INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond

By: William Dougherty, VP of Information Technology & Security and Patrick Curry, Senior Director, Compliance and Audit

The protection of personal health data -- as well as systems and procedures to protect the infrastructure of organizations handling that data -- may be the most pressing issues in American healthcare. A recent industry report claimed that healthcare is the most breached industry. Hardly a week passes without another report of hospital records frozen and held hostage, or an insurer data breach exposing the details of thousands. And yet, the future of healthcare - in the U.S. and around the world - involves an increasing reliance on digital tools.

Next week, we’ll be presenting at the Privacy. Security. Risk. Conference hosted by the Internationals Association of Privacy Professionals (IAPP) in Las Vegas. At the conference, we’ll be unveiling Omada Health’s INCLUDES NO DIRT threat model -- a proprietary model our teams have developed to evaluate, and protect against, risks in an era of digital healthcare. 

Omada has been at the forefront of digital innovation in healthcare for most of the last decade; we were at the vanguard of digital health companies opting to act as covered entities under the

Health Insurance Portability and Accountability Act (HIPAA) Security Rule. That rule requires all covered entities and business associates to assess their risks and vulnerabilities, and take steps to reduce their risks. INCLUDES NO DIRT is our answer to that requirement.

Like many healthcare organizations, digital healthcare companies have limited resources to guide their efforts to consistently and scalably evaluate risks.  Especially in digital health, concepts may be clear, but real world methodologies are lacking. The objective of the Omada model is to provide an actionable guide for security, privacy and compliance practitioners in digital healthcare. However, we believe the processes described in this guide can extend to nearly any organization that takes security and privacy seriously.     

The NO DIRT Model has eight governing principles: 

1. Ease of use: non-security, non-privacy, or non-compliance personnel must be able to understand and interpret any governing threat model. That means explaining terms, and reasoning, in plain language. In most digital health organizations, security, privacy and compliance teams are dwarfed in size by the teams responsible for writing new software, acquiring new vendors, and managing clinical matters. NO DIRT is designed as a model that empowers any employee to self-assess a potential risk, thus acting as a force multiplier. 
2. Ease of Performance: the model must be easy to perform, especially for non-critical systems. Our company works with hundreds of vendors and dozens of internal applications. Many of them are not mission critical. But threat assessments should be performed on all of them. To make that feasible, the model should be able to be completed on a non-critical system in less than 15 minutes by a single person.
3. Adaptability: for critical systems, the model must be powerful enough and flexible enough to capture all reasonable concerns. 
4. Repeatability: we turned NO DIRT into a standard set of questions in our governance, risk and compliance (GRC) system. Using a consistent set of questions speeds the process, and storing those questions in our GRC system provides documented evidence of a team’s thought process at the time a decision is made. When facts or assumptions change, we can repeat the process to produce a new model. 
5. Classification: when operationalizing the model in our GRC system, it must have a weighted scoring system that automatically classifies the risk of the system based on the answers. This allows security, privacy and compliance teams to review self-assessments and quickly triage which systems, projects or vendors need extra attention. 
6. Actionable: the model must be useful in the architecture and design stage to guide decisions, and as an analytical tool for existing systems. 
7. Integration: the model must tie directly to our vendor assessment process. We tweaked and simplified our vendor questionnaires to only ask questions critical to the model. 
8. Memorable: the model had to be memorable, hence the extremely catchy acronym. This may seem trivial, but the name sets the stage for organizational desire to be “dirt free.”

The INCLUDES NO DIRT Model

The acronym INCLUDES NO DIRT is intended to help risk assessors identify the areas of potential weaknesses in the systems they are evaluating. In each case, the risk has a corresponding property or goal that represents the desired intent of the system being evaluated. As an example, most websites have Availability as a goal. The risk to Availability is Denial of Service. Some of the goals, such as Anonymity vs. Non-Repudiation, are mutually exclusive. This is by design. When evaluating systems in healthcare (and other industries), there are cases where privacy and security are in conflict. 

Threats

Identifiability - The property of a system that lets activities be traced to a specific user.

Non-Repudiation - The process by which it can be proven that a user performed an action.

Clinical Error - The property of a system that does not enforce agreed-up clinical standards, or does not preserve information fidelity. 

Linkability - The property of a system to relate two or more pieces of information.

Unlicensed Activity - The property of a system that does not restrict activities to licensed or certified users.

Denial of Service - The properties of a system that threaten availability.

Elevation of Privilege - The property of a system that allows a user to perform a function that exceeds her authorization.

Spoofing - The property of a system that allows a user to pretend to be another user.

Non-compliant to policy or obligation - The property of a system that violates applicable rules, regulations, internal policies, or contractual obligations.

Overuse - The property of a system that does not limit the use of information to the minimum necessary when that limit is required.

Data Error - The property of a system that risks the integrity of its data.

Information Disclosure -The property of a system that risks the confidentiality of its data.

Repudiation - The property of a system that makes it impossible to prove that a user performed an action.

Tampering - The property of a system that allows for the intentional modification of the system or its data with an intent to do harm.

Miscellaneous - Other risks that threaten the system, including physical risks, environmental risks, criminal risks, disaster risks, regulatory risks, vendor risks, or competitive risks.

A link to the full threat model is available here.

On September 23, we’ll be presenting the Omada INCLUDES NO DIRT MODEL from 11:45 am to 12:45 pm. Come by our session, “Down and Dirty with Threat Modeling, or Modeling Threats to Manage Risks,” to learn more!