HealthOnt: Healthcare Security Ontology
Version: 2.0
Creators: Mubashar Iqbal (mubashar.iqbal@ut.ee) and Raimundas Matulevičius (rma@ut.ee)
Title: Security risk analysis of healthcare applications using blockchain
License: https://creativecommons.org/licenses/by/4.0
Description: HealthOnt presents the blockchain as a countermeasure solution for security threats of traditional healthcare applications. It also presents what security threats can appear in blockchain-based healthcare applications.

Knowledge sources (instances of the Reference class)
Reference 1: Éric Dubois, Patrick Heymans, Nicolas Mayer, Raimundas Matulevičius. A Systematic Approach to Define the Domain of Information System Security Risk Management. Type: Book chapter. Publisher: Springer Berlin Heidelberg. Year: 2010. Pages: 289-306. DOI: https://doi.org/10.1007/978-3-642-12544-7_16
Reference 2: Raimundas Matulevičius. Fundamentals of Secure System Modelling. Type: Book. Publisher: Springer International Publishing. Year: 2017. Pages: 218. DOI: https://doi.org/10.1007/978-3-319-61717-6

Core ISSRM concepts (classes)
Asset: Assets are valuable and play a role in accomplishing the organization’s objectives. Assets are classified as system assets and business assets.
BusinessAsset: Business assets describe the information, processes, capabilities and skills essential to the business and its core mission.
SystemAsset: System assets are the components or parts of an information system; they are valuable to the organization because they support business assets.
SecurityCriteria: Security criteria are constraints on business assets that characterize a security need, expressed as the confidentiality, integrity and availability of business assets.
Confidentiality: The data is only available to authorized users.
Integrity: Integrity refers to the certainty that the data is not tampered with during or after submission.
Availability: The information and services are available to authorized users when needed.
Vulnerability: A vulnerability is a characteristic of an IS asset or group of IS assets that exposes a weakness or flaw in terms of security.
Threat: A threat is an incident initiated by a threat agent using an attack method to target one or more IS assets by exploiting their vulnerabilities.
Countermeasure: Countermeasures are controls that improve the security of the system. A countermeasure can be a process, policy, device, practice or other action or component of the information system and its organisation that acts to reduce risks.

Relations (object properties)
constraintOf: Security criteria are a constraint of business assets.
hasConstraint: Inverse relation of constraintOf, where security criteria are a constraint of business assets.
negates: A vulnerability negates the defined security criteria of business assets.
isNegatedBy: Inverse relation of negates, where the security criteria of business assets are negated by a vulnerability.
harms: A vulnerability harms an asset.
isHarmedBy: Inverse relation of harms, where an asset is harmed by a vulnerability.
characteristicOf: A vulnerability is a characteristic of one or more system assets that exposes a weakness.
hasCharacteristic: Inverse relation of characteristicOf, where one or more system assets have a characteristic vulnerability that exposes a weakness of those system assets.
exploits: A threat exploits vulnerabilities in the system.
isExploitedBy: Inverse relation of exploits, where a vulnerability in the system is exploited by a threat.
targets: A threat targets one or more system assets.
isTargetedBy: Inverse relation of targets, where one or more system assets are targeted by a threat.
mitigates: A countermeasure mitigates one or more vulnerabilities associated with a particular threat.
isMitigatedBy: Inverse relation of mitigates, where one or more vulnerabilities associated with a particular threat are mitigated by a countermeasure.
supports: A system asset supports one or more business assets.
isSupportedBy: Inverse relation of supports, where one or more business assets are supported by a system asset.

Bibliographic annotation properties (used on Reference instances)
Authors: The authors of the book, book chapter, or research paper.
Publisher: Who published the book, book chapter, or research paper.
DOI: Digital object identifier that uniquely identifies a book, book chapter, or research paper.
Pages: The number of pages of the book, book chapter, or research paper.
Title: The title of the book, book chapter, or research paper.
Type: The type of source, for example a book, book chapter, research paper, or web article.
Year: The year in which the book, book chapter, or research paper was published.
Link: The link to the source if it is a web article.

Dublin Core annotation properties
Dublin core: Specification of all metadata terms maintained by the Dublin Core Metadata Initiative. https://www.dublincore.org/specifications/dublin-core/dcmi-terms
dc:isReferencedBy: Dublin Core metadata term. Indicates the source from which the knowledge for a particular concept is retrieved.
dcterms:license: Dublin Core metadata term. Indicates the license document.
dc:creator: Dublin Core metadata term. Defines who created this ontology.
dc:title: Dublin Core metadata term. Defines the title of the ontology.
dcterms:isPartOf: Dublin Core metadata term. Determines whether a threat is connected to traditional or blockchain-based applications.

