Article
Peer-Review Record

Challenges and Opportunities for Conducting Dynamic Risk Assessments in Medical IoT

Appl. Sci. 2023, 13(13), 7406; https://doi.org/10.3390/app13137406
by Ricardo M. Czekster 1,*, Paul Grace 1, César Marcon 2, Fabiano Hessel 2 and Silvio C. Cazella 3
Submission received: 1 June 2023 / Revised: 16 June 2023 / Accepted: 20 June 2023 / Published: 22 June 2023
(This article belongs to the Special Issue eHealth Innovative Approaches and Applications)

Round 1

Reviewer 1 Report

1. In this work authors present a Systematic Literature Review outlining current trends and existing approaches. Further, the work highlights meaningful ways of addressing the impact of unwarranted intrusions and the set of mitigations to protect end-users from leaking personal and private information or preventing them from using the equipment.

2. There are several such existing articles. How is this work different from other previously published works?

3. The contribution of the work is not properly outlined.

4. This is a very very important line and must be discussed appropriately. Provide sufficient evidence for the same. "Although these devices offer remote management capabilities and near real-time sensing, when considering cyber security and privacy, they have considerably enlarged the potential attack surface to protect".

5. Section 2.3 looks weak and must be significantly ameliorated. Authors must discuss the various types of attacks that can be launched in these systems. A comparative analysis of these attacks will be appreciated.

6. Security needs to be discussed properly. The following works may be useful: Nullifying the Prevalent Threats in IoT Based Applications and Smart Cities Using Blockchain Technology; Towards a Secure and Sustainable Internet of Medical Things (IoMT): Requirements, Design Challenges, Security Techniques, and Future Trends.

7. Section 3 can be summarized in the form of a table.

8. Why is there a need to hire proficient cyber security personnel and comply with regulations to protect customers?

9. Section 4 looks weak and not convincing. Authors must discuss recent advancements in the field in this section.

Satisfactory

Author Response

1. We thank the reviewer for this remark and understanding of the work's objectives.

2. This is an interesting point. We mention that few works detail how dynamic risk assessments would work for IoT, and we have worked here towards showcasing the underpinnings of Medical IoT, the inherent issues, and challenges to consider when outlining attempts to tackle such issues. As far as we know, there is no similar research discussing dynamic risk assessment specifically for MIoT, which is why we consider our contribution novel. IoT and MIoT are prime candidate fields for dynamic research assessment, and therefore it is important to capture existing work and identify the further contributions required. Our approach of using an SLR to outline major results is reproducible; one researcher may take our search queries outlined in the paper and replicate the same results, following our PRISMA protocol. 
[ACTION] We have revised our contribution to align it with our approach's novelty.

3. Thank you for this remark. We will review the abstract, Introduction and Conclusion to outline our contribution clearly. 

4. We agree with the line highlighted by the reviewer.
[ACTION] We have discussed these points in a new discussion in Section 2.3 and Section 3.2, where we outline how the (potential) attack surface is increased in home settings when patients take IoT/IoMT equipment into their premises and how this is influenced by other devices sharing network resources under the presence of malicious threat actors (most likely). We stress that this is why thinking about risk assessment is vital in healthcare contexts, anticipating these issues and proactively preparing, mitigating, and recovering from cyber-attacks or failures.

5. We agree that MIoT is the usual target for a host of cyber-attacks. Although we have added substantial references to surveys specific to this problem, we shall incorporate some venues in the manuscript. This paper focuses on risk assessment and its implications as we are aware of a myriad of scientific outcomes detailing cyber-attacks already available in the literature, which we cited throughout the manuscript.
[ACTION] We have created a new paragraph in Section 2.3 highlighting common attacks on MIoT devices with comments on mitigation and protective measures.

6. Security was the core focus of the paper throughout the contribution. We have explained several aspects regarding security specific to MIoT and how it intersects with usual security mechanisms. We acknowledge the use of Blockchain and thank the reviewer for pointing us toward the paper, which we will cite appropriately.
[ACTION] We thank the reviewer for the comment and mention that cybersecurity is the backbone of the manuscript, with explanations about its underpinnings throughout the manuscript. About the suggested paper, although it focuses on approaches applicable to Smart Cities, we acknowledge its usefulness for IoT-specific threats, so we have added the suggested paper to Section 2.3 when we discuss how other studies are incorporating Distributed Ledger Technologies (DLT). We have also added comments and research concerning IoT Application (IOTA), a hot research topic gaining attention in recent years that aims to circumvent limitations of blockchain in IoT. 

