Healthcare Example - Complete PASTA Walkthrough
This case study provides a complete, realistic walkthrough of threat modeling a healthcare patient portal using the PASTA methodology. You’ll see all seven stages applied with over fifty documented attack paths, two detailed attack trees, and a prioritized remediation plan.
The System: VitalCare Portal
VitalCare Portal is a patient portal for a mid-sized healthcare network. Here’s the system at a glance:
| Attribute | Detail |
|---|---|
| Organization | Mid-sized healthcare network |
| Providers | 200 physicians across 15 clinics |
| Patient Base | ~500,000 patients |
| Key Functions | Schedule appointments, view test results, message providers, manage prescriptions, access medical records |
| Hosting | AWS (cloud-native architecture) |
| Regulatory Context | HIPAA (Protected Health Information) |
The portal handles protected health information (PHI) subject to HIPAA regulations. A breach could expose sensitive medical data, result in significant fines, and damage patient trust irreparably.
Let’s threat model it.
Stage 1: Define Business Objectives
The first PASTA stage establishes what we’re protecting and why. Without business context, threat modeling becomes a technical exercise disconnected from organizational reality.
Business Drivers
VitalCare Portal exists to improve patient experience and operational efficiency. Patients expect digital access to their healthcare information. Staff spend less time on phone calls when patients can self-serve. The portal differentiates the practice from competitors still using paper-based processes.
Revenue implications are significant. Patient satisfaction scores affect reimbursement rates. A competing health system launched its portal two years ago and has seen patient retention improve by 15%. The organization can’t afford to be left behind.
Security Objectives
| Priority | Objective | Rationale |
|---|---|---|
| Primary | Protect patient health information (PHI) | HIPAA requirement; patient trust; breach affects real people |
| Secondary | Ensure availability | Patients need access for urgent appointments and critical results |
| Tertiary | Maintain integrity | Medical records must be accurate; errors could affect treatment |
Consequence of Failure
HIPAA fines range from $100 to $50,000 per record depending on negligence level, with annual caps of $1.5 million per violation category. With 500,000 patient records, theoretical exposure is enormous, though practical enforcement rarely reaches maximum levels.
| Impact Type | Estimated Cost |
|---|---|
| HIPAA Fines | Up to $1.5M per violation category annually |
| Breach Notification | ~$5 per patient × 500K = $2.5M |
| Legal Fees | $10-50M |
| Class Action | $50-200M |
| Operational Downtime | $16.8M (2-4 week outage) |
| Customer Churn | $50M+ annual revenue loss (30-50% leave) |
| Total Potential Exposure | $50M-$200M + potential business closure |
Patient harm is harder to quantify but more important. Medical identity theft can follow victims for years. Sensitive diagnoses (HIV, mental health, substance abuse) being exposed can destroy lives.
Risk Appetite
| Risk Type | Tolerance | Justification |
|---|---|---|
| PHI Breaches | Zero | Regulatory, ethical, and business-critical |
| Availability (maintenance) | Up to 1 hour | Acceptable with advance notice |
| Extended outages (business hours) | Zero | Affects patient care |
| Clinical data integrity | Zero | Errors could harm patients |
| Administrative data integrity | Low | Inconvenient but not dangerous |
The organization has zero tolerance for PHI breaches. This doesn’t mean zero risk exists (that’s impossible), but it means no known, unmitigated risks that could reasonably lead to PHI exposure are acceptable. Budget will be found for any control necessary to address credible PHI threats.
Key Stakeholders
| Role | Responsibility |
|---|---|
| CISO | Ultimate security accountability; sponsors threat modeling |
| CIO | Technical platform ownership; team provides details |
| Chief Medical Officer | Clinical concerns representation |
| Compliance Officer | HIPAA obligations; validates regulatory coverage |
| General Counsel | Legal risk management |
| CFO | Security spending approval |
| Practice Manager | Day-to-day operations |
Stage 2: Define Technical Scope
With business context established, Stage 2 maps the technical attack surface.
System Architecture
VitalCare Portal uses a modern cloud-native architecture hosted on AWS. The frontend is a React single-page application served from CloudFront CDN. The backend consists of Node.js microservices running in ECS containers. Data lives in PostgreSQL on RDS with Redis for caching and session storage. Documents and images are stored in S3.
Component Inventory
| Layer | Components |
|---|---|
| Application | Patient web portal, Provider admin interface, Mobile apps (iOS/Android), API Gateway (AWS) |
| Backend Services | Authentication, Patient management, Appointment scheduling, Messaging, Prescriptions, Documents, Notifications, Audit logging |
| Data Stores | PostgreSQL (RDS), Redis (cache/sessions), S3 (documents), CloudWatch (logs) |
| Infrastructure | AWS VPC, Application Load Balancer, ECS Fargate, RDS Multi-AZ, WAF |
Third-Party Dependencies
| Service | Function | Risk Consideration |
|---|---|---|
| Auth0 | Authentication/identity | Critical; if compromised, attackers gain access to everything |
| Twilio | SMS (2FA codes, reminders) | Could enable 2FA bypass or social engineering |
| SendGrid | Email (notifications, password resets) | Common attack vector for credential theft |
| Epic EHR | Clinical data sync (HL7 FHIR) | Bidirectional; could propagate attacks either direction |
Data Classification
| Classification | Data Types | Protection Level |
|---|---|---|
| PHI (Critical) | Medical records, diagnoses, medications, lab results, clinical notes, provider messages | Highest (HIPAA-mandated) |
| PII (High) | Demographics, contact info, SSN, insurance | High (enables identity theft) |
| Authentication (High) | Password hashes, 2FA seeds, session tokens, API keys | High (enables account takeover) |
| Operational (Medium) | Appointment history, logs, analytics | Standard |
| Public (Low) | Provider names, office locations | None required |
Network Boundaries
| Boundary | Location | Concern |
|---|---|---|
| Internet-facing | CloudFront, API Gateway | Where external attackers first interact |
| VPC boundary | AWS-internal vs public internet | Services in private subnets shouldn’t be directly accessible |
| Database boundary | Application services vs data stores | Database access only from authorized services |
| EHR boundary | VitalCare Portal vs Epic | Highly sensitive clinical data crossing systems |
| Third-party boundary | Auth0, Twilio, SendGrid | Trust in external organizations’ security |
Stage 3: Application Decomposition
Stage 3 creates detailed data flow diagrams and identifies every trust boundary where security assumptions change.
Primary Data Flows
| Flow | Path | Trust Boundaries Crossed |
|---|---|---|
| Patient views records | App → CloudFront → API Gateway → Auth Service → Records Service → PostgreSQL/S3 | Internet→CloudFront, Gateway→Services, Services→Data, Internal→Auth0 |
| Patient messages provider | App → API Gateway → Messaging Service → PostgreSQL → Notification Service → Twilio | Same as above, plus Internal→Twilio |
| Clinical data sync | Epic ↔ Sync Service ↔ Secrets Manager ↔ PostgreSQL | Organization→EHR vendor, Credentials→Application |
Trust Boundary Analysis
Seven critical trust boundaries exist in this system:
| # | Boundary | Key Assumptions | Validation Required |
|---|---|---|---|
| 1 | Internet → CloudFront | Nothing is trusted | Input validation, authentication |
| 2 | CloudFront → API Gateway | Some protection exists | Request validation still needed |
| 3 | API Gateway → Services | User is authenticated | Authorization must be verified |
| 4 | Services → PostgreSQL | Queries are safe | Parameterized queries, least privilege |
| 5 | Services → S3 | Access is controlled | Bucket policies, presigned URL expiration |
| 6 | Services → Redis | Sessions are secure | Session protection, encryption |
| 7 | VitalCare Portal → External Services | Third parties are secure | Credential protection, vendor monitoring |
Asset Inventory
| Priority | Assets |
|---|---|
| Critical | PHI database (500K records), Epic integration credentials, Auth0 configuration, Database encryption keys, Backup encryption keys |
| High | Session tokens (Redis), Third-party API keys, SSL/TLS private keys, AWS IAM credentials |
| Medium | Audit logs, Aggregated analytics, System configuration |
Stage 4: Threat Analysis
Stage 4 identifies threats at multiple levels using STRIDE, industry intelligence, and attacker personas.
Industry Threat Intelligence
Healthcare is the most targeted industry for data breaches. The numbers are stark:
| Metric | Value |
|---|---|
| Healthcare organizations hit by ransomware (2023) | 67% |
| Average healthcare breach cost | $10.9M (highest of any industry) |
| PHI value on dark markets | $250-$1,000 per record |
Common attack vectors include phishing (still the primary initial access method), exploitation of unpatched software, credential theft and reuse, insider threats (intentional and accidental), and third-party vendor compromises.
STRIDE Analysis: Authentication Service
Spoofing threats: An attacker could obtain valid credentials through phishing, credential stuffing (using passwords from other breaches), or brute force. Session tokens could be stolen through XSS attacks or insecure transmission. Auth0 itself could be compromised, though this is lower probability given their security focus.
Tampering threats: An attacker with access could modify authentication logic to bypass checks. JWT tokens without proper validation could be tampered with. OAuth flows could be manipulated if redirect URIs aren’t strictly validated.
Repudiation threats: Without adequate logging, users could deny login attempts. Attackers could cover tracks by manipulating or deleting audit logs. Legitimate users might not be able to prove they didn’t authorize certain actions.
Information disclosure threats: Authentication errors might reveal valid usernames. Failed login attempts might indicate valid accounts. Debug information might expose internal details. Password reset flows might confirm email addresses exist.
Denial of service threats: Account lockout mechanisms could be weaponized (locking out legitimate users). Excessive login attempts could exhaust resources. Auth0 rate limits could be triggered, affecting all users.
Elevation of privilege threats: Horizontal escalation lets a user access another patient’s data. Vertical escalation lets a patient gain provider privileges. Privilege escalation within the Auth0 configuration could give users unintended roles.
STRIDE Analysis: Records Service
Spoofing: Requests might not have their user identity verified after passing the gateway. Service-to-service calls might lack proper authentication.
Tampering: SQL injection could modify database records. API parameter manipulation could alter what data is requested or modified. File uploads could contain malicious content.
Repudiation: Insufficient audit logging of record access. Bulk exports without adequate tracking.
Information disclosure: IDOR (Insecure Direct Object Reference) allowing access to other patients’ records. Excessive data in API responses. Error messages revealing system information. Logging sensitive data.
Denial of service: Expensive queries exhausting database resources. Large file operations consuming memory. Malformed requests causing service crashes.
Elevation of privilege: Provider impersonation to access restricted records. Administrative function access through parameter manipulation.
Attacker Persona Analysis
| Persona | Approach | Key Question |
|---|---|---|
| Opportunistic External | Automated scans, credential stuffing, known CVEs | Will they find easy wins? |
| Targeted External | Recon on employees, spearphishing, weeks/months of effort | What if someone really wants our data? |
| Malicious Insider | Abuse legitimate access, avoid detection, export data | What can a disgruntled employee do? |
| Compromised Insider | Stolen credentials, legitimate access patterns | What if a laptop is infected with malware? |
Threat Summary (Top 20 by Risk Score)
| ID | Threat | Category | L | I | Risk |
|---|---|---|---|---|---|
| THR-001 | Credential Stuffing Attack | Spoofing | 5 | 4 | 20 |
| THR-006 | Ransomware Attack | DoS/Tampering | 4 | 5 | 20 |
| THR-004 | IDOR in Records API | Info Disclosure | 4 | 4 | 16 |
| THR-021 | Mass Data Exfiltration via API | Info Disclosure | 4 | 4 | 16 |
| THR-026 | Database Backup Exposure | Info Disclosure | 4 | 4 | 16 |
| THR-046 | Dev Database with Production Data | Info Disclosure | 4 | 4 | 16 |
| THR-009 | AWS Key Compromise | Elevation | 3 | 5 | 15 |
| THR-010 | Phishing Attack on Staff | Spoofing | 5 | 3 | 15 |
| THR-022 | S3 Bucket Misconfiguration | Info Disclosure | 3 | 5 | 15 |
| THR-047 | CI/CD Pipeline Compromise | Tampering | 3 | 5 | 15 |
| THR-048 | Dependency Vulnerability | Various | 3 | 5 | 15 |
| THR-002 | Session Hijacking via XSS | Spoofing | 3 | 4 | 12 |
| THR-007 | Insider PHI Snooping | Info Disclosure | 4 | 3 | 12 |
| THR-008 | Third-Party Credential Theft | Spoofing | 3 | 4 | 12 |
| THR-011 | Brute Force Attack | Spoofing | 3 | 4 | 12 |
| THR-012 | Password Reset Token Prediction | Spoofing | 3 | 4 | 12 |
| THR-027 | Debug Endpoint Exposure | Info Disclosure | 3 | 4 | 12 |
| THR-031 | Security Group Overpermission | Various | 3 | 4 | 12 |
| THR-032 | CloudWatch Logs Containing PHI | Info Disclosure | 3 | 4 | 12 |
| THR-041 | Incomplete Audit Logging | Repudiation | 3 | 4 | 12 |
Additional Threats (THR-011 through THR-050):
The complete threat model documents 50 significant threats across four categories:
| Category | Threat Range | Examples |
|---|---|---|
| Authentication | THR-011 to THR-020 | Brute force, JWT bypass, OAuth manipulation, 2FA bypass, session fixation |
| Data Access | THR-021 to THR-030 | Mass exfiltration, S3 misconfiguration, cache poisoning, path traversal |
| Infrastructure | THR-031 to THR-040 | Container escape, RDS exposure, security group issues, metadata exploitation |
| Operational | THR-041 to THR-050 | Logging gaps, backup failures, staff termination delays, dependency CVEs |
Stage 5: Vulnerability and Weakness Analysis
Stage 5 maps concrete weaknesses to the threats identified. This is where theoretical threats meet actual system state.
Code Review Findings
| Finding | Weakness | Related Threat |
|---|---|---|
| SQL string concatenation in legacy search | Parameterized queries not used | THR-003 |
| Authorization relies on session data only | No database revalidation | THR-004 |
| Error handlers return stack traces | Environment detection bug | Multiple (recon) |
| Missing per-endpoint rate limiting | Only global limits exist | THR-001, THR-011 |
Configuration Issues
| Issue | Risk | Severity |
|---|---|---|
| Temporary S3 bucket lacks standard policy | Overpermissive IAM access | Medium |
| RDS backups retain only 7 days (policy requires 30) | Recovery gap | Medium |
| Security groups overly permissive | Increased blast radius | Medium |
| CloudWatch logs unencrypted | PHI in error messages possible | Medium |
| IAM roles use AWS managed policies | Broader permissions than needed | Medium |
Dependency Scan Results
| Category | Finding |
|---|---|
| npm vulnerabilities | 37 total (8 high severity) |
| High severity detail | Prototype pollution in JSON parsing library |
| Node.js version | Two minor versions behind |
| Redis version | One major version behind (session storage affected) |
| PostgreSQL version | Current (good) |
Penetration Testing Results
| Status | Findings |
|---|---|
| Remediated | Reflected XSS in error pages, missing security headers |
| Partially Fixed | Verbose error messages |
| Pending (Medium) | Missing rate limiting on password reset |
| Pending (High) | IDOR vulnerability in appointment API |
Weakness-to-Threat Mapping
| Threat | Root Weakness | Fix Approach |
|---|---|---|
| THR-003 (SQL Injection) | Legacy search module string concatenation | Convert to parameterized queries |
| THR-004 (IDOR) | Session-based authorization without DB revalidation | Add database revalidation |
| THR-006 (Ransomware) | Missing intrusion detection, backup gaps, overpermissive IAM | Defense in depth |
| THR-009 (AWS Keys) | Some keys in environment variables | Migrate to Secrets Manager |
| THR-026 (Backup Exposure) | Retention misconfiguration, encryption gaps | Fix policies, verify encryption |
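The THR-004 row above, as an added example (not code from the portal): an authorization check that trusts the patient list cached in the session at login, beside one that revalidates the grant against the database on every request. The in-memory `createDb()` store, the access-grant shape, and all function names and IDs are assumptions so the example runs without PostgreSQL or Redis.

```javascript
// Added example: illustrative only, not code from the VitalCare Portal.
// createDb() stands in for PostgreSQL; the session object stands in for the
// Redis session record. All identifiers and data are constructed.
function createDb() {
  return {
    accessGrants: [
      { userId: 'u-100', patientId: 'p-100', revoked: false }, // own record
      { userId: 'u-100', patientId: 'p-200', revoked: false }, // caregiver proxy
    ],
    records: {
      'p-100': { labs: ['constructed-lab-A'] },
      'p-200': { labs: ['constructed-lab-B'] },
      'p-300': { labs: ['constructed-lab-C'] },
    },
  };
}

function hasActiveGrant(db, userId, patientId) {
  return db.accessGrants.some(
    (g) => g.userId === userId && g.patientId === patientId && !g.revoked
  );
}

function revokeGrant(db, userId, patientId) {
  for (const g of db.accessGrants) {
    if (g.userId === userId && g.patientId === patientId) g.revoked = true;
  }
}

// Login snapshots the current grants into the session.
function login(db, userId) {
  const patientIds = db.accessGrants
    .filter((g) => g.userId === userId && !g.revoked)
    .map((g) => g.patientId);
  return { userId, patientIds };
}

// Weak form (the finding): the decision uses session data only, so it
// reflects the grants as they were at login, not as they are now.
function getRecordSessionOnly(db, session, patientId) {
  if (!session.patientIds.includes(patientId)) return { status: 403 };
  return { status: 200, body: db.records[patientId] };
}

// Hardened form (the fix approach): the session supplies identity only and
// the grant is re-read from the database on every request.
function getRecordRevalidated(db, session, patientId, auditLog) {
  const exists = Object.prototype.hasOwnProperty.call(db.records, patientId);
  const allowed = exists && hasActiveGrant(db, session.userId, patientId);
  auditLog.push({ userId: session.userId, patientId, allowed });
  // Same response for "not yours" and "does not exist" so IDs cannot be probed.
  if (!allowed) return { status: 404 };
  return { status: 200, body: db.records[patientId] };
}

// Demo: a caregiver grant is revoked while the session is still live.
function demo() {
  const db = createDb();
  const auditLog = [];
  const session = login(db, 'u-100');
  revokeGrant(db, 'u-100', 'p-200');
  return {
    sessionOnly: getRecordSessionOnly(db, session, 'p-200').status,
    revalidated: getRecordRevalidated(db, session, 'p-200', auditLog).status,
    ownRecord: getRecordRevalidated(db, session, 'p-100', auditLog).status,
    auditLog,
  };
}

console.log(demo());
```

The audit entry written on every decision, including denials, also addresses the record-access logging gap listed under Repudiation for the Records Service.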
Stage 6: Attack Modeling
Stage 6 creates detailed attack trees showing how attackers could achieve high-value goals. This connects individual threats into complete attack paths.
Attack Tree 1: Steal PHI Database
Goal: Exfiltrate complete PHI database (500,000 records)
| Path | Description | Difficulty | Prerequisites | Detection |
|---|---|---|---|---|
| A | SQL Injection (THR-003) → Extract schema → Exfiltrate tables | Medium | None (public endpoint) | WAF, query monitoring |
| B | AWS Credential Theft (THR-009) → Access RDS directly → Export | Medium-High | Credential exposure | CloudTrail, GuardDuty |
| C | Phish Developer (THR-010) → Dev environment access → Exfiltrate or backdoor | Medium | Target identification | VPN monitoring, access logs |
| D | Credential Stuffing (THR-001) → IDOR (THR-004) → Script extraction | Low-Medium | Leaked credentials | Rate limiting, access patterns |
| E | Backup Theft (THR-026) → Download backups → Decrypt | Medium | Backup infrastructure knowledge | Access logs |
Critical Chokepoint Analysis: Database access controls appear in multiple paths. Strengthening database authentication, implementing query monitoring, and eliminating direct database access from non-essential systems would disrupt several attack paths simultaneously.
Credential hygiene affects multiple paths. Proper secrets management, phishing resistance, and credential monitoring provide cross-cutting protection.
Attack Tree 2: Ransomware Attack
Goal: Encrypt systems and demand ransom for recovery
| Phase | Activities | Detection Points |
|---|---|---|
| 1. Initial Access | Phishing email, vulnerable service, or compromised vendor | Email filtering, vulnerability scans, vendor monitoring |
| 2. Establish Foothold | Deploy backdoor, disable EDR, establish C2 | EDR alerts, C2 traffic detection |
| 3. Lateral Movement | Map network, identify backups/DCs, harvest creds | Network scanning alerts, unusual auth |
| 4. Preparation | Disable backups, stage ransomware, exfiltrate data | Backup failure alerts, mass file staging |
| 5. Execution | Simultaneous encryption, ransom demand | Too late for prevention; containment critical |
Kill Chain Disruption Points
| Phase | Disruption Controls |
|---|---|
| Initial Access | Email filtering, phishing training, patch management, vendor security requirements |
| Foothold | Endpoint detection and response (EDR), application whitelisting |
| Lateral Movement | Network segmentation, privileged access management, credential hygiene |
| Preparation | Backup monitoring, isolated/immutable backups, deletion detection |
| Execution | Rapid detection and isolation, incident response readiness |
Stage 7: Risk and Impact Analysis
Stage 7 prioritizes threats and creates an actionable remediation plan.
Risk Priority Summary
| Priority | Score Range | Count | Timeline | Threats |
|---|---|---|---|---|
| Critical | 20-25 | 2 | Immediate | THR-001, THR-006 |
| High | 15-19 | 9 | 30 days | THR-004, THR-009, THR-010, THR-021, THR-022, THR-026, THR-046, THR-047, THR-048 |
| Medium | 10-14 | 18 | 90 days | Session hijacking, auth weaknesses, config issues, operational gaps |
| Low | <10 | 22 | Monitor | Various lower-priority threats |
Business Impact Quantification
For THR-001 (Credential Stuffing), assume successful attacks compromise 0.1% of accounts monthly (500 accounts). Each compromised account potentially exposes that patient’s PHI. Breach notification costs run approximately $5 per affected patient. HIPAA fines for willful neglect not corrected could reach $50,000 per violation. With 6,000 compromises annually, potential exposure is $300,000 to $300M depending on severity classification and enforcement approach.
For THR-006 (Ransomware), the healthcare average ransom demand is $1.27M. Downtime costs run approximately $7,900 per minute for healthcare organizations. A two-week recovery (typical for healthcare ransomware) costs $159M in downtime alone. Add remediation costs, legal fees, notification, and reputation damage.
For THR-004 (IDOR), a single researcher discovering this publicly could lead to disclosure, regulatory investigation, mandatory remediation, and potential fines. Mass exploitation before discovery could affect thousands of patients.
Mitigation Plan
Immediate Actions (Week 1-2)
| Threat | Mitigation | Owner | Cost |
|---|---|---|---|
| THR-001 (Credential Stuffing) | Breach detection API, mandatory 2FA, CAPTCHA, IP rate limiting | Security | $15,000 |
| THR-004 (IDOR) | Patch authorization checks, add IDOR testing to CI/CD, API review | Development | $12,000 |
| THR-003 (SQL Injection) | Rewrite legacy search with parameterized queries, deploy WAF rules | Development | $3,000 |
30-Day Actions
| Threat | Mitigation | Owner | Cost |
|---|---|---|---|
| THR-006 (Ransomware) | Deploy EDR, network segmentation, immutable backups, tabletop exercise | Security + IT | $200,000 |
| THR-009 (AWS Keys) | Migrate to Secrets Manager, automated rotation, GuardDuty, IAM review | DevOps | $18,000 |
| THR-046 (Dev Data) | Data masking implementation, policy prohibiting prod data in dev | Development | $30,000 |
90-Day Actions
Address remaining medium-priority threats through systematic remediation. Implement comprehensive logging and monitoring improvements. Conduct security awareness training focused on phishing. Complete dependency vulnerability remediation. Establish a regular penetration testing schedule.
Ongoing Activities
Monthly vulnerability scanning and remediation. Quarterly access reviews. Annual penetration testing. Continuous security awareness training. Regular threat model updates.
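A coverage check that ties the mitigation plan back to Attack Tree 1, as an added example that is not part of the original case study: it reports which of paths A to E each phase cuts and which remain open. The path and phase data are copied from the tables above; the function names and the rule that mitigating any one step cuts a path are assumptions.

```javascript
// Added example: illustrative only, not part of the original case study.
// Paths A-E and their threat IDs come from Attack Tree 1; the phase contents
// come from the Immediate and 30-Day action tables.
// Assumption: each path is a chain, so mitigating any one step cuts the path.
const ATTACK_PATHS = {
  A: ['THR-003'],            // SQL injection
  B: ['THR-009'],            // AWS credential theft
  C: ['THR-010'],            // phish developer
  D: ['THR-001', 'THR-004'], // credential stuffing, then IDOR
  E: ['THR-026'],            // backup theft
};

const MITIGATION_PHASES = [
  { name: 'Immediate (Week 1-2)', threats: ['THR-001', 'THR-004', 'THR-003'] },
  { name: '30-Day', threats: ['THR-006', 'THR-009', 'THR-046'] },
];

// Walks the phases in order and reports which paths each phase newly cuts
// and which are still open once it completes.
function pathCoverage(paths, phases) {
  const mitigated = new Set();
  let open = Object.keys(paths);
  return phases.map((phase) => {
    phase.threats.forEach((t) => mitigated.add(t));
    const stillOpen = open.filter(
      (id) => !paths[id].some((t) => mitigated.has(t))
    );
    const cut = open.filter((id) => !stillOpen.includes(id));
    open = stillOpen;
    return { phase: phase.name, cut, open: stillOpen };
  });
}

// For each path, counts how many of its steps are mitigated after all phases.
// 0 = unaddressed, 1 = single control, 2+ = layered.
function mitigationDepth(paths, phases) {
  const mitigated = new Set(phases.flatMap((p) => p.threats));
  return Object.fromEntries(
    Object.entries(paths).map(([id, steps]) => [
      id,
      steps.filter((t) => mitigated.has(t)).length,
    ])
  );
}

// Steps on paths with depth 0: threats to schedule next.
function unscheduledSteps(paths, phases) {
  const depth = mitigationDepth(paths, phases);
  return Object.keys(paths)
    .filter((id) => depth[id] === 0)
    .flatMap((id) => paths[id]);
}

console.log(pathCoverage(ATTACK_PATHS, MITIGATION_PHASES));
console.log(unscheduledSteps(ATTACK_PATHS, MITIGATION_PHASES));
```

On this data, the immediate actions cut paths A and D, the 30-day actions cut B, and paths C (THR-010) and E (THR-026) have no row in either action table.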
Risk Treatment Decisions
| Decision | Threat | Rationale |
|---|---|---|
| Accept | THR-022 (GraphQL introspection) | Info exposed not sensitive enough to justify disabling useful debugging; review annually |
| Transfer | General breach liability | Cyber insurance ($10M coverage); doesn’t eliminate need for controls |
| Mitigate | All critical and high risks | Per mitigation plan above |
| Eliminate | THR-046 (Dev Database with Production Data) | Data masking ensures no production PHI in dev environments |
Residual Risk Assessment
| Threat | Before | After | Justification |
|---|---|---|---|
| THR-001 (Credential Stuffing) | 20 | 8 | Breach detection + 2FA dramatically reduces successful attacks |
| THR-004 (IDOR) | 16 | 4 | Proper authorization eliminates the vulnerability |
| THR-006 (Ransomware) | 20 | 12 | Defense in depth and recovery capability reduce impact |
| THR-009 (AWS Keys) | 15 | 6 | Proper secrets management and monitoring |
Summary: Critical risk count drops from 2 to 0. High risk count drops from 9 to 3.
Budget Summary
| Phase | Cost |
|---|---|
| Immediate Actions (Week 1-2) | $30,000 |
| 30-Day Actions | $248,000 |
| 90-Day Actions | $150,000 |
| Ongoing Annual | $200,000 |
| First-Year Total | $628,000 |
Compared with a potential breach cost of $50M to $200M, this represents a strong ROI. The 30-day actions alone address threats with combined potential impact exceeding $500M.
Summary
This healthcare threat model identifies 50 threats across authentication, data access, infrastructure, and operational domains. Three critical threats require immediate action, and the prioritized remediation plan addresses them within two weeks. The 30-day plan tackles high-priority threats including ransomware preparedness and credential management.
Key Findings
| Finding | Implication |
|---|---|
| Credential-based attacks pose highest immediate risk | Password reuse prevalence and ease of attack make this low-hanging fruit for attackers |
| Ransomware requires defense-in-depth | No single control provides adequate protection; layered defenses essential |
| IDOR vulnerabilities enable unauthorized PHI access | Urgent remediation needed; common and easily exploited |
| Third-party dependencies are significant trust boundaries | Vendor security posture directly affects VitalCare Portal security |
The attack tree analysis reveals that database access controls and credential hygiene are critical chokepoints where investments disrupt multiple attack paths.
Total recommended first-year security investment: $628,000 against potential breach exposure of $50M to $200M plus business continuity impact.