The recent advances in Artificial Intelligence (AI) are radically transforming the healthcare sector. Implementing the related solutions presents significant challenges, ranging from managing data quality and heterogeneity to compliance with stringent regulations (e.g., GDPR and HIPAA). In this context, MLOps emerges as a crucial solution to address these issues through a set of practices and tools. As a result, MLOps-based pipelines play a pivotal role in the efective management of Machine Learning (ML) models, which is vital to support diagnostic and prognostic activities. On the other hand, the development of healthcare systems should also consider several cybersecurity aspects required by the same regulations. To this end, the Cybersecurity Framework (CSF) 2.0, developed by the National Institute of Standards and Technology (NIST), describes updated guidelines to mitigate cybersecurity risks. Therefore, adopting MLOps with the support of the CSF represents an essential step for enabling the transition of ML models to enabled devices and improving the security of healthcare systems. For this reason, in this work, we present the high-level architecture of an MLOps pipeline employed by the DARE (DigitAl lifelong pRevEntion) foundation. Moreover, we also analyze its feasibility in satisfying CSF requirements, with particular emphasis on those related to data security, detection, and recovery.
In recent years, Artificial Intelligence (AI) and Machine Learning (ML) have revolutionized the healthcare
sector, providing powerful tools to face complex challenges. For instance, many ML-based models
were increasingly experimented to assist physicians in a wide range of activities, such as disease
diagnosis [
For this reason, new ML engineering practices, known under the terminology of Machine Learning
Operations (MLOps), are emerging to support this transition [
However, despite being crucial in healthcare, only some cybersecurity aspects have been relatively
investigated [
In response to these challenges, the Cybersecurity Framework (CSF) 2.0, defined by the National Institute of Standards and Technology (NIST), provides updated guidelines to address security challenges in an ever-evolving technological landscape [23]. The CSF is a strategic tool to protect digital assets, enhance stakeholder trust, and improve the organizational’s resilience. Since each organization presents unique risks, varying risk tolerances, specific missions, and desired objectives, the CSF does not embrace a one-size-fits-all approach. Instead, it recommends its implementation by employing several emerging technologies and solutions [23].
Therefore, adopting MLOps with the support of the CSF represents an essential investment to help the transition of ML-based models to enabled devices. Moreover, their employment also improves the security of healthcare organizations like DARE (DigitAl lifelong pRevEntion) [24], a foundation financed by the Italian Ministry for University & Research (MUR) to foster collaboration between healthcare, academia, industry, and policymakers. In detail, DARE aims to become a national reference for digital prevention technologies, enhance health promotion, and enable lifelong prevention. To achieve such goals, DARE needs a compliant infrastructure capable of hosting diferent research studies, managing healthcare data securely, and developing reliable AI models.
For this reason, in order to study the feasibility of MLOps pipelines in ensuring several cybersecurity aspects, we first define a high-level MLOps pipeline employed by the DARE foundation. Then, by adopting the CSF, we analyze its validity in ensuring diferent requirements, with particular emphasis on those related to data security, detection, and recovery.
The main contributions of this work can be summarized as follows: 1. We define the high-level architecture of an MLOps pipeline employed in a healthcare foundation; 2. We adopt the CSF to analyze the pipeline’s feasibility in ensuring diferent requirements, namely data security, detection, and recovery.
The remainder of the paper is organized as follows. Sec. 2 will present the related works on MLOps pipelines employed in healthcare scenarios. Sec. 3 will report an overview of the CSF’s structure and MLOps. Then, Sec. 4 will define the architecture of our MLOps pipeline employed for the DARE foundation. Finally, Sec. 5 will analyze the feasibility of the pipeline in ensuring CSF requirements, while Sec. 6 will present the conclusions and future work.
Several studies have explored the application of MLOps frameworks in healthcare with the aim of
enhancing the development, deployment, and management of ML models in clinical settings [
To this end, A. Basile et al. [27] have proposed a comprehensive MLOps pipeline by integrating
many famous tools for version control, experiment tracking, and continuous monitoring. Instead, V.
