Table 2 List of threats identified in the risk assessment

From: Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

Locally: at the patient’s home

| ID | Threats/unwanted incidents |
|----|----------------------------|
| c1 | Unauthorised persons can view/read personal (sensitive) health information because the user has forgotten to switch off (or “log out” from) the RPD. |
| c3 | Unauthorised persons can view/read personal (sensitive) health information because the PIN code (or password or another authentication mechanism) is available/known, e.g. too weak/simple (a general problem). |
| c4 | Unauthorised persons can view/read personal (sensitive) health information because the RPD with stored information is stolen, then restarted and accessed without authorisation. |
| c5 | Video conference (VC) to a participant at home (individual sessions): unauthorised persons present in the patient’s home, outside camera view, may happen to hear personal information given to this patient by health personnel (e.g. instructions/education regarding his/her own disease). Remember: unauthorised persons are persons (including family members and visitors) with whom the patient does not want to share that information. |
| c6 | Group education via VC (all patients in their own homes): unauthorised persons in a patient’s home, outside camera view, can see and hear other patients/participants without their knowledge. |
| c7 | The RPD is compromised because of software weaknesses, making it possible for unauthorised persons to see/log ongoing activity. |
| c8 | Wireless data transfer from sensor to RPD can be intercepted by others. |
| i1 | Unauthorised persons (e.g. grandchildren who play with the sensor) can by accident (i.e. unintentionally) insert false values if the system is not fail-safe. That is, measurements taken from persons other than the registered user are entered. |
| i3 | Unauthorised persons (e.g. other family members or visitors) can deliberately insert fake values. |
| i4 | The patient himself/herself can by mistake modify inserted values or insert erroneous values (e.g. it is easy to type in wrong O2 values). |
| i7 | The patient himself/herself can deliberately insert fake values or modify inserted values. |
| i8 | Data in the RPD is corrupted, e.g. a wrong clock time from a sensor may follow the sensor value and cause existing data to be overwritten. |
| i9 | SW/HW weaknesses in the RPD that can be exploited (e.g. by malware) in such a way that the information is damaged or modified. |
| i10 | The RPD is stolen and its software, keys or configuration are exploited for unauthorised communication. |
| i12 | The RPD is compromised because of SW weaknesses and becomes a relay for attacking healthcare systems, e.g. by sending messages containing an executable payload. |
| i14 | Unauthorised persons can remotely configure the RPD, install/update software, etc., thus making the system behave differently than specified. |
| a1 | The service is unavailable for both the patient and the health personnel because the RPD has been stolen. |
| a2 | Data from the RPD cannot be retrieved locally by the patient (SW or HW errors, e.g. disk crash). |
| a3 | Data from the RPD cannot be sent to the health personnel (SW or HW errors). |
| a4 | The RPD is damaged (crushed, fire, dropped on the floor, etc.) so that data cannot be retrieved or inserted. |
| a5 | Shutdown because of an electrical power failure in the patient’s home. |
| a6 | The patient forgets his/her PIN code (or other authentication method) so that data cannot be retrieved from the RPD at home. (Information already sent is available at the central server.) |
| a7 | PKI certificates expire. If this happens, it is not possible to send data with valid signatures or to encrypt correctly for the specified recipient. |
| a8 | SW/HW weaknesses in the RPD that can be exploited (e.g. by malware) in such a way that stored information is destroyed/deleted or access is blocked (e.g. Denial of Service attack, DoS). |
| a9 | Patients will not use the system: “too high-tech”, fear of surveillance, feeling of lack of control, afraid of damaging the system, think it is difficult to use. |
| a10 | Patients will not use the service because too many errors occur, too often, e.g. in the case of an alert function, errors which lead to triggering of the alert. |
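Threats i4 and i8 both describe integrity failures at the point where a value enters the RPD: an implausible typed value, or a sensor whose clock is wrong so that its timestamp lands on an existing record and overwrites it. The following ingestion check is an added example (not code from the paper or its platform) of the two defensive rules that address them: bound-check the value, and never let a timestamp collision replace stored data. The SpO2 range and the clock-skew tolerance are assumed illustrative values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative bounds assumed for this example, not values from the paper.
SPO2_RANGE = (50.0, 100.0)              # percent; a typed value outside this is almost surely an error (i4)
MAX_CLOCK_SKEW = timedelta(minutes=10)  # sensor clock vs. RPD clock before the sensor's time is distrusted (i8)


@dataclass
class Reading:
    sensor_time: datetime   # timestamp the sensor attached to the value
    value: float            # SpO2 in percent


@dataclass
class Record:
    value: float
    sensor_time: datetime
    received_at: datetime   # RPD clock at ingestion: the time axis the RPD itself controls
    flags: tuple = ()


@dataclass
class Store:
    # keyed by sensor_time on purpose: the point of ingest() is that a key collision never overwrites
    records: dict = field(default_factory=dict)
    quarantine: list = field(default_factory=list)   # (reading, reason) pairs held for review


def ingest(store: Store, reading: Reading, received_at: datetime) -> str:
    """Validate and store one reading; returns 'stored', 'stored_flagged' or 'rejected:<reason>'."""
    lo, hi = SPO2_RANGE
    if not (lo <= reading.value <= hi):
        store.quarantine.append((reading, "implausible_value"))
        return "rejected:implausible_value"
    if reading.sensor_time in store.records:
        # Existing data is kept; the newcomer is quarantined instead of overwriting it (i8).
        store.quarantine.append((reading, "duplicate_sensor_time"))
        return "rejected:duplicate_sensor_time"
    flags = []
    if abs(received_at - reading.sensor_time) > MAX_CLOCK_SKEW:
        flags.append("clock_skew")   # keep the value, but mark the sensor's time as untrusted
    store.records[reading.sensor_time] = Record(reading.value, reading.sensor_time, received_at, tuple(flags))
    return "stored_flagged" if flags else "stored"
```

Flagged records keep `received_at` alongside the sensor time so health personnel can see which axis to trust when a sensor clock drifts.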
During data transfer

| ID | Threats/unwanted incidents |
|----|----------------------------|
| c9 | Unauthorised persons obtain access to personal (sensitive) information during transfer: measurement values from sensors, textual information from the patient at home. |
| c10 | Unauthorised persons obtain access to personal (sensitive) information being transferred in the two-way video conference, both audio (what is said) and video (seeing patients in their homes). |
| i15 | Unauthorised persons can modify or delete personal health information during transfer. |
| i18 | Errors during transfer lead to duplication of messages. |
| a11 | Unauthorised persons can delete personal health information during transfer so that it does not reach the intended recipient. |
| a13 | Low network quality (QoS): the quality of the connection is so low that the remote education and exercising are useless. |
| a14 | DoS attack (on the network or a network component) so that the information does not reach the intended recipient. |
| a15 | Low network quality (QoS): data is not transferred, is lost during transfer, or is delayed. |
| a16 | Information corrupted or lost during transfer (caused by errors), i.e. it cannot be used by the intended recipient. |
Data in the central server/database, in the health institution

| ID | Threats/unwanted incidents |
|----|----------------------------|
| c11 | Unauthorised persons obtain access to personal health information (in the server/database) in the health institution. The server contains information about all patients/participants, so if unauthorised persons obtain access, information about several patients can be seen at a time, not just that concerning a single patient. |
| i21 | Information stored on the central server is deliberately manipulated (modified, deleted) by unauthorised persons. |
| i22 | Information stored on the central server is manipulated (modified, deleted) by mistake (e.g. wrong usage). |
| a17 | Permanent loss of data from the central server (because of SW errors or HW failures): data are lost or destroyed. |
| a18 | Data on the central server are unavailable for a short or a longer time period (e.g. electrical power failure). |
Quality of video communication

| ID | Threats/unwanted incidents |
|----|----------------------------|
| q1 | The video quality from the patient’s home is inadequate (e.g. because of limited bandwidth, camera type, use of the camera, placement of the camera, lighting, etc.) for the healthcare workers to be able to instruct the patients: they do not see clearly enough what the patient is doing (exercise, use of medical equipment). |
| q2 | Unacceptable audio quality, e.g. echo, jitter, drop-out. The healthcare workers can hear their own echo in the sound from the participants. The patients at home can hear an echo if the healthcare workers do not use an extra microphone. |