dc.contributor.advisor: Amro, Ahmed Walid
dc.contributor.author: del Riego San Martín, Daniel
dc.date.accessioned: 2022-09-16T17:19:12Z
dc.date.available: 2022-09-16T17:19:12Z
dc.date.issued: 2022
dc.identifier: no.ntnu:inspera:107093487:93553050
dc.identifier.uri: https://hdl.handle.net/11250/3018571
dc.description.abstract: Cybersecurity has become a hot topic lately because of its importance in almost every industry. However, it has not been given the same relevancy everywhere, and healthcare is an example. Millions of new devices have been added to medical networks all over the world and the industry does not have the capacity to assess the risk for all of them, as computer networks are not one of their specialties. In this thesis, a survey of the different vulnerabilities that these medical networks can have, along with the different attacks that aim especially at them, has been carried out to understand the level of danger they are in. Furthermore, the recommended countermeasures for preventing these breaches from happening are also studied. In the next step, both the different standards that are mandatory to comply with in healthcare networks as well as the different risk assessment methods that currently exist for healthcare and other industries are studied (quantitative and qualitative), achieving a general view of the possible solutions. It is then proposed how a good automated risk assessment methodology could be done by mixing the information of the standards, the attacks, the countermeasures and classifying the devices according to their criticality. With all this data, it is possible to create an algorithm that calculates the total risk of each attack in a numerical way for each asset and suggests different ways to face it. This algorithm is coded in Python, generating different results for three different scenarios in which the criticality of the medical device changes. These three scenarios were also given to an expert in cybersecurity in healthcare networks, who proceeded to perform his own risk assessment in order to be compared with the created tool. The results were satisfactory as both the tool and the expert coincided in the main attacks and their countermeasures. However, the given environments were too small to be considered realistic yet, and further development must be done to be able to assess the risk of a whole hospital network.
dc.language: eng
dc.publisher: NTNU
dc.title: IT Risk Assessment Automation in Healthcare Networks
dc.type: Master thesis

