The CORAS approach for modelbased risk analysis applied to the telemedicine domain - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

The CORAS approach for modelbased risk analysis applied to the telemedicine domain

Description:

The CORAS approach for model-based risk analysis applied to the ... Electrocardiograph : ECG. episode_folder : Collaboration Context. CARDIOLOGIST : Health ... – PowerPoint PPT presentation

Number of Views:348
Avg rating:3.0/5.0
Slides: 35
Provided by: evahen
Category:

less

Transcript and Presenter's Notes

Title: The CORAS approach for modelbased risk analysis applied to the telemedicine domain


1
The CORAS approach for model-based risk analysis
applied to the telemedicine domain
  • Nortelemed, Tromsø
  • 1 October 2002
  • Eva Henriksen, Norwegian Centre for Telemedicine

2
CORAS is ...
  • a European RD project within the 5th framework
    program
  • with 11 partners from industry and RD
  • from 4 countries


The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
The Consortium The CORAS consortium consists of
three commercial companies - Intracom
(Greece), - Solinet (Germany) and - Telenor
(Norway) seven research institutes - CLRC/RAL
(UK), - CTI (Greece), - FORTH (Greece), - IFE
(Norway), - NCT (Norway), - NR (Norway) and -
SINTEF (Norway) as well as one university
college - Queen Mary University of London (UK).
3
Main objectives
  • To develop a practical framework for a precise,
    unambiguous and efficient risk analysis of
    security critical systems, by combining
  • methods for risk analysis
  • semiformal description methods (object-oriented
    modelling)
  • computerised tools
  • To apply the framework in security critical
    application domains
  • Telemedicine
  • E-commerce
  • To assess the applicability, usability, and
    efficiency of the framework

4
The telemedicine trial
  • Targets Two telemedicine pilot services in Crete
  • ATTRACT a video-conference service for remote
    follow-up of asthmatic children.
  • TeleCardiology a web-based service for
    GP-to-specialist tele-consultation in the case of
    patients with acute heart problems.
  • Both services make use of HYGEIAnet,
  • the regional healthcare network of Crete,
    connecting
  • 4 regional hospitals
  • 21 primary health care centres and community
    doctors

5
The CORAS Risk Management Process
6
The CORAS Risk Management Process
7
Sub-process 1Context Identification
  • Preparatory work before risk assessment meeting
  • Identify areas of relevance
  • Identify and value assets
  • Identify security requirements/policies
  • Determine risk evaluation criteria
  • During risk assessment meeting
  • Walk-through / Approval

8
The ATTRACT Service
Sub-process 1 Context Identification System
description
9
The ATTRACT Service
Sub-process 1 Context Identification System
description
10
The TeleCardiology Service
Sub-process 1 Context Identification System
description
Collaboration infrastructure WebOnCOLL
General Practitioner in Remote healthcare Center
Medical Specialists at the Teleconsultation Cente
r
Creation of Teleconsultation Folder
Selection of specialist
11
The Telecardiology service
Sub-process 1 Context Identification System
description
12
Sub-process 1 Context Identification System
description
The TeleCardiology service
Health Care Professional
Clinical Information System
Collaboration Manager
13
Sub-process 1 Context Identification SWOT
14
Sub-process 1 Context IdentificationAssets
15
Sub-process 1 Context IdentificationSecurity
requirements
16
The CORAS Risk Management Process
17
Sub-process 2Risk Identification
  • Identify threats to assets
  • Identify vulnerabilities of assets
  • Describe unwanted incidents

18
Sub-process 2 Risk IdentificationIdentify
threats, vulnerabilities and unwanted incidents
19
Sub-process 2 Risk IdentificationIdentify
threats, vulnerabilities and unwanted incidents
FTA (Fault Tree Analysis)
Local Network
failure
Misconfiguration
Power failures
Misconfiguration
Disconnection
of networking
(LAN
of network
of cables
devices
equipment)
settings at PC
Malicious person
Administrator of
Malicious person
PC user (by
that has access to
network devices
that has access
mistake)
network devices
(by mistake)
to PC
20
The CORAS Risk Management Process
21
Sub-process 3Risk Analysis
  • Consequence evaluation
  • Likelihood/Frequency evaluation

22
Sub-process 3 Risk AnalysisDetermine consequence
Examples of consequence definitions
23
Sub-process 3 Risk AnalysisDetermine likelihood
Examples of likelihood definitions
24
The CORAS Risk Management Process
25
Sub-process 4Risk Evaluation
  • Determine level of risk
  • Prioritize risks
  • Categorise risks
  • Determine interrelationships among risk themes
  • Prioritise the resulting risk themes and risks

26
Sub-process 4 Risk EvaluationDetermine level of
risk
27
Sub-process 4 Risk EvaluationCategorise risks
  • Examples of risk categorisation groups
  • Protection of human life and peoples safety
  • Integrity of Medical data
  • Prevention from unauthorized use of the service
  • Reputation of the stakeholders
  • Network availability
  • Software availability
  • Medical expert availability
  • Room and equipment availability
  • Power availability
  • Technical support availability

28
The CORAS Risk Management Process
29
Sub-process 5Risk Treatment
  • Identify treatment options
  • Assess alternative treatment approaches

30
Sub-process 5 Risk TreatmentIdentify treatment
options
  • Possible treatment options
  • Changes to security requirements
  • Changes to security policies, for example
    policies for change of passwords
  • Changes to system architecture
  • Strategies for testing
  • Strategies for monitoring
  • Possible approaches
  • a) Risk avoidance
  • b) Reduction of likelihood
  • c) Reduction of consequence
  • d) Risk transfer
  • e) Risk retention

31
The CORAS Risk Management Process
32
Communicate and consult
  • Provide stakeholders with risk assessment report
    and recommendations with respect to treatment
  • Main results of the CORAS Risk Management
    Process
  • Risk assessment report
  • A collection of easily retrievable and reusable
    documentation of all identified stakeholders,
    assets, threats, vulnerabilities, unwanted
    incidents, risks, risk themes, treatment options
    and proposed treatment actions related to the
    target of assessment (in the CORAS repository)
  • UML models of system descriptions relevant for
    the risk assessment and results

33
Effort spent by medical doctors
  • For each participating doctor
  • 2 preparatory meetings (2 hrs each)
  • introduction to the CORAS risk management process
  • discussions about models and functionality of the
    service
  • identification and definition of levels of
    likelihood, consequence and risk
  • 12 one-day risk assessment meetings
  • identify threats
  • identify consequences and likelihoods
  • 1 wrap-up meeting (1 hr)
  • discussing preliminary results

34
Feedback from doctors
  • Easy to take part, easy to understand.
  • The risk assessment process helped us to
    increase our knowledge of the potential security
    threats of the service.
  • The risk assessment process made us aware of
    some vulnerabilities we should address.
  • The risk assessment process made us aware of
    possible security threats and vulnerabilities at
    the other side.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "The CORAS approach for modelbased risk analysis applied to the telemedicine domain" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!