7. Section 3 (outcome of the SLR) is summarised in Table 1. What we did next was, for each paper, to highlight their key points, which contributed to our discussion/analysis afterwards. The table has a column named 'Highlights' that summarises the work's objectives, so we expand on their ideas next (out of the selected list of papers derived from the SLR).

8. One of the most significant problems in organisations is poor preparedness, usually caused by a lack of training in cybersecurity, situational awareness, and unfocused security monitoring. Only by hiring proficient cybersecurity personnel with a background in mitigations, responses, and proactive cybersecurity skills will organisations be able to cope with impending attacks and thwart malicious occurrences before they propagate over networks. The manuscript covers these issues as we discuss the need for specialised defences and proactive behaviours when protecting infrastructure against cyber-attacks.
[ACTION] We have further explained this phrase and highlighted why hiring skilled cybersecurity personnel is essential in healthcare contexts.

9. In chapter 4, we stress that Dynamic Risk Assessment is seldom considered in Medical IoT or even IoT, for that matter. The closest approach we could find towards this goal (and it was commented on in the manuscript) is directed at autonomous vehicles (by Le et al., 2018). Given the challenges and difficulties outlined by the authors and our own manuscript, we can attest that the recent advancements in the field are duly described. Other authors, such as Nurse et al., 2017, and Nurse et al., 2018 have discussed the latest RA-related scientific progress for IoT, which is, in fact, a broader perspective that does not take into account the particularities of Medical IoT, which we believe our manuscript has tackled in good measure. We have revisited the section to better highlight that this research field is incipient and still poses open research questions, many of which we have addressed in the healthcare context in order to ensure that arguments are more convincing.
[ACTION] We have further investigated the literature on dynamic RA to inspect whether there were other relevant works worth mentioning, which we have found. Then we have added additional commentary to the manuscript in Section 4. Most importantly, we have produced and incorporated a new figure contrasting traditional RA with DRA in IoT contexts and ecosystems, highlighting cyber security objectives on each part. This figure adds value to the discussion and helps towards a better, in-depth discussion section. Moreover, complementing the new figure, we have added another figure (Figure 4) to explain the overall risks that end-users are exposed to in these networks, outlining most likely attack vectors and impact to stakeholders. We added further explanations and comments about these risks and overarching issues.

Reviewer 2 Report

Dear authors, from my point of view this manuscript provides an interesting topic and scope, but I would like to recommend some suggestions to enhance the quality and context of the paper:

1º. The abstract section needs to provide the main goals, method, findings, and new contribution of this paper in its area of knowledge, please.

2º. I checked the entire references and authors should include updated studies because authors are tackling a topic related to technologies, ubiquity information, and MIoT devices, that is, this sector changes daily in its processes. Readers and researchers must know the last information that authors are facing in this study. Indeed, authors claim my comment in the first paragraph: "The latest technological advances in remote asset management have significantly changed the healthcare industry".

3º. Authors should add real examples of cyber-attacks in hospitals. For instance, "A ransomware cyberattack on one of Barcelona's main hospitals has crippled the center's computer system and forced the cancellation of 150 nonurgent operations and up to 3,000 patient checkups"

https://abcnews.go.com/Health/wireStory/cyberattack-hits-major-hospital-spanish-city-barcelona-97653391

4º. Authors did not tackle the main gaps of this study to develop their main objectives and research questions. Indeed, authors need to explain why you have worked in this research project. Furthermore, authors need to re-write better the main objectives of this study, and future research questions.

5º. The Introduction section has a lot of information which should be included in the Literature review section. This section is a trailer movie of your study. For this reason, authors have to handle the most relevant information at the introduction section. Besides, the Introduction section is very long for future readers.

6º. Authors could speak from a patient point of view and devices like smartphones, health apps, iPad, amongst many others. Authors should include these authors:

Florido-Benítez, L. (2022), "International mobile marketing: a satisfactory concept for companies and users in times of pandemic", Benchmarking: An International Journal, Vol. 29 No. 6, pp. 1826-1856. https://doi.org/10.1108/BIJ-06-2021-0303

Zhang, G., & Navimipour, N. J. (2022). A comprehensive and systematic review of the IoT-based medical management systems: applications, techniques, trends and open issues. Sustainable Cities and Society, 103914.

