Healthcare
Cyber Resilience
Risk Management

ASL Roma 1 HyperSOC Approach Secures Patient Safety, Operational Efficiency

Stefano Scaramuzzino
Fabio Battelli
Dec 2, 2024

This is Part 2 of a two-part series written by Stefano Scaramuzzino of ASL Roma 1, Italy’s largest local health authority, and Fabio Battelli of Deloitte. Part 2 covers how advanced technologies inform ASL Roma 1’s predictive cybersecurity initiatives. Read Part 1 here.

In Part 1 of this series, we wrote about the cybersecurity and compliance landscape facing ASL Roma 1, Italy’s largest local health authority, and how those challenges require the use of cutting-edge technologies and real-time availability of diverse data and information. Here in Part 2, we will cover ASL Roma 1’s HyperSOC implementation.

ASL Roma 1's project aims to increase the level of security of the healthcare organization’s infrastructure through the implementation of an advanced SOC (security operation center) called "HyperSOC." It allows ASL Roma 1 to convert its cybersecurity approach from reactive to proactive, ensuring effective management of cyber threats. The adoption of this safeguard has led to a significant reduction in security incidents, despite the growing number of attacks at national and European level, because of the continuous monitoring of the attack surface of the infrastructure, which guarantees a higher level of security than other peers in the sector. 

In fact, the implementation of HyperSOC defines a new level of visibility into the ecosystem and a new standard of protection: the attack surface is continuously monitored and the data are analyzed in real time, offering unprecedented control capabilities and the development of distinctive predictive analyses.

Because of the integration of a data lake, data is centralized and structured to be used by advanced analytics tools and predictive models, improving the HDO’s ability to correlate demographic, clinical, and operational information. This is made possible by the information collected through different security solutions, whose data and logs are integrated within a single platform that allows their processing and rationalization. Taking up the Gartner study referenced in Part 1, therefore, HyperSOC makes it possible to strengthen the ability to collect and analyze data.

Additionally, ASL Roma 1 has implemented artificial intelligence and machine learning models that allow data to be transformed into operational and clinical knowledge in real time, improving the efficiency of the healthcare facility, the level of patient safety, and the quality of healthcare services provided to patients.

In particular, AI and ML allow predictive analysis to be carried out in various areas. You can train algorithms on historical incident data to identify patterns and then predict potential malicious actions. The models may also suggest changes to security policies and actions aimed at preventing attacks, in order to detect and manage security events, as well as optimize their deployment and maintenance, thereby reducing downtime and containing costs and predicting when they will be most needed. Finally, with regard to decision-making support, the integration and analysis of aggregated, clinical and demographic data within the data lake, in combination with AI and ML technologies, makes it possible to develop advanced predictive scenarios.

The project at ASL Roma 1 has made it possible to develop a dashboard of key performance indicators (KPIs) aimed at providing an overview from a cybersecurity and operational efficiency perspective. In particular, the dashboard is a visual tool useful for real-time monitoring of both cybersecurity events and the use of electromedical devices through statistics, metrics and indicators. This makes it possible to identify areas for improvement, monitor progress towards specific cybersecurity objectives and make the use of medical devices more efficient.

ASL Roma 1’s strategy followed these steps:

  1. Defining the parameters and KPIs to be introduced into the dashboard, with the aim of making it compliant with current regulations and sector best practices;

  2. Defining the methods of displaying the data so that the different parties involved can use it easily;

  3. Defining and implementing a platform that allows the visualization of real-time information, with different degrees of granularity for different users;

  4. Configuring the solution according to the strategic-operational needs of ASL Roma 1 and to the models and software used in the various electromedical devices and endpoints.

The approach used made it possible to strengthen the security of critical infrastructure and healthcare devices, facilitating a rapid response to threats. This initiative has not only strengthened defenses against cyberattacks, but has also created a replicable model for all healthcare companies, helping to define a more coordinated and strategic approach in the management of cybersecurity in the healthcare sector. The transformation of ASL Roma 1 is, therefore, an example of the evolution of cybersecurity in the healthcare sector that aims at a proactive and predictive approach. 

In the future, ASL Roma 1 intends to integrate additional artificial intelligence and machine learning solutions to the currently configured model in order to enhance it. This integration is possible through careful algorithm selection, appropriate model training, and the implementation of trained models in the HyperSOC workflow so that they can analyze data in real time and generate appropriate responses or alerts. 

HyperSOC’s Data Sources, Security-Operational Outputs

HyperSOC integrates data and logs from different sources into a unified collector. These inputs come from:

  • A platform useful for asset management and protection that allows you to obtain information on the devices connected to the hospital network. The solution collects information on connected assets through a passive monitoring system, i.e. observing network traffic without interfering with the operation of the devices. This non-invasive approach is essential in particularly sensitive environments such as healthcare facilities where it is essential to ensure the operational continuity of medical equipment without interfering with its use.

  • Additional security solutions deployed to protect the ecosystem, which make it possible, among other things, to:

    • Monitor and log incoming and outgoing network traffic, identifying unauthorized access attempts and blocking threats; 

    • Collect data on web requests and monitor interactions with web applications; 

    • Collect information from assets in the perimeter and on user behavior; 

    • Centralize and aggregate security data, logs, and events from all integrated sources, correlating them with all available data. 

