mak3r-cyber/healthcare-iomt-risk
RiskOps Health / IoMT — Open-Source Cybersecurity Toolkit


Empowering small healthcare organizations to manage IoMT cybersecurity risks with a lightweight, scriptable framework.


What's New in v0.2.0

RiskOps v0.2.0 brings production-ready GRC capabilities with enterprise-grade security:

  • RiskAssessmentEngine: EBIOS RM Light methodology with Probability × Impact scoring
  • ComplianceMapper: Automated mapping to ISO/IEC 27001, HIPAA, and GDPR Article 32
  • CLI Framework: Professional Typer-based interface with Rich formatting
  • Security Hardened: CSV injection protection, path traversal prevention, HTTP security
  • 91% Test Coverage: Comprehensive test suite with 584+ lines of tests
  • 25 IoMT Scenarios: Medical device vulnerabilities, ransomware, data breaches

View Full Changelog | Upgrade Guide


Overview

RiskOps Health / IoMT is an open-source cybersecurity toolkit focused on risk management for connected medical devices (IoMT) in small and medium-sized healthcare organizations (clinics, hospitals, labs). Inspired by EBIOS RM – no heavy tools or consultants needed.

Why RiskOps?

Small and medium-sized healthcare organizations (SMEs) typically lack the necessary resources to manage cybersecurity risks associated with connected medical devices. RiskOps Health / IoMT provides an automated, scriptable framework for assessing IoMT risks without needing heavy consulting or expensive commercial tools.

Challenges for Healthcare SMEs

  • Limited Budget: Cannot afford €3,000-€5,000/year commercial GRC tools
  • Limited Staff: No dedicated cybersecurity team
  • Limited Time: Clinical operations take priority
  • Limited Tools: Few IoMT-specific risk assessment frameworks

Solutions Provided by RiskOps

  • Python-based risk scoring engine (EBIOS RM Light)
  • Compliance gap analysis (ISO 27001, HIPAA, GDPR)
  • CLI tools for automated risk matrix generation
  • Detection rules for HL7/DICOM (pilot phase)
  • Non-intrusive pentest checklists (design phase)

Key Features

  • GRC Engine: Automates risk scoring, compliance mapping (ISO 27001, HIPAA, GDPR), and generates Excel reports
  • Security Hardened: CSV injection protection, path traversal prevention, file validation
  • CLI Framework: riskops command-line tool with rich formatting and validation
  • High Test Coverage: 91.35% code coverage with comprehensive security tests
  • Type Safety: Full mypy strict mode compliance for production reliability
  • HL7/DICOM Detection Rules: Pilot phase for medical device protocol vulnerabilities
  • Compliance: ISO 27001, HDS (France), HIPAA, GDPR, NIS2, EU MDR
  • SAFE Pentest: Non-intrusive penetration testing checklist for healthcare

Installation

Prerequisites

  • Python 3.9 or higher
  • pip package manager
  • Virtual environment (recommended)

Quick Install

# Clone the repository
git clone https://github.com/mak3r-cyber/healthcare-iomt-risk.git
cd healthcare-iomt-risk

# Create and activate virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install package with all dependencies
pip install -e ".[dev]"

# Verify installation
riskops --help

PyPI Installation (Coming Soon)

pip install riskops

Quick Start

1. Validate a Risk Matrix

riskops validate csv 02-Matrices/risk_matrix.csv

# Output:
# ✓ File size: 0.00MB (valid)
# ✓ Loaded 25 rows
# ✓ All required columns present
# ✓ Probability & Impact values valid (1-5)
# ✓ Risk calculations valid (P × I)
#
# Risk Statistics:
#   Critical (≥15): 4
#   High (13-14):   0
#   Medium (7-12):  18
#   Low (≤6):       3

2. Generate Excel Risk Matrix

riskops generate matrix 02-Matrices/risk_matrix.csv --output reports/risk_report.xlsx

# Output:
# ✓ Loaded 25 risks from CSV
# ✓ SUCCESS: Excel file generated successfully!
#   • 3 tabs created: Risk Matrix + Heatmap + Dashboard
#   • CSV injection protection applied
#   • Risk scores validated
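The two checks above, Probability × Impact scoring with the validator's bands and formula-cell neutralisation before export, as an added example that is not the project's own code (column names and the sample rows are assumptions):

```python
"""Added example (not the project's own code): Probability x Impact scoring
with the bands printed by `riskops validate csv`, plus neutralisation of
spreadsheet-formula cells as the Excel export describes. Columns are assumed."""
import csv

REQUIRED = ("id", "scenario", "probability", "impact")
# Band floors from the validator output above: >=15, 13-14, 7-12, <=6.
BANDS = (("Critical", 15), ("High", 13), ("Medium", 7), ("Low", 1))
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")  # cells a spreadsheet evaluates

def band(score: int) -> str:
    """Map a P x I score in 1..25 to its risk band."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")

def neutralize(cell: str) -> str:
    """Prefix a formula-looking cell with an apostrophe so it stays text."""
    return "'" + cell if cell.startswith(FORMULA_PREFIXES) else cell

def load_risks(text: str) -> list[dict]:
    """Parse a risk-matrix CSV: check columns, P/I in 1..5, score and band."""
    reader = csv.DictReader(text.splitlines())
    missing = set(REQUIRED) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    risks = []
    for lineno, row in enumerate(reader, start=2):
        p, i = int(row["probability"]), int(row["impact"])
        if not (1 <= p <= 5 and 1 <= i <= 5):
            raise ValueError(f"line {lineno}: probability/impact must be 1-5")
        score = p * i
        risks.append({**row, "scenario": neutralize(row["scenario"]),
                      "score": score, "band": band(score)})
    return risks

def stats(risks: list[dict]) -> dict[str, int]:
    """Count risks per band, like the 'Risk Statistics' summary."""
    return {name: sum(r["band"] == name for r in risks) for name, _ in BANDS}

# Constructed sample; the last scenario would run as a formula if exported raw.
SAMPLE = """id,scenario,probability,impact
R1,Ransomware on PACS server,4,5
R2,Default credentials on infusion pump,3,4
R3,Unencrypted HL7 feed,2,3
R4,=SUM(A1:A5),1,2
"""
```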

3. Validate Documentation Links

riskops validate links docs/compliance/iso27002-iomt-mapping.md

# Output:
# ✓ All links are valid!

4. Run Full Test Suite

pytest tests/test_grc -v

# Output:
# tests/test_grc/test_assessment.py::test_load_csv_valid PASSED
# tests/test_grc/test_compliance.py::test_map_risks_to_controls PASSED
# ...
# ===================== 24 passed in 2.31s =====================
# Coverage: 91.35%

Cost Comparison: RiskOps vs Commercial Tools

| Feature | RiskOps (Open Source) | Qualys VMDR | Tenable.io | RSA Archer GRC |
|---|---|---|---|---|
| Annual Cost | €0 | €3,000-€5,000 | €4,000-€6,000 | €10,000+ |
| Risk Assessment | ✓ EBIOS RM Light | ✓ Proprietary | ✓ Proprietary | ✓ Enterprise |
| Compliance Mapping | ✓ ISO/HIPAA/GDPR | ✓ Multi-framework | ✓ Multi-framework | ✓ Multi-framework |
| IoMT-Specific | ✓ HL7/DICOM focus | ✗ Generic | ✗ Generic | ✗ Generic |
| Source Code Access | ✓ MIT License | ✗ Closed | ✗ Closed | ✗ Closed |
| Customizable | ✓ Python/CLI | Limited | Limited | Limited |
| Learning Curve | Low (CLI) | Medium | Medium | High |
| SME-Friendly | ✓ Designed for SMEs | Enterprise-focused | Enterprise-focused | Enterprise-focused |
| Healthcare Focus | ✓ Medical devices | General IT | General IT | General GRC |

Savings for Healthcare SME: €3,000-€10,000/year with RiskOps open-source


Current Metrics (v0.2.0)

  • 25 Risk Scenarios: Covering ransomware, device vulnerabilities, data breaches
  • 91.35% Code Coverage: Comprehensive test suite with 584+ lines
  • 3 Compliance Frameworks: ISO 27001, HIPAA, GDPR Article 32
  • 0 Critical Vulnerabilities: Security-hardened codebase
  • 10 MiB File Limit: DoS protection
  • 10s HTTP Timeout: Network security hardening
  • 100% Type Annotated: Full mypy strict mode compliance
  • 6 CLI Commands: validate, generate, convert, grc, assess, report
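The 10 MiB file limit and path-traversal prevention listed above, as one input guard; this is an added example, not the project's own code, and the directory layout in `demo()` is constructed:

```python
"""Added example (not the project's own code): the 10 MiB file limit and
path-traversal check named in the metrics, written as one guard that resolves
the requested file under an allowed base directory before it is opened."""
import tempfile
from pathlib import Path

MAX_BYTES = 10 * 1024 * 1024  # 10 MiB cap, as stated in Current Metrics

def safe_input_path(requested: str, base_dir: Path) -> Path:
    """Return the resolved path inside base_dir, or raise ValueError.

    resolve() follows symlinks, so a link inside base_dir that points outside
    is rejected just like a '../' component; an absolute `requested` replaces
    base_dir during the join and is therefore rejected too.
    """
    base = base_dir.resolve()
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes {base}: {requested}")
    if not candidate.is_file():
        raise ValueError(f"not a regular file: {requested}")
    size = candidate.stat().st_size
    if size > MAX_BYTES:
        raise ValueError(f"file too large: {size} bytes > {MAX_BYTES}")
    return candidate

def demo() -> dict[str, bool]:
    """Constructed check in a temp dir: a small CSV is accepted, a '../' path
    and an oversized file are rejected."""
    base = Path(tempfile.mkdtemp())
    (base / "risk_matrix.csv").write_text("id,probability,impact\n")
    with open(base / "huge.csv", "wb") as f:
        f.truncate(MAX_BYTES + 1)  # sparse file, but st_size reports > 10 MiB

    def rejected(name: str) -> bool:
        try:
            safe_input_path(name, base)
        except ValueError:
            return True
        return False

    return {"small_ok": not rejected("risk_matrix.csv"),
            "traversal_rejected": rejected("../../etc/hostname"),
            "oversize_rejected": rejected("huge.csv")}
```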

Project Status

Active development: GRC module stable and production-ready (v0.2.0); SOC detection and pentest modules in pilot phase.

Version Roadmap:

  • v0.2.0 (Current): Production GRC engine, CLI framework, 91% coverage
  • v0.3.0 (Q1 2026): Threat intelligence, SOC/pentest modules, PDF reports
  • v1.0.0 (Q2 2026): REST API, database integration, full production release

Quality Pipeline

  • Type Checking: mypy in strict mode
  • Linting: ruff with E, F, I, N, W rules
  • Formatting: black (line-length=100)
  • Tests: pytest with 91% coverage (minimum 70%)
  • Security: SBOM generation (syft), vulnerability scans (trivy)
  • CI/CD: GitHub Actions for automated QA and security checks

Structure

├── 01-Research/          # IoMT references, risk sources
├── 02-Matrices/          # Input CSV files for risk matrices
├── 03-Methodology/       # EBIOS RM documentation
├── 04-Planning/          # Project planning and organization
├── 05-Business-Processes/# Processes for ISO 27001, NIS2 compliance
├── data/                 # Supporting catalogs and datasets
├── docs/                 # Documentation (runbooks, compliance reports)
├── src/riskops/          # Core code (GRC, SOC, Pentest, CLI)
│   ├── cli/             # Typer-based CLI commands
│   ├── grc/             # Risk assessment and compliance mapping
│   ├── converters/      # CSV to Excel with security hardening
│   ├── validators/      # Input validation and link checking
│   └── utils/           # Security utilities and helpers
├── tests/                # Unit tests (91% coverage)
├── tools/                # Legacy utilities (deprecated)
└── LICENSE, ROADMAP.md, CHANGELOG.md

Business Processes

This project includes reusable business processes aligned with key industry standards:

  • Incident Management: [See 05-Business-Processes/incident-management.md]
  • IoMT Risk Management: [See 05-Business-Processes/risk-management.md]
  • ISO 27001 Compliance: [See 05-Business-Processes/iso27001-compliance.md]
  • NIS2 Compliance: [See 05-Business-Processes/nis2-compliance.md]

Methodology

RiskOps Health / IoMT follows the EBIOS RM Light methodology:

  1. Scope: Define system boundaries and objectives
  2. Threats: Identify and evaluate threats (ransomware, device vulnerabilities)
  3. Vulnerabilities: Identify vulnerabilities in the IoMT environment
  4. Score Risks: Automatically calculate risk scores (Probability × Impact)
  5. Treatment: Propose risk treatment options (Avoid, Reduce, Transfer, Accept)
  6. Monitor: Track risk status and ensure ongoing mitigation

Regulatory Coverage:

  • GDPR Article 32 (Security of Processing)
  • ISO/IEC 27001 (Clause 6.1.2 Risk Assessment)
  • HDS (French Health Data Security Requirements)
  • EU MDR (Cybersecurity for Medical Devices)
  • NIS2 Directive (Critical Health Infrastructure)
  • HIPAA Security Rule (45 CFR §§ 164.302-318)

Sources

Regulators & Standards Bodies:

  • CNIL (French Data Protection Authority)
  • ANSSI (French Cybersecurity Agency)
  • European Commission (GDPR, NIS2, EU MDR)
  • NIST (SP 800-30, SP 800-66)
  • ISO/IEC (27001, 27002, 80001)

Medical Device Security:

  • FDA Cybersecurity Guidelines
  • IEC 62304 (Medical Device Software)
  • IEC 80001 (Network Security for Medical Devices)
  • CVE/NVD Databases

Healthcare Protocols:

  • HL7 FHIR (Fast Healthcare Interoperability Resources)
  • DICOM (Digital Imaging and Communications in Medicine)
  • Bluetooth LE (Medical Device Communication)
  • 802.1X (Network Access Control)

Roadmap

v0.2.0 (Current - Released 2025-11-16):

  • ✓ Stable GRC engine with EBIOS RM Light
  • ✓ 25+ IoMT risk scenarios
  • ✓ Excel generation tool with security hardening
  • ✓ CLI framework with validation commands
  • ✓ 91% test coverage

v0.3.0 (Planned Q1 2026):

  • Threat intelligence integration (CVE databases)
  • SOC module with Suricata detection for HL7/DICOM
  • Pentest module with Nmap integration
  • PDF report generation
  • Interactive assessment wizard

v1.0.0 (Planned Q2 2026):

  • REST API with FastAPI
  • 50+ risk scenarios with case studies
  • French/English bilingual support
  • Database integration for trend analysis
  • Production-ready enterprise deployment

View Full Roadmap


Contribute

We welcome contributions from healthcare security professionals, developers, and compliance experts!

Priority Areas:

  • SOC module (Suricata rules for HL7/DICOM)
  • Pentest module (Nmap integration)
  • Risk scenario library (expand to 50+ scenarios)
  • PDF report generation
  • Documentation and case studies

Getting Started:

git checkout -b feature/your-feature-name
# Make your changes...
pytest  # Ensure tests pass
git commit -m "feat(scope): description"
git push origin feature/your-feature-name
# Open a Pull Request

Read Contributing Guidelines


Authors

Kamilia Meliani & Lazreg Meliani, Cybersecurity Leads specializing in GRC, ISO 27001, EBIOS RM, and Healthcare Security Audits


Contact


License

MIT License - See LICENSE file for details


Last Updated: November 2025 | Project Status: Active Development | Current Version: 0.2.0


Supporting Healthcare Security Worldwide

Help us expand risk scenarios, improve documentation, and enhance detection capabilities. Star this project to show your support!

About

Open-source IoMT risk toolkit: CSV→XLSX (CI), EBIOS RM Light notes, planning skeleton.