Cybersecurity and Privacy Risk Assessment of Point-of-Care Systems in Healthcare—A Use Case Approach

: Point-of-care systems are generally used in healthcare to respond rapidly and prevent critical health conditions. Hence, POC systems often handle personal health information; and consequently, their cybersecurity and privacy requirements are of crucial importance. While, assessing these requirements is a signiﬁcant task. In this work, we propose a use case approach to assess speciﬁ-cations of cybersecurity and privacy requirements of POC systems in a structured and self-contained form. Such an approach is appropriate since use cases are one of the most common means adopted by developers to derive requirements. As a result, we detail a use case approach in the framework of a real-based healthcare IT infrastructure that includes a health information system, integration engines, application servers, web services, medical devices, smartphone apps and medical modalities (all data simulated) together with the interaction with participants. Since our use case also sustains the analysis of cybersecurity and privacy risks in different threat scenarios, it also supports decision making and the analysis of compliance considerations.


Introduction
Cybersecurity and privacy incidents are a growing threat to the healthcare industry in general, and hospitals in particular [1]. The healthcare industry has lagged behind other industries in protecting its main stakeholders (e.g., care staff and patients), and now hospitals must invest considerable capital and effort in protecting their IT systems [2]. However, moving to more protected and resilient digital infrastructures in healthcare is a challenge because hospitals are extraordinary technology-saturated, complex organizations with high end-point complexity, internal politics, and regulatory pressures. Therefore, healthcare organizations of all types looking to grow and achieve their financial, quality, service and compliance performance objectives must understand and account for the capabilities, drivers, strategies, and challenges of other ecosystems such as cybersecurity and information privacy. Hence, as cybersecurity and privacy become more of a priority for hospitals, it is essential a holistically integration in the different processes, components and stages influencing the healthcare ecosystem.
One relevant aspect to consider regarding cybersecurity and privacy risks are healthcare point-of-care (POC) systems which have been widely used in hospitals in order to provide innovative solutions to medical professionals. Where, POC systems provide an overview of the patients' conditions in a way that makes it easier for professionals to respond on time and prevent critical situations. POC systems are platforms that incorporate devices and applications in order to collect, process and visualize data. Using large amounts of data, which contain personal health information and sensitive medical data, communicated across various POC systems, backend analytical platforms, user workstations and smartphones, it becomes evident that there are multiple threats that may cause data leakages or breach incidents. Naturally, these platforms create and expanded attack surface, which may be challenging to identify and address. Hospitals and care centers need to address these threats by efficiently assessing the associated risks and mitigate them with the proper cybersecurity and privacy safeguards.
Namely, POC systems can be categorized in three classes according to their usage model [3] (i) for testing and diagnostic applications (e.g., medical devices), (ii) for patient monitoring (e.g., smartphone apps) and (iii) for as interfacing with other devices (e.g., webbased services and integration servers). Hence, considering the latter classes, some common associated threats to POC systems encompass legacy operating systems and software, lack of timely software updates and patches, medical devices not having basic security features, insecure implementation of web-services, lack of awareness of cybersecurity and privacy issues and limited power and resources [4], among others. Typically, these threats can be exploited by several common attacks (e.g., cross-site scripting, Structured Query Language (SQL) or Extensible Markup Language (XML) injection, client-side attacks, malware and denial-of-service).
Generally, risk is defined as the combined probability of an unwanted event and its level of impact. It is described as a function of the probability that a given source of threat exerts a potential vulnerability and the consequent impact of this adverse event on the organization [5]. Cybersecurity risk, also known as information technology risk, is the new management challenge of the third millennium; it affects the information and technology assets of organizations. On one hand, cybersecurity risk is defined in [6] as "operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems". In particular, a cybersecurity threat is a potential attack that exploits a vulnerability of the system to cause damage, whilst a threat scenario is a flow of events or attacks containing interactions between a malicious actor and a system to cause damage. On the other hand, privacy risk assessment as indicated in [7] aims to "analyze and quantify the privacy risks associated with new systems". Accordingly, considerable research has been devoted to eliciting and analyzing cybersecurity and privacy risk assessment [6][7][8][9][10]. However, the applicability of these approaches in the context of cybersecurity and privacy risk assessment modeling for POC systems in healthcare ecosystems shows limitations with respect to (i) their support for explicitly specifying various types of cybersecurity threats, (ii) the definition of threat scenarios and (iii) the specification of mitigation and preventing actions (e.g., cyber hygiene) for these threats.
Moreover, the above risks have to be properly communicated and accounted in the overall operational structure of organizations. For instance, in business, financial value may be acceptable as the ultimate unit, which is used to quantify direct cost-even reputation and human lives. However, certainly the healthcare sector does not only operate on a competitive or financial basis, and may prefer units that more closely relate to the concept of privacy risk. Therefore, to assess the cybersecurity requirements of POC systems, it is necessary to take into consideration the characteristics of the specific service being developed and of the device types on which the service is going to be deployed.
Accordingly, use cases are one of the most common means adopted by software engineers and end-users to elicit requirements because they ease the communication between stakeholders to assess specific requirements [11]. Additionally, to achieve widespread applicability, the need for integrating cybersecurity and privacy requirements with use case modeling warrants the development of reusable templates in different applications, and in particular for healthcare applications. Systematic approaches to eliciting cybersecurity requirements based on use cases, with emphasis on description and methods guidelines have been proposed [12]. However, existing approaches lack reusable templates for misuse cases, as opposed to only well behaving use cases [12][13][14][15]. However, with slight modifications, use cases can aid the integration of misuse case scenarios, with functional and non-functional requirements, when considering cybersecurity and privacy risk [16].
In the direction to remediate the limitations described above, we propose a use case approach, including misuse cases, in the framework of a real-based healthcare IT infrastructure for POC cybersecurity and privacy risk assessment. In particular, the objectives of this work are to (i) detail a use case that sustains the specifications of cybersecurity and privacy requirements, (ii) address the above challenges by including the modelling based on risk management capability model (RMCM), and (iii) produce an approach tailored to accounting POC in healthcare ecosystems. In this regard, the paper is organized as follows. Section 2 introduces the context of our use case approach and proposed scenarios, compared to the state-of-the-art, to provide the motivations behind POC systems in healthcare. Sections 3 and 4 describe the technical developments, proposed pilot plan and risk assessment capability for POC use cases in healthcare environments, respectively. This is followed by Section 5, which discusses the results connected with the outcomes in several dimensions of cybersecurity and privacy risks. Finally, Section 6 summarizes the work, provides conclusions, and proposes future research.

