nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems

verfasst von : Myrsini Athinaiou, Haralambos Mouratidis, Theo Fotis, Michalis Pavlidis

Erschienen in: Computer Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Security constraints that enforce security requirements characterize healthcare systems. These constraints have a substantial impact on the resiliency of the final system. Security requirements modelling approaches allow the prevention of cyber incidents; however, the focus to date has been on prevention rather than resiliency. Resiliency extends into the detection, mitigation and recovery after security violations. In this paper, we propose an enhanced at a conceptual level that attempts to align cybersecurity with resiliency. It does so by extending the Secure Tropos cybersecurity modelling language to include resiliency. The proposed conceptual model examines resiliency from three viewpoints, namely the security requirements, the healthcare context and its implementational capability. We present an overview of our conceptual model of a cyber resiliency language and discuss a case study to attest the healthcare context in our approach.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics

Nächstes Kapitel Shaping Digital Identities in Social Networks: Data Elements and the Role of Privacy Concerns

ISO/IEC/IEEE 15288:2015. https://www.iso.org/standard/63711.html. Accessed 12 July 2019

Li, T., Horkoff, J., Mylopoulos, J.: Integrating security patterns with security requirements analysis using contextual goal models. In: Frank, U., Loucopoulos, P., Pastor, Ó., Petrounias, I. (eds.) PoEM 2014. LNBIP, vol. 197, pp. 208–223. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45501-2_15CrossRef

Antón, A.I., Earp, J.B.: Strategies for developing policies and requirements for secure and private electronic commerce. In: Ghosh, A.K. (ed.) E-Commerce Security and Privacy. Advances in Information Security, vol. 2, pp. 67–86. Springer, Boston (2001). https://doi.org/10.1007/978-1-4615-1467-1_5CrossRef

Argyropoulos, N., Mouratidis, H., Fish, A.: Advances in Conceptual Modeling. Springer, Cham (2015). https://doi.org/10.1007/978-3-642-33999-8CrossRef

Arney, D., Pajic, M., Goldman, J.M., Lee, I., Mangharam, R., Sokolsky, O.: Toward patient safety in closed-loop medical device systems. In: Proceedings of the 1st ACM/IEEE International Conference on Cyber-Physical Systems - ICCPS 2010, pp. 139–148. ACM Press, Stockholm (2010)

Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M., Panaousis, E.: Towards the definition of a security incident response modelling language. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 198–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_14CrossRef

Boddy, A., Hurst, W., Mackay, M., Rhalibi, A.E.: A study into data analysis and visualisation to increase the cyber-resilience of healthcare infrastructures. In: Proceedings of the 1st International Conference on Internet of Things and Machine Learning - IML 1917, pp. 1–7. ACM Press, Liverpool (2017)

Den Braber, F., Hogganvik, I., Lund, M.S., Stlen, K., Vraalsen, F.: Model-based security analysis in seven steps a guided tour to the CORAS method. BT Technol. J. 25(1), 101–117 (2007)CrossRef

Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)CrossRef

10.

Chapurlat, V., et al.: Towards a model-based method for resilient critical infrastructure engineering how to model critical infrastructures and evaluate ist resilience? How to model critical infrastructures and evaluate its Resilience? In: 2018 13th Annual Conference on System of Systems Engineering (SoSE), pp. 561–567. IEEE, Paris (2018)

11.

Chen, Q., Lambright, J.: Towards realizing a self-protecting healthcare information system. In: 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), pp. 687–690. IEEE, Atlanta (2016)

12.

Chernyshev, M., Zeadally, S., Baig, Z.: Healthcare data breaches: implications for digital forensic readiness. J. Med. Syst. 43(1), 7 (2019)CrossRef

13.

Cichonski, P., Millar, T., Grance, T., Scarfone, K.: Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. Technical report NIST SP 800-61r2, National Institute of Standards and Technology (2012)

14.

Cooper, T., Collmann, J., Neidermeier, H.: Organizational repertoires and rites in health information security. Camb. Q. Healthc. Ethics 17(4), 441–452 (2008)CrossRef

15.

Dardenne, A., van Lamsweerde, A., Fickas, S.: Goal-directed requirements acquisition. Sci. Comput. Program. 20(1–2), 3–50 (1993)CrossRef

16.

DeVoe, C., Rahman, S.S.M.: Incident response plan for a small to medium sized hospital. Int. J. Netw. Secur. Appl. 5(2), 1–20 (2013)

17.

Genes, N., Chary, M., Chason, K.W.: Case study. An academic medical centers response to widespread computer failure. Am. J. Disaster Med. 8(2), 145–150 (2013)CrossRef

18.

Ghafur, S., Grass, E., Jennings, N.A., Darzi, A.: The challenges of cybersecurity in health care: the UK National Health Service as a case study. Lancet Digit. Health 1(1), e10–e12 (2019)CrossRef

19.

Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005). https://doi.org/10.1007/11554578_8CrossRef

20.

Giorgini, P., Mylopoulos, J., Sebastiani, R.: Goal-oriented requirements analysis and reasoning in the Tropos methodology. Eng. Appl. Artif. Intell. 18(2), 159–171 (2005)CrossRef

21.

He, Y., Johnson, C.: Challenges of information security incident learning: an industrial case study in a Chinese healthcare organization. Inf. Health Soc. Care 42(4), 393–408 (2017)CrossRef

22.

