Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT
Abstract
:1. Introduction
- Presenting a Systematic Literature Review (SLR) on security risks conducted on HIoT, IdM, and BC;
- Proposing a novel security taxonomy and a comprehensive security framework for HIoT BC-IdM;
- Developing of a novel cybersecurity risk management framework for HIoT BC-IdM;
- Comparing the proposed framework with other frameworks.
2. Background
2.1. Blockchain-Based IdM
2.2. Standards for BC-Based IdM Systems
2.3. Architecture of BC-IdM in HIoT
- Users: users in HIoT BC-IdM are the stakeholders of the system, such as HIoT service providers, patients, physicians, nurses, and emergency staff. Entities in BC-based IAM can be a thing, a person, or an organization, which plays roles in the BC-based IdM process as a requester, issuer, holder, verifier, and relying party. BC-based IdM user definitions and components are shown in Table 3 [6].
- Application: Remote health monitoring systems are used in the HIoT, wallets are used for the IdM system, and APIs are used to exchange data between these applications. Every one of these has security requirements and controls to ensure data protection.
- BC Technology: The BC network is at the system’s core, where the IdM’s main functions, such as ID registration, provisioning, de-provisioning, and access control, are performed.
- Off-chain technology: In BC-based IdM, there is usually a need to use off-chain storage technologies, such as IPFS, CouchDB, and OrbitDB, to offload data from BC.
- Connectivity technology: HIoT BC-IdM-comprised communication protocols, gateways, and technologies used between the system stakeholders and assets, such as HTTP, MQTT, CoAP, and cloud technologies.
- HIoT device: Many HIoT device types are used in HIoT systems, which can be classified as either well-being, diagnosis, prognostic, or assistive HIoT devices.
2.4. Security Risk Frameworks
2.4.1. ISO27005 and Related Standards
2.4.2. NIST 800-30 and Related Standards
- RQ 1: What are the security requirements, standards, and risks in HIoT BC-IdM?
- RQ 2: What are the components of the proposed cybersecurity risk frameworks in BC, IdM, and HIoT?
- RQ 3: How can a cybersecurity risk management framework for BC-IdM in HIoT ensure security and privacy be developed?
3. Methodology
3.1. Literature Review
3.2. Security Taxonomy
3.3. Security Framework
3.4. Security Risk Management Development
4. Literature Review
5. Results
6. Taxonomy
6.1. Assets
6.2. Standards
6.3. Requirements and Principles
6.4. Threats
6.5. Attacks
6.6. Vulnerabilities
6.7. Impacts
6.8. Metric Benchmark
6.9. Controls
6.10. Countermeasures
6.11. Concerns
6.12. Risk
7. HIoT BC-IdM System Security Framework
8. Risk Management Framework
8.1. Preparation
8.2. Assessment
8.3. Treatment
8.4. Communication
8.5. Evaluation
Authors | Contributions | Strengths | Weaknesses |
---|---|---|---|
[S1] Sepczuk and Kotulski [22] | Risk assessment as a service for IdM authentication, applies ISO/IEC27005. | Covers authentication process in IdM systems. | Does not follow risk management standards. |
[S2] Wang et al. [31] | Risk assessment for BC applications within China, follows the Chinese Classified Protection Cybersecurity (CPC) law. | Based on national standards. It covers Bitcoin, Ethereum, and Hyperledger Fabric BCs and gives evaluation metrics and controls for P2P network, consensus, Distributed Ledger, and contract layers. | It lacks main components of risk management. |
[S3] Kim et al. [32] | Risk analysis for DID document in the W3C DID technical standards. | Scenario-based risk analysis for DID authentication used to provide Self-Sovereign Identity technologies. | Does not follow risk management standards. |
[S4] Vakhter et al. [45] | Threat modelling and risk analysis for HIoT (miniaturized) applies NIST SP 800-30. | Covers HIoT assets with a focus on miniaturized HIoT, and gives risk analysis. | Does not cover BC and IdM assets. |
[S5] Schlatt et al. [74] | BC cybersecurity framework for BC. | Covers the relations between stockholders (users, developers, attackers) in BC applications and the BC infrastructure. | Lack of main components of risk management. |
[S6] Alzahrani et al. [81] | Assessment model for BC-based electronic health records. | Covers BC-based electronic health records and security and privacy risks. | General assessment does not follow risk management standards. |
[S7] Psychoua et al. [90] | Privacy risk assessment for HIoT (wearable). | Covers privacy aspect with a focus on Privacy by Design. | Does not follow risk management standards and does not cover BC and IdM assets. |
[S8] Tseng et al. [91] | Risk assessment for HIoT (wearable) using STRIDE and DREAD approaches. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
[S9] Cagnazzo et al. [92] | Threat modelling for HIoT (mHealth) using STRIDE and DREAD approaches. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
[S10] Paul et al. [93] | Risk management for HIoT applying ISO/IEC 80001-and AAMI TIR57. | Proposes security risk management for HIoT(WBAN) and reviews regulations/standards and security and privacy controls. | Does not cover IdM and BC assets. |
[S11] Sheik et al. [94] | Threat modelling for BC-IdM using the STRIDE approach. | Covers BC-IdM. | Does not follow risk management standards and does not cover HIoT assets and emerging BC-IdM standards, such as DID. |
[S12] A Shostack [100] | General threat modelling methodology. | Covers Security and Privacy. | It is general and does not support short-term repetition processes. |
[S13] Bhardwaj et al. [107] | Dynamic penetration test for SC-based applications. Applies OWASP top 10 vulnerabilities. | Covers BC SC. | Does not follow risk management standards and only focuses on SC assets. |
[S14] Lv et al. [111] | Static risk analysis for SCs in Hyperledger Fabric. | Covers SC assets in Hyperledger Fabric. | Does not follow risk management standards and only focus on SC assets. |
[S15]Wen et al. [115] | BC cybersecurity framework. | Covers attacks and countermeasures in a BC-layered framework. | It lacks risk management main components. |
[S16] Naik et al. [116] | Tree-based risk analysis for BC-IdM (SSI). | Covers BC-IdM components, such as DID, and shows attack vectors. | It does not follow risk management general standards and does cover HIoT assets. |
[S17] Konig et al. [117] | Risk analysis for BC. | Presents a BC-layered framework and shows the prerequisites for attacks. | Does not follow risk management standards. |
[S18] Alsubaei et al. [118] | Security risk assessment for HIoT (risk assessment as a service (tool) testing 260 attributes), and considers standards, such as HITECH Act, HIPPA, GDPR, PCEHR Act, ISO/iec27018, ISO/IEC 27034, AICPA, FIPS, GSMA, MDD39/42/EEC, MDR2017/745, ISO/IEC80001, ISO14971, ISO13485, ISO/IEC22301, and ISO/IEC27001. | Covers HIoTs. | Does not follow risk management standards and does not cover IdM and BC aspects. |
[S19] Wang et al. [124] | Uses Identified Security Attributes (ISA) framework for HIoT. | Covers HIoT assets and gives systematic approach to evaluate security solutions and decision making. | Does not follow risk management standards and does not cover BC and IdM assets. |
[S20] Lopatina et al. [137] | Risk assessment for HIoT. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
[S21] Mallah et al. [138] | Security risk assessment for BC-based transportation applications. Uses ISO31000 and ISO27005. | Covers BC Assets. | Does not cover HIoT and IdM assets. |
[S22] Ruf et al. [139] | Threat modelling for BC-based industrial IoT applications. | Covers BC assets and presents a case study. | Only on-premise threat analysis, does not give details about threat modelling methods, and does not cover HIoT and IdM assets. |
[S23] Cha et al. [140] | Security control framework for permissioned BC applications, and uses PCI-DSS, CIS controls, and ISO/IEC27001 and ISO/IEC 27002 standards. | Covers controls in different layers. | Does not cover the main security risk management phases. |
[S24] Morganti et al. [141] | Risk assessment for BC technology, which follows NIST SP-800-30. | Covers BC assets. | Covers BC in general but does not cover HIoT and IdM assets. |
[S25] Homoliak et al. [142] | Security reference architecture (SRA)-based risk assessment for BC technology, which uses ISO/IEC 15408 standards. | Covers BC nodes (consensus, validating, lightweight), and gives detailed analysis of threats, vulnerabilities, and defences. | Covers BC applications in general. |
[S26]Putz and Pernul [143] | Threat modelling for Hyperledger Fabric BC. | Covers BC assets and threat indicators in Hyperledger Fabric BC. | It lacks the main components of security risk management. |
[S27] Zhao et al. [144] | Risk analysis for BC technology communications. | Presents a BC-layered framework. | Does not follow risk management standards. |
[S28] Wilson et al. [145] | Digital identity security framework for IdM in IoT systems. | A stack model covers privacy in IdM. | Does not follow risk management standards, and does cover HIoT and BC assets. |
[S29] Arias-Cabarcos et al. [146] | Risk assessment for IdM, which uses multi-attribute utility theory (MAUT). | Covers IdM physical and digital authentication aspects and gives quantitative evaluation for security and privacy. | Does not follow risk management standards. |
[S30] Attaallah et al. [147] | Risk assessment for HIoT. | Covers the security requirements of HIoT. | Does not follow risk management standards, does not cover IdM and BC assets, and lacks details. |
[S31] YIN et al. [148] | Security risk management for HIoT, which applies ISO/IEC27005 standards. | Presents a case study in a hospital. | Lacks details and does not cover BC and IdM assets. |
9. Limitations and Future work
10. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Appendix A. The Contributions of Included Studies in the SLR
Title | Contributions |
---|---|
[S1] Risk Assessment Methodologies for the Internet of Medical Things: A Survey and Comparative Appraisal [12] | A literature review on HIoT risk, which investigates risk assessment methodology research and gives categorizations. |
[S2] Threat Analysis for Wearable Health Devices and Environment Monitoring Internet of Things Integration System [91] | Wearable HIOT threat analysis using DREAD and STRIDE: assets and threats. |
[S3] The Internet of Things for Health Care: A Comprehensive Survey [87] | A survey study on HIoT, including attacks taxonomy. |
[S4] Internet of Things Security: A Review of Risks and Threats to Healthcare Sector [120] | Review on Health IOT security risks. |
[S5] Security and Privacy in the Internet of Medical Things: Taxonomy and Risk Assessment [132] | Review study on HIoT showing risk assessment and attack taxonomy. |
[S6] ISA Evaluation Framework for the Security of Internet of Health Things System Using AHP-TOPSIS Methods [124] | Risk assessment framework showing security requirements (i.e., 13 security evaluation attributes) and proposed Identified Security Attributes (ISA) framework used for decision making. |
[S7] Security and Privacy for the Internet of Medical Things Enabled Healthcare Systems: A Survey [78] | A survey showing privacy and security requirements, threats, countermeasures in HIOT, authentication block diagram, and metrics for biometric authentication systems. |
[S8] Review on security threats, vulnerabilities, and countermeasures of 5G enabled Internet-of-Medical-Things [149] | Review showing attacks and countermeasures in 5G HIoT, including BC applications. |
[S9] Security and privacy risks for remote healthcare monitoring systems [89] | Review study showing vulnerabilities, security requirements, and countermeasures in HIoT. |
[S10] Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical Devices—A Review [43] | Review study showing HIoT regulations, security requirements, vulnerabilities, and countermeasures. |
[S11] Security in iomt communications: A survey [53] | Survey showing HIOT communication and security protocols. |
[S12] A Survey on Security Threats and Countermeasures in Internet of Medical Things (IoMT) [104] | Survey showing HIoT security threats and countermeasures. |
[S13] Privacy preservation in healthcare systems [99] | Review study showing HIoT privacy reservation taxonomy. |
[S14] Review of Security and Privacy for the Internet of Medical Things (IoMT) [26] | Review study showing HIoT assets, security, and privacy. |
