1016/j.jbi.2015.04.007. (in English)

    Article  Google Scholar 

  15. NIST: SP 800-30 Rev 1. Guide for Conducting Risk Assessments. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. Accessed 23 Aug 2022

  16. Bochniewicz, E., Chase, M., Coley, S.C., Wallace, K., Weir, M., Zuk, M.: Playbook for Threat Modeling Medical Devices. MITRE and the Medical Device Innovation Consortium (MDIC) (2021)

  17. FDA: Content of premarket submissions for management of cybersecurity in medical devices." https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-management-cybersecurity-medical-devices. Accessed 16 Aug 2022

  18. Forbes: How do we close the skills gap in the cybersecurity industry? https://www.forbes.com/sites/forbesbusinesscouncil/2023/02/28/how-do-we-close-the-skills-gap-in-the-cybersecurity-industry/?sh=490e5438e178. Accessed 23 June 2023

  19. CISA: Medical devices hard-coded passwords. https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01. Accessed 23 June 2023

  20. Shostack, A.: Experiences threat modeling at Microsoft. MODSEC@ MoDELS 2008, 35 (2008)

  21. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 16(1), 3–32 (2011)

    Article  Google Scholar 

  22. Hussain, S., Kamal, A., Ahmad, S., Rasool, G., Iqbal, S.: Threat modelling methodologies: a survey. Sci. Int. (Lahore) 26(4), 1607–1609 (2014)

    Google Scholar 

  23. Siddiqi, M.A., Seepers, R.M., Hamad, M., Prevelakis, V., Strydis, C.: Attack-tree-based threat modeling of medical implants. In: PROOFS@ CHES, pp. 32–49 (2018)

  24. Shostack, A.: Threat Modeling Designing for Security. John Wiley & Sons, Inc, London (2014)

    Google Scholar 

  25. LeBlanc, D.: DREADFUL. In: DREADFUL, (ed.) https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/dreadful: Microsoft, p. Microsoft Documentation (2007)

  26. Peeters, J.: Agile security requirements engineering. In: Symposium on Requirements Engineering for Information Security, vol. 12 (2005)

  27. Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)

    Google Scholar 

  28. Mitre.: MITRE ATT &CK® Matrix. https://attack.mitre.org/. Accessed 3 Aug 2022

  29. Van Palm, G., Legay, A.: Threat modeling with attack-defense trees

  30. Sodiya, A.S., Onashoga, S.A., Oladunjoye, B.A.: Threat modeling using fuzzy logic paradigm. Inf. Sci. Int. J. Emerg. Transdiscipl. 4(1), 53–61 (2007)

    Google Scholar 

  31. den Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stolen, K., Aagedal, J.O.: The CORAS methodology: model-based risk assessment using UML and UP. In: UML and the Unified Process: IGI Global, pp. 332–357 (2003)

  32. Conklin, L.: Threat modeling process. https://owasp.org/www-community/Threat_Modeling_Process#determine-and-rank-threats. Accessed 23 Jan 2023

  33. Crotty, J., Daniel, E.: Cyber threat: its origins and consequence and the use of qualitative and quantitative methods in cyber risk assessment. Appl. Comput. Inform. Ahead-of-print (2022)

  34. FIRST: Common vulnerability scoring system version 4.0: specification document. https://www.first.org/cvss/v4.0/specification-document. Accessed 14 June 2023

  35. FIRST: Common vulnerability scoring system v3.1 specification document. https://www.first.org/cvss/v3.1/specification-document. Accessed 16 June 2023

  36. FIRST: Common vulnerability scoring system (CVSS-SIG)—CVSS v4.0 calculator—public preview. https://www.first.org/cvss/calculator/4.0. Accessed 16 June 2023

  37. FIRST: Common vulnerability scoring system version 3.1 calculator. https://www.first.org/cvss/calculator/3.1. Accessed 16 June 2023

  38. Kwarteng, E., Cebe, M.: "MEDICALHARM—a threat modeling designed for modern medical devices. In: 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter UK (2023)

  39. Nishihara, S., Shinmen, N., Ebihara, T., Mizutani, K., Wakatsuki, N.: Design of secure near-field communication for smartphones using sound and vibration. In: 2017 IEEE 6th Global Conference on Consumer Electronics (GCCE), pp. 1–4 (2017)

