Tools for the Assessment of Cyber Risk in Healthcare Facilities

LARATTA, ROSITA
2019/2020

Abstract

Nowadays, the spread of healthcare technologies raises new concerns, especially about cyber-security within healthcare. As a result, engineers and regulators need to extend pre-existing risk management frameworks, originally tailored to safety, so that they also encompass cybersecurity. As the European Data Protection Regulation (GDPR 679/2016) comes into force, organizations, and healthcare companies in particular, are required to adopt advanced measures to address cyber-risks. The risk-based approach is strongly recommended by the Regulation and is inspired by ISO 31000 (Risk management). Pre-existing risk management frameworks are classified into quantitative, qualitative and semi-quantitative approaches; the choice depends strictly on the purpose of the model or experiment. A Risk Management framework aims to enable every organization to identify, prevent and manage all the impending risks within its business, and to make the delicate and fundamental process of risk management fully explicit through a structured approach. In 2015 the National Framework for Cybersecurity was presented, inspired by the Cybersecurity Framework created by NIST (National Institute of Standards and Technology), as a support tool for organizations that need strategies and processes aimed at protecting personal data and cyber-security. Its aim is principally the reduction of risks linked to cyber-threats. One of the mandatory requirements of the Regulation is the keeping of records of data processing activities, as one of the main tools for achieving accountability. Through the records of data processing activities, the Data Controller should demonstrate compliance with GDPR in a way proportional to the risk associated with protecting personal data. To create a new tool for the assessment of cyber-risk, we collaborated with Azienda Ospedaliero Universitaria Ospedali Riuniti. 
The current study aims to meet the complex requirements of the Regulation through a new tool, proposed in electronic format, that performs a risk assessment for any data processing activity. After proper evaluation, the most critical part of the data processing activities turned out to be the analysis of the technological context and the IT infrastructure. As a result, a risk index could not be computed because of the limitations encountered. Therefore, we proposed a new approach to overcome the methodological problems of the assessment pointed out above, combining the evaluation of the maturity index of the firm's processes with the evaluation of the complexity index of the firm's chosen infrastructure, and concluding with the attractiveness of the organization. Unfortunately, due to the scarcity of information and case studies in the literature, this goal has not been achieved, even though a parameterization has been implemented.
2019
2021-02-22
Files in this item:

THESIS_ROSITA_LARATTA PDF-A.pdf (Thesis Rosita Laratta PDF/A), Adobe PDF, 2.73 MB. Open Access from 23/02/2023.

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12075/4050