WP2 conducted a requirements analysis of the healthcare-related CS domain
To create an Artificial Intelligence-based system to increase the cyber-security in healthcare, a sector with numerous different human actors and embedded in complex IT structures, it is crucial to perform a thorough requirements analysis at the beginning.
In AI4HealthSec, a closer look was taken at three pillars that reflect the three basics of laying the groundwork for a successful system. Besides literature analysis and analysis of existing technical tools, a large focus was on the end users:
We engaged representatives of intended stakeholders for creating high-level requirements such as user expectations and business needs.
Questionnaires containing mostly closed questions were created in iterative rounds. We focused on two aspects of user perspectives: the so-called internal point of view (i.e. the end users within the project partners, including members of the pilot organizations) and the “external” view. For the latter, we created questionnaires for organizations outside of the project to get a broader view.
For both types of questionnaires, we made sure that the intended group of persons was reflected properly: we ensured beforehand that we knew the general background of the intended users of AI4HealthSec within the pilot organizations. Using several questions for the pilot partners’ representatives within the project, we were then able to create fitting questionnaires for each group of persons that is part of the user scenarios. For example, we had questions for more IT-savvy users as well as for less experienced users; we also took different professional backgrounds into account.
- Development of questionnaires iteratively with all WP2 project partners
- “Internal” questionnaires (within pilot partners) & “external” questionnaires (for organizations outside of the project)
- 10 “internal” questionnaires
  - Designed to fit each group of persons that is part of user scenarios
  - E.g. questionnaires for more experienced users and for less experienced users, or users from different backgrounds (e.g. physician or administrative staff)
- One “external” questionnaire
By using the questionnaires with external organisations as well as within our pilot partners, we were able to extract six Business Needs:
We found that organizations need long-term solutions that are able to forecast and prevent cyber-attacks and to assess existing cyber-security weaknesses. Equally important is that human errors in the organizations should be prevented in the future by creating better personnel awareness of cyber-threats. A system should be able to detect abnormal patterns and create warnings on this basis. Also, the complete process of cyber-security enablement should be simpler than with existing solutions.
Those findings were supported by the fact that most organizations in our small survey are indeed willing to provide the frame for higher security awareness. The environment should be there to implement systems that work directly on this issue. Especially in the hospital setting, we found that human errors were seen as crucial when it comes to cyber-threats. Here, a system that in a way enables the creation of higher awareness among the staff was seen as having great potential.
The self-assessed knowledge of cyber-security was found to be average to good, but we also found that numerous staff members of healthcare organizations did not know what to do in the case of a cyber-security incident.
If there was a framework to be implemented, our internal project organizations would slightly prefer something that was visible in the daily work, e.g. by regular status reports.
Also, the internal partners wished that an external cyber-security framework would run completely by itself.
External partners also slightly preferred a visible system, but they preferred a system that would need input from the user.
WP2 Refinement of requirements, evaluation metrics and AI4HEALTHSEC Architecture
Griebel Lena, Dr.