Design > Security

Release Information

Project: EGADSS
Internal Release Number: $Revision: 1.4 $ $State: Exp $
Related Documents: Design document

Overview



This document elaborates on all known security threats and specifies all security enhancing mechanisms to be implemented. The document is structured according to the physical deployment model in the security deployment model below.

The architecture comprises the EGADSS server (the actual decision support system) and the EMR System (the physician's Electronic Medical Record system - not provided by the EGADSS team). There is another external node (EGADSS Maintenance) to monitor the operations of the EGADSS server and update the guideline base. (No confidential data will be monitored).

 
security deployment architecture

Security Threat Analysis (by computational node)

When analyzing the security threats, we use the following threat taxonomy to structure our analysis. Threats are linked to a threat source, a vulnerability and a consequence. Furthermore, threats have a probability and a severity. The risk is assessed relative to probablity and severity.
threat taxonomy

1. EGADSS Server
Data: The EGADSS server is memory-less. It does not persist any confidential information. It receives a patient summary, executes its guideline base on it and returns a recommendation document. At this time all data about the patient summary is deleted. The only information persisted at the EGADSS server is high-level meta-information about the decision support service, e.g., a log book of interactions with the EMR system and the execution times of the decision support system.

Threats:
Threat # Source Vulnerability Consequence Mitigation strategy Probability Severity Risk
1 Hacker data transmission between server
and EMR system		 disclosure
  • server in secure location
  • firewall blocks server port
    from outside access
 very low high low
2 Malicious
insider		 compromising EGADSS server to
intercept data		 disclosure
  • OS security will restrict login
    on EGADSS server to admin
    personnel only
 very low high low
3 Malicious
insider		 load wrong guidelines into
EGADSS server		 Usurpation,
disruption
  • OS security will restrict login
  • guideline authenticity will
    be checked cryptographically
 very low high low
4 Personnel errors
and ommissions		 accidentally leave door to server
room open		 disclosure
theft of device
  • train staff to lock door
 very low low
(no data persisted)		 low
5 Hacker load wrong guidelines into
EGADSS server using
the maintenance interface
 Usurpation,
disruption
  • Authenticity of maintenance request
    will be cryptographically checked
  • We will use non-standard ports and
    protocols for the interface
 very low high low




2. EMR System
Data: The EMR system maintains medical records about patients. These records are highly confidential. The EMR system is an outside component - not provided by the EGADSS group. We do not have the power to control the security of the EMR system. Therefore, we do not specify any security constraints here.

All text is available under the terms of the GNU Free Documentation License.

SourceForge.net Logo