
Risk management-based security evaluation model for telemedicine systems



Infectious diseases that can cause epidemics, such as COVID-19, SARS-CoV, and MERS-CoV, constitute a major social issue, with healthcare providers fearing secondary, tertiary, and even quaternary infections. To alleviate this problem, telemedicine is increasingly being viewed as an effective means through which patients can be diagnosed and medications prescribed by doctors via untact (i.e., non-face-to-face) medical services. Thus, concomitant with developments in information and communication technology (ICT), medical institutions have actively analyzed and applied ICT to medical systems to provide optimal medical services. However, with the convergence of these diverse technologies, various risks and security threats have emerged. To protect patients and improve telemedicine quality for patient safety, it is necessary to analyze these risks and security threats comprehensively and institute appropriate countermeasures.


The security threats likely to be encountered in each of seven telemedicine service areas were analyzed, and related data were collected directly through on-site surveys by a medical institution. Subsequently, an attack tree, the most popular reliability and risk modeling approach for systematically characterizing the potential risks of telemedicine systems, was examined and utilized with the attack occurrence probability and attack success probability as variables to provide a comprehensive risk assessment method.


In this study, the most popular modelling method, an attack tree, was applied to the telemedicine environment, and the security concerns for telemedicine systems were found to be very large. Risk management and evaluation methods suitable for the telemedicine environment were identified, and their benefits and potential limitations were assessed.


This research should be beneficial to security experts who wish to investigate the impacts of cybersecurity threats on remote healthcare and researchers who wish to identify new modeling opportunities to apply security risk modeling techniques.



Healthcare is evolving towards preventive medical services for lifelong personal health management [1]. Concomitant with the fusion of healthcare with information and communication technology (ICT), various new services and networked medical devices have been developed. These networked devices provide services such as telemedicine, health information exchange, and precision medicine. As these devices have immediate effects on the lives of patients, security management is critical [2,3,4,5,6,7,8,9,10,11,12]. In particular, data transmission from wired to wireless networks requires specific security guidelines for data processing and management and medical device development [13].

In addition, infectious diseases such as COVID-19 [14, 15], SARS-CoV [16], and MERS-CoV [17] cause major social problems and are known to result in severe respiratory or gastrointestinal complications when they infect animals or people. Coronavirus (CoV) was previously considered to be a pathogen that causes minor symptoms in the community in the form of endemic infection, but there is a growing need to introduce telemedicine that can be utilized to diagnose and prescribe appropriate medication owing to the growing fear of secondary and tertiary infections [15].

Many recently developed medical devices are upgradable, which further increases the potential security threats that can affect them. For example, the vulnerability of insulin pumps to hacking was reported both in 2010 and 2013 [18]. Additionally, in August 2016, an intensive care unit infusion pump sensor without communication functionality was hacked using a low-cost infrared laser [19].

Telemedicine can be broadly categorized into five types: videoconference-based patient consultations using the Picture Archiving Communications System in large hospitals, multimedia transmission to provide remote services such as first-aid directions, remote home care, remote training of patients or health professionals, and online medical counseling and health information sharing [20].

With recent advances in internet of things technology, connectivity between objects is being driven by the medical/electronic sector [21, 22]. Healthcare services value prevention and management over the treatment of future diseases, which can be extended to diagnosis, surgery, and treatment [23]. The healthcare field is being labeled as the “next big thing,” and innovative developments are highly anticipated [24,25,26]. Implantable medical devices (IMDs), which monitor patient health and heal affected body parts, are vital in healthcare [27]. Examples of IMDs include cardiac pacemakers and defibrillators, which monitor and treat heart conditions; deep brain stimulators, which treat epilepsy or Parkinson’s disease; drug delivery systems in the form of infusion pumps; and bio-instruments that acquire and process bio-signals [28].

However, IMDs, which are equipped with advanced computing and communications capabilities, also entail security and privacy threats. In some cases, such threats can have fatal consequences. Deliberate attacks can result in death if they cause intentional malfunctions, and intentional attacks can be considerably more difficult to detect than accidental attacks [29]. IMDs also store and transmit highly sensitive medical information that should be protected under the laws of Europe (e.g., Directive 95/46/EC) and the United States (e.g., CFR 164.312) [30, 31]. Experiments have demonstrated how treatment functions can be disabled or reprogrammed to induce shock conditions in patients through wireless connections, as a part of an attack on an IMD [32,33,34]. Moreover, the device can be sabotaged by intentionally discharging the battery. In such cases, it is often necessary to replace the IMD through surgery. For cardiac IMDs, the power can be switched off using a magnetic field [35], which led to former U.S. Vice President Dick Cheney disabling the Wi-Fi function of his implantable cardioverter–defibrillator to prevent remote assassination attempts [2].

Security requirements pertaining to the processing and management of large amounts of data transmitted wirelessly are essential, and the importance of cybersecurity in the development of medical devices is growing [3]. Various medical devices that have evolved in recent years have had several functional advances, but the potential security threats have also continued to grow. The possibility of hacking of medical devices has already been reported in several articles [4, 6], and research has demonstrated the possibility of healthcare-related security accidents.

A common paradigm in the performance of cyber risk assessment is to form two adversarial teams consisting of a “red team” whose job is to think like an attacker and a “blue team” that seeks to defend the system by developing countermeasures [36]. In many situations, red team information is applied to model the systems using techniques such as attack trees [10], attack-defense trees [37], event trees [38, 39], Markov models [40], decision diagrams such as binary decision diagrams [41], and fault trees [42, 43].

The “attack tree” process [10] is a systematic method for determining the characteristics of system security based on all attacks to which a system is exposed [6,7,8,9]. Identifying all possible defined attacks facilitates analysis of all possible cyberattack access paths and selection of the best-suited countermeasures and their optimal deployment. An attack tree consists of nodes, edges, and connectors, with each node corresponding to an attack step. The root node represents the ultimate goal of the attacker, while the children of a given node represent the subgoals. The edges represent the state change caused by the actions of the attacker. A connector is a gate (either OR (disjunctive) or AND (conjunctive)) for the nodes with two or more children for advancement to reach the attack goal [10].

In this study, the most popular modeling approach, an attack tree, was utilized, with the attack occurrence probability (AOP) and attack success probability (ASP) as variables, to develop a risk assessment method, and the benefits and potential limitations of this method were assessed.

The remainder of this paper is organized as follows. Section II describes the telemedicine system architecture and discusses potential security threats and scenarios that may arise therefrom. Section III outlines the proposed risk assessment method based on an attack tree with the AOP and ASP as variables. Section IV presents and analyzes the experimental results obtained and discusses the assumptions and limitations of the study. Finally, Section V provides the conclusions and outlines future research directions.

Telemedicine system architecture

A telemedicine system [1] can be divided into two sections according to its components: (1) components accessible to the user (or patient), such as the telemedicine terminal, and (2) components available to the telemedicine service provider only, such as the telemedicine system and medical team. The possible security threat scenarios based on information flow through the various components are summarized below [11, 12] (Fig. 1):

  1. Spreading of malicious code in the sensing (measurements) hardware, breaching the security barrier, accessing sensitive patient information, and gaining access to the main server via the sensing device.

  2. Information leakage or data forgery in the medical data transmission section.

  3. Sensing (measurement) data breach risks due to vulnerabilities in the personal computer (PC), smart device, or gateway used for data transmission by the repository or medical staff.

  4. Cyberattack risks due to a vulnerable main server and repository in the provider area.

Fig. 1. Telemedicine system architecture

Telemedicine system threat extraction and identification

To identify the threats suitable for constructing the telemedicine attack tree, we extracted typical and scenario-based security threats in accordance with ISO/IEC 27005 Annex C. Examples of typical threats [19] and healthcare-related security threats were extracted based on ISO/IEC 27799 Annex A [44], and the collected data were reorganized. Finally, to identify the telemedicine system vulnerabilities, we reorganized the extracted threats to make them amenable to the telemedicine environment based on ISO/IEC 27005 [19]. The resulting data were used as the components of the telemedicine attack tree. Based on the system architecture and the identified security threats and vulnerabilities, we pinpointed seven telemedicine security threat areas (Fig. 2).

Fig. 2. Seven areas related to telemedicine security threats

Use cases: seven telemedicine security threat areas

  • Threat #1: User or patient

Users receiving telemedicine (i.e., patients) are most likely residents or senior citizens who live in remote areas. Most of them have never received cybersecurity training and have little interest in cybersecurity. Therefore, their use of telemedicine terminals easily attracts security threats related to device use errors, weak passwords, device loss, phishing, etc. [28].

  • Threat #2: Telemedicine devices

A telemedicine terminal is based on either a general-purpose operating system (GPOS) or an embedded-type real-time operating system (RTOS). RTOS-based devices are safe from unauthorized access because they are optimized for specific functions at the design and production stages. Conversely, GPOS-based devices such as smartphones are vulnerable to security threats because they use external apps. The use of telemedicine terminals in such environments makes them vulnerable to security threats owing to the data saving and sharing functionalities of these devices and the risk of device loss/theft, app vulnerabilities, and plaintext transmission [28, 30, 45,46,47].

  • Threat #3: Home network

Information transmission between the telemedicine terminal in the private space of the patient (home or office) and the telemedicine system occurs primarily via a wireless network. As illustrated in Fig. 3, the types of networks used in home environments include LAN (local area network), Wi-Fi, Bluetooth, NFC (near field communication), and third and fourth generation/long-term evolution networks. While some embedded-type devices need to be connected to LANs, GPOS-based smart devices can communicate with telemedicine systems via multiple paths. In such environments, home-network-based telemedicine service systems are exposed to security threats associated with end-to-end plaintext transmission and man-in-the-middle (MITM) attacks (Fig. 3) [28, 48].

  • Threat #4: Gateway devices

A gateway plays an intermediary role between the patient and telemedicine system, exposing the system to security threats associated with rogue gateways as well as the loss/theft of the gateways and MITM attacks [28, 49].

Fig. 3. Telemedicine home network

  • Threat #5: Internet (public network)

Communication between the patient and telemedicine system occurs via a public network (the Internet). As private, medical, and health information along with prescriptions are transmitted via the publicly accessible Internet, it is important to establish end-to-end security guidelines. In addition, encrypted data transmission is essential. In this environment, the telemedicine system is vulnerable to security threats associated with sniffing, forgery/alteration, and privilege escalations [28].

  • Threat #6: Telemedicine system

The telemedicine system is situated at the location of the telemedicine service provider. It consists of a PC and the software necessary for remote consultations, and its users are the medical staff, nursing personnel, and system administrators (security officer and other support staff). This system is very important because it handles all of the data of the patients receiving the telemedicine services. Moreover, if the telemedicine system is connected to the relevant agencies via the government network hub, stringent security guidelines are necessary to prevent infiltration of the government system. In special cases, telemedicine systems are also used for wireless communication between the exercise equipment used by patients and computers used for remote consultation in telemedicine clinics. In such environments, telemedicine systems can attract security threats associated with MITM attacks, malicious code, telemedicine app forgery/alteration, and illegal network access via physical security checks circumvention [28].

  • Threat #7: Telemedicine service provider

Telemedicine systems primarily involve doctor-to-doctor (D2D) and doctor-to-patient (D2P) interactions. D2D telemedicine is characterized by the sharing and monitoring of health and medical information and requires higher-level cybersecurity because it involves remote consultation, including the writing of prescriptions. Figure 4 shows a block diagram of D2D and D2P interactions. In this environment, the telemedicine system can attract security threats associated with MITM attacks, malicious code, telemedicine app forgery/alteration, and illegal access of Korea-Net by circumventing the physical security checks present [28]. It can also be vulnerable to security threats associated with device use errors, prescription alterations, leakage of important data, and wiretapping (see Fig. 4).

Fig. 4. Telemedicine service provider

The security threats likely to be encountered in each of the seven telemedicine service areas above were used as the basic data to calculate the AOP from the attack tree, which was constructed as described in Section III.



The first step in telemedicine risk assessment is to identify the assets involved and calculate their values. The attack tree is used to estimate all security threats likely faced by each asset, as identified in each of the seven telemedicine security threat areas. As illustrated in Fig. 5, the AOP is calculated using the OR and AND connectors, which are the gates for each node representing attack advancement towards the goal.

Fig. 5. Attack tree

The main advantage of an attack tree is that it allows defenders to identify potential attacks and appropriate countermeasures. Furthermore, attack trees are originally “self-documented” to facilitate interpretation. The downsides of this approach are that it is difficult to enumerate all of the actions of the attackers and that the expressive power to model attacks that involve simultaneous actions is lacking. In this study, risk assessment methods including ASP and AOP variables were investigated to address these shortcomings [37] and allow more accurate identification of attack methods involving attacker behavior.

In principle, the ASP of a potential attack increases in direct proportion to the motivation of the attacker and in inverse proportion to the effort required for mounting the attack. In this study, the asset value, AOP, and ASP were used as the parameters to assess the security risks associated with telemedicine.

Figure 6 presents an example of how risk assessment is conducted. The risk assessment procedure can be summarized as follows.

  1. Evaluate the AV of the telemedicine system (see Tables 1, 2, and 3).

  2. Estimate the AOPs of internal and external attacks on the telemedicine system (see Table 4).

  3. Estimate the internal and external ASPs of the telemedicine system (see Tables 5, 6, and 7).

  4. Select a priority target for security application of the telemedicine system (see Tables 8 and 9).

Fig. 6. Telemedicine system risk assessment phase

Table 1 Asset value evaluation criteria [19, 44, 49,50,51,52]
Table 2 Categorization of asset values [19, 44, 49,50,51,52]
Table 3 Definitions of grades for information classification [19, 44, 49,50,51,52]
Table 4 AOP evaluation criteria [51, 52]
Table 5 Ratings for various aspects of attack potential [51, 52]
Table 6 ASP ratings [51, 52]
Table 7 Examples of ASP estimates [51, 52]
Table 8 RV ratings [51, 52]
Table 9 Examples of telemedicine risk assessment estimates

The procedure enables the actual telemedicine system to identify both hardened targets and targets that require security.

Asset value

The U.S. National Institute of Standards and Technology (NIST) developed a risk management framework (RMF) to protect computer networks from cyberattacks [53]. The NIST-RMF guidelines categorize risk management activities into the following six security lifecycle steps: (1) categorize, (2) select (based on factors such as minimum security requirements and cost analysis), (3) implement (tailor to the given security environment), (4) assess (determine whether the operation is as intended), (5) authorize (determine whether the risk is acceptable), and (6) monitor (detect changes or signs of attack). Federal Information Processing Standards Publication 199 (FIPS PUB 199) defines the categorization criteria for information and information system security (based on the potential impact of the system) to provide a common framework for taxonomy. It sets three security objectives (confidentiality, integrity, and availability) and defines the levels of the potential effects of security breaches on individuals and organizations as low, moderate, and high [54].

When categorizing threats, the total asset value for each asset to be protected is calculated as follows:

$$ \mathrm{AV}_a\ (\text{asset value}) = \sum_{i=1}^{n} A_i, \tag{1} $$

where AVa is the sum of the asset values (3–12) of asset a, calculated as the sum of the areas associated with the asset values (1–3: contributions of confidentiality, integrity, and availability). Table 1 lists the criteria for asset value evaluation. The asset values of each of the four evaluated items (security objectives) are rated on a three-point scale. The total asset value score is calculated by adding all of the individual scores, and the asset value grade is determined based on the calculated result.

The asset value is assessed in terms of each of the four security objectives (confidentiality, integrity, availability, and asset contribution) at three levels corresponding to the potential effects of each security objective, as described in Table 2, and varies between 3 and 12. By substituting the calculated value into Eq. (1), the asset-value-dependent importance grade, which ranges from 1 to 5, can be obtained.

Table 3 presents the definitions of each of the importance grades categorized above. The evaluated asset values are analyzed by applying, mutatis mutandis, ISO/IEC 27005 [19] and ISO 31000 RM [50], and examined by applying, mutatis mutandis, the risk assessment method based on confidentiality, integrity, and availability, as per NIST 800-37 RMF, FIPS PUB 199, and failure mode, effects, and criticality analysis [55].


The AOP is defined as the ratio of the number of attack events of all of the children to the number of attack nodes linked to the parent node in order to achieve the attack goal of the parent node. It is calculated as follows [53]. Let the child node (“X”) be a leaf node; then, AOP = 1 (see Eqs. (2) and (3)).

$$ \text{If } x \text{ is an AND connection, } \mathrm{AOP} = \prod_{i=1}^{k} \frac{1}{n(x_k)}, \quad i = \text{child node number} \tag{2} $$

$$ \text{If } x \text{ is an OR connection, } \mathrm{AOP} = \frac{1}{\text{No. of } x} \tag{3} $$

However, such an attack tree scenario has two major limitations. First, no weight is assigned to the nodes, even though every node has a different risk level and its potential threat can result in different degrees of damage. Second, in lieu of comparison of the node occurrence probabilities, only the probability for achieving the upper node goal is indicated without considering the node occurrence frequency and risk level of each node, making it difficult to quantify the security threat vulnerabilities of telemedicine devices. The AOP is calculated by designing an attack tree for each security threat scenario according to the seven telemedicine security threat areas, as illustrated in Fig. 7.

Fig. 7. Example of a user or patient attack tree

The AOP for the example in Fig. 7 can be calculated as follows. Because ν8 or ν9 can be selected to move to ν4, ν2 has an AOP of 1/2. Further, as one of the methods represented by ν4, ν5, ν6, and ν7 must be selected to achieve ν4, its AOP is 1/4. Because the single node ν3 is selected to achieve ν1, its AOP is 1. Consequently, if the attack target is the user, the AOP for patient information leakage is calculated to be 6.25%, as follows:

$$ \mathrm{AOP} = \frac{1}{2} \times \frac{1}{4} \times \frac{1}{2} = \frac{1}{16} \times 100\% = 6.25\%. \tag{4} $$

Following attack tree construction for each of the seven telemedicine security threat areas, the AOP of each attack tree is calculated, and a score assigned to each area accordingly. An AOP assessment grade is allocated to each area based on a three-point scale, as per the AOP value calculated by Eq. (4) and in keeping with the evaluation criteria (Table 4).


The ASP, defined in ISO/IEC 15408 [51] and ISO/IEC 18045 [52], is assessed based on the following factors [52]:

  • Time taken by an attacker to identify a vulnerability, develop an attack method, and mount the attack

  • Specialist expertise required

  • Knowledge of the system under investigation

  • Window of opportunity to access the attack target

  • IT hardware/software or other equipment required to identify and exploit a vulnerability

These factors affecting the ASP are not independent, but rather are interchangeable from various angles. For example, the expertise and equipment needed can be replaced by the elapsed time (see Table 5).

The ASP is calculated by applying the factor value (Table 5) as per the attack scenario for the seven telemedicine security threat areas. Subsequently, a rating is assigned based on the attack potential value (see Table 6), and categorization is performed based on the attack potential level (see Table 7). To calculate the ASP of each security threat, the categorized ASP levels are mapped onto the leaf nodes of the attack tree. For example, each leaf node in Fig. 7 is mapped at the ASP level assigned to it according to the ASP estimates (see Table 7).


The telemedicine risk value (RV) is the product of the AV, AOP, and ASP:

$$ RV=\mathrm{AV}\times \mathrm{AOP}\times \mathrm{ASP} $$

The calculated RVs are assessed at three levels: low, normal, and high (see Table 8).

When interpreting the risk assessment results, the higher the AV, AOP, and ASP, the higher the RV (see Fig. 8).

Fig. 8. Examples of RV estimates
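The procedure above (gate-based AOP, then RV = AV × AOP × ASP), as an added Python example that is not code from the paper. The tree shape, the AV of 4 and the per-leaf ASP levels are constructed placeholders, since Fig. 7 and Tables 1–9 are not reproduced on this page; multiplying the children's AOPs at an AND gate and taking the lowest leaf ASP in a multi-step scenario are assumptions of this example.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from itertools import product


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                      # "OR", "AND" or "LEAF"
    children: list = field(default_factory=list)
    asp: int = 1                            # leaf only: constructed ASP level


def scenarios(node):
    """Return [(leaf_names, AOP)] for every distinct way of achieving `node`."""
    if node.gate == "LEAF":
        return [(frozenset([node.name]), Fraction(1))]    # leaf node: AOP = 1
    if not node.children:
        raise ValueError(f"{node.gate} gate {node.name} has no children")
    per_child = [scenarios(child) for child in node.children]
    if node.gate == "OR":
        # One child is selected out of len(children): factor 1 / (no. of children).
        share = Fraction(1, len(node.children))
        return [(leaves, share * aop) for child in per_child for leaves, aop in child]
    if node.gate == "AND":
        # Assumption: every child is required, so combine one scenario per child
        # and multiply their AOPs.
        combined = []
        for combo in product(*per_child):
            leaves = frozenset().union(*(names for names, _ in combo))
            aop = Fraction(1)
            for _, child_aop in combo:
                aop *= child_aop
            combined.append((leaves, aop))
        return combined
    raise ValueError(f"unknown gate {node.gate!r} on {node.name}")


def leaf_nodes(node):
    """Yield every leaf below (or equal to) `node`."""
    if node.gate == "LEAF":
        yield node
    for child in node.children:
        yield from leaf_nodes(child)


def risk_values(root, av):
    """Rank attack scenarios by RV = AV x AOP x ASP, highest first."""
    asp_of = {leaf.name: leaf.asp for leaf in leaf_nodes(root)}
    rows = []
    for leaves, aop in scenarios(root):
        asp = min(asp_of[name] for name in leaves)   # assumption: weakest step
        rows.append((sorted(leaves), aop, asp, av * aop * asp))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed tree: the path v1 -> v2 -> v4 -> v8 passes OR gates with
# 2, 4 and 2 children, reproducing the 1/2 x 1/4 x 1/2 = 1/16 figure.
TREE = Node("v1", "OR", [
    Node("v2", "OR", [
        Node("v4", "OR", [Node("v8", asp=3), Node("v9", asp=1)]),
        Node("v5", "AND", [Node("v10", asp=2), Node("v11", asp=3)]),
        Node("v6", asp=3),
        Node("v7", asp=2),
    ]),
    Node("v3", asp=1),
])

if __name__ == "__main__":
    for leaves, aop, asp, rv in risk_values(TREE, av=4):
        print(f"{'+'.join(leaves):8} AOP={float(aop):7.2%} ASP={asp} RV={float(rv):.2f}")
```

Because each OR gate splits its share evenly, the scenario AOPs sum to 1, which gives a quick sanity check on any tree entered this way.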


The telemedicine risk analysis results represent the security threat risk levels and can be interpreted in terms of the relative effect of a given attack. It is necessary to establish the appropriate security guidelines based on the AV of each threat while considering its AOP and ASP (see Table 9).

In this study, the most popular modelling method, an attack tree, was applied to the telemedicine environment, and the security concerns for telemedicine systems were found to be very large. Risk management and evaluation methods suitable for the telemedicine environment were identified, and their benefits and potential limitations were assessed.


In this study, data were collected via on-site verification and security vulnerability analysis (intrusion testing, threat modeling) of the telemedicine system shown in Table 7, and models were analyzed based on assumptions. Table 1 lists the three-point classification approach employed based on the RMF [19, 44, 49,50,51,52]; in addition, the importance of the telemedicine system can be evaluated by referring to Tables 2 and 3. The proposed model uses attack tree modeling to evaluate the ASP and AOP to estimate the total risks of remote healthcare systems, accounting for security threats. This report provides a method of evaluating cybersecurity risks in remote medical systems, an area of technological convergence for recently illuminated untact (i.e., non-face-to-face) [56] medical services.

The limits of the proposed model are that the technical environment of the hospital should be considered when applying the model to the telemedicine system and the participation of telemedicine professionals is necessary. Another limitation is that biomedical engineers may not always be able to accept the outcome of security threat prioritization, and the weight of each criterion and/or the severity of the assigned security grade may have to be reassessed and reassigned. The analysis of security threats in a telemedicine environment requires the participation of information security experts with medical expertise and the cooperation of medical professionals. Such analyses can be performed using methods such as those employed to intelligently analyze forecasting data mining techniques. Intelligent analysis of prediction data mining techniques is widely used to support optimization of future decision-making in various fields, including healthcare and medical diagnoses. The methods used include Chi-squared Automatic Interaction Detection (CHAID), Exchange Chi-squared Automatic Interaction Detection (ECHAID), Random Forest Regression and Classification (RFRC), Multivariate Adaptive Regression Splines (MARS), and Boosted Tree Classifiers and Regression (BTCR) [57,58,59,60,61,62,63,64].

Nevertheless, this research will contribute significantly to the literature by facilitating the assessment and prioritization of cybersecurity risk factors lacking prior research in the telemedicine sector.

In addition, at a time when the need for noncontact medical care is growing due to concerns about infectious diseases such as CoV, countermeasures against new security threats resulting from the convergence of ICT with the medical sector, such as through telemedicine and precision medicine, are essential.


The range of cybersecurity problems associated with telemedicine services necessitates the implementation of security guidelines for the maintenance and management of appropriate security measures that address the security threats posed to each of the seven areas of telemedicine services identified in this paper. The results of the security threat assessment and analysis performed in this study should serve as the basis for establishing efficient security guidelines in telemedicine environments. In the current healthcare service environment, wherein telemedicine services are provided by outsourced ICT personnel without medical security backgrounds, telemedicine is highly prone to cyberattacks.

There is a huge risk that life could be affected if a cyberattack modifies information that is normally prescribed for telemedicine services. Thus, telemedicine is a very important system that must be considered for safety as well as security. By presenting a systematic approach for security threat identification and vulnerability diagnosis, this study will further telemedicine usage while ensuring its safe and smooth operation.

In a follow-up study, the AOP values estimated in this study will be verified through mockup tests performed in real-life settings, and a process or security verification algorithm will be developed to counter the security threats faced based on prioritization of the security requirements determined from the risk assessment performed. Additionally, the concept of “precision medicine” has led to a personally customized medical era and the application of optimized diagnosis and treatment based on personal health information such as genetics and lifestyle information. Further research will be required to address the ever-increasing number of cybersecurity threats in the medical paradigm as ICT and medical technologies evolve.

This paper provides a method of attack tree modeling and analysis for cyber risk management. The basic elements of this modeling approach were reviewed, and the limitations of the approach were discussed. In future research, additional cyber risk modeling paradigms will be investigated, such as binary decision-making diagrams and Markov models, to identify the limitations of their representativeness and their abilities to quantify and mitigate risks. In addition, research on ways to identify and mitigate new security threats to telemedicine will be needed, as the need for untact (i.e., non-face-to-face) [56] medical services increases due to issues related to infectious diseases such as CoV. Theoretical generalizations for these mathematical modeling techniques will then be developed to overcome these limitations.

Availability of data and materials

All data generated or analyzed during this study are included in this published article.



Abbreviations

ICT: Information and communication technology

PACS: Picture Archiving Communications System

IMD: Implantable medical device

PC: Personal computer

RTOS: Real-time operating system

GPOS: General-purpose operating system

ASP: Attack success probability

NIST: National Institute of Standards and Technology

RMF: Risk management framework

FIPS PUB 199: Federal Information Processing Standards Publication 199

AOP: Attack occurrence probability

RV: Risk value

  1. Shaikh A, Memon M, Memon N, Misbahuddin M. The role of service oriented architecture in telemedicine healthcare system. In: International Conference on Complex, Intelligent and Software Intensive Systems. Fukuoka; 2009. p. 208–14.

  2. Naked security by SOPHOS. Doctors disabled wireless in Dick Cheney’s pacemaker to thwart hacking. Available from: Accessed 5 Jan 2020.

  3. Food and Drug Administration. Postmarket management of cybersecurity in medical devices. Silver Spring: Food and Drug Administration; 2016.


  4. Paul N, Kohno T, Klonoff DC. A review of the security of insulin pump infusion systems. J Diabetes Sci Technol. 2011;5:1557–62.

  5. Ray I, Poolsapassit N. Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati SC, Syverson P, Gollmann D, editors. Computer security – ESORICS 2005. ESORICS 2005. Lecture notes in computer science, vol. 3679. Berlin: Springer; 2005. p. 231–46.

  6. Abdo H, Kaouk M, Flaus JM, Masse F. A safety/security risk analysis approach of industrial control systems: a cyber bowtie–combining new version of attack tree with bowtie analysis. Comput Secur. 2018;72:175–95.

  7. Maciel R, Araujo J, Melo C, Dantas J, Maciel P. Impact assessment of multi-threats in computer systems using attack tree modeling. In: 2018 IEEE International Conference on Systems, Man, and Cybernetics (SMC). Miyazaki; 2018. p. 2448–53.

  8. Myagmar S, Lee AJ, Yurcik W. Threat modeling as a basis for security requirements. Symp Requir Eng Inf Secur. 2005;1:1–8.

  9. Ten CW, Manimaran G, Liu CC. Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern Syst Hum. 2010;40:853–65.

  10. Schneier B. Attack trees. Dr Dobbs J. 1999;24:21–9.

  11. Maji A, Mukhoty A, Majumdar A, Mukhopadhyay J, Sural S, Paul S, et al. Security analysis and implementation of web-based telemedicine services with a four-tier architecture. In: Proceedings of the Second International Conference on Pervasive Computing Technologies for Healthcare. Tampere; 2008. p. 46–54.

  12. She H, Lu Z, Jantsch A, Zheng LR, Zhou D. A network-based system architecture for remote medical applications. Asia-Pac Adv Netw. 2007;1:27–31.

  13. Park CY. Trend of u-healthcare standardization technology. Electron Telecommun Trends. 2012;25:48–59.

  14. Wu Z, McGoogan JM. Characteristics of and important lessons from the coronavirus disease 2019 (COVID-19) outbreak in China: summary of a report of 72 314 cases from the Chinese Center for Disease Control and Prevention. JAMA. 2020;323:1239–42.

  15. Hollander JE, Carr BG. Virtually perfect? Telemedicine for Covid-19. N Engl J Med. 2020.

  16. World Health Organization. Cumulative Number of Reported Probable Cases of Severe Acute Respiratory Syndrome (SARS). 2003. Accessed 5 Jan 2020.

  17. Groot RJ, Baker SC, Baric RS. Middle East respiratory syndrome coronavirus (MERS-CoV): announcement of the coronavirus study group. J Virol. 2013;87:7790–2.

  18. Oh AS. A study on home healthcare convergence for IEEE 11073 standard. J Korea Inst Inf Commun Eng. 2015;19:422–7.

  19. International Organization for Standardization. Information security risk management. (second edition). ISO/IEC 27005:2011; 2011.

  20. Zetter K. Hospital networks are leaking data, leaving critical devices vulnerable. 2014. Available from: Accessed 4 Jan 2020.

  21. Kim TY, Youm S, Jung JJ, Kim EJ. Multi-hop WBAN construction for healthcare IoT systems. In: 2015 International Conference on Platform Technology and Service. Jeju; 2015. p. 27–8.

  22. Jeong YS. An efficient IoT healthcare service management model of location tracking sensor. J Digit Converg. 2016;14:261–7.

  23. Zhang B, Wang XW, Huang M. A data replica placement scheme for cloud storage under healthcare IoT environment. In: 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). Xiamen; 2014. p. 542–7.

  24. Wehde M. Healthcare 4.0. IEEE Eng Manag Rev. 2019;47:24–8.

  25. Mohamed N, Al-Jaroodi J. The impact of Industry 4.0 on healthcare system engineering. In: Proceedings of the 2019 IEEE Int Syst Conf; 2019. p. 1–7.

  26. Alloghani M, Al-Jumeily D, Hussain A, Aljaaf AJ, Mustafina J, Petrov E. Healthcare services innovations based on the state of the art technology trend Industry 4.0. In: 2018 11th Int Conf Developments in eSystems Engineering (DeSE), vol. 2018. Cambridge. p. 64–70.

  27. Hansen JA, Hansen NM. A taxonomy of vulnerabilities in implantable medical devices. In: Proceedings of the second annual workshop on security and privacy in medical and home-care systems. Chicago: ACM; 2010. p. 13–20.

  28. Camara C, Peris-Lopez P, Tapiador JE. Security and privacy issues in implantable medical devices: a comprehensive survey. J Biomed Inf. 2015;55:272–89.

  29. US Food and Drug Administration. Medical device safety. 2017. Accessed 3 Oct 2019.

  30. HIPPA. Security standards: Technical safeguards, vol. 2; 2007. p. 1–17.

  31. Shivshankar S, Summerhayes K. The challenges of conducting medical device studies. Boston: Institute of Clinical Research; 2007. ISBN-10: 0954934555.

  32. Fu K. Inside risks: reducing risks of implantable medical devices. Commun ACM. 2009;52:25–7.

  33. Halperin D, Heydt-Benjamin TS, Ransford B, Clark SS, Defend B, Morgan W, et al. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In: Proceedings of the 29th Annual IEEE Symposium on Security and Privacy. Oakland; 2008. p. 129–42.

  34. Li C, Raghunathan A, Jha NK. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In: 13th IEEE International Conference on e-Health Networking Applications and Services. Columbia; 2011. p. 150–6.

  35. Medtronic. Implantable pacemaker and defibrillator information. 2015. Accessed 12 Dec 2019.

  36. Nagaraju V, Fiondella L, Wandji T. A survey of fault and attack tree modeling and analysis for cyber risk management. In: 2017 IEEE International Symposium on Technologies for Homeland Security (HST). Waltham; 2017. p. 1–6.

  37. Ekstedt M, Sommestad T. Enterprise architecture models for cyber security analysis. In: Power Systems Conference and Exposition. Seattle; 2009. p. 1–6.

  38. Kravitz H, Driessen G, Gomberg R, Korach A. Accidental falls from elevated surfaces in infants from birth to one year of age. Pediatrics. 1969;44(5):869–76.

  39. Roth M, Liggesmeyer P. Modeling and analysis of safety-critical cyber physical systems using state/event fault trees. Toulouse: International Conference on Computer Safety, Reliability and Security; 2013.

  40. Bernstein S. Sur l’extension du théoréme limite du calcul des probabilités aux sommes de quantités dépendantes [On the extension of the limit theorem of calculating probabilities to sums of dependent quantities]. Math Ann. 1927;97:1–59.

  41. Lee C. Representation of switching circuits by binary-decision programs. Bell Syst Tech J. 1959;38:985–99.

  42. Watson H. Bell telephone laboratories launch control safety study. In: bell telephone laboratories. Nature: Murray Hill; 1961.

  43. Vesely W, Goldberg F, Roberts N, Haasl D. Fault Tree Handbook. Washington: Systems and Reliability Research, Office of Nuclear Regulatory Research; 1981.

  44. International Organization for Standardization. Health informatics - Information security management in health using ISO/IEC 27002. ISO/DIS 27799:2014(E); 2015.

  45. Arney D, Venkatasubramanian KK, Sokolsky O, Lee I. Biomedical devices and systems security. In: Annual International Conference of the IEEE Engineering in Medicine and Biology Society. Boston; 2011. p. 2376–9.

  46. Industry Canada. Medical devices operating in the 401–406 MHz frequency band. 2010.$FILE/rss243.pdf Accessed 23 Nov 2019.

  47. Denning T, Borning A, Friedman B, Gill BT, Kohno T, Maisel WH. Patients, pacemakers, and implantable defibrillators: human values and security for wireless implantable medical devices. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. Atlanta; 2010. p. 917–26.

  48. Bao SD, Poon CCY, Yuan-Ting Z, Shen LF. Using the timing information of heartbeats as an entity identifier to secure body sensor network. IEEE Trans Inf Technol Biomed. 2008;12:772–9.

  49. Partala J, Keräneny N, Särestöniemi M, Hämäläinen M, Iinatti J, Jämsä T, Reponen J, Seppänen T. Security threats against the transmission chain of a medical health monitoring system. In: IEEE 15th International Conference on e-Health Networking, Applications and Services. Lisbon; 2013. p. 243–8.

  50. International Organization for Standardization. Risk management. ISO 31000:2018; 2018.

  51. International Organization for Standardization. Information technology – Security techniques – Evaluation criteria for IT security Part 1: Introduction and general model. ISO/IEC 15408–1:2009; 2009.

  52. International Organization for Standardization. Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045. ISO/IEC 18045; 2015.

  53. Joint Task Force Transformation Initiative. Guide for applying the risk management framework to federal information systems: A security life cycle approach. NIST SP800–37 Rev. 1; 2010.

  54. Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J, Gulick J. Guide for mapping types of information and information systems to security categories. NIST SP800–64 Rev. 4; 2008.

  55. FMECA. Failure mode, effects and criticality analysis. FMECA MIL-P-1629; 2007.

  56. Lee SM, Lee D. “Untact”: a new customer service strategy in the digital age. Serv Bus. 2020;14:1–22.

  57. Al-Janabi S, Alkaim AF. A nifty collaborative analysis to predicting a novel tool (DRFLLS) for missing values estimation. Soft Comput. 2020;24:555–69.

  58. Al-Janabi S, Mahdi M. Evaluation prediction techniques to achievement an optimal biomedical analysis. Int J Grid Utility Comput. 2019;10:512–27.

  59. Al-Janabi S, Mohammad M, Al-Sultan A. A new method for prediction of air pollution based on intelligent computation. Soft Comput. 2019.

  60. Patel A, Al-Janabi S, AlShourbaji I, Pedersen J. A novel methodology towards a trusted environment in mashup web applications. Comput Secur. 2014;49:107–22.

  61. Al-Janabi S, AlShourbaji I. A study of cyber security awareness in educational environment in the Middle East. J Inf Knowl Manag. 2016;15:1650007.

  62. Al-Janabi S, Rawat S, Patel A, AlShourbaji I. Design and evaluation of a hybrid system for detection and prediction of faults in electrical transformers. Int J Electr Power Energy Syst. 2015;67.

  63. Kalajdzic K, Al-Janabi S, Patel A. Rapid lossless compression of short text messages. Comput Standards Interfaces. 2014.

  64. Mahdi M, Al-Janabi S. A novel software to improve healthcare base on predictive analytics and mobile services for cloud data centers. In: International conference on big data and networks technologies. Cham: Springer; 2019. p. 320–39.


This research was supported by a grant for the Korea Health Technology R&D Project through the Korea Health Industry Development Institute (KHIDI), funded by the Ministry of Health & Welfare, Republic of Korea (grant number: HI19C0811).


Author information



All authors contributed to the study conception and design. Material preparation, data collection, and analysis were performed by K. D.W., C. J.H., and H. K.H. The first draft of the manuscript was written by and all authors commented on subsequent revisions. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Keun-hee Han.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no conflicts of interest.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit The Creative Commons Public Domain Dedication waiver ( applies to the data made available in this article, unless otherwise stated in a credit line to the data.

About this article

Cite this article

Kim, Dw., Choi, Jy. & Han, Kh. Risk management-based security evaluation model for telemedicine systems. BMC Med Inform Decis Mak 20, 106 (2020).
