Client Case Studies
A threat analysis of a networked medical device

A threat analysis of a medical device for critical patient monitoring
Licensed under the Creative Commons Attribution License

Danny Lieberman

A threat analysis was performed on a network of Windows-based embedded medical devices used for patient monitoring. The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition. The threat analysis used the PTA (Practical Threat Analysis) methodology, described in Appendix A of the medical device threat analysis report.

Our analysis considered threats to three assets: the ability of the medical device to monitor patients, the hospital enterprise network, and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures is suggested in Section III. We devoted special interest to the issue of propagation of viruses and malware into the hospital network.

Our analysis clearly shows that there is no added value in installing anti-virus software on the medical devices. Agent software such as an anti-virus does not reduce residual risk and only serves to increase the complexity of the medical device configuration; a detailed discussion appears in Section IV of our paper. Section V proposes a way of segregating bio-med functions from the hospital enterprise IT. Section VI provides a summary of the analysis and its findings.

A novel benefit of our approach is that the analytical results are provided as a standard PTA threat model database, which medical device manufacturers and hospital customers can use to model changes in the risk profile as the technology and the customer environment evolve.

Download the detailed threat analysis and discussion of HIPAA compliance of medical devices and download the medical device threat model.

SOX Compliance risk analysis

We performed a Sarbanes-Oxley IT top-down security assessment for a NASDAQ-traded advanced technology company. The objectives of the study were to evaluate the internal and external threats that impact the company's information assets. Using the Business Threat Modeling (BTM) methodology, a practical threat analysis (PTA) threat model was constructed and a number of threat scenarios were analyzed. Data was collected using structured interviews and network surveillance (with a Fidelis XPS appliance). Assets were valuated by the CFO, and the IT security operations and technologies were valuated by the CIO. The output of the study was a cost-effective, prioritized program of security controls. This program was presented to and approved by the management board of the company, leading to an immediate cost saving of over $120,000/year in the information security budget.

The detailed threat model was provided to the client and is currently used to perform what-if analysis and track the data security implementation. 

Download the data security case study and download the data security report to the management.

Integrating TV, PC and the Internet

Integrating TV, PC and the Internet in your living room

The majority of our professional consulting work is performed with technology companies, from IPTV and VOD specialist vendors up to large established players like Sun Microsystems who need specific expertise. A pre-seed stage company commissioned us to research the technology and market issues for a system that would integrate TV sets, PCs and the Internet in order to deliver interactive video content to niche markets such as retired people.

Read Integrating TV, PC and the Internet

Protecting customer data at diamonds.com

Data loss prevention in on-line trading: how DLP helped diamonds.com be more secure and more competitive

We designed and implemented a large-scale IT infrastructure modernization project that was tasked with improving the availability, scalability and security of the online diamond trading networks at diamonds.com and diamonds.net. Network DLP appliances were deployed in the US and in EMEA at the company's hosted server farms in order to help protect sensitive customer and commercial data.

Read the Customer solution case study

Telecom customer data protection

Using DLP to protect customer data and PII at a telecom service provider

Our first data loss prevention (DLP) project was in 2005 with 013 Barak, now 013 Barak/Netvision. It followed on the heels of an extensive business vulnerability assessment and a management-level decision to protect customer data. It is significant that 013 Netvision, with their DLP system, were well prepared for attacks like the Israeli trojan.

013 Barak Data Leakage case study

Software Associates - Business security specialists for hi-tech firms