Table 2 List of threats identified in the risk assessment

From: Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

ID: Threat/unwanted incident
Locally – at the patient's home

c1: Unauthorised persons can view/read personal (sensitive) health information because the user has forgotten to switch off (or log out from) the RPD.

c3: Unauthorised persons can view/read personal (sensitive) health information because the PIN code (or password or other authentication credential) is available to or known by them, e.g. because it is too weak or too simple (a general problem).

c4: Unauthorised persons can view/read personal (sensitive) health information because the RPD with stored information is stolen, restarted and accessed without authorisation.

c5: Video conference (VC) with a participant at home (individual sessions): unauthorised persons present in the patient's home, outside the camera's view, may overhear personal information given to the patient by health personnel (e.g. instructions or education about his/her own disease). Note: unauthorised persons here are persons (including family members and visitors) with whom the patient does not want to share that information.

c6: Group education via VC (all patients in their own homes): unauthorised persons in one patient's home, outside the camera's view, can see and hear the other patients/participants without their knowledge.

c7: The RPD is compromised through software weaknesses, making it possible for unauthorised persons to see or log ongoing activity.

c8: Wireless data transfer from sensor to RPD can be intercepted by others.

i1: Unauthorised persons (e.g. grandchildren who play with the sensor) can accidentally (i.e. unintentionally) insert false values if the system is not fail-safe, i.e. measurements taken from persons other than the registered user are entered.

i3: Unauthorised persons (e.g. other family members or visitors) can deliberately insert fake values.

i4: The patient can by mistake modify inserted values or insert erroneous values (e.g. it is easy to type in wrong O2 values).

i7: The patient can deliberately insert fake values or modify inserted values.

i8: Data in the RPD is corrupted, e.g. a wrong clock time from a sensor accompanies the sensor value and causes existing data to be overwritten.

i9: SW/HW weaknesses in the RPD that can be exploited (e.g. by malware) so that information is damaged or modified.

i10: The RPD is stolen and its software, keys or configuration are exploited for unauthorised communication.

i12: The RPD is compromised through SW weaknesses and becomes a relay for attacking healthcare systems, e.g. by sending messages containing an executable payload.

i14: Unauthorised persons can remotely configure the RPD, install or update software, etc., thus making the system behave differently from its specification.

a1: The service is unavailable to both the patient and the health personnel because the RPD has been stolen.

a2: Data in the RPD cannot be retrieved locally by the patient (SW or HW errors, e.g. disk crash).

a3: Data from the RPD cannot be sent to the health personnel (SW or HW errors).

a4: The RPD is damaged (crushed, burnt, dropped on the floor, etc.) so that data cannot be retrieved or inserted.

a5: Shutdown because of an electricity power failure in the patient's home.

a6: The patient forgets his/her PIN code (or other authentication credential) so that data cannot be retrieved from the RPD at home. (Information already sent is available on the central server.)

a7: PKI certificates expire. If this happens, it is not possible to send data with valid signatures or to encrypt correctly for the specified recipient.

a8: SW/HW weaknesses in the RPD that can be exploited (e.g. by malware) so that stored information is destroyed or deleted, or access is blocked (e.g. a denial-of-service (DoS) attack).

a9: Patients will not use the system: they find it "too high-tech", fear surveillance, feel a lack of control, are afraid of damaging the system, or think it is difficult to use.

a10: Patients will not use the service because too many errors occur, too often; e.g. in the case of an alert function, an error that leads to the alert being triggered.

During data transfer

c9: Unauthorised persons obtain access to personal (sensitive) information during transfer: measurement values from sensors, textual information from the patient at home.

c10: Unauthorised persons obtain access to personal (sensitive) information transferred in the two-way video conference, both audio (what is said) and video (seeing patients in their homes).

i15: Unauthorised persons can modify or delete personal health information during transfer.

i18: Errors during transfer lead to duplication of messages.

a11: Unauthorised persons can delete personal health information during transfer so that it does not reach the intended recipient.

a13: Low network quality (QoS): the quality of the connection is so low that the remote education and exercising are useless.

a14: DoS attack (on the network or a network component) so that the information does not reach the intended recipient.

a15: Low network quality (QoS): data is not transferred, is lost during transfer, or is delayed.

a16: Information corrupted or lost during transfer (caused by errors), i.e. it cannot be used by the intended recipient.

Data in the central server/database, in the health institution

c11: Unauthorised persons obtain access to personal health information (in the server/database) in the health institution. The server contains information about all patients/participants, so if unauthorised persons obtain access, information about several patients can be seen at once, not just that concerning a single patient.

i21: Information stored on the central server is deliberately manipulated (modified, deleted) by unauthorised persons.

i22: Information stored on the central server is manipulated (modified, deleted) by mistake (e.g. wrong usage).

a17: Permanent loss of data from the central server (because of SW errors or HW failures): data are lost or destroyed.

a18: Data on the central server are unavailable for a short or a longer period (e.g. electricity power failure).

Quality of video communication

q1: The video quality from the patient's home is inadequate (e.g. because of limited bandwidth, camera type, use or placement of the camera, lighting, etc.) for the healthcare workers to be able to instruct the patients: they do not see clearly enough what the patient is doing (exercise, use of medical equipment).

q2: Unacceptable audio quality, e.g. echo, jitter, drop-out. The healthcare workers can hear their own echo in the sound from the participants. The patients at home can hear an echo if the healthcare workers do not use an extra microphone.
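Several of the integrity threats above (i8: a sensor with a wrong clock overwrites existing data; i15 and a16: data modified or corrupted in transfer; i18: duplicated messages; i4: mistyped values) describe what the receiving side must defend against when it accepts measurements from an RPD. The following Python routine is an added example and is not code from the paper or from the platform it describes. It verifies an HMAC over a canonical serialisation of each message, rejects timestamps outside an accepted window, deduplicates by message ID, keeps the store append-only so that a colliding timestamp is flagged rather than overwritten, and flags physiologically implausible values for review instead of silently accepting them. The shared key, the skew and age windows, the plausibility ranges, the message field names and the sample messages are all assumptions made for the example; the HMAC stands in for the PKI signatures the platform itself uses (a7).

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed example key. A real deployment would use a per-device key (or the
# platform's PKI signatures, cf. a7), never a literal in source code.
DEVICE_KEY = b"example-device-key-not-for-production"
MAX_CLOCK_SKEW = timedelta(minutes=10)  # assumed tolerance for sensor/RPD clock drift
MAX_AGE = timedelta(days=30)            # assumed: older readings are not accepted
PLAUSIBLE = {"spo2": (50.0, 100.0), "pulse": (30.0, 220.0)}  # assumed ranges (i4)
REQUIRED = {"msg_id", "patient_id", "sensor", "ts", "value"}  # assumed message fields
EXAMPLE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


class IngestError(ValueError):
    """Raised when a message must not enter the database at all."""


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """Sender side (RPD): wrap a payload with an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def ingest(message: dict, store: dict, seen: set, now: datetime,
           key: bytes = DEVICE_KEY) -> str:
    """Receiver side (central server). Returns "stored", "flagged" or
    "duplicate"; raises IngestError for messages that are rejected."""
    payload, tag = message.get("payload"), message.get("mac")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        raise IngestError("malformed message")
    # i15 / a16: detect tampering or corruption in transit before trusting any field.
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise IngestError("integrity check failed")
    if not REQUIRED.issubset(payload):
        raise IngestError("missing fields")
    # i18: a retransmitted message must not produce a second record.
    if payload["msg_id"] in seen:
        return "duplicate"
    # i8: a sensor with a wrong clock must not place a reading anywhere in the timeline.
    try:
        ts = datetime.fromisoformat(payload["ts"])
    except (TypeError, ValueError):
        raise IngestError("unparseable timestamp")
    if ts.tzinfo is None:
        raise IngestError("timestamp must carry a timezone")
    if ts > now + MAX_CLOCK_SKEW or ts < now - MAX_AGE:
        raise IngestError("timestamp outside accepted window")
    try:
        value = float(payload["value"])
    except (TypeError, ValueError):
        raise IngestError("non-numeric value")
    flags = []
    bounds = PLAUSIBLE.get(payload["sensor"])
    if bounds and not bounds[0] <= value <= bounds[1]:
        flags.append("implausible_value")  # i4: kept for review, not silently accepted
    # i8: append-only store; a colliding timestamp adds a second, flagged record
    # instead of overwriting the earlier one.
    record_key = (payload["patient_id"], payload["sensor"], ts.isoformat())
    if record_key in store:
        flags.append("timestamp_collision")
    store.setdefault(record_key, []).append(
        {"value": value, "msg_id": payload["msg_id"],
         "received_at": now.isoformat(), "flags": flags})
    seen.add(payload["msg_id"])
    return "flagged" if flags else "stored"


def demo() -> dict:
    """Constructed scenario: a valid reading, its retransmission, a tampered copy,
    a reading with a future timestamp, and a second reading colliding on timestamp."""
    store, seen, results = {}, set(), {}
    base = {"msg_id": "m1", "patient_id": "p42", "sensor": "spo2",
            "ts": "2024-03-01T11:55:00+00:00", "value": 96}
    good = sign(base)
    results["first"] = ingest(good, store, seen, EXAMPLE_NOW)
    results["retransmit"] = ingest(good, store, seen, EXAMPLE_NOW)
    rejected = {"tampered": {"payload": dict(base, value=99), "mac": good["mac"]},
                "future_clock": sign(dict(base, msg_id="m2", ts="2024-03-05T00:00:00+00:00"))}
    for name, msg in rejected.items():
        try:
            ingest(msg, store, seen, EXAMPLE_NOW)
            results[name] = "accepted"
        except IngestError as exc:
            results[name] = f"rejected: {exc}"
    results["collision"] = ingest(sign(dict(base, msg_id="m3", value=130)), store, seen, EXAMPLE_NOW)
    results["records"] = store[("p42", "spo2", "2024-03-01T11:55:00+00:00")]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The two design choices worth copying are the ones that address i8 directly: the timestamp window bounds how far a misconfigured sensor clock can move a reading, and the append-only store means a second reading with the same (patient, sensor, timestamp) key is recorded beside the first and flagged, so the overwrite the threat describes cannot happen silently. Threats c8 and c9 (interception) are not addressed by a MAC alone; they need transport encryption on top of it.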