Journal:Cybersecurity and privacy risk assessment of point-of-care systems in healthcare: A use case approach

From LIMSWiki
Revision as of 17:52, 1 September 2021 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: Cybersecurity and privacy risk assessment of point-of-care systems in healthcare: A use case approach
Journal: Applied Sciences
Author(s): Jofre, Marc; Navarro-Llobet, Diana; Agulló, Ramon; Puig, Jordi; Gonzalez-Granadillo, Gustavo; Zamorano, Juan M.; Romeu, Ramon
Author affiliation(s): Fundació Privada Hospital Asil de Granollers, Atos Research & Innovation, Servicio Madrileño de Salud
Primary contact: Email: diananavarro at fphag dot org
Editors: Chizari, Hassan
Year published: 2021
Volume and issue: 11(15)
Article #: 6699
DOI: 10.3390/app11156699
ISSN: 2076-3417
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/2076-3417/11/15/6699/htm
Download: https://www.mdpi.com/2076-3417/11/15/6699/pdf (PDF)

Abstract

Point-of-care (POC) systems are generally used in healthcare to respond rapidly and prevent critical health conditions. Hence, POC systems often handle personal health information, and, consequently, their cybersecurity and privacy requirements are of crucial importance. However, assessing these requirements is a significant task.

In this work, we propose a use-case approach to assess specifications of cybersecurity and privacy requirements of POC systems in a structured and self-contained form. Such an approach is appropriate since use cases are one of the most common means adopted by developers to derive requirements. As a result, we detail a use case approach in the framework of a real-based healthcare IT infrastructure that includes a health information system, integration engines, application servers, web services, medical devices, smartphone apps, and medical modalities (all data simulated) together with the interaction with participants. Since our use case also sustains the analysis of cybersecurity and privacy risks in different threat scenarios, it also supports decision making and the analysis of compliance considerations.

Keywords: cybersecurity, healthcare, incidents, information privacy, IT infrastructure, point-of-care, risk assessment, sensitive medical data, threats, use case

Introduction

Cybersecurity and privacy incidents are a growing threat to the healthcare industry in general, and hospitals in particular.[1] The healthcare industry has lagged behind other industries in protecting its main stakeholders (e.g., care staff and patients), and now hospitals must invest considerable capital and effort in protecting their IT systems.[2] However, moving to more protected and resilient digital infrastructures in healthcare is a challenge because hospitals are technology-saturated, complex organizations with high end-point complexity, internal politics, and regulatory pressures. Therefore, healthcare organizations of all types looking to grow and achieve their financial, quality, service, and compliance performance objectives must understand and account for the capabilities, drivers, strategies, and challenges of other ecosystems such as cybersecurity and information privacy. Hence, as cybersecurity and privacy become more of a priority for hospitals, it is essential they holistically integrate the different processes, components, and stages influencing the healthcare ecosystem.

One relevant aspect to consider regarding cybersecurity and privacy risks is healthcare point-of-care (POC) systems, which have been widely used in hospitals in order to provide innovative solutions to medical professionals. POC systems provide an overview of patients’ conditions in a way that makes it easier for professionals to respond in a timely fashion and prevent critical situations. POC platforms also incorporate medical devices and applications in order to collect, process, and visualize data. As such, large amounts of data move through POC systems, including personal health information and sensitive medical data. This data is communicated across various POC systems, backend analytical platforms, user workstations, and smartphones, demonstrating that there are multiple touch points that may cause data leakages or breaches. Naturally, these platforms create and expand the attack surface, which may be challenging to fully identify and address. Hospitals and care centers need to address these threats by efficiently assessing the associated risks and mitigating them with the proper cybersecurity and privacy safeguards.

POC systems can be categorized in three classes according to their usage model: (i) testing and diagnostic applications (e.g., medical devices), (ii) patient monitoring (e.g., smartphone apps), and (iii) interfacing with other devices (e.g., web-based services and integration servers).[3] Hence, considering the latter classes, some common associated threats to POC systems encompass legacy operating systems and software, lack of timely software updates and patches, medical devices not having basic security features, insecure implementation of web-services, lack of awareness of cybersecurity and privacy issues, and limited power and resources, among others.[4] Typically, these threats and risks can be exploited by several common attack methods, including cross-site scripting, Structured Query Language (SQL) or Extensible Markup Language (XML) injection, client-side attacks, malware, and denial-of-service.