[S15]Threat Modelling for Mobile Health Systems [92] | Threat modelling for mHealth using STRIDE and DREAD. |
[S16] Data Risks Identification in Healthcare Sensor Networks [137] | Risk assessment for HIoT showing risks and countermeasures. |
[S17] Data Protection and Privacy of the Internet of Healthcare Things (IoHTs) [29] | A review study covering Privacy by design for HIoT and privacy assessment recommendations. |
[S18] Review of security challenges in healthcare internet of things [130] | Review showing security risk factor and countermeasures. Countermeasures are classified based on goals (preventive, detection, monitoring). |
[S19] Security and Privacy in IoT–cloud-Based e-Health Systems—A Comprehensive Review [79] | Review study on HIoT showing privacy and security requirements based on layers. |
[S20] Developing a comprehensive information security framework for mHealth: a detailed analysis [150] | Comprehensive security framework on mHealth taxonomy, showing the cloud-based hardware and software architecture and security requirements. |
[S21] Security Benchmarks for Wearable Medical Things: Stakeholders-Centric Approach [126] | Benchmark framework showing 14 security and privacy attributes and metrics, which include authentication and access-control systems. |
[S22] Authentication and Identity Management of IoHT Devices: Achievements, Challenges, and Future Directions [95] | Review study on IoT showing perception-layer security threats. |
[S23] Device Security Assessment of Internet of Healthcare Things [147] | Risk assessment showing seven criteria to assist security. |
[S24] Exploring Challenges and Opportunities in Cybersecurity Risk and Threat Communications Related to The Medical Internet of Things (MIoT) [136] | A survey showing the importance of engaging HIoT users in cybersecurity risk assessments. |
[S25] IoMT-SAF: Internet of Medical Things Security Assessment Framework [118] | Risk assessment by design, a tool programmed using Python to allow users to evaluate security risks; web-based framework tests programmed 260 attributes divided into web–software–update–development life-cycle–storage–connectivity–trust–risk assessment–regulatory compliance–privacy–physical–intrusion prevention–memory protection–incident response–cloud service-authentication–access-control systems. |
[S26] Privacy Risk Awareness in Wearables and the Internet of Things [90] | Privacy risk analysis by design, which proposes a privacy-risk-aware framework as a service. It is divided into four main components, one of which included privacy-risk metrics. |
[S27] The internet of things in healthcare: an overview, challenges and model plan for security risks management process [148] | Security risk assessment based on ISO27005 with a case study in Kuala lumbur hospital. |
[S28] The governance of safety and security risks in connected healthcare [80] | Review study showing the importance of merging safety with security in risk management, providing recommendations for cybersecurity governance. |
[S29] Threat Modelling and Risk Analysis for Miniaturized Wireless Biomedical Devices [45] | Threat modelling conducted on MWBDs with a case study. |
[S30] Security Assessment as a Service Cross-Layered System for the Adoption of Digital, Personalized and Trusted Healthcare [151] | Security risk assessment as service (by design); a layer of risk assessment in the system architecture. |
[S31] Security Requirements of Internet of Things-Based Healthcare System: a Survey Study [102] | Review study showing cybersecurity and cyber resiliency requirements. |
[S32] Towards Design and Development of a Data Security and Privacy Risk Management Framework for WBAN Based Healthcare Applications [93] | Security and privacy risk management framework for WBAN based on AAMI TIR57:2016 (Beta version after validation). |
Title | Contributions |
---|---|
[S33] A Model for Privacy and Security Risks Analysis [152] | Categories of security risk factors mapped to security requirements. |
[S34] Decentralized Identity Systems: Architecture, Challenges, Solutions and Future Directions [153] | Review study showing BC-IdM system architecture, components, and challenges. |
[S35] A Comparative Study of Cyber Threats on Evolving Digital Identity Systems [94] | Threat model showing STRIDE model and BC-IdM requirement classifications. |
[S36] A Digital Identity Stack to Improve Privacy in the IoT [145] | A structure model proposed for privacy of IdM systems. |
[S37] A Survey on Blockchain-based Identity Management and Decentralized Privacy for Personal Data [154] | A survey showing BC-IdM evaluation with a focus on GDPR (right to be forgotten). |
[S38] An Attack Tree Based Risk Analysis Method for Investigating Attacks and Facilitating Their Mitigations in Self-Sovereign Identity [116] | Security risk assessment to potential attacks in Self-Sovereign Identity (SSI). It identifies three security risks (fake identity–Id theft–DDoS), showing attack tree-based risk analysis models, including attack goals, vectors, and mitigations. |
[S39] Analysis of Identity Management Systems Using Blockchain Technology [5] | Review and evaluation to uPort, Sovrin, and ShoCard BC-IdM systems, using the seven laws for digital identity. |
[S40] Analyzing Interoperability and Portability Concepts for Self-Sovereign Identity [71] | Review and evaluation for interoperability and portability in BC-IdM systems. |
[S41] Cloud identity management security issues and solutions: a taxonomy [155] | Review study showing a taxonomy of requirements and components of IdM systems. |
[S42] Blockchain-Based Identity Management: A Survey From the Enterprise and Ecosystem Perspective [125] | Survey study identifying 73 Evaluation criteria for BC-IdM systems divided into three categories (compliance, end-user experience, technical). |
[S43] Clear the Fog: Towards a Taxonomy of Self-Sovereign Identity Ecosystem Members [20] | GL study showing a taxonomy of key players in BC-IdM systems. |
[S44] Criteria for evaluating the privacy protection level of Identity Management Services [123] | Survey showing evaluation criteria for privacy in IdM system life cycle. |
[S45] Identity and access management in a cloud environment: Mechanisms and challenges [83] | Review study on IdM security threats in a cloud environment conducting security analysis. |
[S46] Evaluation of Privacy and Security Risks Analysis Construct for Identity Management Systems [134] | Privacy and security risk analysis: evaluation of security taxonomy using the Delphi method. |
[S47] Trust Requirements in Identity Management [103] | Review showing eight trust requirements in IdM systems and trust pillars (dependency, reliability, risk). |
[S48] Identity Management as a target in cyberwar [84] | A review study showing three categories of the impacts of attacking IdM systems and attack vectors in IdM systems. |
[S49] Introduction to Identity Management Risk Metrics [121] | Review study showing the importance of having IdM metrics. Metrics classified to Id Provider, provisioning, and identity metrics. |
[S50] Measuring Identity and Access Management Performance - An Expert Survey on Possible Performance Indicators [156] | Survey study identifying 19 performance indicators (metrics) for IdM systems, which are categorized into five categories. |
[S51] Cloud identity management: A survey on privacy strategies [85] | Survey showing a taxonomy for privacy features and properties in IdM systems. |
[S52] A Metric-Based Approach to Assess Risk for "On Cloud" Federated Identity Management [86] | Review study showing risk metrics taxonomy for cloud-based federated IdM systems. |
[S53] The Gaps of Identity Management in Fulfilling Personal Data Protection Regulations’ Requirements and Research Opportunities [33] | Survey showing the mapping of functional requirements from five data protection laws (GDPR, PDPA, PA1988, FIA, PIPA) to IdM system capabilities, and the importance of privacy impact assessments. |
[S54] Privacy by Design in Federated Identity Management [101] | Survey study showing privacy principles, Privacy by Design RQMTS, and architectural RQMTS in federated IdM. |
[S55] A Taxonomy of Privacy and Security Risks Contributing Factors [82] | Survey showing a taxonomy for privacy- and security-contributing factors in token-based IdM. |
[S56] A new risk-based authentication management model oriented on user’s experience [22] | Risk assessment based on contextual data and user experience in authentication management. |
[S57] The Seven Flaws of Identity Management: Usability and Security Challenges [135] | Survey showing seven challenges and considerations to compact IdM risks in IdM systems. |
[S58] Trust Requirements in Identity Federation Topologies [157] | Review study showing service provider and Id provider risks and the need for trust requirements in FIdM systems. |
[S59] User-Centric Identity Management: New Trends in Standardization and Regulation [21] | Review study showing the importance of complying with data protection laws in IdM systems and providing privacy. |
[S60] Blended Identity: Pervasive IdM for Continuous Authentication [146] | Risk assessment for IDM in pervasive environment. |
Title | Contributions |
---|---|
[S61] Actor-based Risk Analysis for Blockchains in Smart Mobility [133] | Security risk analysis on smart mobility application based on public-permissioned BC. |
[S62] Actor-based analysis Cyber-Security Risk Assessment Framework for Blockchains in Smart Mobility [138] | Cybersecurity risk assessment consisting of three steps with a case study on smart transportation. |
[S63]Blockchain-based Application Security Risks:A Systematic Literature Review [158] | Review study showing security risks in Blockchain-based applications and countermeasures. |
[S64] Exploring Sybil and Double-Spending Risks in Blockchain Systems [129] | Risk management for Sybil and double spending risks with a case study of Ethuerum-based healthcare systems. |
[S65] Blockchain security risk assessment and the auditor [128] | Review study presenting an investigation on risks (four categories) in private Blockchain, with an emphasis on the importance of auditors’ role in risk assessments for BC applications. |
[S66] The Blockchain Revolution: An Analysis of Regulation and Technology Related to Distributed Ledger Technologies [122] | A review study on Blockchain performance metrics and regulations. |
[S67] A survey on Blockchain technology and its security [98] | A survey on security risks showing six risk categories, conducting Smart Contract bytecode analysis, and showing the need for BC regulations. |
[S68] A Security Analysis of Blockchain-Based Did Services [88] | A survey on Destabilized identifiers (DID) security analysis, showing components, data flow, and 18 attack vectors divided to 7 main security threats. |
[S69] Vision: A Critique of Immunity Passports and W3C Decentralized Identifier [131] | A review study on DID and Verifiable Credentials (VC) security analysis with a case study (COVID-19 immunity certificate system). |
[S70] Analysis on the Privacy of DID Service Properties in the DID Document [32] | Review study showing security and privacy of DID, with a focus on DID document. It shows privacy breaches based on PIPA, and dataveillance privacy issues with potential countermeasures. |
[S71] Quantum computers put Blockchain security at risk [159] | Survey on risks caused by quantum computing on Blockchain (forging digital signatures), showing the potential of using quantum computing as a countermeasure to prevent forgery. |
[S72] A Security Risk Management Framework for Permissioned Blockchain Applications [140] | Security risk management for permissioned BC-based applications, which involves six-tier risk security framework with controls for every tier. |
[S73] Security Threats of a Blockchain-Based Platform for Industry Ecosystems in the cloud [139] | Threat model showing security threats of BC-based IIoT, divided based on assets (IIoT, BC, and cloud), and showing the data flow diagram and risk metrics. |
[S74] Air Gapped Wallet Schemes and Private Key Leakage in Permissioned BC Platforms [160] | Security risk analysis using Markov model to analyse the private key leakage risks in air-gapped wallet of permissioned BC and attack vector. |
[S75] The Human-side of Emerging Technologies and Cyber Risk: A case analysis of Blockchain across different verticals [119] | A survey: interviews with leaders from financial companies resulted in five security risk categories for financial BC applications. |