Quy, V. K., Hau, N. V., Anh, D. V., & Ngoc, L. A. (2022). Smart healthcare IoT applications based on fog computing: architecture, applications and challenges. Complex & Intelligent Systems, 8(5), 3805-3815.

Mukati, N., Namdev, N., Dilip, R., Hemalatha, N., Dhiman, V., & Sahu, B. (2023). Healthcare assistance to COVID-19 patient using internet of things (IoT) enabled technologies. Materials Today: Proceedings, 80, 3777-3781.

Balasamy, K., Krishnaraj, N., Ramprasath, J., & Ramprakash, P. (2022). A secure framework for protecting clinical data in medical IoT environment. Smart healthcare system design: security and privacy aspects, 203-234.

7º. Authors wrote in Line 117 this: "In this work, we shall refer to the latter (MIoT) as a base definition as we think it captures the fundamental differences between general IoT systems versus those applied to medical/healthcare contexts with its more specific subtleties. MIoT empowers patients and clinical staff (in general) to understand care paths and plan following interventions". How are patients and clinical staff empowered? I did not see it; please, this concept must be totally enhanced.

8º. Authors must include a sub-section which tackles real examples of cyber-attacks in hospitals and MIoT to empower this study, so possibly other authors will cite this manuscript and journal. For example, a timeline of cyber-attacks in hospitals around the globe from 2000 to 2023.

9º. Authors need to explain acronyms, please. Not everyone knows (SLR) and you must explain it. Sometimes, when authors include a lot of acronyms, it is not good for readers because these confuse them.

10º. Authors need to remove a lot of unnecessary information. For example, authors included contextualisation and systematic Literature Review (SLR) sections. This last section must be included in the methodology section. Indeed, this paper has a great mistake because it did not include the methodology section.

11º. There is a lot of unnecessary information in the manuscript and this should be removed. This paper seems like a report from a public or private organisation.

12º. A real example of why this study needs to be considerably improved is how authors faced the discussion and conclusion sections. These two sections did not really explain the main objectives and possibly research questions that could help to support your results and conclusions. Indeed, these two sections are very short if you compare with the rest of the sections. For example: authors wrote in line 629: "It is undoubtedly true that cyber security offers end-users a protective layer with controls that prevent data leakage, protect PII, and ensure smooth use and data storage of confidential information". This information is provided by a lot of studies and authors. Indeed, this paper adds nothing new to this topic.

13º. Authors must add theoretical and managerial implications and limitations sub-sections. I am confident that you have many more things to say in these sub-sections.

14º. Overall, this manuscript must be totally enhanced to publish in this journal, please.

Author Response

1º. We agree with the reviewer and highlighted these parts in the abstract to clarify the contribution and positioning of the paper in the area of knowledge - cybersecurity.

2º. We have traversed the complete list of references; approximately one-third are dated from 2020 and 2021, and another one-third are from 2017 and 2018. We highlight that 8% are dated 2022, and 3% are from 2023, totalling about 80% of all references being relatively recent, thus reflecting the level of novelty in our approach.

3º. As another reviewer remarked on the same issue, we have substantially changed Section 2.3 to explain these cyber attacks in IoT/IoMT networks and devices. Instead, we have focused on outlining published papers with in-depth cybersecurity discussions (we thank the reviewer for the link). 

4º. We have tackled our work's main objectives in the abstract and in the introduction, and we have summarised our findings in the conclusion. By inspecting the literature, we have discussed future work on incorporating DRA in MIoT, given the set of particularities of the IoT ecosystem inherent to healthcare. It is our view that the future work is in due measure to what the security field expects as next perspectives.

5º. We agree with the reviewer and thank him for his instruction, as the Introduction section is one of the most crucial parts of a scientific result. To this matter, our Introduction has the context on which we are positioning our work with enough citations to provide a comprehensive outline of expectations by the audience.
[ACTION] We have reviewed the Introduction as a whole in search of parts that could be moved away to the Literature review section.

6º. Thank you for reminding us that other devices may significantly influence healthcare-based IoT and how to cope with this from a cybersecurity perspective.
[ACTION] We have added all suggested references in the manuscript (mostly in Section 5.1), except for the one by Lázaro Florido-Benítez, deemed irrelevant to our proposal. Also, we have added comments on these smart-based devices, as suggested at the end of Section 3, showcasing how they might interfere with medical equipment and the implications to cyber security. We have commented on novel Ambient Assistant Living (AAL) mechanisms to help deliver remote assistance in patients' homes.

