RAMA: A Risk Assessment score for Medical Applications

Overview

The healthcare sector is becoming increasingly susceptible to cyber-attacks, threatening day-to-day activities and compromising confidential healthcare data. Unfortunately, even though healthcare organisations have benefited greatly from technological advancements, they are still plagued by several cybersecurity issues. These range from ransomware attacks that compromise the integrity of IT systems to phishing attacks and distributed denial-of-service attacks [1].

There are several explanations for this. First of all, hospitals deal with a vast amount of patient data. Such data is worth a lot of money to attackers, who can sell it quickly. For instance, patient data is estimated to be worth 10-20 times the value of credit card data on the Dark Web [2]. Secondly, medical devices are an easy entry point for attackers, as security is not a primary concern in their design. Lastly, due to the coronavirus pandemic, there was a rapid shift to entirely remote work, resulting in a broader attack surface.

The H2020 HEIR project aims to provide a thorough threat identification and cybersecurity knowledge base system addressing both the local (in the hospital/medical centre) and the global (including different stakeholders) level. The focus of this blog post is to present the Risk Assessment for Medical Applications (RAMA) score, a score that will allow both the IT security staff of a hospital and external stakeholders to understand the security posture of their organisation.


The Risk Assessment for Medical Applications (RAMA) Score

The RAMA score is responsible for estimating the attack surface and resilience of the medical devices by incorporating several critical issues in a live manner. To address the need to calculate the score in both a local and a global environment, we have introduced the Local and the Global RAMA Score. The former incorporates the critical issues reported by the HEIR client and estimates the attack surface as well as the resilience of the underlying medical devices per healthcare organization, whereas the latter acts as a global benchmark against which the local RAMA scores are compared.


The Local RAMA Score

As mentioned above, the Local RAMA score represents the security level of a specific clinic by aggregating the respective results as reported through the HEIR Client. The targeted users are the IT personnel and the security experts of the healthcare organization.

More specifically, the local RAMA Score calculator, the tool responsible for calculating and reporting the local RAMA score, incorporates all the different modules of the HEIR client, namely (a) the HEIR Exploit Tester (HET), (b) the Vulnerability Assessment (VA), (c) the HEIR Network Module (HNM), and (d) the HEIR Cryptographic Checker (HCC). A detailed deployment diagram is depicted in Figure 1.

Figure 1: Local RAMA Score calculator deployment diagram


This allows the RAMA Score calculator to consider issues identified in different layers of a computing system, e.g., the network, presentation and application layers, and subsequently to provide a score (and the corresponding metadata) that allows the end user to better understand the security posture of their organisation.

Figure 2: The Local RAMA Score


Moreover, the local RAMA Score is calculated from two different sub-scores (see Figure 2). The first sub-score, namely the base score, is an aggregation of the HET, HCC and VA sub-scores. The rationale behind this is that these tools are not continually triggered by the HEIR client, as they are used for the “static” analysis part of a computing system. The second sub-score, namely the temporal score, is based on the HNM component. Since attacks on the network layer are more frequent, the temporal score is recalculated more frequently than the base one. The final, aggregated Local RAMA Score is then a weighted sum of the two sub-scores, as depicted in the equation below. More information about the algorithm for the calculation of the Local RAMA score is available in “D3.2 - The HEIR 1st layer of services package: 1st complete version” [3].


The Global RAMA Score

The Global RAMA Score acts as a means of comparison between the final, aggregated local RAMA Scores. The target users for the Global RAMA score are either external stakeholders or healthcare experts who wish to understand how their organization compares with other, similar healthcare organizations. Just like the local score, the global one is calculated and exposed through the Global RAMA Score Calculator. The main differences from the local score are that (a) the global RAMA score only contains anonymized data, (b) it receives input from the local HEIR aggregators and provides its output to the HEIR Observatory, and (c) it is installed in an environment outside the healthcare organization (see Figure 3).

Figure 3: Global RAMA Score calculator deployment diagram


On the calculation side, the global RAMA Score follows the same pattern as the local one. The rationale for this is that the two scores need to be directly comparable with each other. More information about the Global RAMA score, and the planned next steps, is available in “D4.2 - The HEIR 2nd layer of services package: 1st complete version” [4].
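The two-cadence local aggregation described above (a cached base sub-score from HET, HCC and VA, a frequently refreshed temporal sub-score from HNM, and a weighted sum of the two) and the global comparison against anonymised peer scores, written out as an added example. This is illustrative code, not the HEIR project's calculator: the 0-100 scale, the mean as base aggregation, the 0.6/0.4 weights and the "higher means higher risk" convention are assumptions, since the deliverables' actual formula is not reproduced here.

```python
"""Illustrative local/global RAMA-style calculator (added example, not HEIR code)."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

# Assumed weights of the two sub-scores in the final weighted sum.
BASE_WEIGHT = 0.6      # "static" base sub-score (HET, HCC, VA)
TEMPORAL_WEIGHT = 0.4  # network-driven temporal sub-score (HNM)


def _clamp(score: float) -> float:
    """Assumption: every module reports a risk score normalised to 0..100."""
    return max(0.0, min(100.0, float(score)))


@dataclass
class LocalRamaCalculator:
    base: Optional[float] = None      # cached until the static tools run again
    temporal: Optional[float] = None  # refreshed on every HNM report

    def update_base(self, het: float, hcc: float, va: float) -> float:
        # Static-analysis modules are not triggered continually, so their
        # aggregate is cached and reused between runs (assumed: plain mean).
        self.base = mean(_clamp(s) for s in (het, hcc, va))
        return self.base

    def update_temporal(self, hnm: float) -> float:
        # Network findings arrive often; only this term is recomputed.
        self.temporal = _clamp(hnm)
        return self.temporal

    def local_score(self) -> float:
        # Refuse to aggregate until both sub-scores exist: a missing term
        # would silently report a lower risk than the organisation has.
        if self.base is None or self.temporal is None:
            raise ValueError("both sub-scores are required before aggregation")
        return round(BASE_WEIGHT * self.base + TEMPORAL_WEIGHT * self.temporal, 2)


def global_benchmark(anonymised_peer_scores: List[float], mine: float) -> dict:
    """Global side: only bare local scores cross the organisation boundary,
    never organisation identifiers. Returns the peer mean and the share of
    peers whose risk score is lower than ours (higher = higher risk)."""
    peers = [_clamp(s) for s in anonymised_peer_scores]
    lower_risk_peers = sum(1 for s in peers if s < mine)
    return {"global_mean": round(mean(peers), 2),
            "pct_peers_lower_risk": round(100.0 * lower_risk_peers / len(peers), 1)}
```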


Conclusion

Both the local and global RAMA scores are considered one of HEIR's innovations. During the demonstration and validation phase of the HEIR project, these scores will be evaluated in real-world use case scenarios and showcased in their interaction with the remaining modules of the HEIR framework. Responsible for providing and deploying the RAMA scores in the project is Sphynx Technology Solutions AG, which acts as leader of T3.2, T4.1 and WP7 and is the Dissemination Manager of the project.


[1] https://www.cisecurity.org/insights/blog/cyber-attacks-in-the-healthcare-sector

[2] https://www.cisa.gov/sites/default/files/publications/202012220800_Graphic_Challenges_to_Healthcare.pdf

[3] https://heir2020.eu/sites/default/files/docs/HEIR_D3.2_First-Layer-V1_v1.0.pdf

[4] https://heir2020.eu/sites/default/files/docs/HEIR_D4.2_Layer-2-V1_v1.0.pdf