Abstract
Digital health data is created, stored and processed in healthcare IT infrastructures. These infrastructures are the target of large-scale cyber-attacks and are found to be vulnerable for two main reasons: the heterogeneity of the infrastructure and the numerous stakeholders (medical staff, managers, patients, regulators, etc.). Furthermore, the stakeholders have different attitudes, skills, awareness and data handling practices, which offer many opportunities for malicious activities. Healthcare in general is characterised by a multitude of regulations, and adherence to them is essential to the functioning of the system. Compliance management is usually described in terms of risks and involves activities such as risk identification, assessment and treatment. Our paper conceptualises the notion of a “compliance threat” and discusses the security of cross-border health data exchange. The paper presents the architecture of the System Security Modeller and illustrates the security risk assessment of the “break glass” scenario, which requires health data communication in an emergency situation.
Acknowledgement
The work presented in this paper was funded by the European Union’s H2020 research and innovation programme under grant agreement No. 727301 (SHiELD).
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Surridge, M. et al. (2019). Modelling Compliance Threats and Security Analysis of Cross Border Health Data Exchange. In: Attiogbé, C., Ferrarotti, F., Maabout, S. (eds) New Trends in Model and Data Engineering. MEDI 2019. Communications in Computer and Information Science, vol 1085. Springer, Cham. https://doi.org/10.1007/978-3-030-32213-7_14
DOI: https://doi.org/10.1007/978-3-030-32213-7_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32212-0
Online ISBN: 978-3-030-32213-7
eBook Packages: Computer Science (R0)