Threat Model

A new medium-sized health care facility just opened and you are hired as the CIO. The CEO is somewhat technical and has tasked you with creating a threat model. The CEO needs to decide from 3 selected models but needs your recommendation. Review this week’s readings, conduct your own research, then choose a model to recommend with proper justifications. Items to include (at a minimum) are:

  • User authentication and credentials with third-party applications
  • 3 common security risks with ratings: low, medium or high
  • Justification of your threat model (why it was chosen over the other two: compare and contrast)

You will research several threat models as they apply to the health care industry, summarize three models, and choose one as a recommendation to the CEO in a summary with a model using UML diagrams (do not copy and paste images from the Internet). In your research paper, be sure to discuss the security risks and assign each a label of low, medium or high risk; the CEO will make the determination to accept the risks or mitigate them.

Full Answer Section

Justification for STRIDE Model

The STRIDE model was chosen over the PASTA and OCTAVE models due to its simplicity and ease of use. The STRIDE model provides a clear framework for identifying and assessing potential security threats, making it a valuable tool for organizations of all sizes.

UML Diagram: STRIDE Model

Conclusion

By adopting the STRIDE model, the healthcare facility can develop a comprehensive threat model that identifies potential security risks and helps to mitigate them. By addressing these risks proactively, the organization can protect patient data and ensure the continuity of its operations.

Sample Answer

Threat Model for a New Medium-Sized Healthcare Facility

Introduction

A threat model is a structured approach to identifying and assessing potential security risks to an organization. In the healthcare industry, where patient data is highly sensitive, a robust threat model is essential to protect against cyberattacks and other security threats.

Three Threat Models

  1. STRIDE Model: This model identifies six categories of security threat: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
  2. PASTA Model: This model focuses on identifying assets, threats, vulnerabilities, and mitigations.
  3. OCTAVE Model: This model is a risk-based approach that involves identifying critical assets, analyzing threats, and developing countermeasures.

Recommended Threat Model: STRIDE Model

For a new healthcare facility, the STRIDE model is particularly well-suited due to its focus on identifying specific security threats. By systematically evaluating each of the six categories, the organization can gain a comprehensive understanding of its potential vulnerabilities.

Security Risks and Ratings

  • User authentication and credentials with third-party applications: Medium risk. While third-party applications can provide valuable functionality, they may introduce additional security risks if not properly managed.
  • Phishing attacks: High risk. Healthcare organizations are frequent targets of phishing attacks, which can compromise sensitive patient data.
  • Ransomware attacks: High risk. Ransomware attacks can disrupt healthcare operations and lead to significant financial losses.