Moskalenko et al. [
Moreover, an additional efort has been made by implementing several MLOps-based tools, such as that proposed by A. Krishnan et al. [28]. In detail, they have developed CyclOps, an open-source framework to address the fragmented nature of ML tools in healthcare units. The achieved results, derived by predicting in-hospital and decompensation mortality, have proven the efectiveness of CyclOps in ensuring the adaptability, scalability, and reliability of the developed ML models. Similar outcomes have been shown by Advanced Notebook (ADVN), a tool proposed by G. Danciu et al. [29] to standardize data ingestion and manage ML models in two major EU projects: iHELP and RETENTION. In such studies, the authors have employed ADVN to predict the risk of pancreatic cancer using urinary biomarkers (in iHELP) and estimate heart failure survival (in RETENTION). The related use cases have highlighted the versatility of ADVM in handling various medical challenges and improving the development process. Finally, T. Granlund et al. [30] have employed Oravizio, a CE-certified software used in joint replacement surgery risk assessments, to demonstrate how MLOps can ensure data privacy laws and regulatory standards without compromising performance. To accomplish this, the authors have designed a continuous training pipeline to automate data validation, model re-training, and the generation of regulatory-compliant reports.
However, as shown in Tab. 1, only some cybersecurity aspects have been relatively investigated [
Feature
V. Moskalenko et al. [
medical diagnostic systems G. Danciu et al. [29] T. Granlund et al. [30] – Integration of ADVN to manage
data ingestion and ML models – Continuous generation of
regulatory-compliant reports Our proposal – Adoption of the CSF 2.0
Gap & Novelty ✗ No use of well-known cybersecurity
techniques or protocols ✓ Analyze risks like adversarial attacks,
fault injections, and distribution shifts ✗ No cybersecurity analysis is done
(just some considerations) ✓ Employ anonymized data ✗ No cybersecurity analysis is done
(just some considerations) ✓ Ensure data privacy laws and
regulatory standards ✓ Feasibility analysis of data security, detection, and recovery
This section provides an overview of the fundamental concepts related to the proposed pipeline. For this reason, we first recall the structure of CSF and the related Functions. Then, we briefly summarize the main characteristics of MLOps, which represent the adopted framework.
The Cybersecurity Framework (CSF) 2.0, defined by NIST, is designed to help organizations of all sizes and sectors to manage and reduce their cybersecurity risks [23]. Since each organization has diferent risks and desired objectives, the CSF does not embrace a one-size-fits-all approach. Instead, the way how organizations implement CSF can vary and involve diferent emerging solutions. For this reason, the CSF describes the cybersecurity outcomes and requirements for a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. As shown in Fig. 1, such outcomes are mapped into a dedicated list known as Core, and which consists of 6 Functions, namely Govern (GV), Identify (ID), Protect (PR), Detect (DT), Respond (RS), and Recover (RC).
These outcomes do not represent a checklist of actions to perform but, instead, high-level requirements that an organization should ensure in relationship with its use cases. In detail, each Function is divided into Categories that represent a subset of cybersecurity outcomes. Finally, subcategories further divide each Category into more specific outcomes. Fig. 2 reports the Categories associated with each Function and the related identifiers.
The acronym MLOps (Machine Learning Operations) represents the evolution of DevOps (Development
Operations) practices applied to the lifecycle of ML models [
Therefore, MLOps focuses on all aspects of ML models, from the requirement analysis to monitoring in production. In detail, the lifecycle involves several stages, each closely tied to monitoring, maintenance, and continuous updates. In MLOps, the lifecycle does not end with the initial training phase but extends to ongoing management and optimization, enhancing the model’s ability to adapt to dynamic changes. Also, the employment of a Continuous Integration and Continuous Delivery (CI/CD) approach significantly contributes to the model’s stability and reliability over time [31].