  40. Singh, S.U., et al.: Advanced wearable biosensors for the detection of body fluids and exhaled breath by graphene. Microchim. Acta 189(6), 236 (2022)

    Article  MathSciNet  Google Scholar 

  41. Microsoft: What are the Microsoft SDL practices? https://www.microsoft.com/en-us/securityengineering/sdl/practices. Accessed 24 Oct 2022

  42. Xiong, W., Lagerström, R.: Threat modeling—a systematic literature review. Comput. Secur. 84, 53–69 (2019)

    Article  Google Scholar 

  43. Dhillon, D.: Developer-driven threat modeling: lessons learned in the trenches. IEEE Secur. Privacy 9(4), 41–47 (2011)

    Article  Google Scholar 

  44. Frydman, M., Ruiz, G., Heymann, E., César, E., Miller, B.P.: Automating risk analysis of software design models. Sci. World J. 2014 (2014)

  45. Dahbul, R.N., Lim, C., Purnama, J.: Enhancing honeypot deception capability through network service fingerprinting. J. Phys. Conf. Ser. 801(1), 012057 (2017)

    Article  Google Scholar 

  46. Baquero, A.O., Kornecki, A.J., Zalewski, J.: Threat modeling for aviation computer security. Crosstalk 28(6), 21–27 (2015)

    Google Scholar 

  47. Marback, A., Do, H., He, K., Kondamarri, S., Xu, D.: A threat model-based approach to security testing. Softw. Pract. Exp. 43(2), 241–258 (2013)

    Article  Google Scholar 

  48. Shevchenko, N., Chick, T.A., O’Riordan, P., Scanlon, T.P., Woody, C.: Threat modeling: a summary of available methods (2018)

  49. Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warf. Secur. Res. 1(1), 80 (2011)

    Google Scholar 

  50. Kim, D.-W., Choi, J.-Y., Han, K.-H.: Medical device safety management using cybersecurity risk analysis. IEEE Access, 8

  51. Ngamboé, M., Berthier, P., Ammari, N., Dyrda, K., Fernandez, J.M.: Risk assessment of cyber-attacks on telemetry-enabled cardiac implantable electronic devices (CIED). Int. J. Inf. Secur. 20, 621–645 (2021)

    Article  Google Scholar 

  52. Kopell, B.H., Greenberg, B., Rezai, A.R.: Deep brain stimulation for psychiatric disorders. J. Clin. Neurophysiol. 21(1), 51–67 (2004)

  53. UcedaVélez, T.: Threat modeling w/pasta: risk centric threat modeling case studies (2017)

  54. Ingalsbe, J.A., Kunimatsu, L., Baeten, T., Mead, N.R.: Threat modeling: diving into the deep end. IEEE Softw. 25(1), 28–34 (2008)

    Article  Google Scholar 

  55. H-ISAC: About health information sharing and analysis center. https://h-isac.org/about-h-isac/. Accessed 5 July 2023

  56. LinkedIn: Welcome to your Professional community. https://www.linkedin.com/. Accessed 5 July 2023

  57. Qualtrics: Build technology that closes experience gaps. https://www.qualtrics.com/about/. Accessed 5 July 2023

  58. Advisories, O.S.: OpenStack security advisories calibration. https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration. Accessed 19 June 2023

  59. MSDN, M.: Do you use DREAD as it is? http://social.msdn.microsoft.com/Forums/en-US/c601e0ca-5f38-4a07-8a46-40e4adcbc293/do-you-use-dread-as-it-is?forum=sdlprocess. Accessed 19 June 2023

  60. Wikipedia: DREAD (risk assessment model). https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)#cite_note-2. Accessed 19 June 2023

Download references

Acknowledgements

We are deeply grateful to Dr. Zimmer Michael for his invaluable input into the survey development. His insights and expertise were instrumental in creating the questionnaire for this study. We would also like to thank Dr. Jamila Kwarteng for supporting our data analysis. We thank our participants for being generous with their time and feedback to help us evaluate and improve MEDICALHARM. This research was internally funded and did not receive any specific grant from other funding agencies.

Funding

The authors did not receive support from any organization for the submitted work. The authors declare they have no financial interests.

