Threat Model Process

From Direct Project
Healthcare today has diverse needs with regard to sharing data and securely moving patient information among systems. Within Health Level Seven (HL7) and Integrating the Healthcare Enterprise (IHE) there are Risk Assessment Cookbook processes built around risk assessments, and security is the common thread that connects all of them. Increasingly, healthcare organizations and technology vendors perform assessments (threat risk assessments, privacy impact assessments, business impact assessments, etc.) to ensure that installed healthcare technology will have a positive impact on healthcare delivery. These risk assessments are mandated for healthcare delivery organizations in some countries. Unfortunately, key decision makers often have difficulty understanding the relevance of the risks identified, and risks are often overlooked when standards are written.

The Goal

This process is intended to enable the Direct Project to publish standards that have taken privacy and security considerations into account. This guide introduces security risk assessments and a process to facilitate completing a security risk assessment for the Direct Project work. Using this process helps identify gaps in a specification's baseline security and privacy, allowing the working group either to update the standard itself or to document the gaps. This will lead to specifications that include privacy and security as part of their base, reducing the need to “bolt” security on later. As a result, the Direct Project specification will better support patient privacy and improved patient outcomes.

The Process

The formal cookbook from HL7 is documented, and training is available, in the Resources section below. The text that follows comes from section 2 of the cookbook document.

When considering security and privacy issues associated with a standard, one must:
  1. Identify (See section 2.2)
    1. Clearly define the scope of the standard, including the baseline assumptions
    2. Identify new threat scenarios and describe the type of impact each scenario implies
  2. Analyze (See section 2.3)
    1. Determine the level of impact and the likelihood of occurrence for each threat scenario, and from these determine its risk
    2. Prioritize these risks in order to focus on the most important ones
  3. Plan (See section 2.4)
    1. Determine the mitigation strategies that should be implemented for all medium- to high-risk threat scenarios
  4. Track (See section 2.5)
    1. Assess the effect of applying the mitigation strategies
    2. Reassess the risks by repeating steps 2 and 3 until all medium- and high-risk threat scenarios have been addressed
  5. Document all security considerations (See section 2.6)
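The five steps above form one loop, and the risk assessment spreadsheets linked at the bottom of this page are essentially registers that walk through it. The following Python script is an added example of that loop in code; it is not part of the Direct Project wiki or the HL7 cookbook. The three-point impact and likelihood scales, the product-based risk matrix, the sample threat scenarios (constructed around a Direct-style secure messaging exchange) and the mitigation plan are all assumptions made for illustration, not values taken from the cookbook. The point it shows that the prose alone does not is the Track step: a scenario with no planned mitigation stays open after the loop and surfaces as a gap for the working group to document.

```python
"""Toy risk register that walks Identify / Analyze / Plan / Track.

Added example, not from the Direct Project or the HL7 cookbook. Scales,
matrix, scenarios and mitigations below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ThreatScenario:
    """Identify step: one threat scenario with its assessed impact and likelihood."""
    name: str
    impact: int                       # assumed scale: 1 = low, 2 = medium, 3 = high
    likelihood: int                   # assumed scale: 1 = low, 2 = medium, 3 = high
    mitigations: list = field(default_factory=list)

    def score(self) -> int:
        return self.impact * self.likelihood

    def risk(self) -> str:
        """Analyze step: assumed matrix bucketing impact x likelihood into a risk level."""
        if self.score() >= 6:
            return "high"
        if self.score() >= 3:
            return "medium"
        return "low"


def prioritize(scenarios):
    """Analyze step: rank scenarios so the highest risk is handled first."""
    return sorted(scenarios, key=lambda s: (-s.score(), s.name))


def needs_mitigation(scenario) -> bool:
    """Only medium and high risks must be mitigated before the loop can end."""
    return scenario.risk() in ("medium", "high")


def apply_mitigation(scenario, mitigation):
    """Plan step: a mitigation lowers impact and/or likelihood (never below 1)."""
    name, impact_delta, likelihood_delta = mitigation
    scenario.impact = max(1, scenario.impact + impact_delta)
    scenario.likelihood = max(1, scenario.likelihood + likelihood_delta)
    scenario.mitigations.append(name)


def track(scenarios, plan, max_rounds=10):
    """Track step: apply the next planned mitigation to every open medium/high
    scenario, reassess, and repeat until none remain or no plan is left.
    Returns (rounds applied, names of scenarios still at medium/high)."""
    rounds = 0
    while rounds < max_rounds:
        open_items = [s for s in prioritize(scenarios) if needs_mitigation(s)]
        if not open_items:
            break
        progressed = False
        for s in open_items:
            queue = plan.get(s.name, [])
            if queue:
                apply_mitigation(s, queue.pop(0))
                progressed = True
        if not progressed:          # remaining open items have no planned mitigation
            break
        rounds += 1
    return rounds, [s.name for s in scenarios if needs_mitigation(s)]


def security_considerations(scenarios):
    """Document step: residual risk and applied mitigations per scenario."""
    return [{"scenario": s.name, "residual_risk": s.risk(),
             "mitigations": list(s.mitigations)} for s in scenarios]


def sample_register():
    """Constructed sample scenarios and mitigation plan (assumptions, not cookbook data)."""
    scenarios = [
        ThreatScenario("Message content read in transit", 3, 3),
        ThreatScenario("Message delivered to unintended recipient", 3, 2),
        ThreatScenario("Sender and recipient addresses observed in transit", 1, 3),
        ThreatScenario("Message delayed by transient relay outage", 1, 2),
        ThreatScenario("Insider at HISP reads stored messages", 3, 1),   # no plan: a gap
    ]
    plan = {
        "Message content read in transit": [
            ("Encrypt message body with S/MIME", -2, 0),
            ("Require TLS between HISPs", 0, -2)],
        "Message delivered to unintended recipient": [
            ("Validate recipient certificate before sending", 0, -1),
            ("Encrypt to recipient certificate so misdelivery stays unreadable", -2, 0)],
        "Sender and recipient addresses observed in transit": [
            ("Require TLS between HISPs", 0, -1)],
    }
    return scenarios, plan


def run_example():
    """Run the full loop on the sample register and return what each step produced."""
    scenarios, plan = sample_register()
    initial = {s.name: s.risk() for s in scenarios}
    rounds, unresolved = track(scenarios, plan)
    return initial, rounds, unresolved, security_considerations(scenarios)


if __name__ == "__main__":
    initial, rounds, unresolved, doc = run_example()
    print("initial risks:", initial)
    print("rounds of mitigation applied:", rounds)
    print("still medium/high (gaps to document):", unresolved)
    for entry in doc:
        print(entry)
```

Two rounds are needed because the first mitigation on each high-risk scenario only brings it down to medium, which the Track step catches on reassessment; the insider scenario has no planned mitigation, so it is reported as a remaining gap rather than silently dropped.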
Do NOT use [[1] this tool] :-)

Examples of Risk Assessment Spreadsheets

Threat Model - SMTP with Full Service HISPs
Threat Model - Simple SMTP