However, due to the growth of cybersecurity threats, it has become essential for MLOps to manage security aspects. In such cases, the adopted terminology is known as SecMLOps or MLSecOps [22]. Although it is dificult to identify a common and widely accepted definition, we can refer to that provided by B. Ghosh [32]. In detail, he defined MLSecOps as “implementing and managing a set of processes, tools, and best practices that are designed to secure machine learning models and the systems that support them. It aims to address the unique challenges of securing ML models at scale.”
As previously mentioned, the integration of MLOps represents a crucial step towards adopting safe,
reliable, and efective ML-based approaches, which are increasingly experimented in the healthcare
domain to assist physicians in a wide range of activities, such as disease diagnosis [
The proposed pipeline aims to securely manage healthcare data and deploy reliable AI models while ensuring adherence to regulatory and ethical standards. Therefore, intending to provide a compliant infrastructure capable of hosting diferent research studies for the DARE foundation [ 24], we structured our pipeline into the following steps shown in Fig. 3: 1. Data Collection: data are systematically gathered from multiple sources, including table data, DICOM medical imaging files, and other structured or unstructured datasets. Furthermore, this step incorporates rigorous provenance tracking to ensure compliance with consent protocols and legal approvals before data ingestion; 2. Data Processing: once gathered, data undergoes comprehensive processing activities to ensure its suitability for the research goals. In detail, this step involves systematic cleaning and transformation procedures to enhance the data quality and consistency, addressing also issues related to missing values and inaccuracies. The processed data is thus standardized and aligned with established clinical frameworks, including Fast Healthcare Interoperability Resources (FHIR) and Observational Medical Outcomes Partnership (OMOP), to facilitate seamless interoperability; 3. Model Management: next, the processed data are pèriodically organized and stored within a data lake infrastructure, which is capable of handling several data formats. To this end, the Model Management integrates relational databases, Picture Archiving and Communication Systems (PACS), and servers that adhere to widely recognized clinical standards. This step also incorporates mechanisms for controlled data retention, avoiding unnecessary storage prolongation. However, the primary aim of this step is the development of AI and ML models. For this reason, these models leverage the processed data to extract relevant insights for the decision-making activities; 4. Results Visualization: finally, the developed models are deployed inside real healthcare applications to face diferent tasks. For this reason, it is crucial to monitor the related performance by tracking each execution along with the associated input configurations. Consequently, the pipeline must also incorporate specific monitoring tools, such as interactive dashboards and decision-support systems. These tools become pivotal in providing a comprehensive visualization of the results, enabling physicians and AI experts to assess the models’ performance.
During our experience inside the DARE foundation, we encountered several challenges related to the
development environment. To face them and be compliant with existing regulations, we thought that
MLOps was the best solution to ensure high-quality data and release safe models. For instance, thanks
to its CI/CD nature, MLOps can monitor the related outcomes by providing accurate prediction tools
for the diagnostic and prognostic processes [
Therefore, starting from the healthcare pipeline shown in Fig. 3, we continue its definition by
explaining the role played by MLOps. To this end, we first describe the main MLOps steps. Then, we
conceptually map such steps over our pipeline and show how MLOps fully supports the entire workflow.
According to the definition provided by Moskalenko et al. [
According to the given definitions, these steps are overlappable with those shown in Fig. 3. More precisely, Data Preparation covers the same roles as Data Collection. They are responsible for data collection, cleaning, and transformation that may come from diferent healthcare scenarios. Follows the Model Development step, which covers some functions of Data Processing and Model Management. Thanks to the most famous MLOps platforms (i.e., MLflow [ 38] and ClearML [39]), Model Development ensures that the collected data are continuously stored and monitored. Similarly, the Model Deployment step also covers some functions of Data Processing and Model Management. In detail, it rigorously manages models in production by following a CI/CD logic. For this reason, the stored data do not represent only those coming from patients but also those related to models (e.g., provided outputs, considered hyperparameters, and tracked metrics). Finally, the Performance Monitoring and Results Visualization steps aim to monitor the models’ drift and data quality through dedicated graphical interfaces, as well as the data related to new patients (i.e., those not considered during the training process). Ultimately, adopting an MLOps framework not only supports the development of a healthcare pipeline but also provides additional benefits for the involved models.
