Journal:Cybersecurity and privacy risk assessment of point-of-care systems in healthcare: A use case approach

From LIMSWiki
Revision as of 17:29, 1 September 2021 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: Cybersecurity and privacy risk assessment of point-of-care systems in healthcare: A use case approach
Journal: Applied Sciences
Author(s): Jofre, Marc; Navarro-Llobet, Diana; Agulló, Ramon; Puig, Jordi; Gonzalez-Granadillo, Gustavo; Zamorano, Juan M.; Romeu, Ramon
Author affiliation(s): Fundació Privada Hospital Asil de Granollers, Atos Research & Innovation, Servicio Madrileño de Salud
Primary contact: Email: diananavarro at fphag dot org
Editors: Chizari, Hassan
Year published: 2021
Volume and issue: 11(15)
Article #: 6699
DOI: 10.3390/app11156699
ISSN: 2076-3417
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/2076-3417/11/15/6699/htm
Download: https://www.mdpi.com/2076-3417/11/15/6699/pdf (PDF)

Abstract

Point-of-care (POC) systems are generally used in healthcare to respond rapidly and prevent critical health conditions. Hence, POC systems often handle personal health information, and, consequently, their cybersecurity and privacy requirements are of crucial importance. However, assessing these requirements is a significant task.

In this work, we propose a use case approach to assess the specifications of cybersecurity and privacy requirements of POC systems in a structured and self-contained form. Such an approach is appropriate since use cases are one of the most common means adopted by developers to derive requirements. As a result, we detail a use case approach in the framework of a realistic healthcare IT infrastructure that includes a health information system, integration engines, application servers, web services, medical devices, smartphone apps, and medical modalities (all data simulated), together with the interaction with participants. Since our use case also supports the analysis of cybersecurity and privacy risks in different threat scenarios, it also supports decision making and the analysis of compliance considerations.

Keywords: cybersecurity, healthcare, incidents, information privacy, IT infrastructure, point-of-care, risk assessment, sensitive medical data, threats, use case

Introduction

Cybersecurity and privacy incidents are a growing threat to the healthcare industry in general, and hospitals in particular.[1] The healthcare industry has lagged behind other industries in protecting its main stakeholders (e.g., care staff and patients), and now hospitals must invest considerable capital and effort in protecting their IT systems.[2] However, moving to more protected and resilient digital infrastructures in healthcare is a challenge because hospitals are technology-saturated, complex organizations with high end-point complexity, internal politics, and regulatory pressures. Therefore, healthcare organizations of all types looking to grow and achieve their financial, quality, service, and compliance performance objectives must understand and account for the capabilities, drivers, strategies, and challenges of other ecosystems such as cybersecurity and information privacy. Hence, as cybersecurity and privacy become more of a priority for hospitals, it is essential they holistically integrate the different processes, components, and stages influencing the healthcare ecosystem.

One relevant aspect to consider regarding cybersecurity and privacy risks is healthcare point-of-care (POC) systems, which have been widely used in hospitals to provide innovative solutions to medical professionals. POC systems provide an overview of patients' conditions in a way that makes it easier for professionals to respond in a timely fashion and prevent critical situations. POC platforms also incorporate medical devices and applications to collect, process, and visualize data. As such, large amounts of data move through POC systems, including personal health information and sensitive medical data. This data is communicated across various POC systems, backend analytical platforms, user workstations, and smartphones, so there are multiple touch points that may cause data leakages or breaches. Naturally, these platforms create and expand the attack surface, which may be challenging to fully identify and address. Hospitals and care centers need to address these threats by efficiently assessing the associated risks and mitigating them with the proper cybersecurity and privacy safeguards.

POC systems can be categorized into three classes according to their usage model: (i) testing and diagnostic applications (e.g., medical devices), (ii) patient monitoring (e.g., smartphone apps), and (iii) interfacing with other devices (e.g., web-based services and integration servers).[3] Hence, considering these classes, some common threats associated with POC systems encompass legacy operating systems and software, lack of timely software updates and patches, medical devices lacking basic security features, insecure implementation of web services, lack of awareness of cybersecurity and privacy issues, and limited power and resources, among others.[4] Typically, these threats can be exploited by several common attack methods, including cross-site scripting, Structured Query Language (SQL) or Extensible Markup Language (XML) injection, client-side attacks, malware, and denial-of-service.
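The paragraph above names "insecure implementation of web services" as a common POC threat and SQL injection as one of the attack methods that exploits it. The following added example (written for this page; it is not code from the article or from any of the authors' systems) shows the weak pattern beside its hardened form for a POC web-service handler that looks up a patient's test results. The table, the rows, and the `P-NNNN` identifier format are constructed for the demonstration; the hardened handler combines an allow-list check on the identifier shape with parameter binding, so that caller input can never be interpreted as SQL text.

```python
import re
import sqlite3

# Constructed sample data standing in for a POC web service's results table.
SAMPLE_ROWS = [
    ("P-1001", "glucose", "5.4 mmol/L"),
    ("P-1002", "glucose", "7.9 mmol/L"),
    ("P-1003", "troponin", "0.02 ng/mL"),
]

# Constructed identifier format for this demo: the letter P, a dash, four digits.
PATIENT_ID_RE = re.compile(r"P-\d{4}")


def open_demo_db():
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (patient_id TEXT, test TEXT, value TEXT)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_results_vulnerable(conn, patient_id):
    """Weak handler: the caller-supplied identifier is spliced into the SQL text.

    Any quote character in the input changes the structure of the statement,
    so a crafted identifier can widen the WHERE clause to other patients' rows.
    """
    query = (
        "SELECT patient_id, test, value FROM results "
        f"WHERE patient_id = '{patient_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_results_hardened(conn, patient_id):
    """Hardened handler: allow-list the identifier shape, then bind it as a parameter.

    The regex rejects anything that is not a well-formed identifier before the
    database is touched, and the '?' placeholder makes the driver pass the value
    as data rather than as part of the statement.
    """
    if not PATIENT_ID_RE.fullmatch(patient_id):
        raise ValueError("malformed patient identifier")
    query = "SELECT patient_id, test, value FROM results WHERE patient_id = ?"
    return conn.execute(query, (patient_id,)).fetchall()


def demo():
    """Run both handlers against a benign and a malformed identifier.

    Returns a summary dict so the behaviour can be checked programmatically.
    """
    conn = open_demo_db()
    benign = "P-1001"
    # Textbook tautology input, used here only to show the difference in behaviour.
    malformed = "P-1001' OR '1'='1"

    vulnerable_benign = lookup_results_vulnerable(conn, benign)
    vulnerable_malformed = lookup_results_vulnerable(conn, malformed)

    hardened_benign = lookup_results_hardened(conn, benign)
    try:
        lookup_results_hardened(conn, malformed)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "vulnerable_benign_rows": len(vulnerable_benign),
        "vulnerable_malformed_rows": len(vulnerable_malformed),
        "hardened_benign_rows": len(hardened_benign),
        "hardened_rejected_malformed": hardened_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed data, the weak handler returns one row for the benign identifier but all three rows for the malformed one, while the hardened handler returns the single expected row and refuses the malformed input outright. In a real POC deployment the same two controls (input allow-listing at the service boundary and parameterized queries in the data layer) apply to every caller-supplied value, not only to patient identifiers, and a rejected identifier is also a useful event to log for detection.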


References

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.