[S76] Risk Assessment of Blockchain Technology [141] | Security risk assessment using NISTSP-800-30, showing threats (4 types), related attacks, and potential countermeasures for attacks. |
[S77] The Security Reference Architecture for Blockchains: Toward a Standardized Model for Studying Vulnerabilities, Threats, and Defenses [142] | Risk assessment model showing security architecture for BC and based on ISO/IEC15408, showing layers, assets, threat agents, vulnerabilities, threats, risks, countermeasures for every layer. IdM assets are covered. |
[S78] Security and Privacy for Healthcare Blockchains [161] | A survey on privacy and security risks and requirements for BC-based medical data sharing systems (categorized into three health systems). |
[S79] A Survey on Blockchain Technology: Evolution, Architecture and Security [162] | A survey showing an analysis of security risks of eight BC technologies, including vulnerabilities and threats, and their cryptographic techniques. |
[S80] Alice in Blockchains: Surprising Security Pitfalls in PoW and PoS Blockchain Systems [163] | A survey study showing security risks in non-financial BC technologies, including databases, such as cocuhDB. |
[S81] Detecting Blockchain Security Threats [143] | A survey study showing attack classifications in permissioned BC (i.e., Hyperledger Fabric), external threats/attackers, a four-control-classifications (including detective controls) BC security-monitoring pipeline, data flow, and evaluation metrics. |
[S82] Attacking the trust machine: Developing an information systems research agenda for Blockchain cybersecurity [74] | Review study showing an investigation on BC security, which covers 5 common attack vectors (p2p network–consensus mechanisms–VM/language–application logic–client application/wallet), including 78 further attacks, and showing the users’, developers’, and attackers’ relations with BC applications and infrastructure. |
[S83] Attacks and countermeasures on Blockchains: A survey from layering perspective [115] | Survey showing six-layered security framework (data–network–consensus–incentive–contract–application) and identifying potential attacks and countermeasures. |
[S84] Security Assessment of Blockchain in Chinese Classified Protection of Cybersecurity [31] | Risk assessment for BC technologies (Bitcoin–Ethereum–Hyperledger Fabric), giving an evaluation for layers (P2P network–consensus–Distributed Ledger–contract), metrics, and controls based on Classified Protection Cybersecurity (CPC) law. The importance of BC being classified as critical infrastructure based on national standards, such as Chinese Classified Protection of Cybersecurity (CPC), to meet the country’s security requirements. |
[S85] The Future of Cryptocurrency Blockchains in the Quantum Era [164] | Review study showing an analysis of the threat of quantum computing on cryptocurrency and BC, an analysis of cryptography techniques vulnerable to quantum, and countermeasures to quantum. It also shows quantum-safe and quantum-unsafe BC classifications. |
[S86] Study on Security and Privacy-related Issues in Blockchain-Based Applications [165] | Review on the security and privacy threats and countermeasures in BC-based solutions. |
[S87] Assessment of the Blockchain Technology Adoption for the Management of the Electronic Health Record Systems [81] | Literature review and assessment model showing use of Hierarchical Decision Model (HDM) methodology to investigate expert perspective on using BC in electronic health record (HER) management. Seventeen adoption-impacting factors are categorized into five categories (financial–social–technical–organizational–legal). |
[S88] The Impact of Crypto-Currency Risks on the Use of Blockchain for Cloud Security and Privacy [166] | Review study showing the operational and market risks of using cryptocurrencies and their relation to the security and privacy of BC applications. |
[S89] Potential Risks of Hyperledger Fabric Smart Contracts [167] | A survey showing 14 potential security risks related to the Smart Contracts that are written by Go language and used in Hyperledger Fabric BC; additionally, it proposes a tool to discover security risks in Smart Contracts. |
[S90] Evil Chaincode: APT Attacks Based on Smart Contract [112] | Review study covering the advanced persistent threat (APT) attacks on Smart Contracts, which is an attack experiment on Hyperledger Fabric that provides recommendations to build countermeasures to security vulnerabilities in Smart Contracts. |
[S91] Penetration testing framework for Smart Contract Blockchain [107] | A Review study and a penetration test for Smart Contracts, showing security threats and attack vectors in SC (categorized to network, application, data integrity, and end-user). |
[S92] Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract [108] | Review study on an Ethereum BC-based Smart Contract, showing vulnerabilities divided to three categories (solidity programming language–Ethereum virtual machine–Ethereum Blockchain design), SC security analysis tools, attacks, and preventive methods. |
[S93] Smart Contract Security: A Software Lifecycle Perspective [109] | Review study on the security vulnerabilities in Ethereum Smart Contract and Hyperledger Fabric chaincode, which covers the Smart Contract life-cycle security model (with potential solutions). |
[S94] On the Security and Privacy of Hyperledger Fabric: Challenges and Open Issues [168] | Review study showing the security threats and vulnerabilities toward architecture in Hyperledger Fabric divided into four layers (consensus–network–privacy–chaincode) and mitigation techniques. |
[S95] Security Challenges and Opportunities for Smart Contracts in Internet of Things: A Survey [110] | Survey study and a threat model using STRIDE approach, showing security issues (inherited vulnerabilities–programming vulnerabilities–Attacks on SC), security audits for programming vulnerabilities (signature matching–formal verification–symbolic execution), and countermeasures. |
[S96] Potential Risk Detection System of Hyperledger Fabric Smart Contract based on Static Analysis [111] | Risk analysis and transaction flows showing 16 potential security risks in SCs divided into three types of risks (non-determinism risk–logical security risk–privacy data security risk). |
[S97] Blockchain Application in Healthcare Industry: Attacks and Countermeasures [113] | Review study identifying eight Attacks on BC applications in healthcare, as well as countermeasures. |
[S98] The 51 Attack on Blockchains: A Mining Behaviour Study [105] | Review study covering an investigation of the 51 (the majority) attack risks on consensus mechanisms in Ethereum and Bitcoin BC technologies, showing characterization profile and anomalous behaviour to the suspicious miners and analysis of 10 prevention techniques. |
[S99] The Internet of Things ecosystem: the Blockchain and privacy issues. The challenge for a global privacy standard [96] | Review study covering the seven privacy principles, privacy risks in IoT (identification–profiling–geolocation–liability for data breaches), the importance of DPIA and Privacy by Design in light of GDPR, and identifying the four main aspects to ensure the security and privacy of IoT applications. |
[S100] Psychological and System-Related Barriers to Adopting Blockchain for Operations Management: An Artificial Neural Network Approach [1] | Survey (data collection) showing 178 responses from Malaysian manufacturing firms to investigate the barriers on BC adoption in operation management. Barriers are categorized into two main and seven secondary categories (psychological (information, usage, functional risks barriers), system-related (security and privacy, compatibility, interoperability, and system quality), showing that functional risks, security and privacy, and system usage showed the highest impacts on BC adoption. |
[S101] Research on Progress of Blockchain Access Control [169] | Review on the functional requirements for BC-based access control, including an analysis of 16 BC technologies (Bitcoin, Ethereum, and consortium Blockchains)-based access control. It identified four main risks (privacy exposure issues, cross-organizational access issues, cross-chain access control problems, and performance optimization issues). |
[S102] An empirical analysis of Blockchain cybersecurity incidents [170] | Security-incident analysis study that summarises and analyses 65 cybersecurity incidents related to Ethereum and Bitcoin BCs. Vulnerabilities are divided to Ethereum Virtual Machine bytecode, solidity, and BC network. Fraud and fraud victims classifications are given. |
[S103]Evaluating Countermeasures for Verifying the Integrity of Ethereum Smart Contract Applications [127] | Review study including evaluation of the effectiveness of Ethereum Smart Contract vulnerability countermeasure solutions. A dynamic analysis tool to verify the integrity of SCs are proposed. A total of 11 static and dynamic countermeasures are identified and classified based on vulnerabilities and functionalities. |
[S104] Security risk and response analysis of typical application architecture of information and communication Blockchain [144] | Review showing BC security risks, classified to storage layer (e.g., CouchDB and Level D.B.), protocol layer (consensus, security, and networking mechanisms), extension layer (SC, incentive, punishment mechanisms), and application layer (IoT-inherited vulnerabilities). |
[S105] A Survey on Blockchain: Challenges, Attacks, Security, and Privacy [114] | Survey showing five security attack vectors in BC applications, as well as attacks and countermeasures. Seven Security and privacy (identity privacy and transaction privacy) requirements are identified. |
[S106] The Risks of the Blockchain: A Review on Current Vulnerabilities and Attacks [117] | Review study identifying 24 security risks in BC, which are classified to four groups (BC structure vulnerabilities–consensus mechanism attacks–application attacks–attacks on the P2P network). |
References
- Wong, L.W.; Tan, G.W.H.; Lee, V.H.; Ooi, K.B.; Sohal, A. Psychological and System-Related Barriers to Adopting Blockchain for Operations Management: An Artificial Neural Network Approach. IEEE Trans. Eng. Manag. 2021, 70, 67–81. [Google Scholar] [CrossRef]
- Dubois, É.; Heymans, P.; Mayer, N.; Matulevičius, R. A Systematic Approach to Define the Domain of Information System Security Risk Management. In Intentional Perspectives on Information Systems Engineering; Nurcan, S., Salinesi, C., Souveyet, C., Ralyté, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 289–306. [Google Scholar] [CrossRef] [Green Version]
- Albakri, S.H.; Shanmugam, B.; Samy, G.N.; Idris, N.B.; Ahmed, A. Security risk assessment framework for cloud computing environments. Secur. Commun. Netw. 2014, 7, 2114–2124. [Google Scholar] [CrossRef]
- Alamri, B.; Crowley, K.; Richardson, I. Blockchain-Based Identity Management Systems in Health IoT: A Systematic Review. IEEE Access 2022, 10, 59612–59629. [Google Scholar] [CrossRef]
- Haddouti, S.E.; Ech-Cherif El Kettani, M.D. Analysis of Identity Management Systems Using Blockchain Technology. In Proceedings of the 2019 International Conference on Advanced Communication Technologies and Networking (CommNet), Rabat, Morocco, 12–14 April 2019; pp. 1–7. [Google Scholar] [CrossRef]
- Lesavre, L. A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [CrossRef]
- ISO. Risk Management—Principles and Guidelines; International Organization for Standardization: Geneva, Switzerland, 2009. [Google Scholar]
- ISO 31000:2018(en). Risk Management—Guidelines. Available online: https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en (accessed on 13 July 2022).
- Meriah, I.; Arfa Rabai, L.B. Comparative Study of Ontologies Based ISO 27000 Series Security Standards. Procedia Comput. Sci. 2019, 160, 85–92. [Google Scholar] [CrossRef]
- The Joint Task Force Transformation Initiative. Guide for Conducting Risk Assessments; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2012.
- The Joint Task Force Transformation Initiative. SP 800-39. Managing Information Security Risk: Organization, Mission, and Information System View; National Institute of Standards & Technology: Gaithersburg, MD, USA, 2011.