Proposed Use Case Overview
The work presented in this article has been develop as part of a European Union (EU) project Secure and Private Health Data Exchange (CUREX) [17][18][19], which is developing a software platform aimed at delivering trust-enhancing, secure, and private-by-design systems and applications for the healthcare domain. In general, CUREX delivers specific cybersecurity and privacy risk solutions based on the following set of measurable objectives: (i) to deliver tools for assessing cybersecurity and privacy risks associated with health data exchange, (ii) to deliver a decision support tool for devising optimal cybersecurity and privacy safeguards, (iii) to deliver a Blockchain-based platform for enhancing trust in health data exchange, (iv) to enhance cyber hygiene in healthcare organizations, (v) to demonstrate the value of the CUREX platform through proof-of-concept use cases, and (vi) to conduct techno-economic, market and legal analysis and propose business and application models. In order to accomplish these objectives, the project brings academic institutions, healthcare end-users and software development companies together in a consortium to enhance the pool of available resources with partners and competitors to leverage technology development with high impact. Therefore, in conjunction with optimal recommended safeguards, CUREX delivers targeted measures for raising the cyber hygiene of healthcare organizations through the recommendation of strategies and methodologies for training and raising awareness activities, targeted towards healthcare employees (administration, medical, and IT personnel) on cybersecurity and privacy risks incurred during data exchange [20]. Training will involve the development of cybersecurity defending skills, e.g., empowering social engineering defenses [21]. In this way, healthcare employees will feel more confident in handling and exchanging sensitive data and improve their capabilities to perform their daily professional tasks effectively and in a secure fashion.
Particularly, as elucidated in the previous section, we will center this work in the development of a use case (also with misuse case extensions) to assess the cybersecurity and privacy risks in POC systems, together with remediation actions based on cyber hygiene recommendations, for different target groups of healthcare professionals at Fundació Privada Hospital Asil de Granollers (FPHAG) hospital. Contextualizing, FPHAG is a health and healthcare provider center of the public integral health system of Catalonia (SISCAT) of the Catalan health system, shown in Figure 1a. The hospital provides healthcare assistance both for acute and non-acute patients and it is the reference hospital of the territories comprising the area known as Vallès Oriental (Barcelona), covering a population of around 400,000 people and with a total number of 340 beds.
In the described context, considering data from August 2019, FPHAG's information network infrastructure was subject to more than 6000 different malware and intrusion attacks during a period of a year. Malware attack incidents were classified as: 205 viruses, 500 spywares, 189 adware and 2490 botnet attacks. Where these intrusion attack incidents' risk levels were classified as: 19 critical, 8 severe, 1876 average and 718 as low intensity level; and all the attacks were blocked or handled by the firewall. The latter statistics, all with positive outcome, are of relevance and point that correct infrastructure protection and IT-best-practices are in place at FPHAG. Nevertheless, still these are external attacks (blocked by the firewall), while instead internal attacks are very valuable to assess in a use case approach. First, because they are less frequent, and secondly because they can produce a catastrophic outcome. Therefore, a complete independent infrastructure similar to the real IT infrastructure of the hospital has been designed and develop at FPHAG, to work with these potential attacks in a use case approach, to assess requirements for testing and improving the CUREX platform solution, as shown in Figure 1b. Accordingly, the develop experimental IT infrastructure is composed of (i) a health information system (HIS) framework, containing file systems, a database and an image server; (ii) web integration server and services; and (iii) three different groups of POC systems: files of clinical history stored in the HIS as pdf, doc and structured data files; a patient smartphone app; and medical devices consisting of an electrocardiogram (EC), a ultrasound machine (US) and a CT-scan modality simulator (emulated medical device). All the personal and health data generated and stored with the different components is simulated, hence no real data from patients has been used. With the above-described points, the scope of the proposed use case in this work assumes the situation that "the hospital IT department has raised concerns about the cybersecurity issues that may emerge from the operation and the communication of the clinical data handled with POC systems. Indeed, since the data contains highly sensitive personal information, it must be ensured that the hospitals' information systems are properly maintained, and any vulnerabilities are identified and timely patched. In addition, since the hospital has the technical capability of generating data reports and exchanging them with third parties, the platform must ensure that proper cybersecurity and privacy safeguards are in place in order to protect the integrity of the data and most importantlypatient safety. Consequently, the hospital decides to adopt the CUREX platform in order to address these issues immediately. In conjunction with optimal recommended safeguards, CUREX delivers targeted measures for raising the cyber hygiene of healthcare organizations through the recommendation of strategies and methodologies for training and raising awareness activities, targeted towards healthcare employees (administration, medical, and IT personnel) on cybersecurity and privacy risks incurred during data exchange. Training involves the development of cybersecurity defending skills, e.g., empowering social engineering defenses. In this way, healthcare employees will feel more confident in handling and exchanging sensitive data and improve their capabilities to perform their daily professional tasks effectively and in a secure fashion." Generally, the use case approach scope presented in this work is always with respect POC systems cybersecurity and privacy management that help hospitals and care centers mitigate these risks, which becomes even more crucial when POCs' data needs to be exchanged within the different services of the hospital. Therefore, the use case does not explore the contents of the HIS system, but it manages the concepts of cybersecurity and privacy risk assessment. Together with trust, which is achieved with a shareable, verifiable, unmodifiable log in the blockchain; and cyber hygiene, which are the set of strategies and associated measures in the form of human-centric controls for raising cybersecurity and data privacy awareness of different employee groups in healthcare organizations. For this aim, three validation scenarios in the use case approach have been planned for assessing different cybersecurity and privacy situations of interest, and described in the following subsection.

