Skip to content

Commit 7c1812a

Browse files
authored
docs: update README with GRC, detection and SAFE pentest overview (#10)
1 parent 4c71a07 commit 7c1812a

1 file changed

Lines changed: 54 additions & 48 deletions

File tree

README.md

Lines changed: 54 additions & 48 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,20 @@
1-
# RiskOps Health / IoMT — Open-Source Toolkit
1+
# RiskOps Health / IoMT — Open-Source Cybersecurity Toolkit
22

3-
License: MIT
4-
Python: 3.9+
5-
Tests
6-
Coverage
3+
4+
## License
5+
MIT License
6+
7+
## Python Version
8+
Python 3.9+ or later
79

810
### Empowering small healthcare orgs to manage IoMT cybersecurity risks with a lightweight, scriptable framework.
911

1012
## Overview
11-
Focus: Risk assessment, compliance mapping (ISO 27001, HIPAA, GDPR), and IoMT-focused detection/pentest tools for clinics, labs, and practices.
13+
RiskOps Health / IoMT is an open-source cybersecurity toolkit focused on **risk management** for connected medical devices (**IoMT**) in small and medium-sized healthcare organizations (clinics, hospitals, labs).
1214
Inspired by EBIOS RM – no heavy tools or consultants needed.
1315

1416
## Why RiskOps?
15-
17+
Small and medium-sized healthcare organizations (SMEs) typically lack the necessary resources to manage cybersecurity risks associated with connected medical devices. RiskOps Health / IoMT provides an automated, scriptable framework for assessing IoMT risks without needing heavy consulting or tools.
1618
Challenges for SMEs: Limited time, budget, staff, and IoMT-specific tools.
1719
Solutions Provided:
1820
Python-based risk scoring engine.
@@ -23,25 +25,13 @@ Non-intrusive pentest checklists (design phase).
2325

2426
## Key Features
2527

26-
### GRC Engine (src/riskops/grc/)
27-
28-
Load/validate CSV risk matrices.
29-
Score risks (Probability × Impact).
30-
Map to controls: ISO 27001, HIPAA, GDPR.
31-
Gap analysis & reports.
32-
90% test coverage.
33-
34-
### Detection (Pilot)
35-
36-
HL7/DICOM rules.
37-
Data flow docs (PACS, RIS, HIS).
38-
39-
### Pentest Light (Design)
40-
41-
SAFE approach: Non-intrusive checks.
42-
Attack surface & hardening reviews.
28+
- **GRC Engine**: Automates risk scoring, compliance mapping (ISO 27001, HIPAA, GDPR), and generates reports.
29+
- **HL7/DICOM Detection Rules**: Pilot phase (detection of vulnerabilities in medical device communication protocols).
30+
- **Compliance**: Compliance with ISO 27001, HDS, HIPAA, GDPR.
31+
- **SAFE Pentest**: Non-intrusive pen-test checklist, focused on small healthcare organizations.
4332

4433
## Project Status
34+
4535
Active development: GRC stable; detection/pentest in pilot. Experimental parts may evolve.
4636

4737
## Quality Pipeline
@@ -55,53 +45,69 @@ Security: SBOM (syft), scans (trivy) via tools/sec_checks.sh
5545
CI: GitHub Actions for QA, security, builds.
5646

5747
## Quickstart
48+
49+
Follow these steps to get started with the project:
50+
5851
```bash
5952
git clone https://github.com/mak3r-cyber/healthcare-iomt-risk.git
6053
cd healthcare-iomt-risk
6154
python -m venv venv
6255
. venv/bin/activate
63-
pip install -r requirements.txt -e .
56+
pip install -r requirements.txt
6457
pytest tests/test_grc -v
6558
python tools/csv2xlsx.py # Generates risk_matrix.xlsx
6659
```
67-
Output: Excel with scored matrix, heatmap, dashboard.
6860

