The cybersecurity of health information systems is a complex issue that requires a systematic approach.
In this article we will analyze a proposed cybersecurity architecture for a generic Healthcare Authority. Here, Healthcare Authority means a generic healthcare organization that deals with primary care or secondary care, but also home care and community care…
The proposed architecture is designed to fit a university hospital as well as a country hospital or a local Healthcare Authority with medical outpatient clinics…
We will refer to the generic Healthcare Authority by the acronym HA.
Architecture schema

[Figure: Health Systems Cybersecurity Schema]
The roles
All users can be modeled with just three main roles:
- guests: unauthenticated users;
- professionals: authenticated users who use systems from inside and outside the HA;
- IoTs and other automated systems that need to interact with the HA.
The double role of IoT and IoMT
IoT (Internet of Things) and IoMT (Internet of Medical Things) devices also include medical devices that operate outside the HA.
For simplicity, we will map IoTs to unauthenticated users (the guest role) if they do not need access to HA systems, that is, if they do not need access to application functions. We will map IoTs to the professional role if they need access to application functions.
The cyber-security architecture
The HA infrastructure is segmented into four zones:
- the sandbox zone;
- the exposed systems zone;
- the untrusted systems zone;
- the isolated systems zone.
The sandbox zone is the only zone guests can access. It is not possible to access other zones from the sandbox zone.
Conversely, the sandbox zone can be accessed from the other zones.
In the sandbox zone there is a restricted-access area that only authenticated users can access. The data in this area are encrypted and are also accessible offline. This sandbox zone can be located on portable devices in order to make sensitive data available when the devices in use are offline.
The exposed systems zone is the area containing the hardened systems that are accessible by authenticated users, from outside or inside the HA. The systems in the exposed zone are the only way to reach the systems in the isolated zone or in the untrusted zone.
The isolated zone and the untrusted systems zone are accessible only by authenticated users who have application grants on servers of the exposed zone. Typically, the isolated zone holds the most sensitive systems and the DB resources. The isolated zone is segmented by sensitivity or level of trust.
The untrusted zone is typical of the healthcare domain and contains the medical devices and other systems that cannot be considered hardened enough to be accessed directly in the exposed zone. Typically, these systems need network protection. For the same reasons, the most sensitive systems are placed in the isolated zone.
Like the exposed zone, the untrusted zone is logically a single zone, but physically it consists of a myriad of connected network areas, each containing only a few devices or a single one.
Test systems and Maintenance activity
In an HA, maintenance is often provided by outside partners. These partners must have access to the systems they manage, but only to those. In addition, all their activities must be logged at the network level, because the HA cannot trust system logging: these partners often have administrative rights over the systems they manage.
Another important issue is the HA’s need for a test area, or “staging” area, in each zone.
The test area of each zone contains test systems or pre-production systems. The systems in the test areas cannot access production systems. The test systems in each zone have the same security restrictions and capabilities as the analogous production systems. In other words, the test area mirrors the production area but is completely separated from it.
GDPR orchestration
The HA must orchestrate the entire security architecture according to the policies and rules of the GDPR (General Data Protection Regulation, EU 2016/679). In fact, the GDPR requires the administration to define the security policies it has decided to adopt and to verify periodically that these policies are respected.
Use case
Access to inpatient data: in the morning, Doctor Alice orders an entire suite of blood exams for inpatient Bob. Later, in the afternoon, Doctor Alice is notified that Bob’s results are ready, and she accesses the results from her home.
When Alice is at work in the morning, she uses a ward mobile device to order the exams, then uses a POCT (point-of-care testing) analyzer located in the ward to analyze Bob’s blood. She takes a look at the values the analyzer gives directly, but she needs validation from the pathology department. She receives notification that a validation is ready when she is at home, in the late afternoon: an SMS saying that new pathology results are ready (no sensitive data are sent in the SMS). Alice looks at the results on her home computer.
From a security perspective several systems in different zones are involved in the process:
A) in the morning, Alice accesses the Order System that is in the Exposed Systems Zone;
B) the analyzer Alice uses is located in the Untrusted Systems Zone;
C) Bob’s exam results are collected by the Pathology System, which is located in the Exposed Systems Zone;
D) from her home, Alice accesses the Clinical Data Repository System in order to get the Pathology report; the Clinical Data Repository is in the Exposed Systems Zone. The DB of the Data Repository is in the Isolated Systems Zone.
Key points
- It doesn’t matter whether Alice is at work or at home, she uses the same systems; in other words, the systems in the exposed zone are hardened to be exposed to the internet, even if they are only used from inside the HA;
- the medical device, the POCT, is considered untrusted; by virtue of this, the network performs port filtering, web firewalling and so on. The device is isolated in the Untrusted Systems Zone and cannot be directly accessed;
- sensitive resources are isolated in the Isolated Systems Zone and cannot be directly accessed;
- Guests interact with HA safely through a Sandbox Zone.
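The zone rules from the architecture section and the flows of the use case can be written down as a small policy check (an added example, not part of the original article). `CLIENT`, `Flow`, `decide`, `audit` and the listed flows are names and sample data constructed for illustration; the restricted area inside the sandbox and the segmentation of the isolated zone by sensitivity are not modelled.

```python
from dataclasses import dataclass

# Zone names are the article's; CLIENT (assumed label) is any user device or IoT endpoint.
CLIENT, SANDBOX, EXPOSED, UNTRUSTED, ISOLATED = "client", "sandbox", "exposed", "untrusted", "isolated"

@dataclass(frozen=True)
class Flow:
    src: str                     # CLIENT or the zone the connection starts from
    dst: str                     # zone of the target system
    authenticated: bool = False
    app_grant: bool = False      # application grant held on the exposed-zone server
    src_env: str = "prod"        # "prod" or "test" (staging); ignored for CLIENT
    dst_env: str = "prod"

def decide(f):
    """Return (allowed, reason) under the zone rules described in the article."""
    if f.src != CLIENT and f.src_env != f.dst_env:
        return False, "test and production areas are completely separated"
    if f.src == SANDBOX and f.dst != SANDBOX:
        return False, "other zones cannot be reached from the sandbox zone"
    if f.dst == SANDBOX:
        return True, "sandbox zone is open to guests and to other zones"
    if f.dst == EXPOSED:
        return f.authenticated, "exposed zone admits authenticated users only"
    if f.dst in (UNTRUSTED, ISOLATED):
        if f.src != EXPOSED:
            return False, "reachable only through exposed-zone systems"
        return f.authenticated and f.app_grant, "needs authentication plus an application grant"
    return False, "unknown destination zone"

# Constructed flows for the Alice/Bob use case and the key points.
USE_CASE = {
    "A  Alice -> Order System": Flow(CLIENT, EXPOSED, authenticated=True),
    "B  Pathology System -> POCT analyzer": Flow(EXPOSED, UNTRUSTED, True, True),
    "B' ward device -> POCT analyzer, direct": Flow(CLIENT, UNTRUSTED, True, True),
    "D  Alice at home -> Clinical Data Repository": Flow(CLIENT, EXPOSED, True),
    "D  Repository -> its DB": Flow(EXPOSED, ISOLATED, True, True),
    "D' Alice at home -> DB, direct": Flow(CLIENT, ISOLATED, True, True),
    "guest -> sandbox": Flow(CLIENT, SANDBOX),
    "sandbox -> Order System": Flow(SANDBOX, EXPOSED, True),
    "test Repository -> production DB": Flow(EXPOSED, ISOLATED, True, True, "test", "prod"),
}

def audit(flows):
    return {name: decide(flow)[0] for name, flow in flows.items()}  # name -> allowed?

if __name__ == "__main__":
    for name, flow in USE_CASE.items():
        print("ALLOW" if decide(flow)[0] else "DENY ", name, "-", decide(flow)[1])
```

The same table of flows can be compared against exported firewall rules or maintenance-partner access requests to spot paths that bypass the exposed zone.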
Conclusion
Security architecture is not the solution. In order to achieve a sufficient level of cybersecurity you have to adopt a considerable number of different techniques, but without a security architecture it is difficult to reach the goal.
Pierfrancesco Ghedini

This work is distributed under a Creative Commons Attribution 3.0 Italy License.