Abstract
Medical imaging devices (MIDs) are exposed to cyber-security threats. Currently, a comprehensive, efficient methodology dedicated to MID cyber-security risk assessment is lacking. We propose the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk assessment (TLDR) methodology and demonstrate its feasibility and consistency with existing methodologies, while being more efficient, providing details regarding the severity components, and supporting organizational prioritization and customization. Using our methodology, the impact of 23 MIDs attacks (that were previously identified) was decomposed into six severity aspects. Four Radiology Medical Experts (RMEs) were asked to assess these six aspects for each attack. The TLDR methodology's external consistency was demonstrated by calculating paired T-tests between TLDR severity assessments and those of existing methodologies (and between the respective overall risk assessments, using attack likelihood estimates by four healthcare cyber-security experts); the differences were insignificant, implying externally consistent risk assessment. The TLDR methodology's internal consistency was evaluated by calculating the pairwise Spearman rank correlations between the severity assessments of different groups of two to four RMEs and each of their individual group members, showing that the correlations between the severity rankings, using the TLDR methodology, were significant (P < 0.05), demonstrating that the severity rankings were internally consistent for all groups of RMEs. Using existing methodologies, however, the internal correlations were insignificant for groups of less than four RMEs. Furthermore, compared to standard risk assessment techniques, the TLDR methodology is also sensitive to local radiologists' preferences, supports a greater level of flexibility regarding risk prioritization, and produces more transparent risk assessments.