Use Case Validation Scenarios
In this work three scenarios are defined as in [12] for the presented use case (and also accounting for misuse cases): "network configuration" where the use case scenario is not threatened by cybersecurity nor privacy risks, in order to perform an assessment in a normal operation of the use case; "outpatient appointment check" where the misuse case scenario is threatened by a denial-of-service attack, that prevents legitimate users from accessing internet services, including patient access to outpatient information; and "visualization of clinical information" where the misuse case scenario proposes and inside URL attack to retrieve clinical information, causing also a privacy risk. These three scenarios presented, focused on POC systems and dealing with cybersecurity and privacy risks in a healthcare, are depicted in Figure 2, and described below.
• Scenario 1: network configuration (POC) In this scenario, no cybersecurity attack nor information privacy leakage is simulated, but still new configurations to the IT infrastructure are simulated. In particular, it is simulated that the IT department has been requested to re-arrange IT infrastructure of the hospital, including medical devices, due to a health crisis situation, as occurred in 2020 due to the COVID-19 pandemic. For such a request, the IP/MAC address links of the medical devices pointing the servers are modified. In this situation, CUREX platform detects that the IP/MAC address links have been modified but no cybersecurity nor privacy risk has occurred. Therefore, the overall combined cybersecurity and privacy risk score obtained through the CUREX platform should be low.

