Threat analysis as a tool for IT security in the healthcare sector

Initial situation and project objective

Connext Communication supports institutions and organizations in the social and healthcare sector with innovative IT solutions. Vivendi, its in-house software suite, provides tools for the management of outpatient, inpatient and semi-residential nursing and care facilities. These tools are continuously developed further to meet new customer and market requirements.

Connext's 'Vivendi Mobil' is a comprehensive documentation solution for nursing staff that uses various smartphone services to make everyday nursing care easier. In particular, the mobile use of the Android-based app and access to confidential data such as medication plans and patient images place high demands on the security of the software. Complicating matters further is the fact that nursing staff use a variety of devices and different versions of Android. To meet these challenges, Connext wanted to explore innovative approaches to threat analysis to expose previously undiscovered vulnerabilities, if any, and take appropriate protective measures.

Wooden table with a tablet and cut-out paper icons that a hand is reaching for.
© Connext Communication GmbH
Model-based methods for the development of secure software.

Solution and customer benefit

The first step was to systematically analyze and assess the IT security threats for the Vivendi Mobil app. In moderated workshops, the app developers worked with experts from Fraunhofer IEM to devise a comprehensive threat model. This involved taking software interfaces, protection goals, and assets worth protecting into consideration. The focus was on questions such as: What data is transferred to the smartphone and how is it stored? What information is particularly critical and how must it be safeguarded? Based on this information, the STRIDE method was employed to identify potential security vulnerabilities and develop effective protective measures, such as time-limited passwords. The risk of each threat was then assessed in order to prioritize the subsequent steps for making the app more secure.

Through collaboration with Fraunhofer IEM, the developers learned a new method for systematic, tool-supported threat analysis and risk assessment. The insights gained have heightened the security awareness of the developers and further increased the security level of the software. In a follow-up project, Connext plans to adopt the secure-by-design approach in-house and integrate tailor-made security measures throughout the entire development process.

Is this topic also of interest to you? Then feel free to contact us!

Contact Press / Media

Dr. Matthias Meyer

Head of Department Software Engineering and IT Security

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-122

Dr. Matthias Becker

Head of Department Secure Services & Apps

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-158

Dr. Markus Fockel

Group Manager Requirements Analysis and Design

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-120