This section aims to examine the feasibility of MLOps in ensuring CSF requirements. To this end, starting from the defined pipeline, we show how MLOps can enable one of the most important Categories of the Protect (PR) Function, namely Data Security. Then, we also highlight that our pipeline ensures other CSF Categories, focusing on those related to Detect (DT) and Recover (RC) Functions. For each Category, we report the related results through checklist tables containing the Subcategory ID (ID), the Subcategory definition (Definition), and the ensure type (i.e., direct, indirect, and no). Notice that we derived such tables by faithfully following those reported by CSF [23]. Furthermore, we use the term direct for those requirements that MLOps ensures, together with best practices, without further implementation steps. Instead, with indirect, we refer to all those requirements in which MLOps needs to interface with additional implementations or unrelated tools.
With reference to Fig. 2, we start our discussion by showing how MLOps can ensure Data Security (DS).
To this end, we assume that our pipeline complies with all cybersecurity best practices (i.e., efectively
implements and employs communication protocols, access controls, and encryption techniques) [
For this reason, as shown in Tab. 2, MLOps allows the consistent management of data with risk
management strategies [23], by directly ensuring confidentiality, integrity, and availability throughout
the development cycle (see PR.DS-01, PR.DS-02, and PR.DS-10). As discussed in Sec. 4, the role played
by MLOps becomes more pivotal because it forces organizations to adopt a multi-dimensional approach
that includes a range of advanced techniques and tools [43], such as MLFlow [38], DVC [35], and
Great Expectations [37]. All this is possible because these tools give MLOps pipelines the fundamental
ability to track any aspect (i.e., data, hyperparameters, metrics, and models) [44], minimize performance
degradation, and manage data drift [
ID PR.DS-01 PR.DS-02 PR.DS-10 PR.DS-11
Definition
The confidentiality, integrity, and availability of data-at-rest are protected
The confidentiality, integrity, and availability of data-in-transit are protected
The confidentiality, integrity, and availability of data-in-use are protected
Backups of data are created, protected, maintained, and tested
Subsequently, by adopting the same methodology, we also focused on the remaining Functions (i.e., Govern - GV, Identify - ID, Detect - DT, Respond - RS, and Recover - RC). With reference to Fig. 2, the results of this iterative process have highlighted interesting evidence for some Categories of DT and RC Functions. Concerning DT, we have found some correspondences in the Continuous Monitoring (CM) Category. As shown in Tab. 3, CM defines some requirements for ensuring that assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events [ 23]. Among the requirements identified with DE.CM, only two are indirectly ensured: DE.CM-01 and DE.CM-09. More precisely, the ability to monitor models in production allows to count the number of interactions made. For instance, during a Denial-of-Service (DoS) attack, there could be numerous "unnecessary" requests aimed at saturating the responsiveness of the hosting asset. Therefore, by employing dedicated user interfaces, such as those implemented with Prometheus [40] and Grafana [41], it is possible to monitor networks and the related services (see DE.CM-01) by considering the number of requests, the received inputs, and the provided outputs. Consequently, together with the ability to record any experimental aspect, this also allows MLOps to monitor runtime environments and the employed data (see DE.CM-09).