•
Scenario 2: outpatient appointment check (smartphone app) In this scenario, a distributed denial-of-service (DDOS) attack is simulated which is considered as high risk for cybersecurity and low risk for privacy. A participant is registered as a new simulated patient to access the simulated patient's information through the test smartphone app, but a DDOS attack happens resulting with the smartphone app functionality breaking down. Therefore, the participant is not able to access to the information due to an out-of-service notice. In this situation, the CUREX platform has to provide a high score for cybersecurity risk, while a low privacy risk score, which both values combined results with the overall value of medium risk score reported by CUREX.

• Scenario 3: visualization of clinical information (HIS)
In this scenario, a URL hacking cybersecurity attack with leakage of privacy information is simulated. The simulated scenario is that a participant, simulating to be a medical doctor, wants to have access to a medical image and to a report of a simulated patient, but intentionally accesses another patient's data instead of the originally planned patient's data. Therefore, the simulated cybersecurity attack causes also a privacy leakage of information, implying that both the cybersecurity and privacy information risks scores of CUREX platform should be high. In particular, it is of high interest to at least pilot with Scenario 1 and either Scenario 2 or Scenario 3. Scenario 1 does not involve a cybersecurity attack but allows CUREX toolkit to compute the cybersecurity and privacy risk when no attacks are detected. For Scenario 1, results should provide low risks to the organization and therefore, they can continue sharing the data being requested. While the rationale behind Scenarios 2 and 3 involves simulating a cybersecurity attack and/or privacy leakage. The latter allows to assess the CUREX platform in terms of how scores change and analyze the quality of the suggested mitigation measures.

Develop Technical Infrastructure and CUREX Tools
The technical developments for the use case proposed is a recreation of part of the IT infrastructure of the hospital, also representative of many healthcare centers, in a pre-production environment. It is relevant that it is a parallel develop infrastructure since it is not possible to apply cybersecurity and privacy attacks and threats in a real infrastructure with real patient data and in-use equipment. Here resides one of the main points to apply use case approaches. In particular, as shown in Figure 3, the use case environment is firewall-disconnected, in any means of access, from the main infrastructure of the hospital. Therefore, the entire piloting environment is simulated but at the same time is highly representative of a real infrastructure. In particular, in Figure 3a, it is depicted the different entities composing the IT infrastructure develop together with elucidating its logical connections to the different components. Moreover, Figure 3b shows the logical arrangement of virtual local area networks (VLANs) that consistently sectorize the different entities through the firewall hardware device. Consisting of three VLANs: (i) for users to operate the workstations, (ii) for the POC medical devices, and (iii) the different servers and client applications to support the available services. Furthermore, the smartphone is connected to the use case environment through regular Wi-Fi or other internet access routes, but through a specific dedicated parallel connection channel to avoid any interference to the real infrastructure. In the created environment for the use case, the workstations or PCs run under Windows 10 operating system. The servers are placed in VMware machines and the medical devices have different versions of Windows, (e.g., Windows 7 and 10) and Linux distribution operating systems. The smartphone application to be assessed in the use case runs on a smartphone (android v9). Furthermore, several servers exist to have available integration engines, HIS, image server, and service integrators. In detail in Table 1, the following entities take part of the develop infrastructure.
Furthermore, the dedicated hardware for the use case is 8 vCPU and 48 GB RAM (servers and services installed in the infrastructure do not modify the indicated capacity values because they are accounted for aside of these values). The infrastructure is sized for 10 concurrent virtual private network (VPN) connections to allow different technical tool owners access to the use case infrastructure. Finally, different specific versions of operating systems are considered for the servers, working stations, virtual stations, smartphones, medical devices and emulators (Windows 7, Windows 10, Linux, etc.). Principally, the HIS is a replica of the original HIS (implemented with the collaboration of the normal provider of the HIS maintenance and development works) but with all information cleared and only simulated images, reports and information have been included, generated by the IT department. The networks details of the use case infrastructure are detailed in Table 2. Notice that all IPs and ports' information is safe in terms of cybersecurity and information privacy because they are not used and isolated from the real hospital's infrastructure. Moreover, the operating systems of the workstations and PCs are selectable between Windows 7 and Windows 10, which are commonly used operating systems among health providers. Windows XP is no longer in use at the hospital facilities.
Lastly, in Table 3 is described the different information that has been created or generated considering the different POC systems in the IT infrastructure, together with the technical addressable information from the smartphone application. When the smartphone is connected to the infrastructure: the connection is via Wi-Fi (or other internet access proxies). It is relevant to monitor the app server, and less relevant the app terminal itself. The app server is configured to support a test app. The app server is a regular server, but also configured for the test app for the use case. The app server provides simulated data to the SAVAC_CUREX (HIS).
In particular, Medical Devices 1 and 2 are not updated for clinical practice, but they operate correctly and are valid for the demonstrations. The emulated Medical Device 1 is based on protocol DICOM (Digital Imaging and Communication in Medicine) and it is an image viewer for biomedical imaging that was developed by the Biomedical Digital Imaging Center of UDIAT-CD S.A [22]. This emulator was developed with Java technology and can therefore be used in almost any computer and graphic operative system. Finally, the different available information from the POC systems allows to assess the cybersecurity and privacy risk at different levels in the develop use case infrastructure, which as described below, will be captured, processed and analyzed by the different CUREX platform technical tools.