Author information

Authors and Affiliations

  1. Marquette University, 1250 W Wisconsin Ave, Milwaukee, WI, 53233, USA

    Emmanuel Kwarteng & Mumin Cebe

Authors
  1. Emmanuel Kwarteng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mumin Cebe
    View author publications

    You can also search for this author in PubMed Google Scholar

Contributions

All authors contributed to the study’s conception and design. Material preparation, data collection, and analysis were performed by Emmanuel Kwarteng. The first draft of the manuscript was by Emmanuel Kwarteng and all authors commented, reviewed, and updated the manuscript. All authors jointly planned, reviewed, and approved the manuscript.

Corresponding author

Correspondence to Emmanuel Kwarteng.

Ethics declarations

Conflict of interest

The authors have no competing interests to declare that are relevant to the content of this article.

Ethical approval

The study was approved by the Marquette University Institutional Review Board (IRB). All respondents who participated in the evaluation of the methodology and responded to the survey were at least 18 years old. Potential participants were provided with written information on the first page and gave their consent to participate in the evaluation and the survey by clicking on the next button before proceeding.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Appendix

1.1 Pre-assessment questionnaire questions

Q1 How would you describe your familiarity with threat modeling?

  • \(\circ \) Very familiar

  • \(\circ \) Somewhat familiar

  • \(\circ \) Not very familiar

  • \(\circ \) Not at all familiar

  • \(\circ \) Not Applicable

Skip To: End of Survey If Q2 = Not Applicable

Skip To: End of Survey If Q2 = Not at all familiar

Q2 How often do you participate in threat modeling?

  • \(\circ \) Always: I always threat model every time I develop or make changes to a system or application

  • \(\circ \) Frequently: I threat model on a regular basis, such as during software development or as part of an incident response plan

  • \(\circ \) Occasionally: I threat model on an occasional basis, such as before making a significant change to a system or application

  • \(\circ \) Rarely: I have threat modeled a few times, but it’s not a regular practice

  • \(\circ \) Never: I have never threat modeled before

Skip To: End of Survey If Q3 = Never: I have never threat modeled before

1.2 MEDICALHARM evaluation questionnaire questions

Q1. At first glance, how easy was it to understand or memorize the MEDICALHARM acronyms?

  • \(\circ \) Extremely easy

  • \(\circ \) Somewhat easy

  • \(\circ \) Neither easy nor difficult

  • \(\circ \) Somewhat difficult

  • \(\circ \) Extremely difficult

Q2. At first glance, what do you think of the idea of combining security threats and associated risk evaluation under the same umbrella?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q3. How do you evaluate the idea of categorizing components into different trust zones in assisting with threat identification as a first impression?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q4. How effective do you think the MEDICALHARM model’s unique Threat Documentation is in providing clear and comprehensive insights into various threats and their corresponding risk assessment?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q5. Have you noticed the acronyms PT (Privacy Threat), CIT (Code Injection Threat), and others in our documentation? These represent subcategories under general threat categories. In our approach, we believe that sub-categorizing the sources of major threats is essential for a comprehensive understanding. For instance, an Access Breach could occur due to a Side Channel Threat or a Code Injection Threat.

Do you agree that this additional categorization will help to identify sources of some threats, such as Side-Channel or Privacy Threats, that could otherwise be overlooked?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q6. Do you think offering a detailed flow chart will help to identify threats while filling out the MEDICALHARM Threat Documentation?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q7. Do you think having a step-by-step algorithmic scheme will help experts to create a comprehensive threat analysis?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q8. Do you like having Mitigations and Controls in Threat Document?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q9. Our threat model requires a reevaluation of associated risks considering the existing mitigation and controls. We believe that this reevaluation step will lead to a better assessment of risks. Do you agree with this statement?

  • \(\circ \) I strongly like it. It seems like a valuable approach

  • \(\circ \) I somewhat like it. I see potential

  • \(\circ \) I’m neutral. I neither like nor dislike the idea at this point.

