Threat Modeling in Healthcare: An Analysis of Trends, Gaps, and Emerging Challenges
Resumo
This study analyzes trends and gaps in the application of threat modeling approaches to healthcare systems. We examined recent works to identify how frameworks, such as STRIDE, PASTA, and LINDDUN, have been adopted and adapted across domains. The results show that their use in healthcare remains limited and largely generic, overlooking patient safety, clinical workflows, and vulnerabilities related to the Internet of Medical Things (IoMT). The findings underscore the necessity for context-aware frameworks that integrate technical, organizational, and human factors to enhance cybersecurity and risk assessment in healthcare.Referências
Adesokan-Imran, T. O., Popoola, A. D., Ejiofor, V. O., Salako, A. O., and Onyenaucheya, O. S. (2025). Predictive cybersecurity risk modeling in healthcare by leveraging ai and machine learning for proactive threat detection. Journal of Engineering Research and Reports, 27(4):144–165.
Al-Fuqaha, A. et al. (2023). Secure access control for healthcare information systems: A body area network perspective. IEEE Access, 11:45621–45637.
Ali, T. E., Ali, F. I., Eyvazov, F., and Zoltán, A. D. (2025). Integrating ai models for enhanced real-time cybersecurity in healthcare: A multimodal approach to threat detection and response. Procedia Computer Science, 259:108–119.
Apell, P. and Eriksson, H. (2023). Artificial intelligence (ai) healthcare technology innovations: the current state and challenges from a life science industry perspective. Technology Analysis & Strategic Management, 35(2):179–193.
Cartwright, A. J. (2023). The Elephant in the Room: Cybersecurity in Healthcare. Journal of Clinical Monitoring and Computing, 37(5):1123–1132.
Franco, M. F., Granville, L. Z., and Stiller, B. (2023). CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment. In 36th IEEE/IFIP Network Operations and Management Symposium (NOMS 2023), pages 1–6, Miami, USA.
Franco, M. F., Soares, L. R., and Nobre, J. C. (2025). Saúde Sob Ataque: Da Avaliação de Riscos ao Desenvolvimento de Estratégias de Investimentos em Cibersegurança na Área da Saúde. XXV Simpósio Brasileiro de Computação Aplicada à Saúde (SBCAS 2025), 36:1–44.
Hossain, M. I. and Hasan, R. (2023). Improving security practices in health information systems with stride threat modeling. In 2023 IEEE 9th World Forum on Internet of Things (WF-IoT), pages 1–6.
International Organization for Standardization (ISO-14971) (2019). Iso 14971:2019: Medical devices - application of risk management to medical devices. Genève, Switzerland.
Li, X., Zhang, H., et al. (2025). Adversarially-aware architecture design for robust medical ai systems. arXiv preprint arXiv:2510.23622.
Mauri, L. and Damiani, E. (2021). Stride-ai: An approach to identifying vulnerabilities of machine learning assets. In 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pages 147–154.
Mauri, L. and Damiani, E. (2022). Modeling threats to ai-ml systems using stride. Sensors, 22(17):6662.
Mehrtak, M., Alieyan, M. S., Ngwum, N., et al. (2021). Security challenges and solutions using healthcare cloud computing. Journal of Medicine and Life, 14(4):448–453.
Mohammed, A. (2023). The paradox of ai in cybersecurity: Protector and potential exploiter. Baltic Journal of Engineering and Technology, 2(1):70–76.
Nadifi, Z. et al. (2025). Stride-based threat modeling and risk assessment framework for iot-enabled smart healthcare systems. International Journal of Online & Biomedical Engineering, 21(9).
Oster, C. A. and Braaten, J. S. (2025). High reliability organizations: A healthcare handbook for patient safety & quality. Sigma Theta Tau.
Sarkis-Onofre, R., Catalá-López, F., Aromataris, E., and Lockwood, C. (2021). How to properly use the PRISMA Statement. Systematic reviews, 10(1):117.
Silvestri, S., Islam, S., Amelin, D., Weiler, G., Papastergiou, S., and Ciampi, M. (2023). Cyber threat assessment and management for securing healthcare ecosystems using natural language processing. International Journal of Information Security, 23(1):31–50.
Sobahi, N. and Bamabad, A. (2024). Cyber-attacks risk analysis of a connected pulse oximeter device: A threat modeling using stride and dread models. International Journal for Scientific Research, 3(5):280–315.
Vakhter, V., Soysal, B., Schaumont, P., and Guler, U. (2022). Threat modeling and risk analysis for miniaturized wireless biomedical devices. IEEE Internet of Things Journal, 9(15):13338–13352.
Vallabhaneni et al. (2024). Threat modeling for enhanced security in the healthcare industry with a focus on mobile health and iot. Engineering and Technology Journal, 9(10):5329–5331.
von der Assen, J., Franco, M. F., Killer, C., Scheid, E. J., and Stiller, B. (2022). CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling. In IEEE International Conference on Cyber Security and Resilience (CSR 2022), pages 1–8, Rhodes, Greece.