- Malamas, V.; Chantzis, F.; Dasaklis, T.K.; Stergiopoulos, G.; Kotzanikolaou, P.; Douligeris, C. Risk Assessment Methodologies for the Internet of Medical Things: A Survey and Comparative Appraisal. IEEE Access 2021, 9, 40049–40075. [Google Scholar] [CrossRef]
- ISO. ISO/IEC 27005:2018—Information Technology—Security Techniques—Information Security Risk Management. Available online: https://www.iso.org/standard/75281.html (accessed on 14 July 2022).
- ISO. ISO/IEC 27002:2022—Information Security, Cybersecurity and Privacy Protection—Information Security Controls. Available online: https://www.iso.org/standard/75652.html (accessed on 14 July 2022).
- Joint Task Force. NIST Special Publication 800-37 Risk Management Framework for Information Systems and Organizations a System Life Cycle Approach for Security and Privacy Joint Task Force; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018. [CrossRef]
- Joint Task Force. Security and Privacy Controls for Information Systems and Organizations; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017.
- Joint Task Force. Assessing Security and Privacy Controls in Information Systems and Organizations. NIST Spec. Publ. 2022, 800, 53A. [Google Scholar]
- Keele, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering; Version 2.3 EBSE Technical Report; EBSE: Newcastle, UK, 2007. [Google Scholar]
- Nickerson, R.C.; Varshney, U.; Muntermann, J. A method for taxonomy development and its application in information systems. Eur. J. Inf. Syst. 2013, 22, 336–359. [Google Scholar] [CrossRef]
- Schmidt, K.; Mühle, A.; Grüner, A.; Meinel, C. Clear the Fog: Towards a Taxonomy of Self-Sovereign Identity Ecosystem Members. In Proceedings of the 2021 18th International Conference on Privacy, Security and Trust (PST), Auckland, New Zealand, 13–15 December 2021; pp. 1–7. [Google Scholar] [CrossRef]
- Bramhall, P.; Hansen, M.; Rannenberg, K.; Roessler, T. User-Centric Identity Management: New Trends in Standardization and Regulation. IEEE Secur. Priv. 2007, 5, 84–87. [Google Scholar] [CrossRef]
- Sepczuk, M.; Kotulski, Z. A new risk-based authentication management model oriented on user’s experience. Comput. Secur. 2018, 73, 17–33. [Google Scholar] [CrossRef]
- The 18 CIS Critical Security Controls. Available online: https://www.cisecurity.org/controls/cis-controls-list (accessed on 16 July 2022).
- Official PCI Security Standards Council Site—Verify PCI Compliance, Download Data Security and Credit Card Security Standards. Available online: https://www.pcisecuritystandards.org/about_us/ (accessed on 18 July 2022).
- NIS Directive—ENISA. Available online: https://www.enisa.europa.eu/topics/nis-directive?tab=details (accessed on 20 July 2022).
- Hatzivasilis, G.; Soultatos, O.; Ioannidis, S.; Verikoukis, C.; Demetriou, G.; Tsatsoulis, C. Review of Security and Privacy for the Internet of Medical Things (IoMT). In Proceedings of the 2019 15th International Conference on Distributed Computing in Sensor Systems (DCOSS), Santorini Island, Greece, 29–31 May 2019; pp. 457–464. [Google Scholar] [CrossRef]
- General Data Protection Regulation (GDPR)—Official Legal Text. Available online: https://gdpr-info.eu/ (accessed on 13 July 2022).
- Data Protection Impact Assessments. Data Protection Commissioner. Available online: https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments (accessed on 13 July 2022).
- Shahid, J.; Ahmad, R.; Kiani, A.K.; Ahmad, T.; Saeed, S.; Almuhaideb, A.M. Data Protection and Privacy of the Internet of Healthcare Things (IoHTs). Appl. Sci. 2022, 12, 1927. [Google Scholar] [CrossRef]
- Cyber security and resilience for Smart Hospitals—ENISA. Available online: https://www.enisa.europa.eu/publications/cyber-security-and-resilience-for-smart-hospitals (accessed on 14 August 2022).
- Wang, D.; Zhu, Y.; Zhang, Y.; Liu, G. Security assessment of blockchain in Chinese classified protection of cybersecurity. IEEE Access 2020, 8, 203440–203456. [Google Scholar] [CrossRef]
- Kim, K.H.; Lim, S.; Hwang, D.Y.; Kim, K.H. Analysis on the Privacy of DID Service Properties in the DID Document. IEEE Comput. Soc. 2021, 2021, 745–748. [Google Scholar] [CrossRef]
- Ratti, D.R.; Chua, H.N. The Gaps of Identity Management in Fulfilling Personal Data Protection Regulations’ Requirements and Research Opportunities. IT Converg. Secur. 2021, 782, 43–54. [Google Scholar] [CrossRef]
- ISO. ISO 14971:2019—Medical Devices—Application of Risk Management to Medical Devices. Available online: https://www.iso.org/standard/72704.html (accessed on 15 August 2022).
- ISO/TR 24971:2020(en), Medical Devices—Guidance on the Application of ISO 14971. Available online: https://www.iso.org/obp/ui/#iso:std:iso:tr:24971:ed-2:v1:en (accessed on 15 August 2022).
- ISO. IEC 80001-1:2010—Application of Risk Management for IT-Networks Incorporating Medical Devices—Part 1: Roles, Responsibilities and Activities. Available online: https://www.iso.org/standard/44863.html (accessed on 15 August 2022).
- Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff. Available online: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices (accessed on 17 August 2022).
- ISO. IEC 62304:2006—Medical Device Software—Software Life Cycle Processes. Available online: https://www.iso.org/standard/38421.html (accessed on 16 August 2022).
- AAMI TIR57: 2016—Principles for Medical Device Security—Risk Management. Available online: https://webstore.ansi.org/Standards/AAMI/aamitir572016 (accessed on 16 August 2022).
- Principles and Practices for Medical Device Cybersecurity | International Medical Device Regulators Forum. Available online: https://www.imdrf.org/documents/principles-and-practices-medical-device-cybersecurity (accessed on 20 August 2022).
- Chase, P.; Coley, S.C. Rubric for Applying CVSS to Medical Devices; Technical Report; MITRE Corporation: Bedford, MA, USA, 2019. [Google Scholar]
- Regulation (EU) 2017/ 745 of The European Parliament and of The Council—of 5 April 2017—on Medical Devices, Amending Directive 2001/ 83/ EC, Regulation (EC) No 178/ 2002 and Regulation (EC) No 1223/ 2009 and Repealing Council Directives 90/ 385/ EEC and 93/ 42/ EEC. Technical Report. Available online: https://op.europa.eu/en/publication-detail/-/publication/83bdc18f-315d-11e7-9412-01aa75ed71a1/language-en (accessed on 20 August 2022).
- Yaqoob, T.; Abbas, H.; Atiquzzaman, M. Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical Devices—A Review. IEEE Commun. Surv. Tutor. 2019, 21, 3723–3768. [Google Scholar] [CrossRef]
- Boeckl, K.; Fagan, M.; Fisher, W.; Lefkovitz, N.; Megas, K.N.; Nadeau, E.; O’Rourke, D.G.; Piccarreta, B.; Scarfone, K. Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2019.
- Vakhter, V.; Soysal, B.; Schaumont, P.; Guler, U. Threat Modeling and Risk Analysis for Miniaturized Wireless Biomedical Devices. IEEE Internet Things J. 2022, 9, 13338–13352. [Google Scholar] [CrossRef]
- Group, I.I.C.S.W.; Hogan, M.; Piccarreta, B. Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018. [CrossRef]
- Fagan, M.; Megas, K.N.; Scarfone, K.; Smith, M. Foundational Cybersecurity Activities for IoT Device Manufacturers; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [CrossRef]
- Fagan, M.; Fagan, M.; Megas, K.N.; Scarfone, K.; Smith, M. IoT Device Cybersecurity Capability Core Baseline; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
- ISO. ISO/IEC 27400:2022—Cybersecurity—IoT Security and Privacy—Guidelines. Available online: https://www.iso.org/standard/44373.html (accessed on 25 August 2022).
- Cyber. EN 303 645-V2.1.1-CYBER. Cyber Security for Consumer Internet of Things: Baseline Requirements. 2020. Available online: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf (accessed on 22 August 2022).
- GSMA. GSMA IoT Security Guidelines and Assessment. Internet of Things. Available online: https://www.gsma.com/iot/iot-security/iot-security-guidelines/ (accessed on 25 August 2022).
- Health Information Privacy: Summary of the HIPAA Security Rule. Available online: https://www.hhs.gov/hipaa/newsroom/index.html (accessed on 24 August 2022).
- Security in Iomt Communications: A Survey. Sensors 2020, 20, 4828. [CrossRef]
- ISO. IEC 81001-5-1:2021—Health Software and Health IT Systems Safety, Effectiveness and Security—Part 5-1: Security—Activities in the Product Life Cycle. Available online: https://www.iso.org/standard/76097.html (accessed on 28 August 2022).
- ISO. IEC 82304-1:2016—Health Software—Part 1: General Requirements for Product Safety. Available online: https://www.iso.org/standard/59543.html (accessed on 28 August 2022).
- ISO. ISO/IEC 9798-1:2010—Information Technology—Security Techniques—Entity Authentication—Part 1: General. Available online: https://www.iso.org/standard/53634.html (accessed on 22 August 2022).
- ISO. ISO/IEC 9798-2:2019—IT Security Techniques—Entity Authentication—Part 2: Mechanisms Using Authenticated Encryption. Available online: https://www.iso.org/standard/67114.html (accessed on 22 August 2022).
- ISO. ISO/IEC 29115:2013—Information Technology—Security Techniques—Entity Authentication Assurance Framework. Available online: https://www.iso.org/standard/45138.html (accessed on 22 August 2022).
- Grassi, P.; Fenton, J. NIST SP800-63-2: Electronic Authentication Guideline; Technical Report; NIST: Reston, VA, USA, 2013. Available online: http://nvlpubs.nist.gov/nistpubs (accessed on 2 September 2022).
- eIDAS. The Ecosystem. Available online: https://www.eid.as/ (accessed on 5 September 2022).
- IEEE, SA. IEEE 2410-2021; IEEE Standard for Biometric Privacy. Available online: https://standards.ieee.org/ieee/2410/7746/ (accessed on 22 August 2022).
- ISO. ISO/IEC 24760-1:2019. IT Security and Privacy—A Framework for Identity Management—Part 1: Terminology and Concepts. Available online: https://www.iso.org/standard/77582.html (accessed on 23 August 2022).
- Blockchain and the GDPR. EUBlockchain. 2018. Available online: https://www.eublockchainforum.eu/reports/blockchain-and-gdpr (accessed on 7 September 2022).
- Workshop Report— Legal and Regulatory Framework of Blockchains and Smart Contracts. EUBlockchain. 2018. Available online: https://www.eublockchainforum.eu/reports/workshop-report-legal-and-regulatory-framework-blockchains-and-smart-contracts-december-12 (accessed on 6 September 2022).
- Blockchain for Government and Public Services. EUBlockchain. 2018. Available online: https://www.eublockchainforum.eu/reports/blockchain-government-and-public-services (accessed on 5 September 2022).
- Blockchain and Digital Identity. EUBlockchain. 2019. Available online: https://www.eublockchainforum.eu/reports/blockchain-and-digital-identity (accessed on 7 September 2022).
- ESAM Asia. The Distributed Ledger Technology Applied to Securities Markets; European Securities and Markets Authority: Paris, France, 2017. [Google Scholar]
- ISO. ISO 23257:2022. Blockchain and Distributed Ledger Technologies—Reference Architecture. Available online: https://www.iso.org/standard/75093.html (accessed on 8 September 2022).
