|
| 1 | +ID,Asset,Threat,Vulnerability,Probability,Impact,Risk,Decision,Recommendation |
| 2 | +R001,Bluetooth Insulin Pump,Communication Interception,Weak BLE encryption,4,5,20,Reduce,Firmware upgrade + medical network segmentation |
| 3 | +R002,PACS Imaging Server,Ransomware,Lack of network segmentation,3,5,15,Reduce,Isolated medical VLAN + 3-2-1 offline backup |
| 4 | +R003,Patient EHR/DPI Record,Unauthorized Access,Insufficient IAM management,4,4,16,Reduce,Mandatory MFA + quarterly rights review |
| 5 | +R004,Physician Workstation,Targeted Medical Staff Phishing,Insufficient training,4,4,16,Reduce,Awareness campaigns + monthly phishing simulation |
| 6 | +R005,Patient Data Backup,Data Destruction (Ransomware),Untested backup,2,5,10,Reduce,Quarterly restoration test + 3-2-1 offline backup |
| 7 | +R006,Telemedicine VPN Connection,Credential Compromise,MFA not deployed,3,4,12,Reduce,MFA deployment (TOTP/FIDO2) on all remote access |
| 8 | +R007,Connected Pacemaker,Vital Parameter Manipulation,Lack of RF communication encryption,2,5,10,Reduce,Firmware upgrade + encrypted protocol + anomaly monitoring |
| 9 | +R008,Medication Dispensing System,Dosing Error by Modification,Unauthorized database modification,2,5,10,Reduce,Integrity control + audit logs + double verification |
| 10 | +R009,Laboratory Database,Analysis Data Leak,Failing patch management,3,4,12,Reduce,Patch policy <30d critical + monthly vulnerability scan |
| 11 | +R010,Patient Monitoring Device,Equipment Denial of Service,Lack of high availability,3,4,12,Reduce,Critical equipment redundancy + automatic failover |
| 12 | +R011,Mobile Nurse Tablet,Device Theft/Loss,Lack of disk encryption,3,3,9,Reduce,Bitlocker/LUKS full disk + MDM + remote wipe |
| 13 | +R012,Medication Label Printer,Insecure Sensitive Document Printing,Open network access,2,3,6,Accept,Logs monitoring + isolated network if budget available |
| 14 | +R013,Patient Web Portal,SQL Injection via forms,Unaudited code + missing WAF,3,4,12,Reduce,Security code audit + WAF + secure dev training (OWASP) |
| 15 | +R014,HL7 FHIR Data Exchange API,Patient Data Exposure,Weak API authentication,3,4,12,Reduce,OAuth 2.0 + rate limiting + access logging + mTLS |
| 16 | +R015,Online Appointment System,DDoS Availability Attack,Lack of perimeter protection,2,3,6,Transfer,Cloudflare/AWS Shield + CDN |
| 17 | +R016,Connected CGM Glucose Sensor,Glycemia Data Falsification,Missing data validation,2,4,8,Reduce,Data checksum + abnormal value alerts + double verification |
| 18 | +R017,Long-term Patient Archiving,GDPR Retention Non-compliance,Conservation period not respected,3,4,12,Reduce,Automated retention policy + auto purge + annual audit |
| 19 | +R018,HDS Cloud Provider,Host Service Unavailability,Insufficient SLA 99.5%,2,4,8,Transfer,SLA 99.9% contract + penalties + documented continuity plan |
| 20 | +R019,Medical WiFi Network,Patient Traffic Interception,WPA2 KRACK vulnerabilities,3,3,9,Reduce,WPA3-Enterprise migration + 802.1X certificates + VLAN segmentation |
| 21 | +R020,MRI/Scanner Imaging Station,Malware via USB Peripherals,Lack of USB port control,2,4,8,Reduce,USB blocking via GPO + peripheral whitelist + certified medical antivirus |
| 22 | +R021,Billing System,Fraudulent Rate Modification,Lack of admin access control,2,4,8,Reduce,Separation of duties + immutable logs + monthly review |
| 23 | +R022,Secured Physician Messaging,Patient Email Interception,Non-encrypted SMTP TLS,3,3,9,Reduce,Enforce TLS 1.3 + DMARC/SPF/DKIM + PGP awareness |
| 24 | +R023,Connected Surgery Telescope,Operative Video Stream Manipulation,Non-isolated network,1,5,5,Accept,Dedicated operating room network (if budget) + monitoring |
| 25 | +R024,Patient Mobile Application,Account Credential Theft,Insecure local storage,3,3,9,Reduce,Keychain/Keystore secure + biometrics + session timeout |
| 26 | +R025,Active Directory Server,Domain Compromise (Golden Ticket),Lack of admin tiering,2,5,10,Reduce,AD Tiering (Tier 0/1/2) + PAW + Credential Guard |
0 commit comments