8 research outputs found

    Threats Management Throughout the Software Service Life-Cycle

    Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    Digital vulnerabilities in the health sector - A summary of findings from a workshop held in May 2015 under the auspices of Lysneutvalget

    The Digital Vulnerability Committee (Digitalt sårbarhetsutvalg, Lysneutvalget) was appointed by the government on 20 June 2014. The committee is to propose concrete measures to strengthen preparedness and reduce digital vulnerability in society. Lysneutvalget has been through a phase of information gathering, in which several actors from the health sector have contributed, or are in the process of contributing, written input. On this basis, a number of actors affiliated with the health sector were invited to a workshop to discuss vulnerabilities within this sector and to discuss effective measures to meet current and future challenges. SINTEF was engaged by Lysneutvalget to assist with facilitation of the workshop, which was held on 21 May 2015 in Oslo with 26 participants affiliated with the sector. The programme consisted of five presentations, group discussions and plenary discussions. This report summarises the main findings from the workshop with regard to vulnerabilities and measures pointed out by the participants throughout the workshop.

    Sensitive Information on Display: Using flexible de-identification for protecting patient privacy in (semi-) public hospital environments

    In later years, the health care work in hospitals has become increasingly fragmented, in a sense where different people and professions are required for the treatment of every single patient. As a consequence, personnel should be assisted to greater awareness of what is happening, so that they can better plan where to put in their efforts. Making information about ongoing activities more accessible to its users is hence important, but this will in turn require increased distribution of sensitive data inside the hospital. The concept of flexible de-identification has been proposed as a solution for the privacy issues raised by this, but then again new issues emerge when it comes to how useful the de-identified data are to its authorized end users, in practice. A series of six rapid field tests was executed along with a literature review on de-identification. The purpose was to explore some ideas to how de-identification could be implemented for information screens located in public and semi-public hospital environments, such as hallways, where personnel are likely to see them. The appropriateness of several techniques for de-identification was hence evaluated for being used in real-time visualizations, in contrast to previous known applications of the concept. This input was in turn used to design a high-fidelity prototype for use in a series of four experiments in a usability laboratory. The experiments involved role-play sessions, where nurses from a university hospital used the prototype in a simulation of realistic ward work. In a focused interview directly afterwards, they each assessed the usefulness of having a system available in such locations, considering that the information was de-identified.
Moreover, the nurses evaluated six alternative approaches to de-identification of the sensitive information, and ranked them with respect to which, if any, would be best suited for use in their regular work environment. The experiments indicate that users appreciate being notified via large screens when new information is available, but disagree on what is the preferred level of de-identification. Some would emphasize the legislative requirements and privacy issues raised, while others would put their own utility needs first. As a response to this, an interactive prototype was designed to demonstrate how users can be given interactive control over how identifiable the displayed information is. This idea of giving users flexible control over what is seen on a screen, depending on how they assess the context for access, is grounded in a framework for evaluation that considers the quality requirements of identification utility, legislation and usability. Useful applications of non-interactive de-identification to screens in public environments, are effectively disqualified by the legislative requirements regulating how personal health information can be disclosed. The de-identification can however be useful for enabling an intermediate security level, which can be accessed as long as there is an authorized user present. Appropriate techniques for achieving such de-identification, are found to be suppression of variables, coding, masking and generalization. With this overall approach, users may gradually authorize themselves until the required utility is reached, and hence be able to access useful information in public places. The information depth available must also be accordingly limited, so that the increased risk of abuse is mitigated. The result is possibly a security mechanism that is both legal to implement, it serves the utility needs of personnel, and it is more usable in practice than existing time-demanding login routines.
Finally, these ideas have been included in the design of an interactive prototype, which still remains to see tested in practice

    Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research

    Risk transfer can be an economically favorable way of handling security and privacy issues, but choosing this option indiscriminately and without proper knowledge is a risk in itself. This report provides an overview of knowledge gaps related to cyber-insurance as a risk management strategy. These are grouped into three high-level topics; cyber-insurance products, understanding and measuring risk and estimation of consequences. The topics are further divided into 11 knowledge areas with recommendations for further research. The work is based on a study of academic literature and other written materials, such as various reports and newspaper articles. There is a clear lack of empirical data on cyber-insurance, and in particular qualitative studies aiming to understand and describe needs, obstacles and processes relevant for cyber-insurance. We recommend a stronger emphasis on research related to topics that are specific to cyber-insurance, covering decision models for buyers of insurance, barriers for information sharing, impact of cyber-insurance on security, and business models for insurer

    Personal Health Information on Display: Balancing Needs, Usability and Legislative Requirements

    Large wall-mounted screens placed at locations where health personnel pass by will assist in self-coordination and improve utilisation of both resources and staff at hospitals. The sensitivity level of the information visible on these screens must be adapted to a close-to-public setting, as passers-by may not have the right or need to know anything about patients being treated. We have conducted six informal interviews with health personnel in order to map what kind of information they use when identifying their patients and their next tasks. We have compared their practice and needs to legislative requirements and conclude that it is difficult, if not impossible, to fulfil all requirements from all parties. © 2011 European Federation for Medical Informatics. All rights reserved. This is the authors' accepted and refereed manuscript to the article

    Designing privacy-friendly digital whiteboards for mediation of clinical progress.

    BACKGROUND: In hospitals, digital versions of dry-erase whiteboards are increasingly becoming more common. One of the purposes with such whiteboards is to support coordination of care by augmenting visibility and availability of clinical information. However, clinical information usually concerns patients and is regarded as sensitive personal health information, meaning that it should be access controlled. The purpose of this study is to explore how digital whiteboards can be designed for supporting coordination of care, by providing clinicians with useful information in a usable way, and at the same time protect patient privacy. METHODS: A demo application was designed, demonstrated and evaluated iteratively. In total, 15 professional ward nurses role-played a scenario in which the application played a central part. Afterwards, the participants were interviewed. All interviews were recorded, transcribed verbatim, and analysed qualitatively. RESULTS: The participants valued having updated clinical information presented on a digital whiteboard, even if the information was de-identified and abstracted. According to the participants, such information could possibly improve inter-departmental communication, reduce the number of electronic health record-logins, and make nurses more rapidly aware of new information. The participants expected that they would be able to re-identify much of the de-identified information in real situations based on their insight into their patients' recent and expected care activities. Moreover, they also valued being able to easily access more detailed information and verify patient identities. While abstraction and de-identification was regarded to sufficiently protect the patients' privacy, the nurses also pointed out the importance of having control over what can be seen by other patients and passers-by if detailed medical information was accessed on a digital whiteboard. 
CONCLUSIONS: Presenting updated information from patient care activities on a digital whiteboard in a de-identified and abstracted format may support coordination of care at a hospital ward without compromising patient privacy. © 2014 Gjære and Lillebo; licensee BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.