- Hu, V.C. Blockchain for Access Control Systems; Technical Report; Computer Security Resource Center: Gaithersburg, MD, USA, 2022. [CrossRef]
- Reed, D.; Sporny, M.; Longley, D.; Allen, C.; Grant, R.; Sabadello, M.; Holt, J. Decentralized Identifiers (Dids) v1. 0: Core Architecture, Data Model, and Representations; W3C Working Draft; World Wide Web Consortium (W3C): Cambridge, MA, USA, 2022. [Google Scholar]
- Grüner, A.; Mühle, A.; Meinel, C. Analyzing Interoperability and Portability Concepts for Self-Sovereign Identity. In Proceedings of the 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Shenyang, China, 20–22 October 2021; pp. 587–597. [Google Scholar] [CrossRef]
- DIF—Decentralized Identity Foundation. Available online: https://identity.foundation/ (accessed on 8 September 2022).
- Decentralized Identity-ethereum.org. Available online: https://ethereum.org/en/decentralized-identity/ (accessed on 11 September 2022).
- Schlatt, V.; Guggenberger, T.; Schmid, J.; Urbach, N. Attacking the trust machine: Developing an information systems research agenda for blockchain cybersecurity. Int. J. Inf. Manag. 2022, 68, 102470. [Google Scholar] [CrossRef]
- EIP-721: Non-Fungible Token Standard. Available online: https://eips.ethereum.org/EIPS/eip-721 (accessed on 11 September 2022).
- Decentralized Key Management System. Available online: https://github.com/WebOfTrustInfo/rwot4-paris/blob/master/topics-and-advance-readings/dkms-decentralized-key-mgmt-system.md (accessed on 11 September 2022).
- Lesavre, L.; Varin, P.; Yaga, D. Blockchain Networks: Token Design and Management Overview; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2021. [CrossRef]
- Sun, Y.; Lo, F.P.; Lo, B. Security and Privacy for the Internet of Medical Things Enabled Healthcare Systems: A Survey. IEEE Access 2019, 7, 183339–183355. [Google Scholar] [CrossRef]
- Butpheng, C.; Yeh, K.H.; Xiong, H. Security and Privacy in IoT-Cloud-Based e-Health Systems—A Comprehensive Review. Symmetry 2020, 12, 1191. [Google Scholar] [CrossRef]
- Skierka, I. The governance of safety and security risks in connected healthcare. In Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT 2018, London, UK, 28–29 March 2018; pp. 1–12. [Google Scholar] [CrossRef]
- Alzahrani, S.; Daim, T.; Choo, K.K.R. Assessment of the Blockchain Technology Adoption for the Management of the Electronic Health Record Systems. IEEE Trans. Eng. Manag. 2022, 1–18. [Google Scholar] [CrossRef]
- Paintsil, E.; Fritsch, L. A Taxonomy of Privacy and Security Risks Contributing Factors. In Privacy and Identity Management for Life; Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 52–63. [Google Scholar]
- Indu, I.; Anand, P.R.; Bhaskar, V. Identity and access management in cloud environment: Mechanisms and challenges. Eng. Sci. Technol. Int. J. 2018, 21, 574–588. [Google Scholar] [CrossRef]
- Fritsch, L. Identity Management as a target in cyberwar. In Open Identity Summit 2020; Gesellschaft fur Informatik e.V.: Bonn, Germany, 2020. [Google Scholar]
- Werner, J.; Westphall, C.M.; Westphall, C.B. Cloud identity management: A survey on privacy strategies. Comput. Netw. 2017, 122, 29–42. [Google Scholar] [CrossRef]
- Arias-Cabarcos, P.; Almenárez-Mendoza, F.; Marín-López, A.; Díaz-Sánchez, D.; Sánchez-Guerrero, R. A metric-based approach to assess risk for “on cloud” federated identity management. J. Netw. Syst. Manag. 2012, 20, 513–533. [Google Scholar] [CrossRef] [Green Version]
- Islam, S.M.R.; Kwak, D.; Kabir, M.H.; Hossain, M.; Kwak, K.S. The Internet of Things for Health Care: A Comprehensive Survey. IEEE Access 2015, 3, 678–708. [Google Scholar] [CrossRef]
- Kim, B.G.; Cho, Y.S.; Kim, S.H.; Kim, H.; Woo, S.S. A Security Analysis of Blockchain-Based Did Services. IEEE Access 2021, 9, 22894–22913. [Google Scholar] [CrossRef]
- Ianculescu, M.; Coardoș, D.; Bica, O.; Vevera, V. Security and Privacy Risks for Remote Healthcare Monitoring Systems. In Proceedings of the 2020 International Conference on e-Health and Bioengineering (EHB), Iasi, Romania, 29–30 October 2020; pp. 1–4. [Google Scholar] [CrossRef]
- Psychoula, I.; Chen, L.; Amft, O. Privacy Risk Awareness in Wearables and the Internet of Things. IEEE Pervasive Comput. 2020, 19, 60–66. [Google Scholar] [CrossRef]
- Tseng, T.W.; Wu, C.T.; Lai, F. Threat Analysis for Wearable Health Devices and Environment Monitoring Internet of Things Integration System. IEEE Access 2019, 7, 144983–144994. [Google Scholar] [CrossRef]
- Cagnazzo, M.; Hertlein, M.; Holz, T.; Pohlmann, N. Threat modeling for mobile health systems. In Proceedings of the 2018 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), Barcelona, Spain, 15–18 April 2018; pp. 314–319. [Google Scholar] [CrossRef]
- Paul, P.C.; Loane, J.; McCaffery, F.; Regan, G. Towards Design and Development of a Data Security and Privacy Risk Management Framework for WBAN Based Healthcare Applications. Appl. Syst. Innov. 2021, 4, 76. [Google Scholar] [CrossRef]
- Sheik, A.T.; Maple, C.; Epiphaniou, G.; Atmaca, U.I. A Comparative Study of Cyber Threats on Evolving Digital Identity Systems. In Proceedings of the Competitive Advantage in the Digital Economy (CADE 2021), Online, 2–3 June 2021; pp. 62–69. [Google Scholar] [CrossRef]
- Mamdouh, M.; Awad, A.I.; Khalaf, A.A.; Hamed, H.F. Authentication and Identity Management of IoHT Devices: Achievements, Challenges, and Future Directions. Comput. Secur. 2021, 111, 102491. [Google Scholar] [CrossRef]
- Fabiano, N. The Internet of Things ecosystem: The blockchain and privacy issues. The challenge for a global privacy standard. In Proceedings of the 2017 International Conference on Internet of Things for the Global Community (IoTGC), Funchal, Portugal, 10–13 July 2017; pp. 1–7. [Google Scholar] [CrossRef]
- Gómez Tello, V.; Álvarez Rodríguez, J.; Núñez Reiz, A.; González Sánchez, J.; Hernández Abadía de Barbará, A.; Martínez Fresneda, M.; Morrondo Valdeolmillos, P.; Nicolás Arfelis, J.; Pujol Varela, I.; Calvete Chicharro, M. Technical and functional standards and implementation of a clinical information system in intensive care units. Med. Intensiv. 2011, 35, 484–496. [Google Scholar] [CrossRef] [Green Version]
- Guo, H.; Yu, X. A survey on blockchain technology and its security. Blockchain Res. Appl. 2022, 3, 100067. [Google Scholar] [CrossRef]
- Louassef, B.R.; Chikouche, N. Privacy preservation in healthcare systems. In Proceedings of the 2021 International Conference on Artificial Intelligence for Cyber Security Systems and Privacy (AI-CSP), El Oued, Algeria, 20–21 November 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Shostack, A. Threat Modeling: Designing for Security; John Widley & Sons, Inc.: Hoboken, NJ, USA, 2014. [Google Scholar]
- Hörbe, R.; Hötzendorfer, W. Privacy by Design in Federated Identity Management. In Proceedings of the 2015 IEEE Security and Privacy Workshops, San Jose, CA, USA, 21–22 May 2015; pp. 167–174. [Google Scholar] [CrossRef]
- Nasiri, S.; Sadoughi, F.; Tadayon, M.H.; Dehnad, A. Security requirements of internet of things-based healthcare system: A survey study. Acta Inform. Medica 2019, 27, 253–258. [Google Scholar] [CrossRef] [PubMed]
- Jøsang, A.; Fabre, J.; Hay, B.; Dalziel, J.; Pope, S. Trust requirements in identity management. In Proceedings of the 2005 Australasian Workshop on Grid Computing and E-Research, Newcastle, NSW, Australia, 1 January 2005; pp. 99–108. [Google Scholar]
- Papaioannou, M.; Karageorgou, M.; Mantas, G.; Sucasas, V.; Essop, I.; Rodriguez, J.; Lymberopoulos, D. A survey on security threats and countermeasures in internet of medical things (IoMT). Trans. Emerg. Telecommun. Technol. 2022, 33, e4049. [Google Scholar] [CrossRef]
- Aponte-Novoa, F.A.; Orozco, A.L.S.; Villanueva-Polanco, R.; Wightman, P. The 51 Attack on Blockchains: A Mining Behavior Study. IEEE Access 2021, 9, 140549–140564. [Google Scholar] [CrossRef]
- Balduf, L.; Henningsen, S.; Florian, M.; Rust, S.; Scheuermann, B. Monitoring data requests in decentralized data storage systems: A case study of IPFS. arXiv 2021, arXiv:2104.09202. [Google Scholar]
- Bhardwaj, A.; Shah, S.B.H.; Shankar, A.; Alazab, M.; Kumar, M.; Gadekallu, T.R. Penetration testing framework for smart contract blockchain. Peer-Peer Netw. Appl. 2021, 14, 2635–2650. [Google Scholar] [CrossRef]
- Kushwaha, S.S.; Joshi, S.; Singh, D.; Kaur, M.; Lee, H.N. Systematic Review of Security Vulnerabilities in Ethereum Blockchain Smart Contract. IEEE Access 2022, 10, 6605–6621. [Google Scholar] [CrossRef]
- Huang, Y.; Bian, Y.; Li, R.; Zhao, J.L.; Shi, P. Smart Contract Security: A Software Lifecycle Perspective. IEEE Access 2019, 7, 150184–150202. [Google Scholar] [CrossRef]
- Peng, K.; Li, M.; Huang, H.; Wang, C.; Wan, S.; Choo, K.K.R. Security Challenges and Opportunities for Smart Contracts in Internet of Things: A Survey. IEEE Internet Things J. 2021, 8, 12004–12020. [Google Scholar] [CrossRef]
- Lv, P.; Wang, Y.; Wang, Y.; Zhou, Q. Potential Risk Detection System of Hyperledger Fabric Smart Contract based on Static Analysis. In Proceedings of the 2021 IEEE Symposium on Computers and Communications (ISCC), Athens, Greece, 5–8 September 2021; pp. 1–7. [Google Scholar] [CrossRef]
- Li, Z.; Wang, Y.; Wen, S.; Ding, Y. Evil chaincode: Apt attacks based on smart contract. In Proceedings of the International Conference on Frontiers in Cyber Security, Tianjin, China, 15–17 November 2020; pp. 178–196. [Google Scholar]
- Alsunbul, A.; Elmedany, W.; Al-Ammal, H. Blockchain Application in Healthcare Industry: Attacks and Countermeasures. In Proceedings of the 2021 International Conference on Data Analytics for Business and Industry (ICDABI), Sakheer, Bahrain, 25–26 October 2021; pp. 621–629. [Google Scholar] [CrossRef]
- Hedayati, A.; Hosseini, H.A. A survey on Blockchain: Challenges, Attacks, Security, and Privacy. Int. J. Smart Electr. Eng. 2021, 10, 141–168. [Google Scholar]
- Wen, Y.; Lu, F.; Liu, Y.; Huang, X. Attacks and countermeasures on blockchains: A survey from layering perspective. Comput. Netw. 2021, 191, 107978. [Google Scholar] [CrossRef]
