EBIOS RM example
Use case: Medical Imaging Center
Discover how EBIOS Risk Manager can be applied to a concrete case: the risk analysis of a medical imaging center. Workshop by workshop, the results are presented so that the expectations at each step are clear.
Why EBIOS Risk Manager?
A risk analysis with the EBIOS Risk Manager method makes it possible to establish an iterative and sustainable risk management strategy. The method gives IT security managers a complete view of the risks, whatever the field of application.
To support these analyses, ALL4TEC develops and deploys the Agile Risk Manager tool, which is labelled by ANSSI. It makes it easy to conduct relevant risk analyses based on the EBIOS Risk Manager method.
Using graphical representations, Agile Risk Manager presents the results of each workshop conducted during the analysis.
A risk analysis tool
Throughout the analysis process, the tool helps the user understand the EBIOS Risk Manager approach in a simple and efficient way by guiding them on both form and content.
The result is a flexible balance between following the method's sequence of steps and staying close to business reality.
In addition, to make the software and the method easier to pick up, Agile Risk Manager includes several knowledge bases and example projects. As part of this pedagogical support, we have built and integrated a new example: the complete risk analysis of a medical imaging and radiology center.
Why a medical radiology center?
The health sector is a critical area because it is closely linked to human safety. This is particularly true of radiology services, which, because of their interdisciplinary and nodal nature, are a central element of the health sector. Their protection is therefore a major imperative.
Moreover, these services are totally dependent on Information and Communication Technologies (ICT), as they rely on multiple devices and systems. These include in particular:
- Medical equipment (MRIs, scanners, etc.) required for patient data acquisition;
- Data processing, reproduction and storage systems;
- Interconnection and communication interfaces.
Finally, recent cyber attacks, particularly ransomware and DDoS, increasingly target healthcare entities. Examples include WannaCry, which hit several hospitals in Great Britain, as well as the attacks on the University Hospital of Rouen and the Public Assistance Hospitals of Paris (AP-HP).
Protecting the hardware and information assets of radiology is therefore crucial. It is absolutely necessary to anticipate and adopt a preventive approach, through a risk analysis.
The EBIOS Risk Manager method is based on an iterative and agile approach built around workshops. Each workshop adopts a particular point of view and addresses a specific question.
Working through all these workshops builds, step by step, a relevant and complete risk analysis focused on the most significant risks.
Workshop 1 - Scope & security baseline
Workshop 1 defines the general perimeter of the analysis and identifies what we want to protect, what we fear, and which measures have already been implemented. The point of view is that of the defender, in this case the radiology practice or center.
We opted for a complete risk analysis with strategic and operational cycles of 3 years and 12 months respectively. We defined the Roles and Responsibilities Matrix (RACI), which lets us plan the steps of the analysis and the people involved in each workshop.
Next, we determined the business values (BV) that represent the business processes and information of the radiology department: MRI, CT, standard radiography, ultrasound, patient administration and management, and quality control.
For each Business Value (BV), as described in the method, we associate the appropriate supporting assets and the people responsible for them. Depending on its security needs in terms of availability, integrity, confidentiality or traceability, each BV may face one or more feared events (FEs), which must be made explicit.
For example, the system for transmitting and archiving images between modalities (PACS, not to be confused with the Continuous Security Improvement Plan proposed in Workshop 5) is a critical element of any radiology site.
This is why, in our analysis, the "sabotage of the MRI-PACS interface" is a critical FE for the "MRI" BV. It is important to rank the FEs by severity, which is measured from their respective impacts (financial, legal, reputational, on the safety or health of people, etc.).
When defining the security baseline, in addition to the reference frameworks already available in Agile Risk Manager, such as the ANSSI hygiene guide, we introduced two new ones:
- A reference framework of customised internal measures, defining a set of rules and best practices that each entity can develop internally. This includes measures such as video surveillance, access control, etc.
- A qualitative reference framework based on the IT security measures standardised in the "LABELIX" label. This is the official tool for recognising the quality of services provided by medical imaging practices and departments (http://www.labelix.org).
Workshop 2 - Risk sources
Unlike Workshop 1, Workshop 2 takes an attacker-centric approach; the attacker is referred to in EBIOS Risk Manager as a "risk source".
This is why, in this workshop, we first identified the risk sources (RS) that could harm the radiology center: competitor, cyber-mercenaries, malicious external staff, disgruntled internal staff, vengeful individual, etc.
Once the pairs of risk sources and target objectives (RS/TO) are established, they can be evaluated according to the motivation, resources and activity of the RS. In Agile Risk Manager, this evaluation is carried out graphically and provides a visual representation of the relevance of the RS/TO pairs from several angles.
Workshop 3 - Strategic scenarios
The radiology center interacts with several internal and external stakeholders. Together, these stakeholders make up the radiology center's ecosystem.
Examples include maintenance providers, auditors, HDSAHP (Health Data Services Accredited Hosting Providers), etc.
Agile Risk Manager lets you assess each stakeholder's cyber exposure and cyber reliability levels, based respectively on cyber dependency/penetration and on cyber trust/maturity. Once assessed, the tool maps them graphically in the form of a radar chart.
Next, we identify the stakeholders that could unwittingly serve as relays for a risk source's hostile approach.
This is what we call strategic scenarios, associated with the RS/TO pairs. A strategic scenario is made up of one or more attack paths. For example, a cyber-mercenary whose objective is to steal medical information from the "Administration – Patient Management" BV (Business Value) could achieve that goal by creating channels for the exfiltration of sensitive data via the CHU (university hospital), via the ISD, an internal stakeholder, or directly via the HDSAHP.
The graphical representation lets the different strategic scenarios and their respective attack paths be visualised.
This workshop includes a preliminary treatment of risks, as defined by the EBIOS Risk Manager method. This preliminary treatment leads to security measures that apply directly or indirectly to the stakeholders; applying them allows the stakeholders' cyber exposure and maturity to be reassessed.
In our example, applying the stakeholder measures reduced the initial threat level of the IT service providers and moved them from the control zone to the monitoring zone.
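To make the stakeholder reassessment above concrete, here is an added example (not code from the page, from ALL4TEC or from Agile Risk Manager) that applies the EBIOS Risk Manager stakeholder formula: exposure = dependency × penetration, cyber reliability = maturity × trust, threat level = exposure / reliability. The 1-to-4 scales, the zone thresholds, the "danger" and "out of scope" zone names (only the control and monitoring zones are named on the page) and the IT service provider's scores are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Zone thresholds on the threat level are set by the organisation;
# these values are an assumption for the example.
DANGER_THRESHOLD = 4.0    # threat >= 4        -> danger zone
CONTROL_THRESHOLD = 2.0   # 2 <= threat < 4    -> control zone
MONITOR_THRESHOLD = 1.0   # 1 <= threat < 2    -> monitoring zone
                          # threat < 1         -> out of scope


@dataclass(frozen=True)
class Stakeholder:
    name: str
    dependency: int   # 1..4: how much the center depends on the stakeholder
    penetration: int  # 1..4: how deeply it reaches into the center's systems
    maturity: int     # 1..4: its own cyber-security maturity
    trust: int        # 1..4: the trust the center places in it

    def __post_init__(self):
        for field in ("dependency", "penetration", "maturity", "trust"):
            value = getattr(self, field)
            if not 1 <= value <= 4:
                raise ValueError(f"{field} must be in 1..4, got {value}")

    def exposure(self) -> int:
        return self.dependency * self.penetration

    def reliability(self) -> int:
        return self.maturity * self.trust

    def threat_level(self) -> float:
        return self.exposure() / self.reliability()


def zone(threat: float) -> str:
    """Map a threat level to the zone that decides whether measures are required."""
    if threat >= DANGER_THRESHOLD:
        return "danger"
    if threat >= CONTROL_THRESHOLD:
        return "control"
    if threat >= MONITOR_THRESHOLD:
        return "monitoring"
    return "out of scope"


def apply_measures(s: Stakeholder, maturity_gain=0, trust_gain=0, penetration_cut=0) -> Stakeholder:
    """Reassess a stakeholder after measures (e.g. contractual security clauses raise
    maturity and trust; restricting remote access lowers penetration). Scores stay in 1..4."""
    return Stakeholder(s.name, s.dependency, max(1, s.penetration - penetration_cut),
                       min(4, s.maturity + maturity_gain), min(4, s.trust + trust_gain))


# Constructed scores for an IT service provider: 12 / 4 = 3.0 -> control zone.
IT_PROVIDER = Stakeholder("IT service provider", dependency=3, penetration=4, maturity=2, trust=2)
# After measures raising maturity and trust by one each: 12 / 9 = 1.33 -> monitoring zone.
IT_PROVIDER_AFTER = apply_measures(IT_PROVIDER, maturity_gain=1, trust_gain=1)
```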
Workshop 4 - Operational scenarios
In this workshop, we build operational scenarios linked to the RS/TO pairs and the strategic scenarios defined in the previous workshop.
The attack paths of the operational scenarios are built from elementary actions on the supporting assets that lead to the previously identified TOs. Each resulting scenario is also assigned a likelihood, which is then used to calculate, according to several approaches, the most likely attack path.
In our case study, we identified different operating modes for reaching the TOs, using elementary actions taken from the MITRE ATT&CK knowledge base. This world-renowned, widely referenced database is integrated directly into Agile Risk Manager, which greatly strengthens the construction of operational scenarios.
Take the example of the cyber-mercenary whose aim is to steal sensitive medical information. This attacker could choose, as a modus operandi, to exfiltrate sensitive data from a partner hospital by creating an illegitimate channel connecting them to the CHU.
This scenario consists of three different attack paths. Below we detail the one involving exfiltration via a compromised public website (the blue path in the diagram).
- After reconnaissance, the attacker identifies a website that is regularly visited by staff with privileged rights at the CHU, then infects that website.
- When a CHU staff member visits the infected site, the attacker compromises the target's browser by exploiting a vulnerability and recovers the stored passwords.
- The attacker uses these credentials to authenticate, from the target's session, to an instance at the HDSAHP where the radiology center's data is hosted.
- The cyber-mercenary then attempts to reach the cloud instance's metadata API in order to recover the privileges associated with it.
- Next, the attacker sets up a channel and a custom "command and control" type protocol.
- Finally, the cyber-mercenary fraudulently exfiltrates the radiology center's medical data hosted on the HDSAHP cloud platform.
At the end of this workshop, Agile Risk Manager positions all the risks of the analysis in the risk matrix according to their severity and likelihood. This is the initial risk map.
Workshop 5 - Risk treatment
At the end of an analysis cycle, Workshop 5 allows the participants to review all the results obtained so far.
These results are used in stages over time and give rise to a continuous security improvement plan (CSIP), according to the means and constraints (time, budget, complexity) of the object of the study.
Implementing the CSIP gradually reduces the risks (at 3 months, 6 months, etc.) until a satisfactory level is reached that is aligned with the organisation's risk treatment strategy.