Lee, I., et al.: Challenges and research directions in medical cyberphysical systems. Proc. IEEE 100(1), 75–90 (2012)CrossRef

23.

Jalali, M.S., Russell, B., Razak, S., Gordon, W.J.: EARS to cyber incidents in health care. J. Am. Med. Inf. Assoc. 26(1), 81–90 (2019)CrossRef

24.

Jürjens, J.: UMLsec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_32CrossRefMATH

25.

van Lamsweerde, A.: Goal-oriented requirements engineering: a guided tour. In: Proceedings Fifth IEEE International Symposium on the Requirements Engineering, pp. 249–262. IEEE Computer Society, Toronto (2000)

26.

van Lamsweerde, A., Letier, E.: From object orientation to goal orientation: a paradigm shift for requirements engineering. In: Wirsing, M., Knapp, A., Balsamo, S. (eds.) RISSEF 2002. LNCS, vol. 2941, pp. 325–340. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24626-8_23CrossRef

27.

Lin, L., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J.: Introducing abuse frames for analyzing security requirements. J. Lightwave Technol. 371–372 (2003). IEEE Comput. Soc, Monterey Bay, CA, USA

28.

Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_33CrossRefMATH

29.

McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: Proceedings 15th Annual Computer Security Applications Conference (ACSAC 1999), pp. 55–64. IEEE Computer Society, Phoenix (1999)

30.

McGlade, D., Scott-Hayward, S.: ML-based cyber incident detection for Electronic Medical Record (EMR) systems. Smart Health 12, 3–23 (2019)CrossRef

31.

Mead, N.R., Stehney, T.: Security quality requirements engineering (SQUARE) methodology. ACM SIGSOFT Softw. Eng. Notes 30(4), 1 (2005)CrossRef

32.

Meland, P.H., Paja, E., Gjre, E.A., Paul, S., Dalpiaz, F., Giorgini, P.: Threat analysis in goal-oriented security requirements modelling. In: Computer Systems and Software Engineering: Concepts, Methodologies, Tools, and Applications, pp. 2025–2042. IGI Global (2018)

33.

Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the secure tropos approach. In: Karagiannis, D., Mayr, H., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, pp. 357–380. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39417-6_16CrossRef

34.

Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)CrossRef

35.

Mwiki, H., Dargahi, T., Dehghantanha, A., Choo, K.-K.R.: Analysis and triage of advanced hacking groups targeting western countries critical national infrastructure: APT28, RED October, and Regin. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds.) Critical Infrastructure Security and Resilience. ASTSA, pp. 221–244. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-00024-0_12CrossRef

36.

Pavlidis, M., Islam, S., Mouratidis, H.: A CASE tool to support automated modelling and analysis of security requirements, based on secure tropos. In: Nurcan, S. (ed.) CAiSE Forum 2011. LNBIP, vol. 107, pp. 95–109. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29749-6_7CrossRef

37.

Pavlidis, M., Islam, S., Mouratidis, H., Kearney, P.: Modeling trust relationships for developing trustworthy information systems. Int. J. Inf. Syst. Model. Des. 5(1), 25–48 (2014)CrossRef

38.

Pavlidis, M., Mouratidis, H., Panaousis, E., Argyropoulos, N.: Selecting security mechanisms in secure tropos. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds.) TrustBus 2017. LNCS, vol. 10442, pp. 99–114. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64483-7_7CrossRef

39.

Ransford, B., Clark, S.S., Kune, D.F., Fu, K., Burleson, W.P.: Design Challenges for Secure Implantable Medical Devices. In: Burleson, W., Carrara, S. (eds.) Security and Privacy for Implantable Medical Devices, pp. 157–173. Springer, New York (2014). https://doi.org/10.1007/978-1-4614-1674-6_7CrossRef

40.

Ross, R., Graubart, R., Bodeau, D., McQuaid, R.: Systems Security Engineering Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. Technical report, NIST (2018)

41.

Schumacher, M.: Toward a security core ontology. In: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications, pp. 87–96. no. 2754, LNCS, Springer, New York (2003). https://doi.org/10.1007/b11930CrossRef

42.

Sindre, G., Firesmith, D.G., Opdahl, A.L.: A reuse-based approach to determining security requirements. Requirements Eng. 10, 34–44 (2004)CrossRef

43.

Sittig, D., Singh, H.: A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Appl. Clin. Inf. 07(02), 624–632 (2016)CrossRef

44.

Wiant, T.L.: Information security policy’s impact on reporting security incidents. Comput. Secur. 24(6), 448–459 (2005)CrossRef

45.

Williams, P.A.H.: Is cyber resilience in medical practice security achievable? In: Proceedings of the 1st International Cyber Resilience Conference, pp. 105–111. Edith Cowan University, Perth (2010)

46.

Yu, E.S.K.: Modeling strategic relationships for process reengineering, Ph.D. thesis, University of Toronto, Canada (1995)

47.

Jiang, Z., Pajic, M., Mangharam, R.: Cyberphysical modeling of implantable cardiac medical devices. Proc. IEEE 100(1), 122–137 (2012)CrossRef

Titel: A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems
verfasst von: Myrsini Athinaiou
Haralambos Mouratidis
Theo Fotis
Michalis Pavlidis
Verlag: Springer International Publishing
Buch: Computer Security
Print ISBN: 978-3-030-42047-5

Electronic ISBN: 978-3-030-42048-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-42048-2_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"