- Naik, N.; Grace, P.; Jenkins, P. An Attack Tree Based Risk Analysis Method for Investigating Attacks and Facilitating Their Mitigations in Self-Sovereign Identity. In Proceedings of the 2021 IEEE Symposium Series on Computational Intelligence (SSCI), Virtual, 5–7 December 2021; pp. 1–8. [Google Scholar] [CrossRef]
- Konig, L.; Unger, S.; Kieseberg, P.; Tjoa, S.; Blockchains, J.R.C. The Risks of the Blockchain A Review on Current Vulnerabilities and Attacks. J. Internet Serv. Inf. Secur. 2020, 10, 110–127. [Google Scholar]
- Alsubaei, F.; Abuhussein, A.; Shandilya, V.; Shiva, S. IoMT-SAF: Internet of Medical Things Security Assessment Framework. Internet Things 2019, 8, 100123. [Google Scholar] [CrossRef]
- Charla, G.B.; Karen, J.; Miller, H.; Chun, M. The Human-side of Emerging Technologies and Cyber Risk: A case analysis of blockchain across different verticals. In Proceedings of the 2021 IEEE Technology & Engineering Management Conference—Europe (TEMSCON-EUR), Virtual, 17–20 May 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Abouzakhar, N.S.; Jones, A.; Angelopoulou, O. Internet of Things Security: A Review of Risks and Threats to Healthcare Sector. In Proceedings of the 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Exeter, UK, 21–23 June 2017; pp. 373–378. [Google Scholar] [CrossRef]
- Peterson, G. Introduction to identity management risk metrics. IEEE Secur. Priv. 2006, 4, 88–91. [Google Scholar] [CrossRef]
- Kakavand, H.; Kost De Sevres, N.; Chilton, B. The blockchain revolution: An analysis of regulation and technology related to distributed ledger technologies. SSRN 2017. [Google Scholar] [CrossRef] [Green Version]
- Lee, H.; Jeun, I.; Jung, H. Criteria for Evaluating the Privacy Protection Level of Identity Management Services. In Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies, Athens/Glyfada, Greece, 18–23 June 2009; pp. 155–160. [Google Scholar] [CrossRef]
- Wang, L.; Ali, Y.; Nazir, S.; Niazi, M. ISA Evaluation Framework for Security of Internet of Health Things System Using AHP-TOPSIS Methods. IEEE Access 2020, 8, 152316–152332. [Google Scholar] [CrossRef]
- Kuperberg, M. Blockchain-Based Identity Management: A Survey From the Enterprise and Ecosystem Perspective. IEEE Trans. Eng. Manag. 2020, 67, 1008–1027. [Google Scholar] [CrossRef]
- Putta, S.R.; Abuhussein, A.; Alsubaei, F.; Shiva, S.; Atiewi, S. Security benchmarks for wearable medical things: Stakeholders-centric approach. In Proceedings of the Fourth International Congress on Information and Communication Technology, London, UK, 27–28 February 2020; pp. 405–418. [Google Scholar]
- Ji, S.; Kim, D.; Im, H. Evaluating Countermeasures for Verifying the Integrity of Ethereum Smart Contract Applications. IEEE Access 2021, 9, 90029–90042. [Google Scholar] [CrossRef]
- White, B.S.; King, C.G.; Holladay, J. Blockchain security risk assessment and the auditor. J. Corp. Account. Financ. 2020, 31, 47–53. [Google Scholar] [CrossRef]
- Iqbal, M.; Matulevičius, R. Exploring Sybil and Double-Spending Risks in Blockchain Systems. IEEE Access 2021, 9, 76153–76177. [Google Scholar] [CrossRef]
- Somasundaram, R.; Thirugnanam, M. Review of security challenges in healthcare internet of things. Wirel. Netw. 2021, 27, 5503–5509. [Google Scholar] [CrossRef]
- Halpin, H. Vision: A critique of immunity passports and w3c decentralized identifiers. In Proceedings of the International Conference on Research in Security Standardisation, London, UK, 30 November–1 December 2020; pp. 148–168. [Google Scholar]
- Alsubaei, F.; Abuhussein, A.; Shiva, S. Security and Privacy in the Internet of Medical Things: Taxonomy and Risk Assessment. In Proceedings of the 2017 IEEE 42nd Conference on Local Computer Networks Workshops (LCN Workshops), Singapore, 9 October 2017; pp. 112–120. [Google Scholar] [CrossRef]
- Mallah, R.A.; Farooq, B. Actor-based risk analysis for blockchains in smart mobility. In Proceedings of the 3rd Workshop on Cryptocurrencies and Blockchains for Distributed Systems, London, UK, 25 September 2020; pp. 29–34. [Google Scholar]
- Paintsil, E. Evaluation of Privacy and Security Risks Analysis Construct for Identity Management Systems. IEEE Syst. J. 2013, 7, 189–198. [Google Scholar] [CrossRef]
- Dhamija, R.; Dusseault, L. The Seven Flaws of Identity Management: Usability and Security Challenges. IEEE Secur. Priv. Mag. 2008, 6, 24–29. [Google Scholar] [CrossRef]
- Jackson, G.W., Jr.; Rahman, S. Exploring Challenges and Opportunities in Cybersecurity Risk and Threat Communications Related To The Medical Internet Of Things (MIoT). arXiv 2019, arXiv:1908.00666. [Google Scholar] [CrossRef]
- Lopatina, K.; Dokuchaev, V.A.; Maklachkova, V.V. Data Risks Identification in Healthcare Sensor Networks. In Proceedings of the 2021 International Conference on Engineering Management of Communication and Technology (EMCTECH), Vienna, Austria, 20–22 October 2021; pp. 1–7. [Google Scholar] [CrossRef]
- Mallah, R.A.; López, D.; Farooq, B. Cyber-Security Risk Assessment Framework for Blockchains in Smart Mobility. IEEE Open J. Intell. Transp. Syst. 2021, 2, 294–311. [Google Scholar] [CrossRef]
- Ruf, P.; Stodt, J.; Reich, C. Security Threats of a Blockchain-Based Platform for Industry Ecosystems in the Cloud. In Proceedings of the 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4), London, UK, 29–30 July 2021; pp. 192–199. [Google Scholar] [CrossRef]
- Cha, S.C.; Shiung, C.M.; Lin, G.Y.; Hung, Y.H. A Security Risk Management Framework for Permissioned Blockchain Applications. In Proceedings of the 2021 IEEE International Conference on Smart Internet of Things (SmartIoT), Jeju, Republic of Korea, 13–15 August 2021; pp. 301–310. [Google Scholar] [CrossRef]
- Morganti, G.; Schiavone, E.; Bondavalli, A. Risk Assessment of Blockchain Technology. In Proceedings of the 2018 Eighth Latin-American Symposium on Dependable Computing (LADC), Foz do Iguaçu, Brazil, 8–10 October 2018; pp. 87–96. [Google Scholar] [CrossRef]
- Homoliak, I.; Venugopalan, S.; Reijsbergen, D.; Hum, Q.; Schumi, R.; Szalachowski, P. The Security Reference Architecture for Blockchains: Toward a Standardized Model for Studying Vulnerabilities, Threats, and Defenses. IEEE Commun. Surv. Tutor. 2021, 23, 341–390. [Google Scholar] [CrossRef]
- Putz, B.; Pernul, G. Detecting Blockchain Security Threats. In Proceedings of the 2020 IEEE International Conference on Blockchain (Blockchain), Virtual, 2–6 November 2020; pp. 313–320. [Google Scholar] [CrossRef]
- Zhao, H.; Zhang, M.; Wang, S.; Li, E.; Guo, Z.; Sun, D. Security risk and response analysis of typical application architecture of information and communication blockchain. Neural Comput. Appl. 2021, 33, 7661–7671. [Google Scholar] [CrossRef]
- Wilson, S.; Moustafa, N.; Sitnikova, E. A digital identity stack to improve privacy in the IoT. In Proceedings of the 2018 IEEE 4th World Forum on Internet of Things (WF-IoT), Singapore, 5–8 February 2018; pp. 25–29. [Google Scholar] [CrossRef]
- Arias-Cabarcos, P.; Almenárez, F.; Trapero, R.; Díaz-Sánchez, D.; Marín, A. Blended Identity: Pervasive IdM for Continuous Authentication. IEEE Secur. Priv. 2015, 13, 32–39. [Google Scholar] [CrossRef] [Green Version]
- Attaallah, A.; Ahmad, M.; Ansari, M.T.J.; Pandey, A.K.; Kumar, R.; Khan, R.A. Device security assessment of Internet of healthcare things. Intell. Autom. Soft Comput. 2020, 27, 593–603. [Google Scholar] [CrossRef]
- Yin, Y.; Zeng, Y.; Chen, X.; Fan, Y. The internet of things in healthcare: An overview. J. Ind. Inf. Integr. 2016, 1, 3–13. [Google Scholar] [CrossRef]
- Hasan, M.K.; Ghazal, T.M.; Saeed, R.A.; Pandey, B.; Gohel, H.; Eshmawi, A.; Abdel-Khalek, S.; Alkhassawneh, H.M. A review on security threats, vulnerabilities, and counter measures of 5G enabled Internet-of-Medical-Things. IET Commun. 2022, 16, 421–432. [Google Scholar] [CrossRef]
- Vithanwattana, N.; Mapp, G.; George, C. Developing a comprehensive information security framework for mHealth: A detailed analysis. J. Reliab. Intell. Environ. 2017, 3, 21–39. [Google Scholar] [CrossRef]
- Markakis, E.; Nikoloudakis, Y.; Pallis, E.; Manso, M. Security Assessment as a Service Cross-Layered System for the Adoption of Digital, Personalised and Trusted Healthcare. In Proceedings of the 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), Limerick, Ireland, 15–18 April 2019; pp. 91–94. [Google Scholar] [CrossRef]
- Paintsil, E. A Model for Privacy and Security Risks Analysis. In Proceedings of the 2012 5th International Conference on New Technologies, Mobility and Security (NTMS), Istanbul, Turkey, 7–10 May 2012; pp. 1–8. [Google Scholar] [CrossRef]
- Dib, O.; Toumi, K. Decentralized identity systems: Architecture, challenges, solutions and future directions. Ann. Emerg. Technol. Comput. (AETiC) 2020, 4, 19–40. [Google Scholar] [CrossRef]
- Gilani, K.; Bertin, E.; Hatin, J.; Crespi, N. A Survey on Blockchain-based Identity Management and Decentralized Privacy for Personal Data. In Proceedings of the 2020 2nd Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS), Paris, France, 28–30 September 2020; pp. 97–101. [Google Scholar] [CrossRef]
- Habiba, U.; Masood, R.; Shibli, M.A.; Niazi, M.A. Cloud identity management security issues & solutions: A taxonomy. Complex Adapt. Syst. Model. 2014, 2, 1–37. [Google Scholar]
- Hummer, M.; Groll, S.; Kunz, M.; Fuchs, L.; Pernul, G. Measuring Identity and Access Management Performance-An Expert Survey on Possible Performance Indicators. In Proceedings of the 4th International Conference on Information Systems Security and Privacy, Funchal, Portugal, 22–24 January 2018; pp. 233–240. [Google Scholar]
- Kylau, U.; Thomas, I.; Menzel, M.; Meinel, C. Trust Requirements in Identity Federation Topologies. In Proceedings of the 2009 International Conference on Advanced Information Networking and Applications, Bradford, UK, 26–29 May 2009; pp. 137–145. [Google Scholar] [CrossRef]
- Iqbal, M.; Matulevičius, R. Blockchain-based application security risks: A systematic literature review. In Proceedings of the International Conference on Advanced Information Systems Engineering, Rome, Italy, 3–7 June 2019; pp. 176–188. [Google Scholar]
- Fedorov, A.K.; Kiktenko, E.O.; Lvovsky, A.I. Quantum Computers Put Blockchain Security at Risk. 2018. Available online: https://www.nature.com/articles/d41586-018-07449-z (accessed on 10 September 2022).
