A Privacy Threat Modeling Method for Healthcare Systems under the Brazilian LGPD
Resumo
The digitalization of healthcare increases privacy risks associated with sensitive data processing. Although the Brazilian General Data Protection Law (LGPD) mandates data protection, healthcare organizations often focus on generic security controls and lack structured privacy engineering to address threats such as linkability and identifiability. This paper proposes a privacy threat modeling method for healthcare systems under the LGPD. The method was evaluated through a case study involving the Nursing Process Application System (SisAPEC), a system deployed within the Brazilian Unified Health System (SUS). The method includes system modeling and systematic threat elicitation steps, which in the case study were implemented using Data Flow Diagrams and the LINDDUN framework. The application of the method identified 14 privacy threats, which were mapped to Privacy-Enhancing Requirements (PERs), establishing traceability between regulatory and technical requirements. The results indicate that the method operationalizes Privacy by Design by establishing traceability between legal requirements and architectural privacy requirements.
Referências
Azam, N. et al. (2023). Data privacy threat modelling for autonomous systems: A survey from the gdpr’s perspective. IEEE Transactions on Big Data, 9(2):388–414.
Brasil (2018). Lei nº 13.709, de 14 de agosto de 2018. Lei Geral de Proteção de Dados Pessoais (LGPD). Presidência da República. [link]. Accessed: November 25, 2024.
Cavoukian, A. (2009). Privacy by design: The 7 foundational principles. Technical report, Information and Privacy Commissioner of Ontario.
Corrêa, H. and Franco, M. F. (2025). Lei geral de proteção de dados (lgpd) na saúde: Tendências, desafios e oportunidades. In Anais da XXII Escola Regional de Redes de Computadores (ERRC), pages 123–129. SBC.
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., and Joosen, W. (2011). A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16:3–32.
Faulconbridge, R. I. and Ryan, M. J. (2018). Systems Engineering Practice. Argos Press.
Gürses, S., Troncoso, C., and Diaz, C. (2011). Engineering privacy by design. In Conference on Computing and Communication Workshop.
Hoepman, G. (2014). Privacy design strategies. In Proc. IFIP Int. Inf. Secur. Conf., pages 446–459.
Obaid, O. I. and Salman, S. A. (2022). Security and privacy in iot-based healthcare systems: A review. Mesopotamian Journal of Computer Science, 2022:29–39.
OWASP Foundation (2026). Threat modeling cheat sheet. [link]. Accessed: January 24, 2026.
Paim, J. et al. (2011). The brazilian health system: history, advances, and challenges. The Lancet, 377(9779):1778–1797.
Quincozes, V. E., Quincozes, S. E., Kreutz, D., Mansilha, R. B., and Kazienko, J. F. (2023). Information system for scheduling 4.0: Characterization, ux and lgpd. iSys - Journal of Information Systems, 16(1):5:1–5:31.
Sahi, M. et al. (2017). Privacy preservation in e-healthcare environments: A review. IEEE Access, 6:464–478.
Semantha, F. H., Azam, S., Yeo, K. C., and Shanmugam, B. (2020). A systematic literature review on privacy by design in the healthcare sector. Electronics, 9(3):452.
Severo, J. M., Herbert, J. S., and Franco, M. F. (2025). Threat modeling in healthcare: An analysis of trends, gaps, and emerging challenges. In Anais da ERRC 2025: Artigos Completos do WRSeg, pages 1–7.
Sion, L., Wuyts, K., Yskout, K., Scandariato, R., and Joosen, W. (2018). Interaction-based privacy threat elicitation. In Proc. IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 79–86.
Wuyts, K., Sion, L., and Joosen, W. (2020). Linddun go: A lightweight approach to privacy threat modeling. In Proc. IEEE European Symposium on Security and Privacy Workshops (EuroSPW), pages 302–309.