CUREX Platform Solution
The CUREX solution analyzes information coming from the monitoring infrastructure to compute cybersecurity and privacy risk scores associated to the data exchange in a health domain. CUREX has five discrete areas: (i) asset and vulnerability discovery, whose goal is to discover the system's assets and any information related to their associated vulnerabilities; (ii) threat intelligence, aiming at detecting real time abnormal behaviors on users, and devices, as well as anomalies in the data in order to identify new and unknown threats; (iii) risk management, aiming at producing risk scores and optimal safeguards towards a cyber-strategy of the healthcare organization; (iv) trust enhancing, which will make use of a decentralized platform based on blockchain technology to store and share private and sensitive data, as described in [17,18]. Particularly, the interactions between the different tools of CUREX are depicted in Figure 4. An example considering Scenario 3, defined in Section 2, CUREX platform's enumerated actions are defined in the following ordered list below, once the CUREX solution has been deployed in the infrastructure: 1.
ADT scans the infrastructure and identifies the entities and resources that have direct connection with the HIS [18]. A list of assets (including IP addresses, open ports, services and/or operating systems running in each asset) is generated by the ADT and shared accordingly with other CUREX tools. It is worth noting that for this particular scenario, the ADT has discovered that some workstations are running outdated versions of the operating system (OS).

2.
Upon reception of the asset list, VDM performs a vulnerability scanning, using as input the list of IP addresses discovered by the ADT. As a result, VDM generates a report containing a list of security vulnerabilities associated to all the hospital's resources (assets) detected in the network's hospital infrastructure [23]. In particular, the VDM report contains a list of critical exploitable vulnerabilities against the outdated OS, and it is initially shared with KEA for further analysis.

3.
Upon reception of the vulnerability report, KEA performs a machine learning analysis using the log events generated in the infrastructure in order to detect new threat patterns that could potentially harm the system [24]. New threat patterns are added to the VDM, which enriches the vulnerability report to be shared with other CUREX tools. 4.
TIE receives the enriched vulnerability report by the VDM and in parallel, receives logs from events originated in the end-user's infrastructure. In particular, TIE employs anomaly detection and analytics to detect intrusion and malicious activities using a variety of tools and techniques. As a result, TIE is able to generate correlated alarms indicating potential threat incidents detected in the monitored infrastructure. The generated alarms are then shared with other CUREX tools for further processing and analysis. In this example, a URL-attack is detected against one of the resources, which can potentially give uncontemplated access to the HIS database. The generated alarms are then shared with other CUREX tools for further processing and analysis. 5.
CAT receives a list of vulnerabilities from the VDM, and a list of events and alarms from TIE, which along with the risk pattern models and configuration configured by the infrastructure IT managers, provides the required input to perform a cybersecurity analysis. As a result, global and individual scores are generated, making it possible to identify critical events to assign priorities for their treatment. For each score, a set of mitigation measures is proposed by CAT. The generated CAT scores are stored in the PrB, and the list of mitigation measures is shared with OST [20] for its analysis and optimization. Regarded the considered example, one of the provided mitigations provided in the generated list and selected by the IT user could be "map inputs values to actual filenames/URLs, etc., and reject all other inputs", which is highly efficient and with medium associated cost of implementation. 6.
In parallel, PAT also receives the vulnerability report from VDM and performs a privacy risk assessment of the organization and the platform by evaluating GDPR compliance [25]. Similar to CAT, a set of mitigation measures is proposed by PAT [26]. The generated PAT scores are stored in the PrB, and the list of mitigation measures is shared with OST for its analysis and optimization. 7.
OST receives in real time the CAT and PAT mitigation measures and performs an optimal safeguard analysis based on values of costs and efficacy provided by the end-user. As a result, the OST displays in its dashboard the list of mitigation measures ranked by priority. This output is also stored in the PrB. 8.
PrB receives on the one hand the CAT and PAT scores, and on the other hand, the mitigation measures from OST. CAT and PAT qualitative scores are merged, and a unified risk score is generated. 9.
After the optimal mitigation measures are applied to the systems and their infrastructure by the IT end-user, a new scan from the ADT will be performed and the process restart from Step 1 to finally end with the CAT and/or PAT results that will decrease accordingly during the new risk assessment.
For all three scenarios, defined in the previous section, CUREX should provide cyber hygiene recommendations and procedures to improve the capabilities and training of participants with respect to cybersecurity and privacy risks.