Instead, for the RC Function, we have found some correspondences in the Incident Recovery Plan Execution (RP) Category. As shown in Tab. 4, RP defines some requirements for the correct restoration activities, which are performed to ensure the operational availability of systems and services afected by cybersecurity incidents [23]. Among the requirements identified with RC.RP, only three are indirectly ensured: RC.RP-01, RC.RP-02, and RC.RP-03. More precisely, thanks again to its ability to record any aspect of the development lifecycle, MLOps indirectly generates backups of the employed dataset and models. Such backups can be useful when the recovery portion of the incident response plan is executed (see RC.RP-01). Moreover, this ability also supports the selection, prioritization, and execution of recovery actions (see RC.RP-02). For example, running a pipeline’s step rather than or before another. Finally, with the support of some notable technologies (e.g., DVC [35], Deepchecks [36], and Great Expectations [37]), MLOps can verify the backup integrity before the recovery (see RC.RP-03). DE.CM-01 DE.CM-02 DE.CM-03 DE.CM-06 DE.CM-09
Definition Networks and network services are monitored to find potentially
adverse events The physical environment is monitored to find potentially
adverse events Personnel activity and technology usage are monitored to find potentially adverse events External service provider activities and services are monitored to find
potentially adverse events Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events ID RC.RP-01 RC.RP-02 RC.RP-03 RC.RP-04 RC.RP-05 RC.RP-06
Definition
The recovery portion of the incident response plan is executed once initiated
from the incident response process Recovery actions are selected, scoped,
prioritized, and performed The integrity of backups and other restoration assets is verified before using
them for restoration
Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed The end of incident recovery is declared based on criteria, and incident-related documentation is completed indirect no no no indirect Ensure type indirect indirect indirect no no no
Despite the contribution highlighted in this work, it appears that the proposed MLOps pipeline ensures only a few requirements (i.e., Subcategories). However, according to the definition provided by CSF, this aspect does not necessarily represent a limitation. Regardless of the size or importance of the organization concerned, the CSF should be used in conjunction with other resources (e.g., frameworks, standards, guidelines, and leading practices) to manage cybersecurity risks as well as possible [23]. Moreover, from a practical point of view, it is impossible to cover all cybersecurity aspects by employing only one technology [45]. Therefore, on the basis of the discussed outcomes, we consider essential to investigate the remaining CSF Functions (i.e., those not covered) by considering diferent scenarios or enhanced frameworks (e.g., the Machine Learning Security Operations [46]). Finally, the feasibility of MLOps pipelines should be evaluated with respect to legal requirements, such as those defined by the AI Act [47] and European Regulation (2017/745) [48].
Implementing Machine Learning (ML) models for healthcare scenarios represents a challenging activity, ranging from data quality management to compliance with stringent regulations. In this context, MLOps pipelines emerge as promising solutions for managing the lifecycle of developed models, which is vital for diagnostic and prognostic activities. On the other hand, the development of healthcare systems should also consider several cybersecurity aspects strictly related to such regulations. In response to these additional challenges, the Cybersecurity Framework (CSF) 2.0, defined by the National Institute of Standards and Technology (NIST), provides updated guidelines to address security issues in an ever-evolving technological landscape. For this reason, we investigated the feasibility of MLOps pipelines in ensuring the requirements defined by CSF. To this end, we first presented an overview of the fundamental concepts employed, namely the CSF-related structure (i.e., Functions and Categories) and the main characteristics of MLOps. Then, based on our experience with the DARE foundation, we presented the high-level architecture of a healthcare MLOps pipeline. Finally, by adopting the CSF, we discussed the feasibility of our pipeline in ensuring Data Security, which represents one of the most important Categories of the Protect (PR) Function. Moreover, by iteratively analyzing the remaining CSF Functions, we have also highlighted that MLOps might indirectly ensure other CSF Categories, with particular emphasis on those of Detect (DT) and Recover (RC).
However, due to the numerous, heterogeneous, and high-level requirements defined in CSF, it is impossible to cover all related aspects in the following study. For this reason, we will investigate MLOps pipelines and their benefits by considering other healthcare scenarios. This first contribution will allow us to analyze the remaining CSF Functions. Moreover, to improve the achieved outcomes, we will also combine enhanced frameworks, such as Machine Learning Security Operations (MLSecOps), with the implementations of real use cases. Finally, since we presented a pipeline employed by a real healthcare foundation, we will also analyze the feasibility of MLOps in ensuring legal requirements, such as those defined by the AI Act and European Regulation (2017/745).
This study was partially supported by the Italian Ministry of University and Research under PNRR-PNC Project PNC0000002 “DARE—Digital Lifelong Prevention” (CUP: B53C22006450001).
During the preparation of this work, the authors used ChatGPT, Grammarly in order to: Grammar and spelling check, Paraphrase and reword. After using this tool/service, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.