Conference: International Conference on Cyber Security and Protection of Digital Services

Adapting STPA-sec for Socio-technical Cyber Security Challenges in Emerging Nations: A Case Study in Risk Management for Rwandan Health Care


Abstract

Healthcare is increasingly dependent on digital systems. In emerging nations, it can be particularly hard for hospital administrators to maximize the benefits of these advances and at the same time mitigate the potential cyber security risks associated with healthcare information systems. This paper argues that limited resources, rising demand and rapidly evolving organizational structures create a pressing need for holistic approaches to address socio-technical security challenges in healthcare. We do not underestimate the technological challenges of cyber security in these countries; equally, technical solutions are unlikely to be effective unless supported by holistic risk assessment. We address these problems by the use of STAMP (Systems Theoretic Accident Model and Processes) for cyber security analysis, STPA-sec. Our results show that this open-ended analytical technique requires additional methodological structure in countries where there are significant shortages of trained analysts, both to guide the application of STPA-sec and to provide a common reference when individual analysts must justify their findings. It is for this reason that we explicitly integrate the US National Institute of Science and Technology (NIST) controls into STPA-sec. This provided our stakeholders with a starting point for the application of socio-technical analysis and enhanced mainstream cyber security and risk management to provide a better fit within healthcare in emerging nations; further studies are required to determine whether such support becomes superfluous as analysts become familiar with socio-technical methods. Our arguments have been validated through extensive observation, interviews and document reviews with healthcare providers in Rwanda. In particular, we focus on an initiative to improve the cyber security of a hospital Picture Archiving and Communication System (PACS). It is our hope that the lessons learned in one country might inform cyber security risk management for healthcare across other emerging nations that face limited resources, significant public demand and an increasing range of threats.