Yeng, P. K., Wolthusen, S. D., and Yang, B. (2020). Comparative analysis of threat modeling methods for cloud computing towards healthcare security practice. International Journal of Advanced Computer Science and Applications (IJACSA), 11(11):772–784.
Al-Fuqaha, A. et al. (2023). Secure access control for healthcare information systems: A body area network perspective. IEEE Access, 11:45621–45637.
Ali, T. E., Ali, F. I., Eyvazov, F., and Zoltán, A. D. (2025). Integrating ai models for enhanced real-time cybersecurity in healthcare: A multimodal approach to threat detection and response. Procedia Computer Science, 259:108–119.
Apell, P. and Eriksson, H. (2023). Artificial intelligence (ai) healthcare technology innovations: the current state and challenges from a life science industry perspective. Technology Analysis & Strategic Management, 35(2):179–193.
Cartwright, A. J. (2023). The Elephant in the Room: Cybersecurity in Healthcare. Journal of Clinical Monitoring and Computing, 37(5):1123–1132.
Franco, M. F., Granville, L. Z., and Stiller, B. (2023). CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment. In 36th IEEE/IFIP Network Operations and Management Symposium (NOMS 2023), pages 1–6, Miami, USA.
Franco, M. F., Soares, L. R., and Nobre, J. C. (2025). Saúde Sob Ataque: Da Avaliação de Riscos ao Desenvolvimento de Estratégias de Investimentos em Cibersegurança na Área da Saúde. XXV Simpósio Brasileiro de Computação Aplicada à Saúde (SBCAS 2025), 36:1–44.
Hossain, M. I. and Hasan, R. (2023). Improving security practices in health information systems with stride threat modeling. In 2023 IEEE 9th World Forum on Internet of Things (WF-IoT), pages 1–6.
International Organization for Standardization (ISO-14971) (2019). Iso 14971:2019: Medical devices - application of risk management to medical devices. Genève, Switzerland.
Li, X., Zhang, H., et al. (2025). Adversarially-aware architecture design for robust medical ai systems. arXiv preprint arXiv:2510.23622.
Mauri, L. and Damiani, E. (2021). Stride-ai: An approach to identifying vulnerabilities of machine learning assets. In 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pages 147–154.
Mauri, L. and Damiani, E. (2022). Modeling threats to ai-ml systems using stride. Sensors, 22(17):6662.
Mehrtak, M., Alieyan, M. S., Ngwum, N., et al. (2021). Security challenges and solutions using healthcare cloud computing. Journal of Medicine and Life, 14(4):448–453.
Mohammed, A. (2023). The paradox of ai in cybersecurity: Protector and potential exploiter. Baltic Journal of Engineering and Technology, 2(1):70–76.
Nadifi, Z. et al. (2025). Stride-based threat modeling and risk assessment framework for iot-enabled smart healthcare systems. International Journal of Online & Biomedical Engineering, 21(9).
Oster, C. A. and Braaten, J. S. (2025). High reliability organizations: A healthcare handbook for patient safety & quality. Sigma Theta Tau.
Sarkis-Onofre, R., Catalá-López, F., Aromataris, E., and Lockwood, C. (2021). How to properly use the PRISMA Statement. Systematic reviews, 10(1):117.
Silvestri, S., Islam, S., Amelin, D., Weiler, G., Papastergiou, S., and Ciampi, M. (2023). Cyber threat assessment and management for securing healthcare ecosystems using natural language processing. International Journal of Information Security, 23(1):31–50.
Sobahi, N. and Bamabad, A. (2024). Cyber-attacks risk analysis of a connected pulse oximeter device: A threat modeling using stride and dread models. International Journal for Scientific Research, 3(5):280–315.
Vakhter, V., Soysal, B., Schaumont, P., and Guler, U. (2022). Threat modeling and risk analysis for miniaturized wireless biomedical devices. IEEE Internet of Things Journal, 9(15):13338–13352.
Vallabhaneni et al. (2024). Threat modeling for enhanced security in the healthcare industry with a focus on mobile health and iot. Engineering and Technology Journal, 9(10):5329–5331.
von der Assen, J., Franco, M. F., Killer, C., Scheid, E. J., and Stiller, B. (2022). CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling. In IEEE International Conference on Cyber Security and Resilience (CSR 2022), pages 1–8, Rhodes, Greece.
Yeng, P. K., Wolthusen, S. D., and Yang, B. (2020). Comparative analysis of threat modeling methods for cloud computing towards healthcare security practice. International Journal of Advanced Computer Science and Applications (IJACSA), 11(11):772–784.
Publicado
08/12/2025
Como Citar
SEVERO, Juliana Mello; HERBERT, Juliana Silva; FRANCO, Muriel Figueredo.
Threat Modeling in Healthcare: An Analysis of Trends, Gaps, and Emerging Challenges. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 22. , 2025, Porto Alegre/RS.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 158-164.
DOI: https://doi.org/10.5753/errc.2025.17725.
