Security risk assessment of internet of things health devices using DREAD and STRIDE models

IF 5.9 | Zone 2 (Engineering and Technology) | JCR Q1 (ENGINEERING, MULTIDISCIPLINARY)
Buhang Zhai, Oluwatobi Noah Akande, Saurabh Agarwal, Wooguil Pak
Journal: Ain Shams Engineering Journal, volume 16, issue 11, Article 103721
Publication date: 2025-08-29
Publication type: Journal Article
Open access: no
DOI: 10.1016/j.asej.2025.103721
Source: https://www.sciencedirect.com/science/article/pii/S2090447925004629
Citation count: 0

Abstract

A high volume of IoT devices used in healthcare is not regulated for security, which can allow attacks to occur that endanger healthcare organizations based on the value of patient data. Such devices are primarily implemented in a way that prioritizes usability and cost. Security is rarely prioritized due to a lack of universal security standards. The threats are constantly evolving, and strengthening device security has become a high-priority task. We conducted a qualitative and quantitative risk assessment of the twenty-three top IoT-based health devices using the qualitative STRIDE model for threat identification, and the quantitative DREAD model for threat prioritization. Specific countermeasures are proposed for each risk, which, if properly implemented, can considerably reduce vulnerabilities. We also present a prototype web platform for interactive, user-friendly risk assessment and security awareness in healthcare IoT, designed to enable improved protection for patients from the inefficient provision of security through unsafe technologies.
Source journal
Ain Shams Engineering Journal (Engineering: General Engineering)
CiteScore: 10.80
Self-citation rate: 13.30%
Articles published: 441
Review time: 49 weeks
Journal description: Ain Shams Engineering Journal is an international journal devoted to the publication of peer-reviewed, original, high-quality research papers and review papers on both traditional topics and those of emerging science and technology. Areas of both theoretical and fundamental interest, as well as those concerning industrial applications, emerging instrumental techniques and those which have some practical application to an aspect of human endeavor, such as the preservation of the environment, health and waste disposal, are welcome. The overall focus is on original and rigorous scientific research results which have generic significance. Ain Shams Engineering Journal focuses on aspects of mechanical engineering, electrical engineering, civil engineering, chemical engineering, petroleum engineering, environmental engineering, and architectural and urban planning engineering. Papers in which knowledge from other disciplines is integrated with engineering are especially welcome, such as nanotechnology, material sciences and computational methods, as well as applied basic sciences: engineering mathematics, physics and chemistry.