The CORAS approach for model-based risk management applied to a telemedicine service

The CORAS risk management process is based on the Australian standard for risk management and aims at improved methodology for precise, unambiguous, and efficient risk assessment of security critical systems. CORAS addresses security critical systems in general, but places particular emphasis on IT security. For CORAS, a system is not just technology, but also the humans interacting with the technology and all relevant aspects of the surrounding organisation and society. The use of graphical models in CORAS furthers communication between the different stakeholders of a risk assessment, and makes it easier for non-technicians to take part. Telemedicine services and electronic applications used in the health sector have a high demand for security. The medical developers, providers and users of such services and systems are important contributors in the risk assessment of these services and systems. CORAS has successfully been used to involve medical professionals in the model-based risk assessment of a telemedicine system called Tele-cardiology in Crete. This paper presents the use of the CORAS framework to assess this telemedicine system giving some conclusions on the experience gained.