Domain concept labels (threats, vulnerabilities, assets and countermeasures; the labels appear concatenated in the source and are listed here in source order)
DustingTransactionProofOfWorkConsensus
IneffectiveLoggingComputingUniqueHashIdOfOriginalDataQuantumSafeCryptographyTraditionalApplicationCounterfeitDrugMitigatedStoreEncryptedDataOnOffChainFastTransactionDrugsDetailLackOfComputingPowerAccessControlDataExchange
PrivateKeyImmutableLoggingInsuranceDataBlockConfirmationBlockchainBasedDataOwnershipWeakTraceabilityControlTraditionalApplicationDataTamperingMitigatedCodeAnalyzer
BlockchainApplicationEndpointThreatAppearedWeakControlsOnSettingsOfMedicalDeviceComputingPower
InsecureCommunicationControlIoTDeviceComputationalConstraintBasedTechniqueImproperSecurityControlsForDatabaseFullNodePowerMonitoringToolDecentralizedVerificationOfInsurerDistributedLedgerEmployeeNetworkReputationAccessControlWithCryptographicPrimitive51PercentAtackNoAnonymizationOfPatientMedicalRecordDataValidationWithoutThirdPartyNoProperAuthenticationOfNodeMedicalRecordTrustedAuthorizedNodesInHLFServerLatticeBasedIPAddressErrorProneAuthenticityOfDataTraditionalApplicationDataTheftMitigatedWeakControlToProveDataChangesByAuthorizedUserBlockchainApplicationSybilBasedDenialOfServiceAppearedNodeClinicalTrialData
DistributedAccessControlMechanismIncreaseComputingPowerBlockFakeIdentitiesCreationPasswordWhiteListedNodeUnprotectedLogTraditionalApplicationRepudiationMitigatedAnonymityOverlayNetworkNetworkJoiningFeeLackOfMedicalDataAccessCentralizedControlGossipingProcessImmutableDrugsTrailTraditionalApplicationClinicalTrialFraudMitigatedNoGuaranteeOfMedicalRecordsAuthenticityKeyPharaseCredentialStakeholderMedicalDataEnhanceNetworkPolicyAlertHonestNodeDelayValidBlocksSubmissionSybilNodesParticipateInConsensusSupplyChainProcessDeviceSettingRelyingOnThirdPartyHealthcareNetworkIneffectiveCryptographicControlHealthcareSystemSmartCheckFeelerConnectionDataProcessingMonitorNodesBehaviorBlockchainApplicationQuantumComputingThreatAppearedTraditionalApplicationTamperingDeviceSettingMitigatedAntiDustModelRelyingOnCentralizedServerLackOfAwarnessRoutingTableMonitorComputingPower
DisableDirectIncomingConnectionValidatorErrorProneSmartContractDrugsTraceabilityHealthcareDatabaseDistributedVerifiedRecordsAmongNodeMiningProcessObfusctedDataNodeIdentityAcceptingUnconfirmedTransactionWeakControlOverMedicalRecordMixingTechniqueAppendOnlyLedgerBlockchainApplicationDoubleSpendingAppearedWalletTraditionalApplicationSocialEngineeringMitigatedMultivariateSecurityAwarenessP2PEncryptedCommunicationMedicaRecordOwnershipPermissioningStakeRequirementsInPoSConsensusSmartContractVotingBasedConsensusClosedFormFormulaProbabilityNoBackupOfLogNetworkResourceWeakAccessControlRandomOutgoingConnectionTraditionalApplicationInsuranceFraudMitigatedDataAccessRightDeterministicRandomEvictionLedgerMultiLevelAuthenticationCryptographyPermissionedSettingImmediateBlockSubmissionSchemeTransactionAnchorConnectionNetworkListening
BlockchainApplicationSmartContractThreatAppearedMiningIncentivePoisoningNodesRoutingTableListeningPeriodNetworkAnalysisTamperResistantIncreaseRiskOfEarningLessIncentiveLackOfImmutableLogP2PNetworkPluggableConsensusInadequateClinicalTrialsDataBlockGenerationUserNewNodeDataValidation
BlockchainApplicationEclipseAttackAppearedInformationProcessingDecentralizedNetworkIncreaseConfirmedBlockInformationFlowNotHandlingLargeNumberOfRequestsToServerInsuranceClaimHealthcareOperationTraditionalApplicationMedicalRecordsMishandlingMitigatedTraditionalApplicationSinglePointFailureMitigatedTransactionFeeBlockchainApplicationSybilAttackAppearedBlockchainBasedVersioningSchemeMiningProtocolImproperInsuranceClaimVerificationPenetrationTestingIneffectivePatientRecruitmentBlockchainApplicationBlockWithholdingDelayAppearedActionLog
PossibleToManipulateEmployeesToGetDataAccessTraditionalApplicationManInTheMiddleMitigatedTransactionValidationRingSignaturePatientDataServiceDigitalAssetDataProvenanceValidateNodeConnectionStoringDevicesSettingsInImmutableLedgerBlockchainAnonymizeDataNoQuantumSafeCryptographyInsertObserverCommunicationMinerBlockchainApplicationDeanonymizationAppearedMissingRequestsFilteringMedicalTransactionHardwareSecurityModuleTor
ZeroKnowledgeProofMedicalBillDistributedIPFSForStorageTraceableDrugsTrail