A Threat Tree for Health Information Security and Privacy

Authors

Jeffrey P. Landry, University of South AlabamaFollow
J. Harold Pardue, University of South AlabamaFollow
Tom Johnsten, University of South AlabamaFollow
Matt Campbell, University of South AlabamaFollow
Priya PatidarFollow

Track

Health Care IT

Abstract

This paper begins a process of organizing knowledge of health information security threats into a comprehensive catalog.We begin by describing our risk management perspective of health information security, and then use this perspective tomotivate the development of a health information threat tree. We describe examples of three threats, breaking each downinto its key risk-related data attributes: threat source and action, the health information asset and its vulnerability, andpotential controls. The construction of such a threat catalog is argued to be useful for risk assessment and to inform publichealth care policy. As no threat catalog is ever complete, guidance for extending the health information security threat tree isgiven.

Recommended Citation

Landry, Jeffrey P.; Pardue, J. Harold; Johnsten, Tom; Campbell, Matt; and Patidar, Priya, "A Threat Tree for Health Information Security and Privacy" (2011). AMCIS 2011 Proceedings - All Submissions. 468.
https://aisel.aisnet.org/amcis2011_submissions/468