Table 9.
Examples of telemedicine risk assessment estimates
| Asset | AV | Concern | AOP | ASP | RV | ||
|---|---|---|---|---|---|---|---|
| Telemedicine device |
RTOS/ GPOS/ gateway |
5 | Patient information leakage | 1 | 2 | 10 | L |
| 5 | Weak password set | 2 | 5 | 50 | H | ||
| 5 | Critical information transmitted owing to device operation errors | 3 | 4 | 60 | H | ||
| 5 | Loss due to improper management of telemedicine device | 2 | 5 | 50 | H | ||
| 5 | Access to internal system used by unapproved device | 1 | 1 | 5 | L | ||
| 5 | Information leakage by device because of malware infection | 1 | 1 | 5 | L | ||
| 5 | Saving important information in device | 2 | 4 | 40 | H | ||
| 5 | Leakage of significant information from lost/stolen device | 2 | 4 | 40 | H | ||
| 5 | Access to internal system and disclosure of important information owing to application vulnerabilities of device | 2 | 4 | 40 | H | ||
| 5 | Device ↔ plaintext transmission between internal system | 3 | 5 | 75 | H | ||
| 5 | Device ↔ plaintext transmission between telemedicine system | 3 | 5 | 75 | H | ||
| 5 | Device ↔ MITM attacks between telemedicine system | 3 | 1 | 15 | M | ||
| 5 | Gateway ↔ plaintext transmission between internal system | 3 | 3 | 27 | M | ||
| 5 | Information leakage because of malware infection (vaccine or latest patch) | 1 | 2 | 10 | L | ||
| 5 | Significant information disclosure by gateway hacking | 2 | 1 | 10 | L | ||
| 5 | MITM attacks using rogue gateway | 2 | 1 | 10 | L | ||
| 5 | Significant information leakage from lost/stolen gateway device | 2 | 3 | 30 | M | ||
| PC | PC | 4 | Forgery via wiretapping and spoofing | 3 | 5 | 60 | H |
| 4 | Unauthorized access via MITM attacks | 2 | 3 | 24 | M | ||
| 4 | Gateway ↔ plaintext transmission between telemedicine system | 3 | 5 | 60 | H | ||
| 4 | MITM attacks using rogue AP | 2 | 1 | 8 | L | ||
| 4 | Information leakage because of malware infection (vaccine or latest patch) | 1 | 2 | 8 | L | ||
| 4 | Significant information disclosure owing to gateway hacking | 1 | 1 | 4 | L | ||
| 4 | Internal access to national communication networks by bypassing physical security controls | 1 | 1 | 4 | L | ||
| 4 | Internal access to national communication networks by exploiting wireless network vulnerability | 1 | 1 | 4 | L | ||
| 4 | Leaving working seat for a long period after logging in | 2 | 5 | 40 | H | ||
| 4 | Nonrepudiation failure by not saving accessed records | 1 | 5 | 20 | M | ||
| 4 | Accident due to telemedicine system operation errors | 1 | 5 | 20 | M | ||
| S/W | Telemedicine software | 4 | Access to internal system and important information disclosure by exploiting vulnerabilities of application used for telemedicine treatment | 1 | 1 | 4 | L |
| 4 | Access to internal system via update files for application used for telemedicine treatment | 1 | 1 | 4 | L | ||
| Data transmission software | 3 | Access to internal system and important information disclosure by exploiting vulnerability of application used for data transmission | 1 | 1 | 3 | L | |
| Patient medical information software | 3 | Access to internal system via update files for software | 2 | 1 | 6 | L | |
| Monitoring software | 2 | Access to internal system via update files for software | 2 | 1 | 4 | L | |
| ECG software | 5 | Access to internal system via update files for telemedicine system | 2 | 1 | 10 | L | |
| Information | Personal information | 4 | Sniffing | 3 | 3 | 36 | H |
| Health information | 4 | Health information sniffing | 3 | 3 | 36 | H | |
| Medical information | 5 | Sending invalid prescriptions by changing medical information during telemedicine treatment | 1 | 1 | 5 | L | |
| 5 | Misuse of medical information by analyzing network packets during telemedicine treatment | 2 | 1 | 10 | L | ||
| 5 | Accidents caused by telemedicine system operation errors | 2 | 5 | 50 | H | ||
| 5 | Forgery via network eavesdropping and spoofing during patient information exchange | 2 | 3 | 30 | H | ||