Threat Modeling in Healthcare

Bill Wells
6 min read · Mar 14, 2022

This post reviews three threat models, STRIDE, PASTA, and VAST, that can be used to mitigate damage caused by attacks, both external and internal, to healthcare information systems (HIS). It further discusses the critical importance of maintaining the integrity and confidentiality of patient health information (PHI). Consideration of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is given. Additionally, acuity labeling of particular risks is shown using STRIDE and DREAD.

Threat Modeling in Healthcare
Threat modeling is a process healthcare entities use to mitigate risk to healthcare information systems (HIS). It creates a proactive threat response plan, helps identify threat vectors, and guides these entities in developing detection processes and mitigation techniques. It prioritizes entity-specific risks to serve as guidelines during the selection and implementation of security processes. Further, it provides focus on threats and their potential risks at both senior-level management and operations (Gonzalez, 2020).
Unique to healthcare entities, including covered healthcare providers, health plans, clearinghouses, and business associates that transmit personal health information (PHI), is the statutory governance of the Health Insurance Portability and Accountability Act of 1996. Since its inception, when it created standards to prevent disclosure of PHI, HIPAA has become a complex amalgam of amendments to the original Act specifying significant penalties for covered providers that allow the release of PHI. These penalties provide incentives to implement the most stringent security methods.
The literature describes many threat modeling methods, some of which are better suited to hospital HIS and other healthcare entities. Twelve methods are considered. Of these twelve models, STRIDE, PASTA, and VAST are considered for implementation. The DREAD model is also summarized as an adjunct and may be incorporated as an additional framework to assess risk where the chosen model does not do so. These methods create an abstraction of the HIS, profile the attacker mindset, and proactively consider a catalog of risks ranked by potential damage.

Summarization of Three Threat Models

STRIDE
STRIDE, adopted by Microsoft in 2002, is currently the most mature threat model. While Microsoft has discontinued maintenance of this model, it has incorporated STRIDE as part of the Microsoft Security Development Lifecycle along with their still-available Threat Modeling Tool. The STRIDE acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, and the model is described as a three-phase process. In phase one, the less-technical STRIDE model evaluates the existing system asset topology by building data flow diagrams. In phase two, STRIDE identifies potential threats in each of the acronym's categories. Phase three considers mitigation of the identified threats.

This list further describes the STRIDE acronym components:

• Spoofing — users attempt to imitate someone or something else
• Tampering — the threat of code, network, or data modification
• Repudiation — disavowing an action that may be either true or false
• Information Disclosure — data are disclosed via breach or intentional action to someone not authorized to view or possess the information
• Denial of Service — the threat that could deny legitimate access to HIS by overloading system components
• Elevation of Privilege — the threat of attackers acquiring additional privileges (privilege escalation) to gain unauthorized access to data

PASTA
The Process for Attack Simulation and Threat Analysis (PASTA) is a dynamic risk-centric approach that correlates organizational risk with technical requirements (Gonzalez, 2020). Considered a strategic threat modeling method, PASTA involves key decision-makers. Input from the hospital's various departments is considered from the perspective of the attacker's mindset. Various tools for design and input elicitation yield an asset-centric scoring of threat risks through a seven-stage process:

1. Define Objectives — overall objectives of the hospital are defined.
2. Define Technical Scope — technical assets and HIS components are compiled.
3. Application Decomposition — application use cases and ingress/egress points are considered, usually by using Data Flow Diagrams to show trust boundaries and visualize functions.
4. Threat Analysis — known threat intelligence is considered and analyzed using correlation and other analytical methods.
5. Vulnerability Detection and Weakness Analysis — existing vulnerabilities are mapped, scored, and tracked.
6. Attack Modeling — attack trees, as described in Shevchenko (2018), are used to diagram attack surfaces and consider vulnerability and exploit analysis.
7. Risk and Impact Analysis — the impact of threats is assessed and countermeasures are identified.

VAST
The Visual, Agile, and Simple Threat (VAST) Modeling method is recognized for scalability and usability. Based on the Agile project management framework, it is used primarily to integrate threat recognition and mitigation into the projects of Agile development and infrastructure teams. An attacker mindset is considered using VAST. Supplemented by process flow diagrams, application and operational threat models are developed (Chapple et al., 2018; Shevchenko et al., 2018).

DREAD
Though not a threat model per se, DREAD is an adjunctive tool used with threat models that lack the capability to enumerate a threat's risk level. DREAD is another mnemonic model (Damage, Reproducibility, Exploitability, Affected users, and Discoverability). It considers five aspects of a threat, and each aspect is assigned a value from 1 (low) to 3 (high). The sum of all aspects is then divided by five to yield a three-tier low, medium, or high value.

Model Selection Justification

STRIDE
• Mitigation methods are identified
• Mature product
• Rich documentation is available
• Considers threat vectors
• Ease of adoption

PASTA
• Mitigation methods are identified
• Stakeholder collaboration is encouraged
• Rich documentation is available
• Within-app threat ranking

VAST
• Mitigation methods are identified
• Stakeholder collaboration is encouraged
• Consistent results
• Agile-focused

In recommending STRIDE, one noted feature is the model's focus on threat vectors. Since HIS require external access to function efficiently, authorization and authentication are critical. Various external applications need access to specific data; billing, scheduling, medical review, procedure entry, and care plan modification are a few examples. While some of these functions are also performed internally, medical staff and third-party payers are often provided network access over Internet-facing connections. It is essential to consider access control, including authorization and authentication, whether based on roles or attributes or on the novel BiLayer Access Control Model. STRIDE considers the vectors attackers could use to circumvent access control.

Security Threat Labeling
Twenty-two potential threat categories could affect HIS. The list is expanded with the five most critical risks facing HIS: power loss, human error, technological obsolescence, hardware failure, and software errors. Four tables consider threats using STRIDE categories and DREAD labels, which are more applicable to the recommended threat model; they cover authentication threats, authorization and access threats, privacy threats, and adversarial learning threats.
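A worked scoring routine, added here and not part of the original post, that applies the DREAD rule stated in the DREAD section (five aspects rated 1 to 3, summed and divided by five) to STRIDE-labelled HIS threats and ranks them by acuity, the labeling this section describes. The tier cut-offs and the sample threat catalog are assumptions, since the post does not give them.

```python
from dataclasses import dataclass
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")   # the six categories in the post
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")            # five aspects, each rated 1..3

@dataclass
class Threat:
    name: str
    stride: str    # one of STRIDE
    ratings: dict  # DREAD aspect -> 1 (low), 2 or 3 (high)

def dread_score(ratings: dict) -> float:
    # Sum of the five aspects divided by five, as the post describes (1.0 .. 3.0).
    if set(ratings) != set(DREAD):
        raise ValueError(f"ratings must cover exactly {DREAD}")
    if any(v not in (1, 2, 3) for v in ratings.values()):
        raise ValueError("each DREAD aspect is rated 1 (low) to 3 (high)")
    return sum(ratings.values()) / 5

def tier(score: float) -> str:
    # Three-tier label; the cut-offs (equal-width bins over 1..3) are an assumption.
    if score < 5 / 3:
        return "low"
    if score < 7 / 3:
        return "medium"
    return "high"

def label(threat: Threat) -> dict:
    # Attach the STRIDE category, numeric DREAD score and tier to one threat.
    if threat.stride not in STRIDE:
        raise ValueError(f"unknown STRIDE category: {threat.stride}")
    score = dread_score(threat.ratings)
    return {"name": threat.name, "stride": threat.stride, "score": score, "tier": tier(score)}

def rank(threats) -> list:
    # Highest acuity first, so the catalog reads as a prioritised mitigation list.
    return sorted((label(t) for t in threats), key=lambda r: r["score"], reverse=True)

# Constructed sample catalog of HIS threats (illustrative; not taken from the post).
SAMPLE = [
    Threat("Reused credentials accepted by the patient portal", "Spoofing",
           dict(damage=3, reproducibility=3, exploitability=2, affected_users=3, discoverability=3)),
    Threat("Lab-to-EHR interface messages modified in transit", "Tampering",
           dict(damage=3, reproducibility=2, exploitability=2, affected_users=2, discoverability=1)),
    Threat("Clinician disputes a chart edit that has no audit trail", "Repudiation",
           dict(damage=1, reproducibility=1, exploitability=1, affected_users=1, discoverability=2)),
]
for row in rank(SAMPLE):
    print(f"{row['tier']:>6}  {row['score']:.2f}  {row['stride']:<22}  {row['name']}")
```

Each row of the output is one line of the kind of STRIDE/DREAD table this section refers to, with the tier deciding which mitigations are scheduled first.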

CEO Summary
The recommendation is to implement STRIDE for threat modeling and DREAD for threat ranking. STRIDE is a mature, well-documented product enhanced by Microsoft. The acronym represents significant threats the hospital could face in an attack, either external or internal. STRIDE considers Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. By considering threat vectors, methods to mitigate an attack are identified. It is proactive and easily adopted.
DREAD provides a method to calculate an acceptable risk appetite. This ranking method considers five areas of risk. Numerical scores are given to each identified threat based on these areas, resulting in a three-level score of low, medium, or high. DREAD simplifies the effort of threat modeling when coupled with threat analysis.

Conclusion
This paper presented an overview of three threat modeling methods that could be used in healthcare. A combination of STRIDE and DREAD was selected to identify risks and quantify the risks’ acuities. It discussed HIPAA’s impact on the operation and governance of PHI. Further, it discussed the critical risks of human intervention and functional obsolescence, demonstrating the necessity of healthcare systems to improve in these categories.