- Davenport, A.; Shetty, S. Air Gapped Wallet Schemes and Private Key Leakage in Permissioned Blockchain Platforms. In Proceedings of the 2019 IEEE International Conference on Blockchain (Blockchain), Atlanta, GA, USA, 14–17 July 2019; pp. 541–545. [Google Scholar] [CrossRef]
- Zhang, R.; Xue, R.; Liu, L. Security and Privacy for Healthcare Blockchains. IEEE Trans. Serv. Comput. 2021, 15, 3668–3686. [Google Scholar] [CrossRef]
- Bhutta, M.N.M.; Khwaja, A.A.; Nadeem, A.; Ahmad, H.F.; Khan, M.K.; Hanif, M.A.; Song, H.; Alshamari, M.; Cao, Y. A Survey on Blockchain Technology: Evolution, Architecture and Security. IEEE Access 2021, 9, 61048–61073. [Google Scholar] [CrossRef]
- Keenan, T.P. Alice in Blockchains: Surprising Security Pitfalls in PoW and PoS Blockchain Systems. In Proceedings of the 2017 15th Annual Conference on Privacy, Security and Trust (PST), Calgary, AB, Canada, 28–30 August 2017; pp. 400–4002. [Google Scholar] [CrossRef]
- Alghamdi, S.; Almuhammadi, S. The Future of Cryptocurrency Blockchains in the Quantum Era. In Proceedings of the 2021 IEEE International Conference on Blockchain (Blockchain), Melbourne, Australia, 6–8 December 2021; pp. 544–551. [Google Scholar] [CrossRef]
- Shah, R.; Sridaran, R. A Study on Security and Privacy related Issues in Blockchain Based Applications. In Proceedings of the 2019 6th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 13–15 March 2019; pp. 1240–1244. [Google Scholar]
- Zhao, Y.; Duncan, B. The Impact of Crypto-Currency Risks on the Use of Blockchain for Cloud Security and Privacy. In Proceedings of the 2018 International Conference on High Performance Computing & Simulation (HPCS), Orleans, France, 16–20 July 2018; pp. 677–684. [Google Scholar] [CrossRef]
- Yamashita, K.; Nomura, Y.; Zhou, E.; Pi, B.; Jun, S. Potential Risks of Hyperledger Fabric Smart Contracts. In Proceedings of the 2019 IEEE International Workshop on Blockchain Oriented Software Engineering (IWBOSE), Hangzhou, China, 24 February 2019; pp. 1–10. [Google Scholar] [CrossRef]
- Brotsis, S.; Kolokotronis, N.; Limniotis, K.; Bendiab, G.; Shiaeles, S. On the Security and Privacy of Hyperledger Fabric: Challenges and Open Issues. In Proceedings of the 2020 IEEE World Congress on Services (SERVICES), Beijing, China, 18–24 October 2020; pp. 197–204. [Google Scholar] [CrossRef]
- Liu, T.; Chen, X.; Li, J.; Wu, S.; Sun, W.; Lu, Y. Research on Progress of Blockchain Access Control. In Proceedings of the 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC), Shenzhen, China, 9–11 October 2021; pp. 516–522. [Google Scholar] [CrossRef]
- Alkhalifah, A.; Ng, A.; Chowdhury, M.J.M.; Kayes, A.S.M.; Watters, P.A. An Empirical Analysis of Blockchain Cybersecurity Incidents. In Proceedings of the 2019 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Melbourne, Australia, 9–11 December 2019; pp. 1–8. [Google Scholar] [CrossRef]
Layers | Description |
---|---|
Blockchain | BC technologies are IdM-specific, such as Indy Hyperledger- or Smart Contract-supported platforms, such as Ethereum and Hyperledger Fabric, which are are used to facilitate Public Key Infrastructure (PKI) to ensure data integrity in the IAM system. |
Second-layer protocol | Offload solutions for scalability by proposing a top layer, where Smart Contracts and other technologies are used in the IdM system. |
Smart Contracts | The majority of BC-based IAM build their logic based on Smart Contracts. |
Credential storage methods | Off-chain storage where credentials are stored, as not all BC-based IdM systems provide on-chain storage for credentials. |
User-controlled identity wallet | Applications with APIs are used by users to store identifiers, credentials, and their corresponding private keys and allow entities to exchange credentials and presentations with each other. |
User-profile data management protocols | An external protocol is used for storing user profile data, such as browsing data, user settings, and transaction history. |
Data exchange models | Data exchange models, such as JSON, SAML, XDI, and JWT are used to initiate, verify, and disclose data, such as credentials and representations. |
Application libraries and interfaces | APIs and applications allow communication between IdM roles (i.e., requester, issuer, relying party, and verifier). |
Standards | Description |
---|---|
Decentralized Identifiers | W3C develops Decentralized Identifiers (DIDs) to facilitate private channels between entities, eliminating the need for a central registration authority. |
Verifiable Credentials and Verifiable Presentations | Verifiable Credentials (VC) and Verifiable Presentations (VP) are standards developed by W3C used to format credentials. |
Universal Resolver | It is developed by the Decentralized Identity Foundation (DIF) to retrieve DID documents. |
Identity Hubs | Off-chain storage developed by DIF. |
DID Auth–RWOT | Authentication framework to unsure DID ownership. |
Object | Description and Role |
---|---|
Entities | It can be a thing, a person, or an organization with one or more identifiers. |
Identifiers | An entity pseudonym or BC address can be associated with one or more credentials. |
Credentials | One or more claims are associated with an identifier used to build presentations. |
Presentations | Information extracted from credentials. |
Document | Metadata about an identifier. |
Claim | Subject characteristics are used as part of the credentials. |
Custodian | An entity acts as another entity in the BC-based IAM system. |
Holder | An entity is holding credentials on behalf of another one. |
Issuer | An entity is issuing credentials. |
Relying party | An entity is responsible for receiving derived information from the verifier. |
Requester | An entity requests subject credentials from the issuer. |
Subject | An entity obtains credentials from the issuer. |
System owner | System owner. |
Verifier | An entity in charge of the presentation verification and validation processes on behalf of the relying party. |
Targeted Literature | String |
---|---|
Health IoT systems | (Security OR Privacy) AND Risk AND (Health OR Medical) AND (IoT OR Internet of Things) |
IdM systems | (Security OR Privacy) AND Risk AND Identity Management |
Blockchain technology | (Security OR Privacy) AND Risk AND (Blockchain OR Distributed Ledger) |
Inclusion Criteria | Exclusion Criteria |
---|---|
English-written studies | Studies are written in languages other than English. |
Without time-frame restriction | Concept papers. |
Open access peer-reviewed studies | Previous work (with no added valuable contributions), when a work has been extended. |
Secondary and primary studies conducting/proposing risk analysis management, assessment, or threat modelling. | Primary studies that only propose security solutions other than risk analysis, management, assessment, or threat modelling. |
Secondary and primary studies identifying security/privacy risks, standards, requirements and controls. | |
HIoT-, IdM-, and BC-focused studies | Studies that cover HIoT as a part of comprehensive health/medical information applications. |
Targeted Literature | Keywords |
---|---|
Health IoT systems | Health IoT, Medical IoT, Security, Privacy, Risk Assessment, Risk Management, Standards, and Regulations. |
IdM systems | Digital Identity, Identity Management, Security, Privacy, Risk Assessment, Risk Management, Standards, and Regulations. |
Blockchain technology | Blockchain, Distributed Ledger, Security, Privacy, Risk Assessment, Risk Management, Standards, and Regulations. |
Inclusion Criteria | Exclusion Criteria |
---|---|
English-written studies. | Studies are written in languages other than English. |
Without time-frame restriction. | |
International and national regulations, standards, and reports about the targeted literature. | Superseded regulations, standards, and reports. |
Standards | Type | Assets/Scope | Considerations |
---|---|---|---|
NIST BC-based IdM [6] | Guide | BC (IdM) | Overview, guidelines, and issues about the Blockchain-based identity management systems. |
NIST800-30 [10] | Standards | General | Conducting risk assessment. |
NIST800-39 [11] | Standards | General | Managing information security risks. |
OWASP [12] | Standards | HIoT (Medical Device) | Security controls include privacy impact assessment, security audit, perimeter defences, network controls, device security controls, and end-user interface controls. |
TGA [12] | Guide | HIoT (Medical Device) | The Australian medical device cybersecurity guide, which includes cybersecurity principles and threat and risk assessment processes. |
ISO27005 [13] | Standards | General | Information security risk management. |
ISO27002 ISO 27002/27001 [14] | Best Practice | General | Information security, cybersecurity, and privacy protection—information security controls. |
NIST800-37 [15] | Guide | General | Risk Management Framework for Information Systems and Organizations: A System Life-Cycle Approach for Security and Privacy. |
NIST 800-53 [16] | Best Practice | General | NIST security and privacy controls. |
NIST 800-53A [17] | Standards | General | Assessing security and privacy controls in information systems and organizations. |
CIS controls [23] | Best Practice | General | A total of 18 security controls to mitigate security attacks. |
PCI-DSS: Payment Card Industry Data Security [24] | Standards | General | It includes a set of requirements, such as maintaining a secure network, customer data protection, vulnerability management, access control, network monitoring, and information security policy. |
EU Network and Information Security (NIS) directive [25] | Directive | General | Objectives to ensure security among EU countries. |
ISO/IEC 29100 [26] | Standards | General | Privacy framework provides privacy terminologies, defines the actors and their roles in processing personally identifiable information (PII), identifies and describes privacy safeguarding considerations and principles. |
ISO/IEC 15408-1 [26] | Standards | General | Evaluation criteria for IT security. |
ISO 27018 [26] | Standards | HIoT (Cloud) | International standard for protecting personal identifiable information (PII) in cloud storage. |
GDPR [27] and GDPR-DPIA [28] | Regulation | General (Data Protection) | The EU general data protection regulations that emphasize data-subject protection rights. Articles 76, 77, and 35 in GDPR mandate the conducting of a data protection impact assessment (DPIA)(i.e., privacy impact assessment (PIA)) within the security risk assessment. |
PIPEDA and SHIEP [29] | Regulation | General (Data Protection) | The Canadian Personal Information Protection Electronic Document Act (PIPEDA) and the Saudi Health Information Exchange Policies (SHIEP). They emphasize data-subject privacy. |
IEEE 802.15 [29] | Standards | HIoT (IoT) | Wireless Personal Area Network (WPAN) standards cover security and access control of low-range IoT devices. |
ENISA [30] | Report | HIoT (general) | Smart hospitals security and resilience for smart health service and infrastructures. |
CPC [31], PIPA [32], PDPA, PA1988 and FIA [33], | Regulation | General (Data Protection) | Chinese Classified Protection of Cybersecurity, Personal Information Protection Act of Korea, Malaysian Personal Data Protection, Australian Privacy Act 1988, and American Freedom of Information Act. They emphasize data-subject privacy. |