Generally, risk is defined as the combined probability of an unwanted event and its level of impact. It is described as a function of the probability that a given source of threat exerts a potential vulnerability and the consequent impact of this adverse event on the organization.[5] Cybersecurity risk, also known as information technology risk, is the new management challenge of the third millennium; it affects the information and technology assets of organizations. Sardi et al. define cybersecurity risk as “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.”[6] In particular, a cybersecurity threat is a potential attack that exploits a vulnerability of the system to cause damage, whilst a threat scenario is a flow of events or attacks containing interactions between a malicious actor and a system to cause damage. On the other hand, privacy risk assessment, as indicated by Wagner and Boiten[7], aims to “analyze and quantify the privacy risks associated with new systems.”

Accordingly, considerable research has been devoted to eliciting and analyzing cybersecurity and privacy risk assessment.[6][7][8][9][10] However, the applicability of these approaches in the context of cybersecurity and privacy risk assessment modeling for POC systems in healthcare ecosystems shows limitations with respect to (i) their support for explicitly specifying various types of cybersecurity threats, (ii) the definition of threat scenarios, and (iii) the specification of mitigation and preventive actions (e.g., cyber hygiene) for these threats.

Moreover, the above risks have to be properly communicated and accounted for in the overall operational structure of organizations. For instance, in business, financial value may be acceptable as the ultimate unit, which is used to quantify direct cost, or even reputation and human lives. However, the healthcare sector certainly does not only operate on a competitive or financial basis, and it may prefer units that more closely relate to the concept of privacy risk. Therefore, to assess the cybersecurity requirements of POC systems, it is necessary to take into consideration the characteristics of the specific service being developed and of the device types on which the service is going to be deployed.

Accordingly, use cases are one of the most common means adopted by software engineers and end-users to elicit requirements because they ease the communication between stakeholders to assess specific requirements.[11] Additionally, to achieve widespread applicability, the need for integrating cybersecurity and privacy requirements with use case modeling warrants the development of reusable templates in different applications, and in particular for healthcare applications. Systematic approaches to eliciting cybersecurity requirements based on use cases, with emphasis on description and methods guidelines, have been proposed.[12] However, existing approaches lack reusable templates for misuse cases, as opposed to only well-behaving use cases.[12][13][14][15] Nevertheless, with slight modifications, use cases can aid the integration of misuse case scenarios, with functional and non-functional requirements, when considering cybersecurity and privacy risk.[16]

