Overview
The first step in telemedicine risk assessment is identifying the assets involved and calculating their values. The attack tree is used to estimate all security threats likely faced by each asset, as identified in each of the seven telemedicine security threat areas. As illustrated in Fig. 5, the AOP is calculated using the OR and AND connectors, which are the gates for each node representing attack advancement towards the goal.
In principle, the attack success probability (ASP) of a potential attack increases in direct proportion to the attacker’s motivation and in inverse proportion to the effort required for mounting the attack. In this study, the asset value, AOP, and ASP are used as the parameters for assessing the security risks associated with telemedicine.
Asset value
The U.S. National Institute of Standards and Technology (NIST) developed a Risk Management Framework (RMF) to protect computer networks from cyberattacks. [42] The NIST-RMF guidelines categorize risk management activities into the following six security lifecycle steps: (1) categorize, (2) select (based on factors such as minimum security requirements and cost analysis), (3) implement (tailor to the given security environment), (4) assess (determine whether operating as intended), (5) authorize (determine whether the risk is acceptable), and (6) monitor (detect changes or signs of attack). Federal Information Processing Standards Publication 199 (FIPS PUB 199) defines the categorization criteria for information and information system security (based on the potential impact of the system) in order to provide a common framework for taxonomy. It sets three security objectives (confidentiality, integrity, and availability) and defines the levels of the potential effect of security breaches on individuals and organizations as low, moderate, and high. [43]
When categorizing threats, the total asset value for each asset to be protected is calculated as follows:
where AVa is the total asset value (3–12) of asset a, calculated as the sum of the scores (1–3) assigned to the items associated with the asset value (the contributions of confidentiality, integrity, and availability). Table 1 lists the criteria for evaluating the asset value. The asset values of each of the four evaluated items (security objectives) are rated on a three-point scale. The total asset value score is calculated by adding all of the individual scores, and the asset value grade is determined based on the calculated result.
The asset value is assessed in terms of each of the four security objectives (confidentiality, integrity, availability, and asset contribution) at three levels corresponding to the potential effect of each security objective, as described in Table 2, and varies between 3 and 12. By substituting the calculated value into Eq. (1), the asset-value-dependent importance grade, which ranges from 1 to 5, can be obtained.
Table 3 presents the definitions of each of the importance grades categorized above. The evaluated asset values are analyzed, mutatis mutandis, using ISO/IEC 27005 [17] and ISO 31000 RM [44], and examined, mutatis mutandis, using the risk assessment method based on confidentiality, integrity, and availability, as per NIST 800-37 RMF, FIPS PUB 199, and the Failure Mode, Effects, and Criticality Analysis (FMECA) [45].
Attack occurrence probability (AOP)
AOP is defined as the ratio of the number of attack events of all of the children to the number of attack nodes linked to the parent node in order to achieve the attack goal of the parent node. It is calculated as follows. [42] Let the child node (“X”) be a leaf node; then, AOP = 1 (see Eqs. (2) and (3)).
However, such an attack tree scenario has two major limitations. First, no weight is assigned to the nodes, even though every node has a different risk level and its potential threat can result in different degrees of damage. Second, instead of comparing the node occurrence probabilities, only the probability of achieving the upper node goal is indicated, without considering the node occurrence frequency and the risk level of each node, which makes it difficult to numerically quantify the security threat vulnerabilities of telemedicine devices. The AOP is calculated by designing an attack tree for each security threat scenario according to the seven telemedicine security threat areas, as illustrated in Fig. 6.
The AOP for the example in Fig. 6 can be calculated as follows. Because ν8 or ν9 can be selected to move to ν4, ν2 has an AOP of 1/2. Further, as one of the methods represented by ν4, ν5, ν6, and ν7 must be selected to achieve ν4, its AOP is 1/4. Because the single node ν3 is selected to achieve ν1, its AOP is one. Consequently, if the attack target is the user, the AOP for patient information leakage is calculated to be 6.25%, as follows:
Following attack tree construction for each of the seven telemedicine security threat areas, the AOP of each attack tree is calculated, and a score is assigned to each area accordingly. An AOP assessment grade is allocated to each area on a three-point scale, as per the AOP value calculated by Eq. (4) and in keeping with the evaluation criteria (Table 4).
Attack success probability (ASP)
ASP, defined in ISO/IEC 15408 [46] and ISO/IEC 18045 [47], is assessed based on the following factors [47]:
- Time taken by an attacker to identify a vulnerability, develop an attack method, and mount the attack
- Specialist expertise required
- Knowledge of the system under investigation
- Window of opportunity to access the attack target
- IT hardware/software or other equipment required to identify and exploit a vulnerability
These factors affecting ASP are not independent; rather, they are interchangeable to some degree. For example, the expertise and equipment needed can be replaced by the elapsed time (see Table 5).
ASP is calculated by applying the factor value (Table 5) as per the attack scenario for the seven telemedicine security threat areas. Subsequently, a rating is assigned based on the attack potential value (see Table 6), and categorization is performed based on the attack potential level (see Table 7). To calculate the ASP of each security threat, the categorized ASP levels are mapped onto the leaf nodes of the attack tree. For example, each leaf node in Fig. 6 is mapped at the ASP level assigned to it according to the ASP estimates (see Table 7).
Risk
The telemedicine risk value (RV) is the product of the AV, AOP, and ASP:
The calculated RVs are assessed at three levels: low, normal, and high (see Table 8).
When interpreting the risk assessment results, the higher the AV, AOP, and ASP levels, the higher the RV (see Fig. 7).
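As an added illustration of the AOP path product (Eqs. (2)–(4)) and the RV product above, not code from the paper, the following builds its own small attack tree, maps an assumed ASP level onto each leaf, and multiplies AV, AOP, and ASP for one leaf. OR gates follow the paper's 1/n ratio; treating every AND branch as always taken is my assumption, and the grading thresholds of Tables 4, 6–8 are not reproduced, so raw values are multiplied.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    """Attack tree node: inner nodes carry an OR/AND gate, leaves an ASP level."""
    name: str
    gate: Optional[str] = None       # "OR", "AND", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    asp_level: Optional[int] = None  # categorized ASP level mapped onto the leaf (constructed)

def branch_probability(parent: Node) -> float:
    """OR gate: one of n alternatives is chosen, so 1/n (the paper's ratio definition).
    AND gate: every child is required, so the branch is always taken (assumed 1.0)."""
    return 1.0 / len(parent.children) if parent.gate == "OR" else 1.0

def find_path(node: Node, target: str) -> List[Node]:
    """Root-to-node path ending at the node named `target`, or [] if absent."""
    if node.name == target:
        return [node]
    for child in node.children:
        path = find_path(child, target)
        if path:
            return [node] + path
    return []

def path_aop(root: Node, target: str) -> float:
    """AOP of reaching `target`: product of the branch probabilities of every
    parent on the root-to-target path; a node on its own (e.g. the root) has AOP 1."""
    path = find_path(root, target)
    if not path:
        raise KeyError(target)
    aop = 1.0
    for parent in path[:-1]:
        aop *= branch_probability(parent)
    return aop

def leaf_risk(root: Node, leaf: str, av: float) -> float:
    """RV = AV x AOP x ASP for one leaf, using the ASP level mapped onto that leaf."""
    return av * path_aop(root, leaf) * find_path(root, leaf)[-1].asp_level

# Constructed tree (not the paper's Fig. 6); goal: leak of patient data.
TREE = Node("leak patient data", "OR", [
    Node("compromise user endpoint", "OR", [Node("phishing", asp_level=2),
         Node("keylogger", asp_level=3), Node("shoulder surfing", asp_level=1),
         Node("malicious app", asp_level=3)]),
    Node("intercept session", "AND", [Node("join same network", asp_level=2),
         Node("capture unencrypted traffic", asp_level=2)])])
```

For the constructed tree, `path_aop(TREE, "phishing")` is 1/2 × 1/4 = 0.125, and `leaf_risk(TREE, "keylogger", 4)` is 4 × 0.125 × 3 = 1.5.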
Security requirements prioritization
The telemedicine risk analysis results represent the security threat risk levels and can be interpreted in terms of the relative effect of a given attack. The appropriate security guidelines will have to be established based on the AV of each threat while considering its AOP and ASP (see Table 9).