Pilot Plan and Validation Test Steps
The proposed use case allows testing and evaluating cybersecurity and privacy risks, as well as for the CUREX platform potential impact on data exchange in healthcare services, focused on modelling and analyzing POC systems. First, a pilot plan has been defined in Table 4, in order to define the overall specificities involved with the use case. Notice that the defined pilot plan can be used as the base model to define other use cases in the current context as well as in other use case models. Table 4. Use case pilot plan definition.

Involved Partners
The use case pilot is executed involving participants at the hospital facilities. It is convenient for the execution of the pilot because the participants will use computers enabled to run the steps of the defined validations on the develop infrastructure. Furthermore, the preamble presentations and interview/focus groups are hosted as well at the piloting premises with the involvement of the participants and use case managers.

Participants
IT staff. It is the group composed of professionals belonging to the IT department of the hospital. They have experience with the technical aspects of the HIS, medical devices and cybersecurity. Assistance staff. It is the group composed of medical doctors and nurses, who may belong to different medical specialties. These professionals have knowledge and experience in consulting clinical information in the HIS. Administrative outpatient staff. It is the group composed of professionals belonging to the hospital outpatient administrative staff. These professionals have knowledge and regularly plan the appointments for the patients of the hospital.

Short Description
The hospital IT department has raised concerns about the cybersecurity issues that may emerge from the operation and the communication of the clinical data. Indeed, since the data contains highly sensitive personal information, it must be ensured that the hospitals' information systems are properly maintained, and any vulnerabilities are identified and timely patched. In addition, since the hospital has the technical capability of generating data reports and exchanging them with third parties, the platform must ensure that proper cybersecurity and privacy safeguards are in place in order to protect the integrity of the data and-most importantly-the patient safety. Consequently, the hospital decides to adopt the CUREX platform in order to address these issues immediately.
In conjunction with optimal recommended safeguards, CUREX will deliver targeted measures for raising the cyber hygiene of healthcare organizations through the recommendation of strategies and methodologies for training and raising awareness activities, targeted towards healthcare employees (administration, medical, and IT personnel) on cybersecurity and privacy risks incurred during data exchange. Training will involve the development of cybersecurity defending skills, e.g., empowering social engineering de-fences. In this way, healthcare employees will feel more confident in handling and ex-changing sensitive data and improve their capabilities to perform their daily professional tasks effectively and in a secure fashion.

Timeline
The pilot execution will consist of two phases, following the Agile Flow Review methodology, in order to provide feedback to the tool owners and means of validation. Enough participants are involved in the pilots to collect sufficient result in order to generate relevant outcomes. Therefore, more than one session with different participants is executed. In general, each session will last 4 h, consisting of the preamble presentation, running the relevant scenarios of the pilot and conducting the interviews/focus group. Given that three working stations are available in the mounted infrastructure, each session can consist of six participants covering the three different types described above. Around four sessions in the timeframe of the first phase of the pilot can be executed. Depending on the outcome of the first stage of the pilot, the second phase of the pilot can be arranged as explained before, or adjustments of the planning can be arranged.

Preconditions
The CUREX framework has modelled, monitored and assessed the HIS infrastructure. As a result, the CUREX framework is able to provide assessment scores and give a proper set of cybersecurity and privacy recommendations to the hospital in the form of reports and manuals dictating possible best practices to correct issues identified in the infrastructure. Furthermore, the involved CUREX tools have been properly configured.
Preamble A preamble PowerPoint presentation will be given and explained to each participant for them to better understand the use case and CUREX solution in general.
Furthermore, following the use case diagram defined in Section 2, the different validation actions of the three different scenarios have been detailed step-by-step in Table 5. Generally, the three scenarios have a common "start point" step. In this so-called STEP 0, the system is analyzed by CUREX tools providing some recommendations about cybersecurity and privacy risks. Once they are implemented, it is continued with each on-demand scenario. Lastly, the execution of the different scenarios provides cyber hygiene recommendations. Table 5. Use case scenarios validation steps-by-step plan description.

