Developer Kit
Threat Model Generator
Generates a STRIDE threat model from a system architecture, identifying trust boundaries, per-component threats, and a prioritized risk register with mitigations. Useful for shifting threat modeling left in the development cycle.

Intended for security-conscious engineering teams starting a new service or feature, startup CTOs preparing for SOC 2 or enterprise security reviews, and architects who want a structured security analysis as input to design review. Also useful for security engineers accelerating threat modeling across a backlog of services.

Even security-aware teams defer threat modeling until late in a project, at which point the architecture is harder to change and the model produces more regret than insight. The fundamental problem is time: a full STRIDE pass takes hours of expert effort, the output format varies across teams, and the resulting document often lives in a wiki and goes stale. An AI-generated first draft flips the economics: threat modeling becomes a 15-minute review of a structured artifact rather than a four-hour workshop.
One-Time Purchase
$19.99
STRIDE Threat Model — MedTrack Patient Portal
System Overview
MedTrack is a web-based patient portal allowing patients to view lab results, message clinicians, and manage appointments. A React SPA communicates with a REST API Gateway, which routes requests to three backend microservices (Auth Service, Records Service, Messaging Service). Backend services read/write a shared PostgreSQL database and a Redis cache. An internal Notification Worker polls the database and dispatches emails via a third-party SMTP relay (SendGrid). Staff access an Admin Console that calls the same API Gateway with elevated scopes.
Trust Boundary Table
| Boundary ID | Boundary Name | Crosses Between |
|---|---|---|
| TB-1 | Public Internet → DMZ | Patient browser / Admin Console → API Gateway |
| TB-2 | DMZ → Internal Network | API Gateway → Auth / Records / Messaging Services |
| TB-3 | Internal Network → Data Tier | Microservices → PostgreSQL, Redis |
| TB-4 | Internal Network → External SaaS | Notification Worker → SendGrid SMTP relay |
Data-Flow Diagram
```mermaid
flowchart TD
    Patient([Patient Browser]) -->|HTTPS REST| GW[API Gateway]
    Admin([Admin Console]) -->|HTTPS REST| GW
    GW -->|JWT-authed RPC| Auth[Auth Service]
    GW -->|JWT-authed RPC| Records[Records Service]
    GW -->|JWT-authed RPC| Msg[Messaging Service]
    Auth -->|SQL| DB[(PostgreSQL)]
    Records -->|SQL| DB
    Msg -->|SQL| DB
    Records -->|GET/SET| Cache[(Redis Cache)]
    Msg -->|GET/SET| Cache
    Worker[Notification Worker] -->|Poll SQL| DB
    Worker -->|SMTP/TLS| SendGrid([SendGrid Relay])
    subgraph TB1["TB-1: Public Internet → DMZ"]
        GW
    end
    subgraph TB2["TB-2: DMZ → Internal"]
        Auth
        Records
        Msg
    end
    subgraph TB3["TB-3: Data Tier"]
        DB
        Cache
    end
    subgraph TB4["TB-4: External SaaS"]
        SendGrid
    end
```
STRIDE Threat Table
| ID | Component / Flow | Category | Threat Description | Mitigations |
|---|---|---|---|---|
| T-01 | Patient Browser → API Gateway (TB-1) | S Spoofing | Attacker submits forged or stolen JWT to impersonate patient | Validate JWT signature + expiry; short-lived tokens (15 min); refresh-token rotation |
| T-02 | Patient Browser → API Gateway (TB-1) | T Tampering | Attacker modifies request body in transit (e.g., alters appointmentId) | TLS 1.2+ enforced; HTTPS-only with HSTS |
| T-03 | API Gateway | R Repudiation | No audit trail links API calls to authenticated identity | Structured access logs with userId, IP, timestamp forwarded to immutable SIEM |
| T-04 | API Gateway → Records Service (TB-2) | I Info Disclosure | Internal RPC lacks mTLS; compromised gateway can read all patient records in transit | ⚠️ UNMITIGATED — mTLS between gateway and services not yet implemented |
| T-05 | API Gateway | D Denial of Service | Unauthenticated endpoints flooded; gateway overwhelmed | Rate limiting per IP; WAF in front of gateway; autoscaling group with circuit breaker |
| T-06 | Admin Console → API Gateway (TB-1) | E Elevation of Privilege | Admin JWT scope not re-validated per request; stolen admin token grants full access | Per-request scope check; admin sessions require step-up MFA; separate admin subdomain |
| T-07 | Auth Service | S Spoofing | Credential stuffing against /login endpoint | Adaptive rate limiting; CAPTCHA after 3 failures; breach-password detection (HaveIBeenPwned API) |
| T-08 | PostgreSQL (TB-3) | T Tampering | Service account with excessive privileges can modify records outside its domain | Least-privilege DB roles per service; Records Service cannot write to messaging schema |
| T-09 | PostgreSQL (TB-3) | I Info Disclosure | SQL injection via unsanitized filter parameters in Records Service | Parameterized queries enforced; ORM used throughout; SAST rule in CI pipeline |
| T-10 | Redis Cache (TB-3) | I Info Disclosure | Cache stores PHI in plaintext; Redis port reachable from all internal services | Encrypt PHI values before caching; restrict Redis access to Records + Messaging Services via network policy |
| T-11 | Redis Cache (TB-3) | D Denial of Service | Cache poisoning or memory exhaustion evicts valid sessions, causing cascading auth failures | Set maxmemory-policy allkeys-lru; separate cache instances for sessions vs. data |
| T-12 | Notification Worker → SendGrid (TB-4) | I Info Disclosure | SMTP credentials hardcoded in Worker config; leaked credentials expose all outbound email | Secrets manager (Vault/AWS Secrets Manager); rotate credentials quarterly |
| T-13 | Notification Worker → SendGrid (TB-4) | S Spoofing | Attacker injects forged notification by writing directly to polling table | Notification Worker should only READ a notifications_queue view; write access removed |
| T-14 | Messaging Service | R Repudiation | Clinician can deny sending a message — no tamper-evident log | Append-only message audit table with hash chaining; logs exported to WORM storage |
| T-15 | API Gateway → Auth Service (TB-2) | E Elevation of Privilege | Auth Service trusts X-Internal-Role header forwarded from gateway; header injectable by external caller | Strip all X-Internal-* headers at gateway ingress before forwarding |
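The T-14 mitigation (an append-only audit table with hash chaining) is sketched below as an added example; it is not part of the MedTrack sample or of the product's output. The row fields, function names and the in-memory list standing in for the table are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor used as prev_hash for the first row


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append a row whose hash commits to the previous row's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad row.

    expected_head is the last hash already exported to WORM storage; without
    it, rows silently removed from the tail would not be detected.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return i  # a row was removed or reordered before this one
        if entry["hash"] != _digest(prev_hash, entry["record"]):
            return i  # this row's content was edited after it was written
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # chain is shorter or different from the exported head
    return -1


def build_sample_log() -> list:
    # Constructed sample rows, not real MedTrack data.
    log = []
    append_entry(log, {"msg_id": 1, "sender": "clinician-17", "action": "send"})
    append_entry(log, {"msg_id": 2, "sender": "clinician-17", "action": "send"})
    append_entry(log, {"msg_id": 3, "sender": "clinician-04", "action": "send"})
    return log
```

The chain alone only proves internal consistency; the exported head hash is what lets a verifier detect truncation of the most recent rows.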
Prioritized Risk Register
| ID | Threat Summary | Severity | Effort to Fix | Priority | Status |
|---|---|---|---|---|---|
| T-04 | No mTLS on internal RPC — PHI in cleartext on internal network | Critical | Medium | P1 | Unmitigated |
| T-15 | Injectable role-escalation header on Auth Service | Critical | Low | P1 | Unmitigated |
| T-06 | Admin token scope bypass + no step-up MFA | High | Medium | P1 | Partial |
| T-10 | PHI cached in plaintext in Redis | High | Low | P1 | Unmitigated |
| T-09 | SQL injection risk in Records Service filters | High | Low | P2 | Partially mitigated (ORM used, SAST not yet in CI) |
| T-12 | Hardcoded SendGrid credentials | High | Low | P2 | Unmitigated |
| T-13 | Forged notification via direct DB write | Medium | Low | P2 | Unmitigated |
| T-07 | Credential stuffing on /login | Medium | Low | P2 | Partial |
| T-01 | Stolen/forged JWT — patient impersonation | Medium | Low | P3 | Mitigated |
| T-08 | Overprivileged DB service accounts | Medium | Medium | P3 | Unmitigated |
| T-03 | No audit trail for API calls | Medium | Medium | P3 | Unmitigated |
| T-14 | Repudiable clinician messages | Low | High | P4 | Unmitigated |
| T-05 | Gateway DDoS | Low | Medium | P4 | Mitigated |
| T-11 | Redis memory exhaustion / cache poisoning | Low | Low | P4 | Partial |
| T-02 | In-transit tampering | Low | Low | P4 | Mitigated |
Open Questions
The following components or behaviors were underspecified. Threats touching these areas may be incomplete. Do not close this model without resolving these items.
| OQ-ID | Component | Question | Impact on Model |
|---|---|---|---|
| OQ-1 | API Gateway | What product/vendor is used (Kong, AWS API GW, custom Nginx)? | Determines available auth plugins, rate-limiting primitives, and header-stripping behavior (T-05, T-15) |
| OQ-2 | Auth Service | Does the Auth Service support OAuth 2.0 device flow or SSO federation (SAML/OIDC)? | Federation introduces IdP-spoofing threats not currently modeled |
| OQ-3 | Notification Worker | How is the Worker deployed — container, VM, Lambda? What executes it on a schedule? | Affects attack surface for T-13; a Lambda with an IAM role has different privilege escalation paths than a long-running container |
| OQ-4 | PostgreSQL | Is the database a managed service (RDS) or self-hosted? | Determines patch cadence ownership and whether encryption-at-rest is provider-managed or must be explicitly configured |
| OQ-5 | Redis Cache | Is Redis deployed in cluster mode with AUTH enabled? | AUTH disabled is a separate T (S-category) not modeled here |
| OQ-6 | Admin Console | Is the Admin Console deployed on the same domain as the patient portal? | Same-origin deployment risks CSRF cross-contamination between patient and admin sessions |
Mitigation Roadmap
Quick Wins (Low Effort, High Impact — complete within 1 sprint)
| Action | Addresses | Owner Hint |
|---|---|---|
| Strip X-Internal-* headers at gateway ingress | T-15 | Platform/API team |
| Move SendGrid credentials to secrets manager | T-12 | DevOps |
| Encrypt PHI values before writing to Redis | T-10 | Records + Messaging teams |
| Remove Notification Worker write access to DB; use read-only view | T-13 | Backend team |
| Add SAST parameterized-query rule to CI pipeline | T-09 | DevSecOps |
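The first quick win (T-15) is shown below as an added example, not code from the MedTrack sample or the product: the gateway drops every client-supplied `X-Internal-*` header and sets the role itself from its own token validation. The function names and the sample request are assumptions; the underscore spelling is matched as well because CGI/WSGI-style backends fold hyphens and underscores into the same variable name.

```python
import re

# Matches X-Internal-* in any case, plus the underscore spelling that
# CGI/WSGI-style backends map onto the same variable as the hyphen form.
_INTERNAL = re.compile(r"^x[-_]internal[-_]", re.IGNORECASE)


def sanitize_ingress_headers(headers):
    """Split client-supplied headers into (forwardable, stripped_names).

    headers is a list of (name, value) pairs so duplicate headers are kept.
    """
    forward, stripped = [], []
    for name, value in headers:
        if _INTERNAL.match(name.strip()):
            stripped.append(name)  # keep the name so the attempt can be logged
        else:
            forward.append((name, value))
    return forward, stripped


def build_upstream_headers(client_headers, verified_role):
    """Headers the gateway sends on to the Auth Service.

    verified_role must come from the gateway's own JWT validation, never
    from anything present in client_headers.
    """
    forward, stripped = sanitize_ingress_headers(client_headers)
    forward.append(("X-Internal-Role", verified_role))
    return forward, stripped


# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = [
    ("Host", "portal.example.test"),
    ("Authorization", "Bearer <patient-token>"),
    ("X-Internal-Role", "admin"),
    ("x_internal_role", "admin"),
    ("X-INTERNAL-Tenant", "1"),
    ("X-Request-Id", "abc123"),
]
```

A non-empty `stripped_names` list on a request from outside TB-1 is worth logging as a detection signal, since legitimate browsers never send these headers.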
Architectural Changes (Higher Effort — schedule in next quarter)
| Action | Addresses | Notes |
|---|---|---|
| Implement mTLS between API Gateway and all microservices | T-04 | Requires service mesh (Istio/Linkerd) or mutual cert provisioning; coordinate with TB-2 network policy |
| Introduce per-service PostgreSQL roles with schema-level GRANT restrictions | T-08 | Schema migration required; test in staging first |
| Deploy structured immutable audit logging to SIEM | T-03, T-14 | Evaluate Datadog, Splunk, or CloudWatch Logs with S3 WORM; define retention policy |
| Enforce step-up MFA for all Admin Console sessions | T-06 | Requires OIDC ACR claims or session re-authentication flow in Auth Service |
| Separate Redis instances: one for session tokens, one for application cache | T-11 | Prevents session DoS from cache thrash; enables tighter memory policies per instance |
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, and OpenClaw in the same license.
What You Get With This Skill
Generates a STRIDE threat model from a system architecture, identifying trust boundaries, per-component threats, and a prioritized risk register with mitigations. Useful for shifting threat modeling left in the development cycle.
All ClearPoint Nexus Skills Include
- Production-ready workflow packaging for three supported platforms.
- Reusable structure designed for repeatable operator tasks.
- Clear deliverable format, not just raw prompt output.