7º. Patients are empowered by having additional data that can be inspected by automated information systems and medical doctors making decisions remotely. We agree with the reviewer's comments and shall add paragraphs to tackle these suggestions.
[ACTION] We included a new paragraph in the Introduction (right after the phrase that comments on the fact that IoT may empower users/patients), commenting on how patients and staff are empowered by IoT/IoMT deployed out of the hospital's premises.

8º. We agree that cyber-attacks in MIoT are important and relevant to the discussion; however, these issues have been extensively outlined in the scientific literature concerning cyber security. Since our focus here is on exploring static and dynamic risk assessment, and the existing challenges therein, we think that mentioning the attacks (as we extended Section 2.3 given previous reviewers' remarks) and citing them in the manuscript is sufficient to meet the scope of the direction taken here. For this reason, we have focused on risk assessment approaches to highlight major shortcomings and research opportunities.

9º. We agree that everyone does not know some acronyms like SLR, as mentioned. For the specific case of SLR, we are using PRISMA and explaining the overall process that it follows in Section 3 (the checklist). The other acronyms are used in the cybersecurity field and the IoT community, so there will be no need for further explanations depending on the case.
[ACTION] We have reviewed and inspected acronyms throughout the manuscript for clarity and better understanding.

10º. Since the SLR is one (out of two) major contributions of the paper, we have decided to make it a specific section, as it is detached from previous work (albeit sharing some scientific outcomes altogether). Regarding methodology, we have addressed methodological aspects of the SLR in the PRISMA process, which dictates a straightforward methodology. For the case of our second contribution, the discussion, the methodology was to gather a relevant body of work concerning dynamic risk assessment in IoT/IoMT and map out the most relevant and significant challenges and opportunities.
[ACTION] We have clarified the methodology for the second contribution at the beginning of Section 4. 

11º. We thank this comment that made us take a step back and reflect on unnecessary parts of our manuscript and on conciseness and clarity in conveying our contributions. We believe the paper includes all information required to be self-contained enough to present to our most-likely audience the underpinnings of conducting dynamic risk assessments in MIoT. That is why we have added the contents as presented in the manuscript. We would require further clarification on the irrelevant parts that need to be removed to make a sound decision on how to proceed with potential exclusions.

12º. We thank the reviewer's position on this matter, and we stress that this particular manuscript took into account the execution of an SLR of applying dynamic risk assessments in IoT/MIoT as well as a discussion of the challenges faced by managers and cyber security officers whilst tackling emerging situations arising in networks of limited capacity devices that communicate status and remote management capabilities. As highlighted in this major revision, the conclusion section and future work have incorporated other discussions.

13º. We agree with this point; tackling managerial implications is something we haven't covered in early versions of our manuscript.
[ACTION] Regarding managerial implications for organisations, we have added paragraphs in Section 4 (as suggested by another reviewer) to explain the cyber security issues organisations face, major problems and tasks they could do to protect their assets. We have also expanded Section 4.3 (Discussion) to include how modern SOC should be equipped to tackle cyber security integrated with risk assessment, adding current research and novel approaches.

14º. We thank the valuable remarks of the reviewer towards comments on how our manuscript could be improved and have a stronger contribution to the MIoT research area applied to cyber security. We have addressed the remarks and suggestions pointed out by the reviewers, including additions to citations that will help the journal's audience better understand how to apply RA/DRA in MIoT contexts.

Reviewer 3 Report

The study aimed to achieve the following points:

- To review the current trends and existing approaches for the common Challenges and Opportunities for Conducting Dynamic Risk Assessments.

1. Table 1 includes 12 studies on RA/DRA in IoT/MIoT. First, the number of studies is very low. Second, the authors should review the studies more deeply in terms of limitations, findings, etc.

2. As mentioned before, the authors need to add more studies.

- To highlight meaningful ways of addressing the impact of unwarranted intrusions and the set of mitigations to protect end-users from leaking personal and private information or preventing them from using the equipment.

Actually, I don't understand this objective and how the authors achieve it. Please clarify this point.

The abstract is not written in a correct way. What are the findings? Rewrite the abstract.

