CWRAF Vignette Details - Domain pub-health
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator: Bob Martin (MITRE)
Document Editor: Steve Christey (MITRE)
CWRAF Vignettes - pub-health
Within the Common Weakness Risk Analysis
Framework (CWRAF), a vignette
provides a shareable, formalized way to define a particular
environment, the role that software plays within that environment, and
an organization's priorities with respect to software security. It
identifies essential resources and capabilities, as well as their
importance relative to security principles such as confidentiality,
integrity, and availability. For example, in an e-commerce context,
99.999% uptime may be a strong business requirement that drives the
interpretation of the severity of discovered weaknesses.
Vignettes allow CWSS to
support diverse audiences who may have different requirements for how
to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.
This page currently contains details for 2 vignettes within
the "pub-health" domain. These are illustrative only; the CWRAF
community will help to refine these and develop others. Feedback is
welcome.
Vignette Summary
Name | Description
Medical Billing | Medical encoding and billing. Data used includes Electronic Health Records (EHR), financial management, and interactions with insurance companies.
Human Medical Devices | Medical devices - "implantable" or "partially embedded" in humans, as well as usage in clinic or hospital environments ("patient care" devices). Includes items such as pacemakers and automatic drug delivery. Control or monitoring of the device might be performed by smartphones. The devices are not in a physically secured environment.
Vignette Details
Vignette Definition: Medical Billing
Name | Medical Billing
ID | med-billing
Maturity | under-development
Domain | pub-health
Desc | Medical encoding and billing. Data used includes Electronic Health Records (EHR), financial management, and interactions with insurance companies.
Archetypes | Web browser, Web server, Database, General-purpose OS, B2B Communications
Business Value Context (BVC) | Privacy is very important; one source claims it is the largest obstacle to sharing medical records, yet life-and-death situations (critical care) may have different criteria than a clinical setting. Electronic medical record breaches could lead to discrimination, not just personal embarrassment or discomfort. Availability is less important: an outage could delay billing but does not directly affect the health of the patient.
Notes |
References |
- Blog entry: privacy considerations and EHR. Quote: "Privacy concerns have been the main deterrent to 'wiring' medical records... in life-and-death cases, ease of access to patient records can make a critical difference. Electronic medical record breaches open the door to new kinds of discrimination. Imagine a healthy person losing a job opportunity because her family history suggests an elevated risk of a debilitating disease. Imagine embarrassing disclosures based on prescription drug information. Imagine insurers -- let's assume for a moment that not every insurer is scrupulous -- basing payment decisions on information they are not legally allowed to see."
- Hospital Employee's Stolen Laptop Contained Info for 21K Patients. Birth dates, SSNs, and insurance information were stolen with the laptop; the employee had downloaded this data to a personal laptop, where it was stored unencrypted.
- Usenix HealthSec '10 report.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 8 | Attacker could modify billing amount or recipient, leading to financial loss.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 6 | Privacy / HIPAA violations if unauthorized people can read medical records or financial PII.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 4 | Billing is delayed, but other methods may be utilized if an outage is extended.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 4 | Billing is delayed, but other methods or channels may be utilized if an outage is extended.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | 10 | Attacker could shut down the system or disable the application.
Execute unauthorized code or commands | Application | 10 | Attacker could read or modify billing data, private patient information (financial and medical), shut down the system.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 7 |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | 7 |
Bypass protection mechanism | Application | 7 |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 2 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 2 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 2 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Enterprise | 2 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Vignette Definition: Human Medical Devices
Name | Human Medical Devices
ID | med-device
Maturity | under-development
Domain | pub-health
Desc | Medical devices - "implantable" or "partially embedded" in humans, as well as usage in clinic or hospital environments ("patient care" devices). Includes items such as pacemakers and automatic drug delivery. Control or monitoring of the device might be performed by smartphones. The devices are not in a physically secured environment.
Archetypes | Web client, General-purpose OS, Embedded Device, Smartphone
Business Value Context (BVC) | Power consumption and privacy are concerns, and key management is important. Ease of access during emergency care must be balanced against patient privacy and day-to-day security. Integrity and availability are essential: improper execution or failure of the device could lead to illness or death.
Notes |
References |
- Implantable Medical Devices: Security and Privacy for Pervasive, Wireless Healthcare. Video and slides available at bottom of page.
- Medical device security center - publications.
- Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices. Includes some discussion of properties/priorities.
- Improving the Security and Privacy of Implantable Medical Devices. William H. Maisel, M.D., M.P.H., and Tadayoshi Kohno, Ph.D. N Engl J Med 2010; 362:1164-1166. April 1, 2010.
- Usenix HealthSec '10 report. "Approximately 13 different attacks" reported to FDA. Distinction between "implanted" (pacemakers) vs. "partially embedded" (e.g. insulin pump). Insulin pumps can have remote wireless interfaces, ability to update settings by PC or smartphone. Some mention of keeping "emergency-access" keys - e.g., on wristbands, or implanted in skin (tattoos).
- Insulin Pump Security. Nate Paul et al. Includes an insulin pump system threat model. Smartphones can interact with the pump.
- Security and Privacy for Implantable Medical Devices. Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. Pervasive Computing, Vol. 7, No. 1, January-March 2008. ICD (implantable cardiac defibrillators), drug delivery, neurostimulators.
- Medical Device Security. Elliot Sloane, Drexel.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | 10 | Device failure or instability could cause sudden medical emergency due to modification of critical settings such as amount and frequency of treatment delivery.
Modify data | Application | 10 | Device failure or instability could cause sudden medical emergency due to modification of critical settings such as amount and frequency of treatment delivery.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 7 | Violate patient expectations of privacy, leading to embarrassment or abuse.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | 10 | Device failure or instability could prevent treatment and suddenly cause medical emergency.
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | 8 | Slowdown of device operation could lead to eventual medical emergency. Could significantly increase power consumption.
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | 10 | Device failure or instability could suddenly cause medical emergency.
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | 1 | Device is typically not multi-user.
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | 7 | Successful attack could lead to device failure or slowdown.
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 3 | Unable to identify source of attack. Failure symptoms might not indicate that an attack even took place.
Hide activities | Application | 3 | Unable to identify source of attack. Failure symptoms might not indicate that an attack even took place.
Hide activities | Network | |
Hide activities | Enterprise | |
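The two scorecards above, as an added example (not MITRE's code) of how a vignette changes the Technical Impact subscore for the same weakness: it encodes the non-blank cells of both pub-health scorecards and looks up the subscore for a weakness given the (impact, layer) pairs it can cause. It assumes, since the page does not state the combination rule, that the highest scored cell wins and that blank cells mean "not scored" rather than zero.

```python
# Added example (not MITRE's code): the two pub-health Technical Impact
# Scorecards from this page as data, plus a lookup that gives the
# vignette-specific Technical Impact subscore for one weakness.
# Assumption not stated on the page: a weakness is described by the
# (impact, layer) pairs it can cause, the vignette's subscore is the
# highest scored cell among them, and blank cells count as "not scored".
from typing import Dict, Iterable, Optional, Tuple

Cell = Tuple[str, str]  # (technical impact, layer)
MED_BILLING: Dict[Cell, int] = {  # non-blank cells only
    ("Modify data", "Application"): 8,
    ("Read data", "Application"): 6,
    ("DoS: unreliable execution", "Application"): 4,
    ("DoS: resource consumption", "Application"): 4,
    ("Execute unauthorized code or commands", "System"): 10,
    ("Execute unauthorized code or commands", "Application"): 10,
    ("Gain privileges / assume identity", "Application"): 7,
    ("Bypass protection mechanism", "System"): 7,
    ("Bypass protection mechanism", "Application"): 7,
    ("Hide activities", "System"): 2,
    ("Hide activities", "Application"): 2,
    ("Hide activities", "Network"): 2,
    ("Hide activities", "Enterprise"): 2,
}
MED_DEVICE: Dict[Cell, int] = {
    ("Modify data", "System"): 10,
    ("Modify data", "Application"): 10,
    ("Read data", "Application"): 7,
    ("DoS: unreliable execution", "System"): 10,
    ("DoS: resource consumption", "System"): 8,
    ("Execute unauthorized code or commands", "System"): 10,
    ("Gain privileges / assume identity", "System"): 1,
    ("Bypass protection mechanism", "System"): 7,
    ("Hide activities", "System"): 3,
    ("Hide activities", "Application"): 3,
}
VIGNETTES = {"med-billing": MED_BILLING, "med-device": MED_DEVICE}

def technical_impact(vignette_id: str, impacts: Iterable[Cell]) -> Optional[int]:
    """Highest scored cell for the weakness, or None if none is scored."""
    scorecard = VIGNETTES[vignette_id]
    scored = [scorecard[cell] for cell in impacts if cell in scorecard]
    return max(scored) if scored else None

def compare(impacts: Iterable[Cell]) -> Dict[str, Optional[int]]:
    """Same weakness scored under every vignette on this page."""
    cells = list(impacts)  # allow a one-shot iterator to be reused
    return {vid: technical_impact(vid, cells) for vid in VIGNETTES}
```

A constructed weakness that can crash the host (DoS: unreliable execution at the System layer) and expose records (Read data at the Application layer) scores 6 under med-billing but 10 under med-device, which is exactly the prioritization difference the vignettes are meant to capture.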