6961
## Structure
62+
7063
```text
71-
├── 01-Research/ # IoMT refs
72-
├── 02-Matrices/ # CSV inputs
73-
├── 03-Methodology/ # EBIOS RM docs
74-
├── 04-Planning/ # Org
75-
├── 05-Business-Processes/# ISO/NIS2 processes
76-
├── data/ # Catalogs
77-
├── docs/ # Runbooks, reports
78-
├── src/riskops/ # Core code (grc, soc, pentest)
64+
├── 01-Research/ # IoMT references, risk sources
65+
├── 02-Matrices/ # Input CSV files for risk matrices
66+
├── 03-Methodology/ # EBIOS RM documentation
67+
├── 04-Planning/ # Project planning and organization
68+
├── 05-Business-Processes/# Processes for ISO 27001, NIS2 compliance
69+
├── data/ # Supporting catalogs and datasets
70+
├── docs/ # Documentation (runbooks, reports)
71+
├── src/riskops/ # Core code (GRC, SOC, Pentest)
7972
├── tests/ # Unit tests
80-
├── tools/ # Utils (csv2xlsx, sec_checks)
73+
├── tools/ # Utilities (CSV to XLSX, security checks)
8174
└── LICENSE, ROADMAP.md...
8275
```
8376

8477
## Business Processes
85-
Reusable: Incident Mgmt, Risk Mgmt, Access, ISO 27001, NIS2. See 05-Business-Processes/.
8678

87-
## Methodology
88-
EBIOS RM Light steps:
79+
This project includes reusable business processes aligned with key industry standards such as **ISO 27001** and **NIS2**:
80+
81+
- **Incident Management**: [See 05-Business-Processes/incident-management.md]
82+
- **IoMT Risk Management**: [See 05-Business-Processes/risk-management.md]
83+
- **ISO 27001 Compliance**: [See 05-Business-Processes/iso27001-compliance.md]
84+
- **NIS2 Compliance**: [See 05-Business-Processes/nis2-compliance.md]
8985

90-
Scope
91-
Threats
92-
Vulnerabilities
93-
Score risks (automated)
94-
Treatment
95-
Monitor
86+
## Methodology
9687

88+
RiskOps Health / IoMT follows the **EBIOS RM Light methodology**:
89+
90+
1. **Scope**: Define system boundaries and objectives.
91+
2. **Threats**: Identify and evaluate threats.
92+
3. **Vulnerabilities**: Identify vulnerabilities in the IoMT environment.
93+
4. **Score Risks**: Automatically calculate risk scores based on Probability × Impact.
94+
5. **Treatment**: Propose risk treatment options (e.g., Avoid, Reduce, Transfer).
95+
6. **Monitor**: Track risk status and ensure ongoing mitigation.
96+
97+
**Regulatory Coverage**:
98+
- GDPR Article 32
99+
- ISO 27001 (Clause 6.1.2)
100+
- HDS (French Health Data Security Requirements)
101+
- EU MDR (Cybersecurity for Medical Devices)
102+
- NIS2 Directive (Critical Health Infrastructure)
97103
Covers: GDPR Art.32, ISO 27001, HDS, EU MDR, NIS2.
98104

99105
## Sources
100106

101-
Regulators: CNIL, ANSSI, EU.
102-
Standards: ISO 27k, NIST 800-30/66.
103-
Med Devices: FDA, IEC 62304/80001, CVEs.
104-
Protocols: HL7 FHIR, DICOM, BLE, 802.1X.
107+
**Regulators**: CNIL, ANSSI, EU Commission.
108+
**Standards**: ISO/IEC 27001/27002, NIST SP 800-30/66, ISO 80001.
109+
**Medical Devices**: FDA Cybersecurity, IEC 62304/80001, CVE databases.
110+
**Protocols**: HL7 FHIR, DICOM, Bluetooth LE, 802.1X.
105111

106112
## Roadmap
107113

0 commit comments

Comments
 (0)