Moderate editing of English language required

Author Response

1. We thank the reviewer's remark. This work produced an SLR using the PRISMA methodology where the objective is not quantitative but qualitative. Those 12 studies, albeit low, represent that other researchers running the same search queries as outlined in the manuscript will achieve the same results, i.e., it is replicable. We want to point out that the work has developed a comprehensive scientific literature review (not counting the SLR) to position our outcomes in the cyber security field by explaining major concepts directed at Dynamic Risk Assessment (DRA), which is our main contribution. In terms of the second point raised by the reviewer, about the studies' review for limitations and findings, we would like to comment that this in-depth analysis is present in Section 3.2 (called "Analysis of Selected Results"), where we do state each selected work's limitations and findings, by commenting on their major outcomes separately.
[ACTION] We have explained these issues regarding PRISMA and the SLR and the number of works retrieved in contrast with the sheer amount of literature on the subject.

2. We understand this point raised by the reviewer; however, we stress that the usual process for conducting a comprehensive SLR, as we have performed in our manuscript, is to find qualitative results rather than quantitative ones. It has selected 12 works, i.e., the most relevant given our SLR's research question and following the protocol. Our parameters for replicating the SLR are in Section 3.1, where we outline parts of the PRISMA checklist with modifications and adaptations to fit our main purposes.

3. We thank this comment and acknowledge the need for such information within the paper. We highlight that our contribution is directed towards better comprehending the underpinnings of Dynamic Risk Assessment in MIoT and that a substantial body of work is already addressing mitigations and protective measures for end-users whilst leaking PII. We have briefly outlined and commented on related work we thought would be relevant to our manuscript, highlighting advantages and similar explanations. Hence, our work is self-contained in Risk Assessment and all the discussions that came forward. However, as requested by other reviewers, we have clarified a few of these points in the major revision, highlighting new discussions in the manuscript.

4. The objective and the contribution of our work is outlined in the abstract and introduction and summarised in the conclusion. This discussion paper presents an SLR to outline major results (qualitatively) existing in the risk assessment field within cybersecurity as related to Medical IoT. It positions current challenges and difficulties whilst addressing dynamic risk assessment in such contexts. We have revised the paper's contributions as requested by the major review and hope that those remarks, plus the reviewers' suggestions, have improved our manuscript's overall quality.

5. We thank the reviewer for pointing this out and helping to enhance the overall quality of our manuscript. We highlight that this is a discussion/positioning paper, where our major contributions are directed to a qualitative survey of the current landscape of dynamic risk assessment as applied to Medical IoT. We stress that this research field is novel and has only started to attract attention from organisations. The focus of our attention was directed at Medical IoT, so less work is present, and that is the main reason why we have expanded our analysis into 'pure' IoT, which showed us how organisations employing IoT across several domain applications are tackling risk assessment and dynamic risk assessment altogether.

Round 2

Reviewer 1 Report

Comments in Review 1 are addressed properly and the manuscript can be accepted for publication.

Satisfactory

Author Response

Thank you for your review.

Reviewer 2 Report

Dear authors, objectives, filling the gaps, and new contribution are not defined. Indeed, I did not see substantial changes in this new review. There is a lack of motivation for this "study": what is the research problem or question, what is the objective of this research, and what is the novelty and contribution of this manuscript?

Authors have changed some information and added some authors, but really the context and nuclear objectives are not tackled in this paper.

Author Response

We thank the reviewer for outlining these concerns on our manuscript. We have addressed those concerns, highlighting objectives, gaps, and contribution in red throughout the paper. We have revised it and created a new paragraph explaining the general motivation for doing this paper and we have highlighted important passages in the submitted manuscript.
At this point, we would like to stress that our contributions are three-fold: (1) a comprehensive Systematic Literature Review (SLR) employing PRISMA, a renowned methodology for these kinds of studies outlining risk in MIoT/IoT; (2) an exploration of strategies mitigating the impact on users and stakeholders on protections at infrastructure level as required by networks of MIoT/IoT altogether; (3) identification and discussion of key research directions to take into consideration Dynamic Risk Assessments.
Our paper is a positioning/discussion paper; it states a problem (how to effectively tackle dynamic risk assessments in MIoT/IoT networks?), searches the scientific literature for relevant outcomes and finally, it discusses gaps and issues uncovered by previous steps.
As it stands we are satisfied with our contribution and the quality level of our approach, as we submit another review to the Applied Sciences journal.

Reviewer 3 Report

No further comments

Author Response

Thank you for your review.
