# A Cyber Risk Assessment Approach to Federated Identity Management Framework-Based Digital Healthcare System

**Authors:** Shamsul Huda, Md. Rezaul Islam, Jemal Abawajy, Vinay Naga Vamsi Kottala, Shafiq Ahmad

PMC · DOI: 10.3390/s24165282 · 2024-08-15

## TL;DR

This paper introduces a new cyber-risk assessment method for digital healthcare systems using federated identity management to improve security and patient safety.

## Contribution

A novel three-dimensional cyber-risk assessment approach tailored for FIM-based healthcare systems is proposed.

## Key findings

- The approach integrates IT infrastructure, medical devices, and FIM protocols for interconnected vulnerability analysis.
- Threat modeling with attack trees and diagrams validated the method across diverse IoMT and MCPS devices.
- The method provides evidence-based security recommendations to enhance system resilience and safety.

## Abstract

This paper presents a comprehensive and evidence-based cyber-risk assessment approach specifically designed for Medical Cyber Physical Systems (MCPS)- and Internet-of-Medical Devices (IoMT)-based collaborative digital healthcare systems, which leverage Federated Identity Management (FIM) solutions to manage user identities within this complex environment. While these systems offer advantages like easy data collection and improved collaboration, they also introduce new security challenges due to the interconnected nature of devices and data, as well as vulnerabilities within the FIM and the lack of robust security in IoMT devices. To proactively safeguard the digital healthcare system from cyber attacks with potentially life-threatening consequences, a comprehensive and evidence-based cyber-risk assessment is crucial for mitigating these risks. To this end, this paper proposes a novel cyber-risk assessment approach that leverages a three-dimensional attack landscape analysis, encompassing existing IT infrastructure, medical devices, and Federated Identity Management protocols. By considering their interconnected vulnerabilities, the approach recommends tailored security controls to prioritize and mitigate critical risks, ultimately enhancing system resilience. The proposed approach combines established industry standards like Cyber Resilience Review (CRR) asset management and NIST SP 800-30 for a comprehensive assessment. We have validated our approach using threat modeling with attack trees and detailed attack sequence diagrams on a diverse range of IoMT and MCPS devices from various vendors. The resulting evidence-based cyber-risk assessments and corresponding security control recommendations will significantly support healthcare professionals and providers in improving both patient and medical device safety management within the FIM-enabled healthcare ecosystem.

## Full-text entities

- **Species:** Homo sapiens (human, species) [taxon 9606]

## Figures

15 figures with captions in the complete paper: https://tomesphere.com/paper/PMC11360572/full.md

---
Source: https://tomesphere.com/paper/PMC11360572