Table 9 Examples of telemedicine risk assessment estimates
From: Risk management-based security evaluation model for telemedicine systems
Asset | AV | Concern | AOP | ASP | RV | ||
|---|---|---|---|---|---|---|---|
Telemedicine device | RTOS/ GPOS/ gateway | 5 | Patient information leakage | 1 | 2 | 10 | L |
5 | Weak password set | 2 | 5 | 50 | H | ||
5 | Critical information transmitted owing to device operation errors | 3 | 4 | 60 | H | ||
5 | Loss due to improper management of telemedicine device | 2 | 5 | 50 | H | ||
5 | Access to internal system used by unapproved device | 1 | 1 | 5 | L | ||
5 | Information leakage by device because of malware infection | 1 | 1 | 5 | L | ||
5 | Saving important information in device | 2 | 4 | 40 | H | ||
5 | Leakage of significant information from lost/stolen device | 2 | 4 | 40 | H | ||
5 | Access to internal system and disclosure of important information owing to application vulnerabilities of device | 2 | 4 | 40 | H | ||
5 | Device ↔ plaintext transmission between internal system | 3 | 5 | 75 | H | ||
5 | Device ↔ plaintext transmission between telemedicine system | 3 | 5 | 75 | H | ||
5 | Device ↔ MITM attacks between telemedicine system | 3 | 1 | 15 | M | ||
|  |  | 5 | Gateway ↔ plaintext transmission between internal system | 3 | 3 | 27 | M |
| Â | Â | 5 | Information leakage because of malware infection (vaccine or latest patch) | 1 | 2 | 10 | L |
| Â | Â | 5 | Significant information disclosure by gateway hacking | 2 | 1 | 10 | L |
| Â | Â | 5 | MITM attacks using rogue gateway | 2 | 1 | 10 | L |
| Â | Â | 5 | Significant information leakage from lost/stolen gateway device | 2 | 3 | 30 | M |
PC | PC | 4 | Forgery via wiretapping and spoofing | 3 | 5 | 60 | H |
4 | Unauthorized access via MITM attacks | 2 | 3 | 24 | M | ||
4 | Gateway ↔ plaintext transmission between telemedicine system | 3 | 5 | 60 | H | ||
4 | MITM attacks using rogue AP | 2 | 1 | 8 | L | ||
4 | Information leakage because of malware infection (vaccine or latest patch) | 1 | 2 | 8 | L | ||
4 | Significant information disclosure owing to gateway hacking | 1 | 1 | 4 | L | ||
4 | Internal access to national communication networks by bypassing physical security controls | 1 | 1 | 4 | L | ||
4 | Internal access to national communication networks by exploiting wireless network vulnerability | 1 | 1 | 4 | L | ||
4 | Leaving working seat for a long period after logging in | 2 | 5 | 40 | H | ||
4 | Nonrepudiation failure by not saving accessed records | 1 | 5 | 20 | M | ||
| Â | Â | 4 | Accident due to telemedicine system operation errors | 1 | 5 | 20 | M |
S/W | Telemedicine software | 4 | Access to internal system and important information disclosure by exploiting vulnerabilities of application used for telemedicine treatment | 1 | 1 | 4 | L |
4 | Access to internal system via update files for application used for telemedicine treatment | 1 | 1 | 4 | L | ||
Data transmission software | 3 | Access to internal system and important information disclosure by exploiting vulnerability of application used for data transmission | 1 | 1 | 3 | L | |
Patient medical information software | 3 | Access to internal system via update files for software | 2 | 1 | 6 | L | |
Monitoring software | 2 | Access to internal system via update files for software | 2 | 1 | 4 | L | |
ECG software | 5 | Access to internal system via update files for telemedicine system | 2 | 1 | 10 | L | |
Information | Personal information | 4 | Sniffing | 3 | 3 | 36 | H |
| Â | Health information | 4 | Health information sniffing | 3 | 3 | 36 | H |
| Â | Medical information | 5 | Sending invalid prescriptions by changing medical information during telemedicine treatment | 1 | 1 | 5 | L |
| Â | 5 | Misuse of medical information by analyzing network packets during telemedicine treatment | 2 | 1 | 10 | L | |
| Â | Â | 5 | Accidents caused by telemedicine system operation errors | 2 | 5 | 50 | H |
| Â | Â | 5 | Forgery via network eavesdropping and spoofing during patient information exchange | 2 | 3 | 30 | H |