Author: T. Y. Fam
Research Assignment
1. Introduction
A wireless hospital ward is trialling wireless and healthcare mobility applications as a more convenient way to deliver patient care. The project is currently running in the Monash Medical Centre's neurology ward in Melbourne. PDAs and other devices such as laptops and tablet PCs are used to retrieve patient history reports and to display information such as X-rays [1].
The main aims of the project are to speed up the flow of patient information and to reduce the amount of inaccurate data stored in the database. The system allows doctors and nurses to retrieve up-to-date information anywhere, for example at the patient's bedside [1].
Security is the main concern, since everything is processed electronically and transmitted wirelessly. Security experts need to ensure the system is as secure as possible before it goes live in the hospital. The system uses multiple WLAN connections, because this protocol is more flexible than the alternatives [1].
2. Threat Modeling Part 1
2.1 Security Objective
Confidentiality, integrity and availability are considered when outlining the security objectives for the Wireless Hospital Ward system. Confidentiality identifies the ways of protecting against unauthorized access and information disclosure. Integrity prevents data from being changed without authorization, and availability is mainly concerned with having a backup system ready when the main system is down, whether because of an attack or for other reasons [2].
Security Objectives:
a) Stop unauthorized persons from retrieving or modifying patient data.
b) Prevent unauthorized persons from obtaining usernames and passwords.
c) Meet industry standards for availability when the main system is down.
2.2 Application Overview
2.2.1 End to end deployment scenario

Figure 1.0 above shows the Wireless Hospital Ward System Components [3]. The main components are:
a) The Patients’ Record Manager (PRM)
b) The Workflow Manager (WM) and the Personal Organizer (PO)
c) The Legacy System Interface (LSI)
2.2.2 Identify Roles

2.2.3 Identify Technologies
Devices:
- PDA
- Laptop or Tablet PC
Operating System:
- Microsoft Windows
Network Equipment:
- Wi-Fi access point
- Local area networks
Databases:
- Oracle
2.2.4 Identify Application Security Mechanisms
• Input and data validation
• Authentication
• Authorization
• Configure workflow
• Protection of confidential patient data
• Session and HTML cookie control
• Data encryption
• Data backup
• User activity logging
• Firewall
2.3 Application Decomposition
2.3.1 Identify Trust Boundaries
• The firewall is the first trust boundary. It separates traffic that is allowed to reach the data servers from traffic that is not.
• The PRM and workflow (WM) databases. The database itself is a trust boundary: only the application servers should be able to reach it over the network, so it is never exposed directly to clients or to the public.
• When doctors or nurses log in to the system they enter a username and password. The server checks the login details and performs the authentication. This is a trust boundary.
• The boundary between different hospitals that share information.
2.3.2 Identify Data Flows

1. The user logs in and the server authenticates the login details. If they are valid, the server assigns a session to the user, who is then allowed to use the system.
2. The user can retrieve or update records in the patient database.
3. Finalized data is saved to the legacy system.
2.3.3 Identify Entry Points
The Wireless Hospital Ward system has several entry points. The administrator login page is one example: an unauthorized person who gets past it enters the system directly. The system should detect and block connections that do not arrive through the normal level 1 interface.
2.3.4 Identify Exit Points
When a user sends a client's data back to the server, the data first reaches the Wi-Fi access point and is then routed to the appropriate server. It is important that there are no rogue or hijacked access points between the different exit points.
3. Threat Modeling Part 2
3.1 Identify Threats
There are two basic approaches that can be used to identify threats and attacks:
1. Start with common threats and attacks
In this approach, we start with a group of common threats and then apply the list to the Hospital Ward system. During the testing phase we eliminate the threats that turn out not to apply [2].
2. Use a question-driven approach
This is done by using the STRIDE model to ask questions about the system. The approach concentrates on how an attacker would break into the system [2].
The Wireless Hospital Ward system has multiple tiers and layers. The area most often neglected is the link between the devices and the access point. Data encryption is a must here, since access points can often be broken into quite easily; if all data is encrypted, an attacker who captures the traffic cannot read it without the key.
3.2 Common Threats

3.3 Wireless Hospital Ward Security Frame [2]
Authentication
• An attacker may use a key generator to spoof an identity
• An attacker may be able to enter the system using a spoofed identity
• If an attacker breaks into the system directory, the whole password file may be stolen
• An attacker may bypass the session timeout by obtaining a new session key
Authorization
• An attacker can steal a username and password and log in to the system
• If an attacker bypasses security and enters the main system, he can raise user permission levels and compromise the entire system
Input and Data Validation
• An attacker may record network traffic and create fake data packets
• An attacker may send fake data packets to the server
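The recorded-and-replayed packet is the case an application-level check has to handle. The following Python is added here as a worked example and is not part of the original assignment. Each update from a device is signed with a per-device HMAC key together with a random nonce and a timestamp; the server verifies the MAC, rejects packets outside a freshness window, and rejects any nonce it has already accepted. The device ids, key and patient fields are constructed for the demo. This is an application-layer check that complements, rather than replaces, encryption of the wireless link.

```python
import hashlib
import hmac
import json
import secrets
import time

FRESHNESS_WINDOW = 30   # seconds; PDA and server clocks must agree to within this


def canonical(body: dict) -> bytes:
    """Stable serialisation so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_update(key: bytes, device_id: str, payload: dict, nonce: str = None, ts: int = None) -> dict:
    """Client side: wrap a patient-record update with device id, nonce, timestamp and HMAC."""
    body = {
        "device": device_id,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "ts": ts if ts is not None else int(time.time()),
        "payload": payload,
    }
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class UpdateReceiver:
    def __init__(self, device_keys: dict, clock=time.time):
        self.device_keys = device_keys   # device_id -> per-device secret key (assumed provisioned)
        self.seen_nonces = {}            # nonce -> ts, for replay detection
        self.clock = clock               # injectable so the tests are deterministic

    def accept(self, msg: dict):
        """Server side. Returns (accepted, reason): identify the device, verify the MAC,
        then check freshness, then check for a replayed nonce."""
        key = self.device_keys.get(msg.get("device"))
        if key is None:
            return False, "unknown device"
        mac = msg.get("mac")
        if not isinstance(mac, str):
            return False, "missing mac"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"            # forged, or modified after capture
        now = self.clock()
        if not isinstance(body.get("ts"), int) or abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return False, "stale"              # recorded long ago, or clock skew too large
        self._prune(now)
        if body["nonce"] in self.seen_nonces:
            return False, "replay"             # the same authentic packet sent a second time
        self.seen_nonces[body["nonce"]] = body["ts"]
        return True, "ok"

    def _prune(self, now):
        # A nonce older than the window can never be accepted again, so it need not be kept
        for nonce, ts in list(self.seen_nonces.items()):
            if now - ts > FRESHNESS_WINDOW:
                del self.seen_nonces[nonce]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed per-device key for the demo
    rx = UpdateReceiver({"pda-01": key})
    msg = sign_update(key, "pda-01", {"patient": "MRN-0001", "allergies": "penicillin"})
    print(rx.accept(msg))                  # first delivery is accepted
    print(rx.accept(msg))                  # exact replay is rejected
```

The MAC is checked before the nonce table is touched, so only authentic messages consume memory in the replay cache; the pruning step bounds that cache to one freshness window.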
Configuration Management
• An attacker can gain access to configuration files by breaking into the system directory
• An attacker can break into the system directory using a stolen username and password
Sensitive Data
• Sensitive data such as patients' private details should be stored in a protected area
• Sensitive data passes across the network whenever doctors or nurses retrieve or update patient details
• An attacker could read sensitive data by logging in to the system or by capturing the network traffic
Session Management
• An attacker could hijack a user's session using a tool such as "tap" to take over an existing login session
• An attacker can get into the system without any login details if the previous user is still logged in
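The login data flow in 2.3.2 (authenticate, then assign a session) and the session threats above (a taken-over session, a session that never ends, a timeout "bypassed" with a new key) can be handled in one place. The Python below is an added worked example, not code from the original assignment or from the hospital project. It stores salted PBKDF2 password hashes, issues a random session token on login, binds the token to the device that logged in, and enforces both an idle timeout and an absolute lifetime that activity cannot extend. Usernames, passwords, device ids and the timeout values are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000
IDLE_TIMEOUT = 5 * 60            # seconds without activity before a session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # one shift; re-authentication is required after this


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_user_table(entries):
    """entries: iterable of (username, password, role) -> {username: (salt, digest, role)}."""
    table = {}
    for username, password, role in entries:
        salt, digest = hash_password(password)
        table[username] = (salt, digest, role)
    return table


class SessionStore:
    def __init__(self, users, clock=time.time):
        self.users = users        # username -> (salt, digest, role)
        self.sessions = {}        # token -> session record
        self.clock = clock        # injectable so expiry can be tested deterministically

    def login(self, username, password, client_id):
        """Data flow step 1: verify credentials, then issue an unguessable session token."""
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt, digest, role = record if record else (b"\0" * 16, b"\0" * 32, None)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits, not a counter a "key generator" could predict
        now = self.clock()
        self.sessions[token] = {"user": username, "role": role, "client": client_id,
                                "created": now, "last_seen": now}
        return token

    def authorize(self, token, client_id):
        """Data flow step 2: every request must carry a live token presented by the same device."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        expired = (now - s["created"] > ABSOLUTE_LIFETIME      # cannot be extended by staying active
                   or now - s["last_seen"] > IDLE_TIMEOUT)      # the PDA was left unattended
        if expired or s["client"] != client_id:                 # token replayed from another device
            self.sessions.pop(token, None)                      # kill it for the legitimate user too
            return None
        s["last_seen"] = now
        return s["user"], s["role"]

    def logout(self, token):
        """Explicit logout so the next person to pick up the PDA cannot continue the session."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(make_user_table([("drsmith", "correct horse battery", "doctor")]))
    tok = store.login("drsmith", "correct horse battery", "pda-01")
    print(store.authorize(tok, "pda-01"))    # ('drsmith', 'doctor')
    print(store.authorize(tok, "laptop-07")) # None: same token from a different device
```

Binding the token to a device identity (a client certificate fingerprint is a better choice than an IP address on a Wi-Fi network) means a token lifted off the air is useless elsewhere, and the absolute lifetime means a stolen token stops working at the end of the shift no matter how active the attacker keeps it.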
Cryptography
• To read encrypted data the attacker needs the decryption key
• An attacker can obtain the decryption keys by breaking into the system where they are stored
Parameter Manipulation:
• An attacker can manipulate request parameters to change the SQL that reaches the database server
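The parameter-manipulation threat is concrete when the manipulated value ends up inside the SQL text. The Python below is an added worked example, not part of the original assignment; it uses an in-memory SQLite table as a stand-in for the PRM's Oracle patient table (the table, rows and MRN format are constructed for the demo). A string-built lookup beside a bind-variable lookup shows the difference, and an allow-list check on the MRN format is included as the input-validation layer in front of both. The `:mrn` placeholder is the same bind syntax Oracle clients use.

```python
import re
import sqlite3

# Constructed sample data standing in for the patient table (not real records).
PATIENTS = [
    ("MRN-0001", "A. Patient", "Ward 7 bed 3", "penicillin"),
    ("MRN-0002", "B. Patient", "Ward 7 bed 5", "none"),
    ("MRN-0003", "C. Patient", "Ward 7 bed 9", "latex"),
]

# A manipulated request parameter, constructed for the demo.
MALICIOUS_MRN = "' OR '1'='1"


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (mrn TEXT PRIMARY KEY, name TEXT, location TEXT, allergies TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?)", PATIENTS)
    return conn


def is_valid_mrn(mrn) -> bool:
    """Input validation: the record number has one known shape; anything else is rejected
    before it goes near the database."""
    return isinstance(mrn, str) and re.fullmatch(r"MRN-\d{4}", mrn) is not None


def lookup_vulnerable(conn, mrn):
    """String-built query: the parameter becomes part of the SQL text, so a quote in it
    closes the literal and the rest is parsed as SQL."""
    sql = "SELECT mrn, name, location, allergies FROM patient WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, mrn):
    """Bind variable: the parameter travels as data and is never parsed as SQL."""
    sql = "SELECT mrn, name, location, allergies FROM patient WHERE mrn = :mrn"
    return conn.execute(sql, {"mrn": mrn}).fetchall()


def lookup(conn, mrn):
    """What the PRM should do: validate the shape first, then use the bound query."""
    if not is_valid_mrn(mrn):
        return None
    return lookup_parameterized(conn, mrn)


if __name__ == "__main__":
    conn = open_demo_db()
    print(len(lookup_vulnerable(conn, MALICIOUS_MRN)), "rows from the string-built query")  # every patient
    print(len(lookup_parameterized(conn, MALICIOUS_MRN)), "rows from the bound query")      # none
    print(lookup(conn, MALICIOUS_MRN))                                                        # rejected
```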
Exception Management
• How could an attacker crash the application?
• How could an attacker gain useful exception details?
Auditing and Logging
• An attacker could cover his or her tracks by deleting or editing the log file
• By checking the login date, time and location, we can determine whether a person is an attacker or a legitimate user
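For the log-deletion threat above, the usual control is to make every audit record depend on the one before it, so that a deleted, edited or reordered entry breaks the chain at that point. The Python below is an added worked example, not part of the original assignment. Each entry carries an HMAC over its own fields and the previous entry's tag; the key is assumed to be held by a separate log server rather than the application host, so an intruder on the application host cannot recompute the chain. Usernames, timestamps and actions are constructed for the demo. Truncating the tail of the log is the edge case a chain alone cannot see, which is why the verifier also accepts a head value stored off the box.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag "before" the first entry


def canonical(entry: dict) -> bytes:
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(log: list, key: bytes, **fields) -> dict:
    """Append an entry whose tag covers its own fields and the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, **fields}
    entry["tag"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes, expected_head: str = None):
    """Return (ok, first_bad_seq). Walks the chain from the genesis tag; a deleted,
    edited or reordered entry fails at its index. If expected_head (the last tag,
    kept on the log server) is given, a truncated tail is detected as well."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if entry.get("seq") != i or body.get("prev") != prev:
            return False, i                       # gap or reordering
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i                       # edited fields or forged tag
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)                    # entries missing from the end
    return True, None


if __name__ == "__main__":
    key = b"key-held-by-the-log-server"          # constructed for the demo
    log = []
    append_entry(log, key, ts="2005-03-01T09:12:00", user="drsmith", action="read", patient="MRN-0001")
    append_entry(log, key, ts="2005-03-01T09:15:30", user="nurse_k", action="update", patient="MRN-0002")
    append_entry(log, key, ts="2005-03-01T09:20:05", user="admin", action="perm-change", target="nurse_k")
    head = log[-1]["tag"]
    print(verify_log(log, key, head))             # (True, None)
    del log[1]                                    # attacker removes the incriminating entry
    print(verify_log(log, key, head))             # (False, 1)
```

Each record's tag should be shipped to the log server as it is written; the server then holds both the key and the latest head, and the application host can be fully compromised without the attacker being able to rewrite history undetected.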
3.4 Use Cases Diagram

3.5 Data Flows Diagram

In level 1, security remains the main issue, as these are the paths most commonly used by attackers. D1 to D3 should be protected by an appropriately configured firewall and should remain inside the trust boundaries.
3.6 Threats by Using Attack Trees
The use of attack trees helps identify further threat possibilities. An attack tree analyses attack paths in greater depth than the other threat diagrams. There are two usual ways an attacker could break into the system: through authentication vulnerabilities and through network vulnerabilities. Figure 5.0 below is an attack tree showing the threats an attacker could carry out once they have broken into the system.

Threat no: 1 Attacker obtains login details
1.1 Spoofing access details
1.1.1 Login to patient’s directory and retrieve data
1.2 Access to network and monitoring traffic packets
1.2.1 Read important network information
1.2.2 Flooding the network with traffic, causing the system to crash
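An attack tree becomes useful once it is evaluated: leaves get an attacker cost, AND nodes add their children, OR nodes take the cheapest child, and a control marks the leaves it defeats as infeasible. The Python below is an added worked example, not part of the original assignment, and the tree it builds is an illustration in the shape of Threat no. 1 above (obtain login details either by spoofing access details or by monitoring the network); the leaf names, costs and control names are assumptions made for the demo. Re-running the evaluation with different control sets shows which path the attacker would take next and how much each control raises the price.

```python
import math
from dataclasses import dataclass, field

INF = math.inf


@dataclass
class Node:
    name: str
    op: str = "LEAF"            # "AND", "OR" or "LEAF"
    cost: float = 0.0           # attacker effort for a LEAF, in arbitrary units
    mitigated_by: tuple = ()    # controls that make a LEAF infeasible
    children: list = field(default_factory=list)


def evaluate(node: Node, controls: set):
    """Return (cheapest_cost, leaf_names_on_that_path); (inf, []) if no path remains."""
    if node.op == "LEAF":
        if any(c in controls for c in node.mitigated_by):
            return INF, []
        return node.cost, [node.name]
    results = [evaluate(child, controls) for child in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])       # attacker picks the cheapest branch
    total = sum(r[0] for r in results)                  # AND: every child must succeed
    if total == INF:
        return INF, []
    return total, [name for r in results for name in r[1]]


def build_tree() -> Node:
    """Illustrative tree in the shape of Threat no. 1 (names and costs are constructed)."""
    return Node("1 Attacker obtains login details", "OR", children=[
        Node("1.1 Spoof access details", "AND", children=[
            Node("Learn a valid username", cost=1),
            Node("Obtain the password", "OR", children=[
                Node("Guess a weak or default password", cost=3,
                     mitigated_by=("password policy with lockout",)),
                Node("Phish or shoulder-surf the password", cost=5,
                     mitigated_by=("multi-factor authentication",)),
            ]),
        ]),
        Node("1.2 Access the network and monitor traffic", "AND", children=[
            Node("Get within radio range of the ward", cost=1),
            Node("Read credentials from captured frames", cost=2,
                 mitigated_by=("WPA2 encryption", "TLS between device and server")),
        ]),
    ])


def cheapest_attack(controls=()):
    return evaluate(build_tree(), set(controls))


if __name__ == "__main__":
    for controls in ([], ["WPA2 encryption"],
                     ["WPA2 encryption", "password policy with lockout"],
                     ["WPA2 encryption", "password policy with lockout", "multi-factor authentication"]):
        cost, path = cheapest_attack(controls)
        print(f"{controls!r:90} -> cost {cost}, path {path}")
```

Without controls the cheapest route is sniffing the WLAN, which is exactly the link section 3.1 singles out; encrypting it pushes the attacker onto the credential-guessing branch, and only the combination of all three controls leaves no feasible path in this tree.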
3.7 System Vulnerabilities


List of References:
[1] K. Maslog-Levis, "Monash neurology ward trials wireless," Jan. 2005; http://www.necbs.com.au/mediacoverage/2005/wardtrialswireless.htm
[2] J.D. Meier, A. Mackman, B. Wastell, "Threat Modeling Web Applications," May 2005; http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwatemplatesample.asp
[3] "Wireless Hospital Ward," Practicalwork.doc provided on the unit website.
[4] CACI, "Computer Security Threats," http://www.caci.com/business/ia/threats.html