
Question


SCENARIO: The Rocky Ravine Hospital's Maintenance Facility is responsible for the maintenance of the embedded technology in magnetic resonance imaging (MRI) machines within the hospital. This hospital is in Oklahoma, United States. The hospital has 1340 beds with 40 operating rooms and a level one trauma center. It is the only hospital in a 500-mile radius that has the best MRI machines. A new employee from the hospital hired a third-party maintenance contractor for the repair of the MRI workstation operator console. The console was repaired in two days. The maintenance manager of the hospital verified a visitor log for the repair and noticed that the third-party contractor was from a country on the U.S. Sanctions List. The MRI machine operator console was malfunctioning during a scan on a patient from the trauma unit.

ATTACK: A third-party contractor from Luxembourg, named Alexander-Walter Studhalter, was on the visitor log. The maintenance manager issued an alert in the hospital to remove the MRI machine from the network due to a data transmission error.

User-Centered Security Design ensures that the personal and sensitive data of users remains accurate and reflects the information intended by the users. User-centered security design is an approach to developing and implementing security measures that prioritize the needs, preferences, and abilities of the end users. The goal is to create security systems, protocols, and interfaces that are effective in protecting information and systems while being user-friendly and accessible.

RESPONSE: Realizing that the third party was affiliated with Russia-EO14024 and on the Specially Designated Nationals and Blocked Persons List (the SDN List, on the U.S. Sanctions List), the maintenance manager alerted the hospital's CISO and C-suite team to ensure the network was not affected. The maintenance manager located the training records for all new employees and noticed that the new employee was not trained on supply chain policies for the maintenance facility operations. The manager did not locate a sign-off record for the release to use the repaired MRI console.

IMPACT: The hospital's records for the day of the MRI's use showed a net loss of $1 million.

LESSONS LEARNED (Human Factors)

  1. User awareness and education. Recognize the levels of security knowledge amongst all users in your facility and/or department.
  2. User training. Provide clear and concise training materials to educate users on the U.S. sanctions lists.
  3. Accessibility (inclusive design). Ensure security features are accessible to users with varying abilities.
  4. Respect for Privacy. Design security solutions that respect user privacy. Clearly identify and communicate how user data is handled, stored, and used.
  5. Protection Against Unauthorized Changes. The design should incorporate measures that prevent unauthorized parties or malicious actors from making unauthorized changes or alterations.

Answer these questions:

  1. You are the maintenance manager, what would you have done differently?
  2. What are some steps you can think of that the hospital could have taken to prevent this incident?
  3. How are you going to reduce your risk?