Step # Description of Tasks
Step to Execute Expected Results Confirmation of the proper operation of the medical devices and emulator Table 5. Cont.

Step # Description of Tasks
Step to Execute Expected Results Credential pass-through to CITRIX that will present the icons of those applications that the user has configured Table 5. Cont.

Step # Description of Tasks
Step to Execute Expected Results Particularly, each scenario is composed of a limited number of steps in an ordered sequence (Column 1), with clear indications of the performed action (Column 2), description of the step to perform (Column 3) and the outcome, which might be linked to a specific requirement assessment, produced by each step (Column 4). Hence, the step-by-step validation test plan described above provides sufficient information for the different participants to execute the actions required for each scenario of the use case. However, also the test plan also allows the use case session managers to monitor the execution of the scenario as well as to annotate any relevant information to be further analyzed afterwards. In this way, the use case specific test plans serve as case report forms for each scenario, as described in the following section.

Discussion on Risk Assessment Capability
There are numerous use case approaches in the literature to model cybersecurity and privacy requirements [27]: multilateral, unified modeling language (UML)-based, goaloriented, problem frame-based, risk/threat analysis-based, and common criteria-based approaches. In particular, the use case approach proposed in this work is based on misuse cases extending UML diagrams and relies on a form of risk/threat analysis to capture various cybersecurity and privacy risks, to elicit threat scenarios in a structured form. Furthermore, it provides mitigation recommendations relaying on CUREX solution, or accordingly, directions given by other cybersecurity and information privacy risk assessment solutions. Therefore, the dimension of assessment capability attained in the proposed use case is large, where a list of contemplated requirements allowed to be assessed are shown in Table 6. Table 6. List of contemplated assessable cybersecurity and privacy requirements.

Cybersecurity and Privacy Requirements Priority/Domain Description
Securing integrity information regarding risk assessment and interactions with the infrastructure Mandatory/Cybersecurity The complete monitoring and assessment flow must be reflected in the private blockchain contents providing support for the fact that end components can connect and disconnect without prior notice.
Check credentials match from previous steps Optional/Cybersecurity Credentials must be passed between steps, from the medical staff, which informs them on the system, to the SAVAC system. Each step must get and pass the credentials through the next step. The CUREX system should monitor, as an important part of its risk assessment phase whether these holds. The requirements listed in Table 6 are not particular to the CUREX solution but general to other cybersecurity and information privacy risk assessment solutions, contemplating both functional and non-functional requirements, and they can be enlarged following bestpractice guidelines, privacy-by-design methodologies and IT standards [28]. Furthermore, the described requirements in Table 6 encompass some mandatory as well as optional requirements, regarding cybersecurity and privacy risks. Mandatory level is considered when the requirement is a must, without which the described functionality cannot be provided. However, optional level is assigned when the requirement is only recommended to have an appropriate performance of the tool/service. The assigned level of mandatory requirements has been qualitatively weighted and agreed between different stakeholders (software developers, healthcare providers, and researchers) within the CUREX consortium. Where the qualitative weighting has been assigned by mapping the requirements' urgency by the end-users to the performance goals elicited by the technical development of the specific CUREX tools. Moreover, the requirements' considerations detailed in our use case, in some part, are highly valid since they are also considered in other information risk analysis works as [4,[29][30][31][32]. Hence, the methodology followed can be applied to other use cases and risk assessment solutions [33,34].
Regarding the employed assessment scoring tools, it is first described the automated cybersecurity and information privacy risks solution proposed for the use case using CUREX platform, but also other assessment procedures will be discussed. In particular, in the proposed use case, the cybersecurity assessment is based in employing state-of-the-art machine-learning algorithms and technologies combined into an automated solution for hospitals and health care centers to understand inherent risks that emerge from exchanging health data and drive the decisions towards successfully mitigating the risks [23]. However, the information privacy risks are assessed based on the OLISTIC Enterprise risk management suites (ERMS) [26]. Where, finally, to calculate the overall impact to all data assets of the healthcare organization it integrates NIST's guide for security risk assessment [35]. Nevertheless, other cybersecurity and information privacy risk assessment approaches are available such as the common vulnerability scoring system (CVSS) [36,37]. In particular, CVSS assigns severity scores (based on a formula that depends on several metrics that approximate ease of exploit and the impact) to vulnerabilities, allowing the prioritization of actions and resources according to the threats.
In this direction, in the detailed step-by-step use case's scenarios of Section 4, each requirement to be assessed is introduced at a specific position of the steps to be performed by the participants. This helps tracing the requirements along the validation test plan to ensure that the full scope of the requirements is assessed. Moreover, following an hybrid Agile-predictive methodology [38], the use case manager can decide to add or delete requirements to be assessed in the different scenarios. In addition, in this way, participants can provide specific feedback during the demonstration, validations and evaluation of the use case through questionnaires, focus groups and interviews. Nevertheless, the planning of the experimental protocols involves the consideration of ethical [28], legal aspects [25], data usage and data processing [39], testing recruitment and informed consent, as well as the impact of each use case and the roadmap [40]. Hence, a first validation round can be conducted to gather the participant's results and reports to provide feedback for improving or updating the requirements in order to improve the functionality of the tools and platform solution, according to the end-user needs, beliefs and requirements.
Importantly, usability feedback depends heavily on the subjective perceptions and the prioritization of needs of each user [41]. Therefore, it is appropriately to carry out the use case with the sufficient number of participants to co-create and to ground solutions that fit the final users. This is because healthcare IT decision-makers will not adopt an IT-health related technology if it does not fulfil their current levels of need, such as security and safety, no matter how simple to use, innovative, affordable or powerful the technology is [42].
Furthermore, the use case proposed also places emphasis on improving cyber hygiene through the recommendation of strategies and methodologies for training and raising awareness activities for a healthcare institution's personnel. Its validation focuses on the highly challenging condition of POC systems; spanning medical devices, big data clinical history and smartphones (and can potentially assess other Internet-of-things devices) through the three appropriately selected use case's scenarios. Furthermore, the focus of the described scenarios has been placed on insider threats, hence easily our use case approach allows to develop new scenarios with other very relevant threats to healthcare, as ransomware attacks, which has proven to have had a high occurrence and a large impact in the past. In particular, one could think of a scenario where the data stored in the HIS system is encrypted (e.g., by the WannaCry ransomware attack) using medical devices with legacy operating systems as entry points triggered by a participant's misstep (which could be mounted combining Scenarios 1 and 3). Lastly, the proposed use case could be extended with security scenarios (mitigation measures) together with derivation of business continuity considerations and cost-effectiveness of the mitigation measurements.