ISO14971 [34] | Standards | HIoT (Medical Device) | Application of risk management to medical devices. |
ISO24971 [35] | Standards | HIoT (Medical Device) | Guidance on the application of ISO 14971 risk management. |
ISO80001 [36] | Standards | HIoT (Medical Device) | Application of risk management for IT networks incorporating medical devices. |
FDA Cybersecurity in Medical Device [37] | Guide | HIoT (Medical Device) | FDA Pre- and Post-market considerations of cybersecurity in medical devices, threat modelling, and risk management. |
IEC 62304 [38] | Best Practice | HIoT (Medical Device) | Medical device software—software life-cycle processes show the security requirements. |
AAMI TIR57 [39] | Guide | HIoT (Medical Device) | Principles for medical device security and risk management. Provides guidance on methods to perform information security risk management for a medical device in the context of the safety risk management process required by ISO 14971. |
IMDRF [40] | Guide | HIoT–Medical Device | Principles and best practices for medical device cybersecurity. |
MITRE rubric [41] | Report | HIoT (Medical Device) | Rubric for applying Common Vulnerability Scoring System (CVSS) to medical devices. |
EU Directive 2017/745 and 2017/746 [42] | Regulation | HIoT (Medical Device) | The European Medical Device Regulation (EU MDR): standards of safety, security, and quality of medical devices within the EU. |
ICE60601 [43] | Standards | HIoT (Medical Device) | Assessment to guarantee the compliance to EU MDR. |
NISTIR 8228 [44] | Standards | HIoT (IoT) | Covers IoT device capabilities, security, privacy considerations, and challenges, as well as recommendations on how to mitigate security risks. Covers three main aspects: device security protection, data security protection, and individual privacy protection. |
NIST SP 800-213 [45] | Standards | HIoT (IoT) | IoT device cybersecurity guidance identifies the IoT device cybersecurity requirements. |
NIST8200 [46] | Standards | HIoT (IoT) | Interagency report on the status of international cybersecurity standardization for the Internet of Things (IoT). It covers IoT applications, including Health IoT, cybersecurity risks and threats, cybersecurity areas, and standard landscape for IoT cybersecurity. |
NISTIR8259 [47] | Standards | HIoT (IoT) | Foundational cybersecurity activities for IoT device manufacturers. Cybersecurity risks related to IoT. |
NISTIR8259A [48] | Standards | HIoT (IoT) | Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices, as well as device data, systems, and ecosystems. |
ISO/IEC 27400 [49] | Standards | HIoT (IoT) | Cybersecurity–IoT security and privacy guidelines. This guide provides guidelines on the risks, principles, and controls for the security and privacy of Internet of Things (IoT) solutions. |
ETSI EN 303645:European Standards [50] | Standards | HIoT (IoT) | Cybersecurity for Consumer Internet of Things: Baseline Requirements. It shows the baseline requirements in order to protect IoT user security. |
GSMA [51] | Standards | HIoT (IoT) | IoT security guidelines show the IoT models, challenges, privacy considerations, and IoT risks assessment. |
HIPAA [52] | Regulations | HIoT (Health Data) | Privacy rules for health data and identifiable health information. |
HL7 [53] | Standards | HIoT (Health Data) | Standards to exchange health data in electronic health records. |
IEC 81001-5-1 [54] | Best Practice | HIoT (Health Software) | Guidelines on the product life cycle of health software and health IT systems safety, effectiveness, and security. |
IEC 82304-1 [55] | Standards | HIoT (Health Software) | ISO standards concerning the safety and security of health software products. |
ISO/IEC 9798 part 1 and part 2 [56,57] | Standards | IdM | Entity authentication standards and specifications for mechanisms using authenticated encryption algorithms. |
ISO/IEC 29115 [58] | Standards | IdM | Security techniques–entity authentication assurance framework. |
NIST800-63-3 [59] | Standards | IdM | Digital identity guidelines. Shows models and digital identity risk management. |
EIDAS [60] | Regulation | IdM | EU regulation on electronic identification. eIDAS (electronic identification, authentication and trust services) was legislated to ensure secure cross-border transactions within the EU. |
IEEE 2410 SBP [61] | Standards | IdM | Standard for Biometric Privacy (SBP) provides private identity assertion. |
ISO/IEC 24760 part 1 and part 2 [62] | Standards | IdM | A framework for identity management. |
EU Blockchain Observatory and Forum [63,64,65,66] | Report | BC | Several reports about BC applications and regulations in the healthcare and public services. |
ESMA [67] | Report | BC | Report titled “The Distributed Ledger Technology Applied to Securities Markets.” It discusses risks, benefits, and DLT issues. |
ISO/TR 23455 [68] | Standards | BC | Blockchain and Distributed Ledger technologies—overview of interactions between Smart Contracts in Blockchain and Distributed Ledger technology systems. It covers different platforms, such as Ethereum, Bitcoin, and Hyperledger Fabric. |
NIST IR 8403 [69] | Guide | BC (IdM) | Guidelines of access-control part of BC-IdM systems. |
W3C [70] | Standards | BC (IdM) | Decentralized Identifier (DID), Verifiable Credentials (VC), and Verifiable Presentations technical standards by W3C, which facilitate the connection between entities without a central party. |
DIDAuth [71] | Standards | BC (IdM) | Authentication framework to unsure the DID ownership. |
Decentralized Identity Foundation (DIF) standards. [72] | Standards | BC (IdM) | Identifiers, DID authentication, claims and credentials technical standards for decentralized identity management systems. |
Ethereum DID [73] | Standards | BC (IdM) | Ethereum decentralized digital identity technical standards. |
ERC-721 [74,75] | Standards | BC (IdM) | Ethereum non-fungible token standards. |
DKMS [76] | Standards | BC (IdM) | Decentralized cryptographic key management systems standards. |
NISTIR 8301 [77] | Guide | BC (IdM) | Guidelines of tokens in BC-IdM systems. |
Users | |
Assets/Components | Issuers, verifiers, holder custodian, data subject, system owner, holder, relying party, and orderers. |
Requirements | Integrity, availability, confidentiality, non-repudiation, anonymity of users, patient-control, fine-grained access control, and authentication of users. |
Threats | User device impersonation (spoofing), patient data tampering (tampering), and malicious input (tampering). |
Vulnerabilities | Weak password and insider-threat vulnerabilities. |
Control and Countermeasures | Authentication/ multi-factor authentication, authorization, and auditing ABE key management. |
Application | |
Assets/Components | Remote monitoring system, personal wallets, and Application Programming Interface (APIs). |
Requirements | Integrity, availability, confidentiality, and non-repudiation. |
Threats | Insecure APIs (elevation of privilege), unsecured software components (spoofing, tampering, information disclosure, and elevation of privilege), lack of input/output filtering in HIoT and APIs (tampering and information disclosure). |
Vulnerabilities | Unsecured interfaces, lack of authentication and authorization, lack of privacy mechanisms, and lacking/weak encryption. |
Control and Countermeasures | Logging and access control. |
Blockchain | |
Assets/Components | Peer-to-Peer (P2P) Network, consensus mechanisms, validation nodes, incentives, punishment mechanisms, IdM system, Oracles (a type of software), Smart Contracts (SCs), DID, and VC. |
Requirements | integrity, availability, confidentiality, accountability, non-repudiation, privacy, intervenability, unlinkability, transparency, identity data locality, trust, and consistency of transactions. |
Threats | Consensus mechanism vulnerabilities, Sybil attack, double-spending threat, Smart Contract/Chaincode threats, replay attack (tampering), quantum threats, 51 attacks (majority attack), Decentralized Identifier (DID) defects, insider threats, and advance persistent threat (APT). |
Vulnerabilities | Centralization of control, shared untrusted networks, P2P protocols vulnerabilities, Domain Name System (DNS) and routing protocol vulnerabilities, Ethereum virtual machine vulnerabilities, SC programming language vulnerabilities, dataveillance problems in the DIDs, and forgery attacks on BC network. |
Control and Countermeasures | Authentication, input validation, session management, encryption, using quantum-safe cartographic mechanisms, using one of 51 attack prevention techniques, using SC analysis tools, using SC countermeasure analysis tools, secure Membership Service Provider (MSP), strict access, and infeasible service endpoint attributes. |
Off-chain | |
Assets/Components | External DBs and storage, such as IPFS, CouchDB, and LevelDB. |
Requirements | Integrity, availability, and confidentiality. |
Threats | Log deletion (repudiation), data delivery issues (repudiation), medical information disclosure (information disclosure), transaction privacy leakage, and wallet theft. |
Vulnerabilities | Lack of privacy mechanisms. |
Control and Countermeasures | Use privacy techniques, such as zero-knowledge proof; restrict access; and data encryption techniques. |
Connectivity | |
Assets/Components | Cloud and communication technologies. |
Requirements | Access control, key management, trust management, and device/user authentication. |
Threats | Data eavesdropping (information disclosure), side-channel attack (information disclosure), third-parties failures, communication modification (tampering), replay attack (tampering), and lack of input/output filtering in HIoT and APIs (tampering and information disclosure). |
Vulnerabilities | Lack of encryption mechanisms in storage and all layers, insecure ecosystem interfaces, and unsecured network services. |
Control and Countermeasures | Third-Party data distribution policy and monitoring and review of third-party services. |
HIoT | |
Assets/Components | HIoT devices, such MIoT and wearable. |
Requirements | Localization, self-healing rearward and backward compatibility over the air programming/updating, and tamper-proof hardware. |
Threats | HIoT type determination (information disclosure), HIoT tracking (information disclosure), battery-drain attack (denial of service), signal-jamming flooding (denial of service), maintenance compromise (elevation of privilege), device failure (tampering), and device tampering (tampering). |
Vulnerabilities | Weak passwords, lack of HIoT device management, lack of physical protection measures, HIoT default settings, lack of HIoT device update mechanisms, lack of privacy mechanisms, unsecured interfaces, lack of authentication and authorization, and lack of/weak encryption. |
Control and Countermeasures | Protect host and device security, authentication, and authorization. |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Alamri, B.; Crowley, K.; Richardson, I. Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT. Sensors 2023, 23, 218. https://doi.org/10.3390/s23010218
Alamri B, Crowley K, Richardson I. Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT. Sensors. 2023; 23(1):218. https://doi.org/10.3390/s23010218
Chicago/Turabian StyleAlamri, Bandar, Katie Crowley, and Ita Richardson. 2023. "Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT" Sensors 23, no. 1: 218. https://doi.org/10.3390/s23010218