  • \(\circ \) I somewhat dislike it. I have concerns or reservations

  • \(\circ \) I strongly dislike it

Q10. Indicate whether you agree or disagree with these statements about the strengths and weaknesses of MEDICALHARM threat modeling methodology you evaluated

 

Agree

Neutral

Disagree

Structured approach to identify threats

\(\circ \)

\(\circ \)

\(\circ \)

Identify new and previously undiscovered threats during the design

\(\circ \)

\(\circ \)

\(\circ \)

Evaluate the effectiveness of existing security controls

\(\circ \)

\(\circ \)

\(\circ \)

Identify in-depth and third-party component threats or areas where additional protection may be needed

\(\circ \)

\(\circ \)

\(\circ \)

Resource-intensive to implement

\(\circ \)

\(\circ \)

\(\circ \)

Does not identify relevant threats

\(\circ \)

\(\circ \)

\(\circ \)

Does not consider and document the constraints of the system

\(\circ \)

\(\circ \)

\(\circ \)

Does not consider and document assumptions

\(\circ \)

\(\circ \)

\(\circ \)

Requires specialized skills and knowledge to perform effectively

\(\circ \)

\(\circ \)

\(\circ \)

Q11. Indicate whether you agree or disagree with these statements about MEDICALHARM threat modeling methodology you evaluated

 

Agree

Neutral

Disagree

The terminology used in the threat model is difficult to understand for non-security experts

\(\circ \)

\(\circ \)

\(\circ \)

The methodology is time-consuming

\(\circ \)

\(\circ \)

\(\circ \)

The used threat model causes the listing of the same threats due to overlapping threat categories

\(\circ \)

\(\circ \)

\(\circ \)

The used threat model mostly identifies only generic and high-level threat

\(\circ \)

\(\circ \)

\(\circ \)

There is a higher cross-correlational threat such that the elevation of privilege threat assumes that the system has already been spoofed

\(\circ \)

\(\circ \)

\(\circ \)

The used threat model does not provide a mechanism to assess risks and prioritize identified threats

\(\circ \)

\(\circ \)

\(\circ \)

The methodology does not consider architectural security decisions

\(\circ \)

\(\circ \)

\(\circ \)

Higher rate of False Positive

\(\circ \)

\(\circ \)

\(\circ \)

Higher rate of False Negative

\(\circ \)

\(\circ \)

\(\circ \)

Generates overwhelmingly high number of threats which becomes a challenge to review

\(\circ \)

\(\circ \)

\(\circ \)

While using the threat model, it is hard to document the identified threats and corresponding countermeasures for a better overall view

\(\circ \)

\(\circ \)

\(\circ \)

Q12. In what ways did MEDICALHARM threat modeling methodology help you understand the overall security posture of your system or product?

  • \(\Box \) Identifying vulnerabilities: My methodology helps me identify vulnerabilities in my system or product that could be exploited by attackers.

  • \(\Box \) Prioritizing risks: My methodology helps me prioritize the risks to my system or product based on their likelihood and impact.

  • \(\Box \) Identifying attack vectors: My methodology helps me identify the ways in which attackers could potentially gain access to or exploit my system or product.

  • \(\Box \) Evaluating controls: My methodology helps me evaluate the effectiveness of existing security controls in my system or product.

  • \(\Box \) Understanding the system: My methodology helps me understand the architecture and design of my system or product, which allows me to identify potential weaknesses.

  • \(\Box \) Documenting threats and controls: My methodology helps me document all identified threats and controls.

  • \(\Box \) Other (please specify below)

Q13. Overall, how satisfied or dissatisfied are you with MEDICALHARM threat modeling methodology?

  • \(\circ \) Extremely satisfied

  • \(\circ \) Somewhat satisfied

  • \(\circ \) Neither satisfied nor dissatisfied

  • \(\circ \) Somewhat dissatisfied

  • \(\circ \) Extremely dissatisfied

Q14. What changes, if any, would you like to see improved to MEDICALHARM threat modeling methodology?

NOTE: Please do not enter any proprietary or personal information.

Q15 Did you participate in our previous Threat Modeling Pre-assessment survey?

  • \(\circ \) Yes

  • \(\circ \) No

1.3 STRIDE threat tables

See Tables 15 and 16.

Table 15 STRIDE-per-interaction
Full size table
Table 16 STRIDE per Element
Full size table

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Kwarteng, E., Cebe, M. MEDICALHARM: A threat modeling designed for modern medical devices and a comprehensive study on effectiveness, user satisfaction, and security perspectives. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00826-y

Download citation

  • Published:

  • DOI: https://doi.org/10.1007/s10207-024-00826-y

Keywords

Search

Navigation