References

  1. Jalali, Mohammad S; Kaiser, Jessica P (28 May 2018). "Cybersecurity in Hospitals: A Systematic, Organizational Perspective" (in en). Journal of Medical Internet Research 20 (5): e10059. doi:10.2196/10059. ISSN 1438-8871. PMC PMC5996174. PMID 29807882. http://www.jmir.org/2018/5/e10059/. 
  2. Jofre, M. (July 2020). "Holistic View Of Healthcare Cybersecurity Ecosystem". ResearchGate. doi:10.13140/RG.2.2.14306.96962. https://www.researchgate.net/publication/343722649_Holistic_View_Of_Healthcare_Cybersecurity_Ecosystem. Retrieved 21 July 2021. 
  3. Tulasidas, Sivanesan; Mackay, Ruth; Hudson, Chris; Balachandran, Wamadeva (2017). "Security Framework for Managing Data Security within Point of Care Tests". Journal of Software Engineering and Applications 10 (02): 174–193. doi:10.4236/jsea.2017.102011. ISSN 1945-3116. http://www.scirp.org/journal/doi.aspx?DOI=10.4236/jsea.2017.102011. 
  4. Williams, Patricia; Woodward, Andrew (1 July 2015). "Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem" (in en). Medical Devices: Evidence and Research 8: 305-316. doi:10.2147/MDER.S50048. ISSN 1179-1470. PMC PMC4516335. PMID 26229513. http://www.dovepress.com/cybersecurity-vulnerabilities-in-medical-devices-a-complex-environment-peer-reviewed-article-MDER. 
  5. Reason, J. (18 March 2000). "Human error: models and management". BMJ 320 (7237): 768–770. doi:10.1136/bmj.320.7237.768. PMC PMC1117770. PMID 10720363. https://www.bmj.com/lookup/doi/10.1136/bmj.320.7237.768. 
  6. Sardi, Alberto; Rizzi, Alessandro; Sorano, Enrico; Guerrieri, Anna (27 August 2020). "Cyber Risk in Health Facilities: A Systematic Literature Review" (in en). Sustainability 12 (17): 7002. doi:10.3390/su12177002. ISSN 2071-1050. https://www.mdpi.com/2071-1050/12/17/7002. 
  7. Wagner, Isabel; Boiten, Eerke (2018), Garcia-Alfaro, Joaquin; Herrera-Joancomartí, Jordi; Livraga, Giovanni et al., eds., "Privacy Risk Assessment: From Art to Science, by Metrics" (in en), Data Privacy Management, Cryptocurrencies and Blockchain Technology (Cham: Springer International Publishing) 11025: 225–241, doi:10.1007/978-3-030-00305-0_17, ISBN 978-3-030-00304-3, http://link.springer.com/10.1007/978-3-030-00305-0_17 
  8. Hameed, Shilan S.; Hassan, Wan Haslina; Latiff, Liza Abdul; Ghabban, Fahad (23 March 2021). "A systematic review of security and privacy issues in the internet of medical things; the role of machine learning approaches" (in en). PeerJ Computer Science 7: e414. doi:10.7717/peerj-cs.414. ISSN 2376-5992. PMC PMC8022640. PMID 33834100. https://peerj.com/articles/cs-414. 
  9. Coronado, Anthony J.; Wong, Timothy L. (1 January 2014). "Healthcare Cybersecurity Risk Management: Keys To an Effective Plan". Biomedical Instrumentation & Technology 48 (s1): 26–30. doi:10.2345/0899-8205-48.s1.26. ISSN 0899-8205. https://doi.org/10.2345/0899-8205-48.s1.26. 
  10. Kandasamy, Kamalanathan; Srinivas, Sethuraman; Achuthan, Krishnashree; Rangan, Venkat P. (26 May 2020). "IoT cyber risk: a holistic analysis of cyber risk assessment frameworks, risk vectors, and risk ranking process". EURASIP Journal on Information Security 2020 (1): 8. doi:10.1186/s13635-020-00111-0. ISSN 2510-523X. https://doi.org/10.1186/s13635-020-00111-0. 
  11. Larman, Craig. Applying UML and patterns: an introduction to object-oriented analysis and design and iterative development (3rd ed.). Upper Saddle River, N.J: Prentice Hall PTR, c2005. ISBN 978-0-13-148906-6. 
  12. Sindre, Guttorm; Opdahl, Andreas L. (24 June 2004). "Eliciting security requirements with misuse cases" (in en). Requirements Engineering 10 (1): 34–44. doi:10.1007/s00766-004-0194-4. ISSN 0947-3602. https://doi.org/10.1007/s00766-004-0194-4. 
  13. Cockburn, Alistair (2001). Writing effective use cases. The Crystal series for software development. Boston: Addison-Wesley. ISBN 978-0-201-70225-5. 
  14. Constantine, L.L.; Lockwood, L.A.D. (1999). Software for Use: A Practical Guide to the Models and Methods of Usage-Centered Design (1st ed.). Addison-Wesley. ISBN 9780768685305. 
  15. Jacobson, Ivar (1992). Object-oriented software engineering: a use case driven approach. [New York] : Wokingham, Eng. ; Reading, Mass: ACM Press ; Addison-Wesley Pub. ISBN 978-0-201-54435-0. 
  16. Yue, Tao; Briand, Lionel C.; Labiche, Yvan (4 March 2013). "Facilitating the transition from use case models to analysis models: Approach and experiments". ACM Transactions on Software Engineering and Methodology 22 (1): 5:1–5:38. doi:10.1145/2430536.2430539. ISSN 1049-331X. https://doi.org/10.1145/2430536.2430539. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.