Protecting critical business processes of smart hospitals from cyber attacks

Coppolino L.; D'Antonio S.; Romano L.; Sgaglione L.; Magliulo M.
2019-01-01

Abstract

The work presented in this paper aims to improve the security of Smart Hospitals by proposing a practical approach and developing effective protection mechanisms and tools for the most critical asset categories in Smart Hospitals. It focuses on the cyber-related issues most relevant to Smart Hospitals, and to the healthcare domain in general: system failures and human errors, insecurity of medical devices (including IoT devices) and their communications, employee-owned mobile devices (BYOD), and identity theft. The approach aims at mitigating threats against both active and passive medical devices, both large (e.g. radiotherapy and imaging equipment) and small (wearable devices and sensors). The approach is presented with respect to a challenging use case contributed by one of the major public hospitals of a European country. By relying on continuous monitoring of security-relevant events, the proposed risk-containment approach supports Smart Hospitals in understanding the risks they face and in prioritizing them based on detailed context information. This results in an increased level of security across valuable assets as well as in data exchange. It further supports Smart Hospitals in managing the residual risk by enabling them to estimate it and thus to negotiate additional coverage for it with insurance companies.
2019
ISBN 978-1-7281-5686-6
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11367/84311
Citations
  • PMC: not available
  • Scopus: 3
  • ISI: not available