Overview

The field of healthcare faces severe threats to its security, despite the fact that healthcare organizations have been equipped with technologically advanced systems. In addition, hospitals and similar organizations are managing confidential data, such as patient’s medical histories or diagnostic test results. In order to tackle the hazard of cyber-attacks and security threats, the H2020 HEIR project developed a threat identification and cybersecurity system.

The HEIR system uses the RAMA (Risk Assessment for Medical Applications) score, in particular the Local RAMA score and the Global RAMA Score, so as to inform the IT personnel and the security experts of a healthcare organization about its security status. There are different levels of services that are running inside a health organization environment. The 1st level of security services generates information that is visualised via the 1st Layer GUI  (Graphical User Interface).

The focus of this blog post is to present the 1st Layer GUI, a tool which uses visualisations of information that have been extracted from the hospitals inside the HEIR system. Furthermore, the aim is to provide a description of this information and analyze its significance in relation to estimating the security posture of hospitals, both individually and in total.

1^st Layer GUI

The 1st Layer GUI displays aggregated RAMA scores of the hospital, along with information about the hospital and its security status. Moreover, it fetches information from the HEIR Observatory[1] to be used as a ‘comparison’ of the local aggregated RAMA score and the global one, thus providing users with an idea of how their hospital stands with regard to other infrastructures. This information includes detected vulnerabilities, network events, and event analysis results, with a chart showing the percentage of malicious findings. Users can view connected departments of the hospital at the bottom of the page, with a summary of information and the option to further investigate a selected client. The complete page is presented in figure 1 below.

Figure 1: Complete HCG page

By opening a specific client/department, the user will access the Forensics Visualisation Toolkit’s (FVT) home page. The Forensics Visualization Toolkit (FVT) demonstrates security information for a selected department of the organization and provides users with a timeline-based representation of the captured security events. It is accessed through the 1st layer of visualizations and is meant to represent the captured events in a more detailed way. Authorised users who belong to the hospital/ Healthcare staff groups/ domains and have access to the 1st Layer GUI, can further investigate any of the connected HEIR Clients of the hospital through the FVT. They can monitor every data request that has been made and if access has been granted to that request. On the other hand, none authorized users are granted restricted access, in other words, access to redacted data. On the landing page of FVT (Figure 2), users can observe department-specific insights.

Figure 2: FVT - Overview & Devices

The main analysis dashboard (Figure 3) allows authorised users to choose from a set of widgets containing different types of visualisations, that refer to different system metrics and network-related information. Users are also able to request historical data.   
 

Figure 3: Analysis Dashboard

“Temporal Representation” of incoming logged events is available through the Timeline widget. In addition, “Detailed Information” about the incoming events will be presented in the Details widget. A variety of different device-related metrics can also be analysed through the available Line Chart widgets. Furthermore, an ‘Events Analysis’ screen has been developed. The "Events Analysis" (top of figure 3) screen allows authorised users to investigate possible anomalies across all monitored devices in the selected department. The screen has key features such as historical data requests, filtering capabilities, colour-coded events, additional tabular data representations, resizable timelines and zooms interaction synchronization to facilitate the investigation.

Hospital auditors are able to access the “Audit History” page so as to monitor the access requests of the users. Users with limited clearance can also monitor the access requests, but the derived information is redacted in terms of user ids and similar sensitive kinds of identifiers (Figure 5).

Figure 5: Audit History Page

Conclusion

The 1st Layer GUI includes visualisations of information generated by the 1st level services running inside a hospital environment. The aim is to provide IT security to the hospital with innovative tools to detect and prevent cybersecurity-related incidents. Also, the 1st Layer GUI is being tested and evaluated in hospitals of the HEIR project across Europe. Aegis IT Research Gbmh is responsible for the creation and continuous development of 1st Layer GUO. Moreover, Aegis IT Research Gbmh contributed to the HEIR project with its own developed toolkit FVT (Forensics Visualisation Toolkit).