Conclusions
This work describes a particular use case to assess cybersecurity and privacy risks for POC systems, but it can be readily generalized to other common related risk situations in healthcare. In particular, the proposed use case has been focused on allowing to experiment with the cybersecurity and privacy risk assessment for POC systems in a relevant healthcare IT infrastructure. Hence, the work presented is ambitious not only concerning the considerations regarding IT solution architectures, but also in different domains and number of requirements that are included in the use case to be assessed. Moreover, the particular use case considerations regarding the CUREX platform can be generalized to other solution platforms and use cases, following the indications provided in the discussion section.
Furthermore, it has been argued that developing a use case approach is crucial to improve the user experience and increase user adoption. In this regard, the designed and develop IT infrastructure contain a HIS system, actual servers, POC systems and portable devices (e.g., smartphone). Such a development is the base to allow running different oriented scenarios for the participation of different stakeholders and end-users. Particularizing the configurations to conduct threat scenarios (misuse cases), as well as the regular functionality scenarios.
Moreover, the three develop specific use case scenarios, for cybersecurity and privacy risk assessment, have relevant differences on the outcomes in several dimensions as well as in the adversary profiles. Furthermore, an extra scenario regarding highly recurrent and impactful ransomware attacks has been raised at the end of the discussion section. Although the ransomware attack has not been fully developed, the described use case approach in this work holds promise as highly moldable tool to assess the cybersecurity and privacy risk of other threats of interest. Finally, we have also contemplated and included in the different scenarios the demonstration steps for a cybersecurity and privacy trustenhancing platform in development (CUREX), which is part of an international research and innovation effort lead by academics, companies and healthcare providers.
In addition, cybersecurity and privacy protection are expanding with more laws and regulations expected to be issued in the coming years. Therefore, it is important for healthcare providers to continue monitoring and adopting successful developments, demonstrated in validated use cases, complying with the prescribed security and privacy protection requirements, and be aware of the applicable risks and exposures; especially for POC systems in IT health infrastructures. Thus, despite the increasing levels of government attention on information technology risks in healthcare and increased funding, we still need to define critical use cases, as the one proposed in this work, that can deliver the biggest impact in healthcare through cybersecurity and privacy risk assessments, to ensure the highest quality for what is actually being delivered on the ground or showing promise in terms of developments in the pipeline.

Conflicts of Interest:
The authors declare no conflict of interest.