From the HyperSOC perspective, the centralization of data from different sources allows for a global and integrated view of operational efficiency and security status, making device management more efficient and improving the authority's ability to prevent, detect and respond quickly to cyber threats.

In order to rationalize the information collected and make it clearly usable by the different stakeholders, two KPIs have been defined:

  • Cybersecurity: which allows you to track information relating to the cybersecurity posture of the healthcare ecosystem;

  • Operational Efficiency: which allows you to monitor the operational efficiency of electromedical devices.

Therefore, the data that feeds the platform (the inputs) is processed and organized on the basis of the performance indicators described. This allows the creation of dashboards that represent the output, i.e., a synthetic and rationalized view of the information.

The type of view varies based on the role you hold, ensuring that you have access to information relevant to your responsibilities and expertise. For management roles, it is essential to have an aggregated and synthetic view through high-level KPIs. These indicators provide an overall overview of the security state and operational performance, allowing you to monitor the overall trend and make informed strategic decisions. The analysis of operational and demographic data provides management with strategic information to optimize resource management, facilitating resource allocation according to expected needs and improving the overall efficiency of healthcare facilities.

For illustrative purposes, some of the dashboards, currently simulated with fictitious data, are shown below.

HyperSOC's executive-style dashboard.

For operational users, such as engineers and analysts, a greater level of granularity can be achieved to meet the need for more detailed and specific information. These operational-level KPIs provide in-depth data on individual components or devices, allowing you to intervene promptly and accurately on critical aspects, such as the maintenance of medical devices or the monitoring of specific vulnerabilities. This tiered structure therefore allows for flexibility that meets visibility and control needs at both strategic and operational levels. 

Finally, differentiating the accessible information by user type (i.e., managerial stakeholders or operational staff) brings several advantages. Such personalization allows management to make strategic decisions and allocate resources in an informed way. At the same time, the operational staff has the necessary level of detail in order to act promptly in the event of anomalies. This increases the level of safety and optimizes the performance of medical devices.

For illustrative purposes, some of the dashboards, currently simulated with fictitious data, are shown below.

HyperSOC's operational dashboard for asset operators and engineers.

A Repeatable Cybersecurity Model Across Healthcare

The implementation of HyperSOC represented a significant step toward improving cybersecurity and optimizing the management of medical devices at ASL Roma 1, placing it in a prominent position in the field of cybersecurity in the healthcare sector.

Among the advantages offered by the model described, the following are highlighted: 

  • The possibility of using high-level and detailed executive dashboards that allow data to be viewed at different levels of granularity. This enables each stakeholder to have the necessary information in order to make informed strategic and operational decisions, facilitating investment choices;

  • Centralization of IT security governance through the definition of performance monitoring requirements and the preparation of granular views on the IT security status of the entire IT/OT/IoT infrastructure, which makes it possible to improve cyber risk management and to respond promptly to any threats;

  • Optimization of the use of electromedical devices and management of waiting lists, while correlating demographic information of the population and the demands for health services, allowing the prediction of peaks in use and the efficiency of the distribution and use of resources within health facilities. This optimization thus allows a more efficient management of waiting lists and provides valuable information for maintenance and renewal activities of the medical devices inventory;

  • Regulatory compliance aimed at ensuring the continuity of essential services and minimizing the exposed attack surface offered by the model, ensuring ASL Roma 1 greater compliance with the relevant regulations.

This model can be replicated in other organizations in the health sector, allowing it to spread on a regional and national scale. An initiative of this type, supported by the Ministry of Health, would extend the mentioned advantages throughout the territory by significantly improving the National Health Service (NHS).

The definition of a model such as ASL Roma 1’s HyperSOC in other implementations would allow a more effective sharing of information and a coordinated and coherent response to cyber threats throughout the country. The creation of an interconnected network of cybersecurity systems would improve the overall resilience of the healthcare sector, allowing a global, clear and defined visibility of the state of cybersecurity and operational efficiency. 

In a context like this, the spread and joint evolution of advanced predictive algorithms based on artificial intelligence and machine learning would allow them to be trained on increasingly complex and diversified data, thus improving the ability to predict and manage cyber attacks and to optimize the management and maintenance of electromedical devices. 

In order to benefit from these advantages and ensure continuous improvement of safety and operational efficiency strategies, it is important to ensure that technologies are regularly updated. However, it remains of fundamental importance to invest in continuous training in order to increase the awareness and knowledge of technical/operational personnel, management and all key figures involved in decision-making and responsible for interventions in critical situations.

Stefano Scaramuzzino
Technical Manager, Cybersecurity ASL Roma 1

Stefano Scaramuzzino is the cybersecurity team leader and network and information systems manager for ASL Roma 1, Italy's largest local health authority.

Fabio Battelli
Partner, Cyber Risk Services

A partner at Deloitte Italy Cyber Risk Services, Battelli has 16 years of consulting experience with a specific focus on ICT/Cybersecurity, where he is a well-recognized trusted advisor and subject matter expert in critical infrastructure protection (CIP).
