Empowering small healthcare organizations to manage IoMT cybersecurity risks with a lightweight, scriptable framework.
RiskOps v0.2.0 brings production-ready GRC capabilities with enterprise-grade security:
- RiskAssessmentEngine: EBIOS RM Light methodology with Probability × Impact scoring
- ComplianceMapper: Automated mapping to ISO/IEC 27001, HIPAA, and GDPR Article 32
- CLI Framework: Professional Typer-based interface with Rich formatting
- Security Hardened: CSV injection protection, path traversal prevention, HTTP security
- 91% Test Coverage: Comprehensive test suite with 584+ lines of tests
- 25 IoMT Scenarios: Medical device vulnerabilities, ransomware, data breaches
View Full Changelog | Upgrade Guide
RiskOps Health / IoMT is an open-source cybersecurity toolkit focused on risk management for connected medical devices (IoMT) in small and medium-sized healthcare organizations (clinics, hospitals, labs). Inspired by EBIOS RM – no heavy tools or consultants needed.
Small and medium-sized healthcare organizations (SMEs) typically lack the necessary resources to manage cybersecurity risks associated with connected medical devices. RiskOps Health / IoMT provides an automated, scriptable framework for assessing IoMT risks without needing heavy consulting or expensive commercial tools.
- Limited Budget: Cannot afford €3,000-€5,000/year commercial GRC tools
- Limited Staff: No dedicated cybersecurity team
- Limited Time: Clinical operations take priority
- Limited Tools: Few IoMT-specific risk assessment frameworks
- Python-based risk scoring engine (EBIOS RM Light)
- Compliance gap analysis (ISO 27001, HIPAA, GDPR)
- CLI tools for automated risk matrix generation
- Detection rules for HL7/DICOM (pilot phase)
- Non-intrusive pentest checklists (design phase)
- GRC Engine: Automates risk scoring, compliance mapping (ISO 27001, HIPAA, GDPR), and generates Excel reports
- Security Hardened: CSV injection protection, path traversal prevention, file validation
- CLI Framework: `riskops` command-line tool with rich formatting and validation
- High Test Coverage: 91.35% code coverage with comprehensive security tests
- Type Safety: Full mypy strict mode compliance for production reliability
- HL7/DICOM Detection Rules: Pilot phase for medical device protocol vulnerabilities
- Compliance: ISO 27001, HDS (France), HIPAA, GDPR, NIS2, EU MDR
- SAFE Pentest: Non-intrusive penetration testing checklist for healthcare
- Python 3.9 or higher
- pip package manager
- Virtual environment (recommended)
```bash
# Clone the repository
git clone https://github.com/mak3r-cyber/healthcare-iomt-risk.git
cd healthcare-iomt-risk

# Create and activate virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install package with all dependencies
pip install -e ".[dev]"

# Verify installation
riskops --help
```

Alternatively, install the released package with pip:

```bash
pip install riskops
```

```bash
riskops validate csv 02-Matrices/risk_matrix.csv
# Output:
# ✓ File size: 0.00MB (valid)
# ✓ Loaded 25 rows
# ✓ All required columns present
# ✓ Probability & Impact values valid (1-5)
# ✓ Risk calculations valid (P × I)
#
# Risk Statistics:
#   Critical (≥15): 4
#   High (13-14): 0
#   Medium (7-12): 18
#   Low (≤6): 3
```

```bash
riskops generate matrix 02-Matrices/risk_matrix.csv --output reports/risk_report.xlsx
# Output:
# ✓ Loaded 25 risks from CSV
# ✓ SUCCESS: Excel file generated successfully!
#   • 3 tabs created: Risk Matrix + Heatmap + Dashboard
#   • CSV injection protection applied
#   • Risk scores validated
```

```bash
riskops validate links docs/compliance/iso27002-iomt-mapping.md
# Output:
# ✓ All links are valid!
```

```bash
pytest tests/test_grc -v
# Output:
# tests/test_grc/test_assessment.py::test_load_csv_valid PASSED
# tests/test_grc/test_compliance.py::test_map_risks_to_controls PASSED
# ...
# ===================== 24 passed in 2.31s =====================
# Coverage: 91.35%
```

| Feature | RiskOps (Open Source) | Qualys VMDR | Tenable.io | RSA Archer GRC |
|---|---|---|---|---|
| Annual Cost | €0 | €3,000-€5,000 | €4,000-€6,000 | €10,000+ |
| Risk Assessment | ✓ EBIOS RM Light | ✓ Proprietary | ✓ Proprietary | ✓ Enterprise |
| Compliance Mapping | ✓ ISO/HIPAA/GDPR | ✓ Multi-framework | ✓ Multi-framework | ✓ Multi-framework |
| IoMT-Specific | ✓ HL7/DICOM focus | ✗ Generic | ✗ Generic | ✗ Generic |
| Source Code Access | ✓ MIT License | ✗ Closed | ✗ Closed | ✗ Closed |
| Customizable | ✓ Python/CLI | Limited | Limited | Limited |
| Learning Curve | Low (CLI) | Medium | Medium | High |
| SME-Friendly | ✓ Designed for SMEs | Enterprise-focused | Enterprise-focused | Enterprise-focused |
| Healthcare Focus | ✓ Medical devices | General IT | General IT | General GRC |
Savings for Healthcare SME: €3,000-€10,000/year with RiskOps open-source
- 25 Risk Scenarios: Covering ransomware, device vulnerabilities, data breaches
- 91.35% Code Coverage: Comprehensive test suite with 584+ lines
- 3 Compliance Frameworks: ISO 27001, HIPAA, GDPR Article 32
- 0 Critical Vulnerabilities: Security-hardened codebase
- 10 MiB File Limit: DoS protection
- 10s HTTP Timeout: Network security hardening
- 100% Type Annotated: Full mypy strict mode compliance
- 6 CLI Commands: validate, generate, convert, grc, assess, report
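The hardening items in the list above (CSV injection protection, path traversal prevention, the 10 MiB file limit and the 10 s HTTP timeout), shown as an added Python example. This is not the project's own `converters/` or `utils/` code: the function names, the output-directory policy, the `comment` column and the sample rows are assumptions constructed for the example; the two limits are the ones the README states.

```python
"""Added example, not the project's converters/ or utils/ code: the input
hardening the README lists (CSV injection protection, path traversal prevention,
10 MiB file limit, 10 s HTTP timeout) applied before a risk matrix is exported.
Function names and the output-directory policy are this example's own."""

import csv
import io
import urllib.request
from pathlib import Path

MAX_FILE_BYTES = 10 * 1024 * 1024   # README: "10 MiB File Limit: DoS protection"
HTTP_TIMEOUT_SECONDS = 10.0         # README: "10s HTTP Timeout"

# Leading characters a spreadsheet treats as a formula or a control sequence.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Make a cell inert for Excel/LibreOffice by prefixing a single quote, so
    free-text fields (scenario, comments) are stored as text and never evaluated.
    Legitimate values such as "-5" are prefixed too; that is the usual trade-off,
    and genuinely numeric columns should be written as numbers instead."""
    if value and value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def neutralize_rows(csv_text: str) -> list[dict[str, str]]:
    """Parse CSV text and neutralize every cell before it reaches a workbook."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: neutralize_cell(v or "") for k, v in row.items()} for row in reader]


def check_file_size(path: Path, limit: int = MAX_FILE_BYTES) -> int:
    """Reject oversized inputs before reading them into memory."""
    size = path.stat().st_size
    if size > limit:
        raise ValueError(f"{path.name}: {size} bytes exceeds the {limit} byte limit")
    return size


def resolve_output_path(base_dir: str, requested: str) -> Path:
    """Confine --output to base_dir. Resolve '..' and symlinks first, then check
    containment, so 'x/../../somewhere.xlsx' and absolute paths are refused."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise ValueError(f"output path escapes {base}: {requested!r}")
    if candidate.suffix.lower() != ".xlsx":
        raise ValueError(f"output must be an .xlsx file, got {candidate.name!r}")
    return candidate


def link_status(url: str, timeout: float = HTTP_TIMEOUT_SECONDS) -> int:
    """HEAD request with a hard timeout so a link check cannot hang on a slow host."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


# Constructed sample rows, not the project's 02-Matrices/risk_matrix.csv
SAMPLE_CSV = """id,scenario,probability,impact,comment
R01,Ransomware on PACS server,4,5,=1+1
R02,Default credentials on DICOM viewer,3,5,@owner to confirm
R03,Lost USB stick with patient exports,2,3,-5 devices affected
"""

if __name__ == "__main__":
    for row in neutralize_rows(SAMPLE_CSV):
        print(row["id"], "->", repr(row["comment"]))
    print(resolve_output_path("reports", "risk_report.xlsx"))
```

The order matters: size is checked before the file is read, the output path is resolved before anything is written, and cells are neutralized after parsing so the quoting applies to the value the spreadsheet will actually see.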
Active development: GRC module stable and production-ready (v0.2.0); SOC detection and pentest modules in pilot phase.
Version Roadmap:
- v0.2.0 (Current): Production GRC engine, CLI framework, 91% coverage
- v0.3.0 (Q1 2026): Threat intelligence, SOC/pentest modules, PDF reports
- v1.0.0 (Q2 2026): REST API, database integration, full production release
- Type Checking: mypy in strict mode
- Linting: ruff with E, F, I, N, W rules
- Formatting: black (line-length=100)
- Tests: pytest with 91% coverage (minimum 70%)
- Security: SBOM generation (syft), vulnerability scans (trivy)
- CI/CD: GitHub Actions for automated QA and security checks
```text
├── 01-Research/              # IoMT references, risk sources
├── 02-Matrices/              # Input CSV files for risk matrices
├── 03-Methodology/           # EBIOS RM documentation
├── 04-Planning/              # Project planning and organization
├── 05-Business-Processes/    # Processes for ISO 27001, NIS2 compliance
├── data/                     # Supporting catalogs and datasets
├── docs/                     # Documentation (runbooks, compliance reports)
├── src/riskops/              # Core code (GRC, SOC, Pentest, CLI)
│   ├── cli/                  # Typer-based CLI commands
│   ├── grc/                  # Risk assessment and compliance mapping
│   ├── converters/           # CSV to Excel with security hardening
│   ├── validators/           # Input validation and link checking
│   └── utils/                # Security utilities and helpers
├── tests/                    # Unit tests (91% coverage)
├── tools/                    # Legacy utilities (deprecated)
└── LICENSE, ROADMAP.md, CHANGELOG.md
```
This project includes reusable business processes aligned with key industry standards:
- Incident Management: [05-Business-Processes/incident-management.md](05-Business-Processes/incident-management.md)
- IoMT Risk Management: [05-Business-Processes/risk-management.md](05-Business-Processes/risk-management.md)
- ISO 27001 Compliance: [05-Business-Processes/iso27001-compliance.md](05-Business-Processes/iso27001-compliance.md)
- NIS2 Compliance: [05-Business-Processes/nis2-compliance.md](05-Business-Processes/nis2-compliance.md)
RiskOps Health / IoMT follows the EBIOS RM Light methodology:
- Scope: Define system boundaries and objectives
- Threats: Identify and evaluate threats (ransomware, device vulnerabilities)
- Vulnerabilities: Identify vulnerabilities in the IoMT environment
- Score Risks: Automatically calculate risk scores (Probability × Impact)
- Treatment: Propose risk treatment options (Avoid, Reduce, Transfer, Accept)
- Monitor: Track risk status and ensure ongoing mitigation
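The "Score Risks" step above, as an added Python example (not the project's own `RiskAssessmentEngine` or its CSV schema): the 1-5 scale checks and the four severity bands are taken from the `riskops validate csv` output earlier in this README; the column names `id`, `scenario`, `probability`, `impact` and the sample rows are assumptions constructed for the example.

```python
"""Added example, not the project's RiskAssessmentEngine: EBIOS RM Light style
Probability x Impact scoring over a risk-matrix CSV, with the scale checks and
severity bands shown by `riskops validate csv`. Column names are assumed."""

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Severity bands as printed by `riskops validate csv` (score = P x I, 1..25)
BANDS = (("Critical", 15, 25), ("High", 13, 14), ("Medium", 7, 12), ("Low", 1, 6))
# Assumed CSV schema; the columns of the real 02-Matrices/risk_matrix.csv may differ
REQUIRED_COLUMNS = ("id", "scenario", "probability", "impact")


def classify(score: int) -> str:
    """Map a P x I score onto the four bands; anything outside 1..25 is a bug."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside 1..25")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    scenario: str
    probability: int  # likelihood, 1 (rare) .. 5 (almost certain)
    impact: int       # severity,   1 (minor) .. 5 (critical)

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def level(self) -> str:
        return classify(self.score)


def _scale_value(raw: str, column: str, row_no: int) -> int:
    """EBIOS RM Light uses a 1..5 scale for both probability and impact."""
    try:
        value = int(raw.strip())
    except ValueError as exc:
        raise ValueError(f"row {row_no}: {column} is not an integer: {raw!r}") from exc
    if not 1 <= value <= 5:
        raise ValueError(f"row {row_no}: {column}={value} outside 1-5")
    return value


def load_risks(csv_text: str) -> list[Risk]:
    """Parse a matrix, failing fast on a missing column or an out-of-scale value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    risks = []
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        risks.append(Risk(
            risk_id=(row["id"] or "").strip(),
            scenario=(row["scenario"] or "").strip(),
            probability=_scale_value(row["probability"] or "", "probability", row_no),
            impact=_scale_value(row["impact"] or "", "impact", row_no),
        ))
    return risks


def validate_matrix(csv_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the matrix is valid."""
    try:
        load_risks(csv_text)
    except ValueError as exc:
        return [str(exc)]
    return []


def risk_statistics(risks: list[Risk]) -> dict[str, int]:
    """Count risks per band, always reporting all four bands (as the CLI does)."""
    counts = Counter(r.level for r in risks)
    return {name: counts.get(name, 0) for name, _, _ in BANDS}


# Constructed sample input, not the project's 02-Matrices/risk_matrix.csv
SAMPLE_CSV = """id,scenario,probability,impact
R01,Ransomware on PACS server,4,5
R02,Unpatched infusion pump firmware,3,4
R03,Unencrypted HL7 feed on flat network,4,3
R04,Lost USB stick with patient exports,2,3
R05,Default credentials on DICOM viewer,3,5
R06,Printer outage delays lab results,2,2
"""

if __name__ == "__main__":
    loaded = load_risks(SAMPLE_CSV)
    for r in loaded:
        print(f"{r.risk_id}  P={r.probability} I={r.impact}  score={r.score:2d}  {r.level}")
    print("Risk Statistics:", risk_statistics(loaded))
```

One property of this scale worth knowing before reading a matrix: with integer 1-5 values, no Probability × Impact product falls in 13-14 (the possible products are 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25), so the High band stays empty unless a finer scale or a different banding is used; this is consistent with the `High (13-14): 0` line in the sample output above.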
Regulatory Coverage:
- GDPR Article 32 (Security of Processing)
- ISO/IEC 27001 (Clause 6.1.2 Risk Assessment)
- HDS (French Health Data Security Requirements)
- EU MDR (Cybersecurity for Medical Devices)
- NIS2 Directive (Critical Health Infrastructure)
- HIPAA Security Rule (45 CFR §§ 164.302-318)
Regulators & Standards Bodies:
- CNIL (French Data Protection Authority)
- ANSSI (French Cybersecurity Agency)
- European Commission (GDPR, NIS2, EU MDR)
- NIST (SP 800-30, SP 800-66)
- ISO/IEC (27001, 27002, 80001)
Medical Device Security:
- FDA Cybersecurity Guidelines
- IEC 62304 (Medical Device Software)
- IEC 80001 (Network Security for Medical Devices)
- CVE/NVD Databases
Healthcare Protocols:
- HL7 FHIR (Fast Healthcare Interoperability Resources)
- DICOM (Digital Imaging and Communications in Medicine)
- Bluetooth LE (Medical Device Communication)
- 802.1X (Network Access Control)
v0.2.0 (Current - Released 2025-11-16):
- ✓ Stable GRC engine with EBIOS RM Light
- ✓ 25+ IoMT risk scenarios
- ✓ Excel generation tool with security hardening
- ✓ CLI framework with validation commands
- ✓ 91% test coverage
v0.3.0 (Planned Q1 2026):
- Threat intelligence integration (CVE databases)
- SOC module with Suricata detection for HL7/DICOM
- Pentest module with Nmap integration
- PDF report generation
- Interactive assessment wizard
v1.0.0 (Planned Q2 2026):
- REST API with FastAPI
- 50+ risk scenarios with case studies
- French/English bilingual support
- Database integration for trend analysis
- Production-ready enterprise deployment
We welcome contributions from healthcare security professionals, developers, and compliance experts!
Priority Areas:
- SOC module (Suricata rules for HL7/DICOM)
- Pentest module (Nmap integration)
- Risk scenario library (expand to 50+ scenarios)
- PDF report generation
- Documentation and case studies
Getting Started:
```bash
git checkout -b feature/your-feature-name
# Make your changes...
pytest  # Ensure tests pass
git commit -m "feat(scope): description"
git push origin feature/your-feature-name
# Open a Pull Request
```

Kamilia Meliani & Lazreg Meliani, Cybersecurity Leads specializing in GRC, ISO 27001, EBIOS RM, and Healthcare Security Audits
- Issues & Bugs: GitHub Issues
- Feature Requests: GitHub Issues
- Security Vulnerabilities: git-healthcareframe.mascot374@passmail.com (90-day responsible disclosure)
- LinkedIn: Kamilia Meliani
MIT License - See LICENSE file for details
Last Updated: November 2025 | Project Status: Active Development | Current Version: 0.2.0

Supporting Healthcare Security Worldwide

Help us expand risk scenarios, improve documentation, and enhance detection capabilities. Star this project to show your support!