IEC TR 80001-2-9:2017 (PDF)

DOCUMENT INFORMATION

Title: Application of risk management for IT-networks incorporating medical devices – Part 2-9: Application guidance – Guidance for use of security assurance cases
Organization: International Electrotechnical Commission
Field: Electrical and Electronic Technologies
Type: Technical report
Year of publication: 2017
City: Geneva
Pages: 40
File size: 1,74 MB

CONTENT

IEC TR 80001-2-9
Edition 1.0 2017-01

TECHNICAL REPORT

Application of risk management for IT-networks incorporating medical devices –
Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities

THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2017 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.



CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 ASSURANCE case
5 Use of this document
5.1 Intended use
5.2 Intended audience
5.2.1 Intended purpose
5.2.2 MEDICAL DEVICE MANUFACTURERS (MDM)
5.2.3 Healthcare delivery organization (HDO)
5.2.4 Other stakeholders
6 General guidelines
6.1 General
6.2 Overview of the SECURITY CASE framework
6.3 Notation
6.3.1 Components of a SECURITY CASE
6.3.2 Goal
6.3.3 Strategy
6.3.4 Justification
6.3.5 Context
6.3.6 Solution (EVIDENCE)
6.3.7 Stakeholder
6.3.8 Notation extension
7 Developing the SECURITY CASE
8 SECURITY CASE change management
Annex A (informative) Exemplar SECURITY PATTERNS
A.1 General
A.2 Exemplar SECURITY PATTERN for person authentication (PAUT) – SECURITY CAPABILITY PAUT established by MDM for a medical system
A.2.1 Goal G6: Replay attack mitigated
A.2.2 Goal G8: 'Man-in-the-middle' attack mitigated
A.2.3 Goal G10: Brute force attack mitigated
A.2.4 Goals G13, G14: Denial of service attacks due to account lockout controls mitigated
A.3 Exemplar SECURITY PATTERN for automatic logoff (ALOF) established for a thin client terminal system
A.3.1 Goal: Patient safety RISK with short session timeouts in OR mitigated
A.3.2 Goal: Patient safety RISK with restoring session in the OR and ICU mitigated
A.4 Exemplar SECURITY PATTERN for audit controls (AUDT) for a system or a device in a HDO facility such as a pharmacy system or an EMR, where multiple people require access to the same data set – Goal G6: Keep a …
Bibliography

Figure 1 – Example GOAL (top-level)
Figure 2 – Example strategy
Figure 3 – Example justification
Figure 4 – Example context
Figure 5 – Example solution (EVIDENCE)
Figure A.2 – Exemplar SECURITY PATTERN for ALOF
Figure A.3 – Exemplar SECURITY PATTERN for AUDT

Table 1 – Notation extension
Table 2 – SECURITY CASE steps 1 through 9
Table 3 – SECURITY CASE steps 10 through …

INTERNATIONAL ELECTROTECHNICAL COMMISSION

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC TR 80001-2-9, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics.

The text of this technical report is based on the following documents:

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms defined in Clause 3 of this standard are printed in SMALL CAPITALS.

A list of all parts of the 80001 series, published under the general title Application of risk management for IT-networks incorporating medical devices, can be found on the IEC website.

The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific document. At this date, the document will be

INTRODUCTION

This document outlines a process for supporting CONFIDENCE in the use of the 80001 series by developing security ASSURANCE cases (henceforth SECURITY CASES) to complement a security RISK MANAGEMENT process. IEC 80001-1 provides the roles, responsibilities and activities necessary for RISK MANAGEMENT.

IEC TR 80001-2-2 provides additional guidance in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT process and the stakeholder communication and agreements phases. IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting point for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations – HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include according to their RISK tolerance, intended use and available resources. This information may be used by HDOs as input to their IEC 80001-1 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders.

IEC TR 80001-2-1 provides step-by-step guidance in the RISK MANAGEMENT PROCESS. IEC TR 80001-2-2 SECURITY CAPABILITIES encourages the disclosure of more detailed SECURITY CONTROLS.

IEC TR 80001-2-8 identifies SECURITY CONTROLS from key security standards which aim to provide guidance to HDOs and MEDICAL DEVICE manufacturers (MDMs) when adapting the framework outlined in IEC TR 80001-2-2 and establishing each of the SECURITY CAPABILITIES presented there. A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or organizational SECURITY CONTROLS 1) required to manage RISKS to confidentiality, integrity, availability and accountability of data and systems. IEC TR 80001-2-8 presents these categories of SECURITY CONTROLS prescribed for a system to establish SECURITY CAPABILITIES to support the maintenance of confidentiality and the protection from intentional or unintentional intrusion that may lead to compromises in integrity or system/data availability. IEC TR 80001-2-8 provides HDOs and MDMs with a catalogue of technical, management, operational and administrative controls. IEC TR 80001-2-8 presents the 19 SECURITY CAPABILITIES, their respective "requirement goal" and "user need" (identical to that in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards.

This document integrates the information and guidance contained in IEC TR 80001-2-2 and IEC TR 80001-2-8 together to provide guidance to HDOs and MDMs for identifying, developing, interpreting, updating and maintaining security ASSURANCE cases. Although other means of establishing CONFIDENCE in a particular property (e.g. security) exist, this document provides one such way of assuring CONFIDENCE in the establishment of IEC TR 80001-2-2 SECURITY CAPABILITIES through the use of SECURITY CASES. The purpose of the SECURITY CASE is to provide CONFIDENCE in the establishment of the IEC TR 80001-2-2 SECURITY CAPABILITIES for networked MEDICAL DEVICES. This is achieved by applying a SECURITY PATTERN to each of the 19 SECURITY CAPABILITIES. The objectives of the SECURITY PATTERN are as follows:

– to reduce the time required to develop the SECURITY CASE by providing a repeatable and systematic step-by-step, RISK based blueprint;
– to provide a means to re-use components of the SECURITY PATTERN either within a SECURITY CASE or from one SECURITY CASE to another;
– to reduce the complexity associated with the development of SECURITY CASES;
– to provide a visible traceability matrix linking the SECURITY CONTROLS to the security threats and vulnerabilities identified during RISK MANAGEMENT;
– to reduce the likelihood of missing a step in the ARGUMENT;
– to improve the readability of the SECURITY CASE;
– to provide CONFIDENCE regarding the integrity of the EVIDENCE collected based on the information presented in the ARGUMENT.

1) For the purpose of consistency throughout this document, the term SECURITY CONTROLS refers to the technical, management, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES.

The process of developing the SECURITY CASE is not intended to replace a RISK MANAGEMENT process, nor does it generate new processes; rather, the SECURITY CASE should complement the RISK MANAGEMENT process with a reference to, or inclusion of, the following supporting documentation by MDMs and HDOs:

– information regarding the intended use of the MEDICAL DEVICE, operational environment, network structure, interfaces, boundaries etc.;
– information regarding system description, security objectives and assets to be protected;
– justification for selection of SECURITY CAPABILITIES;
– justification for non-selection of SECURITY CAPABILITIES;
– assets being protected by specific …;
– impact / threat scenario / consequence information;
– reference to source for selection of SECURITY CONTROLS (e.g. IEC TR 80001-2-8 tables).

The above information becomes part of, and remains with, the SECURITY CASE from concept phase through to development, operation and retirement. Supporting information such as this can aid in better design choices, better maintenance during operation and more efficient and informative feedback practices.

This document is not intended to provide exhaustive guidance for the application of a RISK MANAGEMENT process, nor does it mandate the use of any particular RISK MANAGEMENT process; however IEC 80001-1 provides guidance on how to carry out RISK MANAGEMENT for medical IT-networks. Similarly, ISO 14971 provides guidance for the process of conducting RISK MANAGEMENT for MEDICAL DEVICES. For RISK MANAGEMENT processes such as RISK/benefit analysis, which is not covered in this document, HDOs refer to IEC 80001-1:2010, 4.4.5 and MDMs refer to ISO 14971, 6.5.

1 Scope

This part of 80001 establishes a SECURITY CASE framework and provides guidance to healthcare delivery organizations (HDO) and MEDICAL DEVICE MANUFACTURERS (MDM) for identifying, developing, interpreting, updating and maintaining SECURITY CASES for networked MEDICAL DEVICES. Use of this part of 80001 is intended to be one of the possible means to bridge the gap between MDMs and HDOs in providing adequate information to support the HDO's RISK MANAGEMENT of IT-NETWORKS. This document leverages the requirements set out in ISO/IEC 15026-2 for the development of ASSURANCE cases 2). It is not intended that this SECURITY CASE framework will replace a RISK MANAGEMENT strategy; rather, the intention is to complement RISK MANAGEMENT and in turn provide a greater level of ASSURANCE for a MEDICAL DEVICE by:

– mapping specific RISK MANAGEMENT steps to each of the IEC TR 80001-2-2 SECURITY CAPABILITIES, identifying associated threats and vulnerabilities and presenting them in the format of a SECURITY CASE with the inclusion of a re-useable SECURITY PATTERN;
– providing guidance for the selection of appropriate SECURITY CONTROLS to establish SECURITY CAPABILITIES and presenting them as part of the SECURITY CASE pattern (IEC TR 80001-2-8 provides examples of such SECURITY CONTROLS);
– providing EVIDENCE to support the implementation of a SECURITY CONTROL, hence providing CONFIDENCE in the establishment of each of the SECURITY CAPABILITIES.

The purpose of developing the SECURITY CASE is to demonstrate CONFIDENCE in the establishment of IEC TR 80001-2-2 SECURITY CAPABILITIES. The quality of artefacts gathered and documented during the development of the SECURITY CASE is agreed and documented as part of a RESPONSIBILITY AGREEMENT between the relevant stakeholders. This document provides guidance for one such methodology, through the use of a specific SECURITY PATTERN, to develop and interpret SECURITY CASES in a systematic manner.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls 3)

2) These requirements are adapted for networked MEDICAL DEVICES where the sole critical property is "security" and where the CLAIM relates to the establishment of the IEC TR 80001-2-2 SECURITY CAPABILITIES with the inclusion of a specific security ARGUMENT PATTERN.

3) IEC TR 80001-2-2 contains many additional standards, policies and reference materials which are also

3 Terms, definitions and abbreviated terms

3.1 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp

ARGUMENT
connected series of CLAIMS intended to establish an overall CLAIM
[SOURCE: GSN Community Standard Version 1:2011, 0.3]

3.1.3
CLAIM
proposition being asserted by the author that is a true or false statement
[SOURCE: GSN Community Standard Version 1:2011, Glossary]

3.1.4
CONFIDENCE
quality or state of being certain that the ASSURANCE case is appropriately and effectively structured, and correct
[SOURCE: Definition by: Grigorova, S. & Maibaum, T. S. E. (2013, November). Taking a page from the law book: Considering evidence weight in evaluating assurance case confidence. In Software Reliability Engineering Workshops (ISSREW), 2013 IEEE International Symposium on (pp. 387-390). IEEE. Definition: page 388]

3.1.5
EVIDENCE
information or objective artefacts being offered in support of one or more CLAIMS
[SOURCE: GSN Community Standard Version 1:2011, Glossary]

3.1.6
MEDICAL DEVICE
any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article:
a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a physiological process,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.

Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample collection and storage devices, control materials, and related instruments or apparatus. The information provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate regulations.

Note 2 to entry: Products which can be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, are:
– aids for disabled/handicapped people;
– devices for the treatment/diagnosis of diseases and injuries in animals;
– accessories for MEDICAL DEVICES (see Note 3 to entry);
– disinfection substances;
– devices incorporating animal and human tissues which can meet the requirements of the above definition but are subject to different controls.

Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a 'parent' MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its intended purpose should be subject to the same GHTF procedures as apply to the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This may result in the accessory having a different classification than the 'parent' device.

Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer's quality management system and the conformity assessment procedures for the device. In some jurisdictions, components are included in the definition of a 'MEDICAL DEVICE'.

RESPONSIBLE ORGANIZATION
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK

Note 1 to entry: The accountable entity can be, for example, a hospital, a private clinician or a telehealth

RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling, and monitoring RISK
[SOURCE: IEC 80001-1:2010, 2.2…]

3.1.11
SECURITY CAPABILITY
broad category of technical, administrative or organizational controls to manage RISKS to confidentiality, integrity, availability and accountability of data and systems
[SOURCE: IEC TR 80001-2-8:2016, 3.21]

3.1.12
SECURITY CASE
reasoned, auditable artefact created that supports the contention that its top-level CLAIM (or set of CLAIMS) is satisfied, including structured and explicit argumentation and its underlying EVIDENCE and explicit assumptions that support the CLAIM(s)

Note 1 to entry: A SECURITY CASE contains the following and their relationships:
– one or more CLAIMS about the critical property security;
– ARGUMENTS that logically link the EVIDENCE and any assumptions to the CLAIM(s);
– a body of EVIDENCE and possibly assumptions supporting these ARGUMENTS for the CLAIM(s);
– justification of the choice of the top-level CLAIM and the method of reasoning.

[SOURCE: ISO/IEC 15026-1:2013, 3.1.3, modified – Adapted and amended definition of "ASSURANCE CASE" specifically addressing security as the critical property]

3.1.13
SECURITY CONTROL
management, operational, and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information
[SOURCE: FIPS Publication 199, Appendix A]

3.1.14
SECURITY PATTERN
a means of documenting and reusing successful security ARGUMENT structures
[SOURCE: Adapted and amended definition in Kelly, T.P. & McDermid, J.A. (1997). Safety Case Construction and Reuse using Patterns. 16th International Conference on Computer Safety, Reliability and Security (SAFECOMP'97) (pp. 55-69): Springer London]

3.2 Abbreviated terms

ALOF Automatic logoff
AUDT Audit controls
CNFS Configuration of security features
CSUP Cyber security product upgrades
DIDT Health DATA de-identification
DTBK Data backup and disaster recovery
IGAU Health data integrity and authenticity
MLDP Malware protection/recovery
NAUT Node authentication
PAUT Person authentication
PLOK Physical locks on device
RDMP Third party components and roadmaps
SAHD System and application hardening
SGUD Security guides
STCF Health data storage confidentiality
TXCF Transmission confidentiality
TXIG Transmission integrity
MDM MEDICAL DEVICE manufacturer
HDO Healthcare delivery organization
SDLC System/software development lifecycle

4 ASSURANCE case

An ASSURANCE case is a structured, EVIDENCE based ARGUMENT used to demonstrate CONFIDENCE that a system holds a particular critical property. ASSURANCE cases have been commonly applied to the safety domain, specifically addressing safety concerns for systems; however the use of ASSURANCE cases has expanded and nowadays addresses other critical properties such as dependability, reliability and security across a range of safety critical domains such as automotive, railway, defence, aviation etc. An ASSURANCE case is called a safety case when used to argue the safety of a system. Similarly they are referred to as dependability, reliability or SECURITY CASES respectively.

A SECURITY CASE is required due to the associated security RISK related properties of certain MEDICAL DEVICES where CONFIDENCE is required to demonstrate security ASSURANCE of such MEDICAL DEVICES.

An ARGUMENT is a connected series of CLAIMS intended to establish an overall CLAIM. This hierarchy of CLAIMS presents the ARGUMENT of a SECURITY CASE. The ARGUMENT in a SECURITY CASE shows how a high-level CLAIM is supported by a number of child CLAIMS, which, in turn, are supported by detailed presentation of EVIDENCE. It is the combination of CLAIMS and EVIDENCE that provides CONFIDENCE in the overall high-level CLAIM for the SECURITY CASE. In demonstrating the security ASSURANCE of a MEDICAL DEVICE, it is difficult to see the adequacy of the EVIDENCE (e.g. test results) if no ARGUMENT supporting the CLAIM of the MEDICAL DEVICE exists. Presenting the ARGUMENT and EVIDENCE in a structured approach reduces the likelihood of uncertainty and allows for a better analysis of the achievement of the set of …

The SECURITY CASE also provides a mechanism for capturing supporting information (by means of additional notation which can form part of an ARGUMENT) in the form of assumptions, justification and context. This information supports rationale and decision making while developing, interpreting and updating the SECURITY CASE.
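The CLAIM / ARGUMENT / EVIDENCE hierarchy described in this clause, the traceability matrix from threats to SECURITY CONTROLS that the SECURITY PATTERN is meant to produce (see the objectives listed in the Introduction), and the later requirement that each component of the case has its origin identified and its integrity assured can all be checked mechanically once the case is held as data rather than as a drawing. The Python below is an added example written for this page; it is not code from IEC TR 80001-2-9, from the GSN Community Standard, or from any GSN tool. It models a small GSN-style SECURITY CASE for the PAUT capability, borrowing only the goal names of Annex A.2 (G6, G8, G10, G13); the threats, SECURITY CONTROLS, evidence artefacts and all other node identifiers are constructed for illustration. G13 is deliberately left undeveloped so the checks have something to find.

```python
"""Added example: a GSN-style SECURITY CASE held as data, with three checks a
reviewer wants before accepting the case. Not code from IEC TR 80001-2-9."""
from dataclasses import dataclass, field
import hashlib
from typing import Iterator, Optional


@dataclass
class Node:
    """One element of the ARGUMENT. kind is one of goal, strategy, solution,
    context, justification (the GSN components the report uses)."""
    id: str
    kind: str
    text: str
    children: list = field(default_factory=list)
    threat: Optional[str] = None      # goal only: threat/vulnerability it mitigates
    control: Optional[str] = None     # solution only: the SECURITY CONTROL evidenced
    artefact: Optional[bytes] = None  # solution only: the EVIDENCE artefact itself

    def add(self, *nodes: "Node") -> "Node":
        self.children.extend(nodes)
        return self


# Only these kinds carry support for a claim; context/justification attach rationale.
SUPPORTING = {"goal", "strategy", "solution"}


def walk(node: Node) -> Iterator[Node]:
    yield node
    for child in node.children:
        yield from walk(child)


def find(root: Node, node_id: str) -> Node:
    return next(n for n in walk(root) if n.id == node_id)


def unsupported(root: Node) -> list:
    """IDs of goals/strategies with no supporting child: undeveloped claims that
    leave a hole in the ARGUMENT (the 'missing a step' the pattern aims to avoid)."""
    return [n.id for n in walk(root)
            if n.kind in ("goal", "strategy")
            and not any(c.kind in SUPPORTING for c in n.children)]


def traceability(root: Node) -> dict:
    """Traceability matrix: threat -> sorted SECURITY CONTROLS evidenced under the
    goal that mitigates it. An empty list flags a threat with no control yet."""
    matrix = {}
    for goal in walk(root):
        if goal.kind == "goal" and goal.threat:
            controls = {s.control for s in walk(goal)
                        if s.kind == "solution" and s.control}
            matrix[goal.threat] = sorted(controls)
    return matrix


def evidence_digests(root: Node) -> dict:
    """SHA-256 per EVIDENCE artefact, recorded at sign-off so change management
    can show which evidence was altered afterwards (integrity of the case)."""
    return {n.id: hashlib.sha256(n.artefact).hexdigest()
            for n in walk(root) if n.kind == "solution" and n.artefact is not None}


def changed_evidence(baseline: dict, root: Node) -> list:
    """Solution IDs whose artefact no longer matches the recorded digest."""
    current = evidence_digests(root)
    return sorted(i for i, d in current.items() if baseline.get(i) != d)


def build_paut_case() -> Node:
    """Constructed case for the PAUT capability. Goal names follow Annex A.2 of
    the report; controls, artefacts and the other node IDs are assumptions."""
    top = Node("G1", "goal", "SECURITY CAPABILITY PAUT is established for the medical system")
    top.add(Node("C1", "context", "Thin-client terminal on a MEDICAL DEVICE IT-network"),
            Node("J1", "justification", "PAUT selected: shared workstations allow unattended access"))
    s1 = Node("S1", "strategy", "Argue over each authentication threat found in RISK MANAGEMENT")
    top.add(s1)
    g6 = Node("G6", "goal", "Replay attack mitigated", threat="replay attack")
    g6.add(Node("Sn1", "solution", "Protocol test report",
                control="server-issued nonce in the authentication exchange",
                artefact=b"auth-protocol-test v3: replayed login rejected"))
    g8 = Node("G8", "goal", "'Man-in-the-middle' attack mitigated", threat="man-in-the-middle attack")
    g8.add(Node("Sn2", "solution", "TLS configuration review",
                control="TLS with server certificate validation",
                artefact=b"tls-review: TLS 1.2+, chain validated, pinning on"))
    g10 = Node("G10", "goal", "Brute force attack mitigated", threat="brute force attack")
    g10.add(Node("Sn3", "solution", "Lockout policy test log",
                 control="account lockout after repeated failed logins",
                 artefact=b"lockout-test: 5 failures -> 15 min lockout"))
    # G13 is left undeveloped on purpose: the lockout control above creates a
    # denial-of-service RISK that this case has not yet argued away.
    g13 = Node("G13", "goal", "Denial of service due to account lockout controls mitigated",
               threat="denial of service via lockout")
    s1.add(g6, g8, g10, g13)
    return top


if __name__ == "__main__":
    case = build_paut_case()
    print("undeveloped:", unsupported(case))
    for threat, controls in traceability(case).items():
        print(f"{threat:32} -> {controls}")
```

Running the module lists G13 as undeveloped and prints a matrix row per threat, with the lockout-induced denial of service mapped to no control; that row is exactly what a reviewer would send back to the MDM. Recording `evidence_digests()` at the point a RESPONSIBILITY AGREEMENT is signed and re-running `changed_evidence()` when the case is next touched turns the "living document" guidance into a check rather than a hope.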

5 Use of this document

5.1 Intended use

This document is intended to supply MDMs and HDOs with guidance for the development, interpretation, updating and maintenance of SECURITY CASES. It specifically guides MDMs, HDOs and other stakeholders in supporting a security dialogue through the use of ASSURANCE cases as a shared approach between all stakeholders. This document details the application of SECURITY CASES by providing examples with the use of Goal Structuring Notation (GSN) while acknowledging that other notations and other means to communicate are also applicable.

5.2.2 MEDICAL DEVICE MANUFACTURERS (MDM)

This document provides guidance to MDMs for developing a SECURITY CASE to demonstrate CONFIDENCE in the achievement of IEC TR 80001-2-2 SECURITY CAPABILITIES for the purpose of providing HDOs with the appropriate level of information to adequately support the HDO's RISK MANAGEMENT of MEDICAL DEVICES on a MEDICAL DEVICE IT-network.

A SECURITY CASE should be treated as a 'living document' that is continuously developed, maintained and updated during design, production and operation of a MEDICAL DEVICE, maintaining the traceability between the SECURITY CONTROLS, security RISKS and their associated SECURITY CAPABILITY CLAIMS. Treating a SECURITY CASE as a 'living' document during operation of a MEDICAL DEVICE will aid in gathering operational information and adapting to a changing threat landscape.

An MDM should commence development of the SECURITY CASE at the outset of the system/software development lifecycle (SDLC).

Using this document, a SECURITY CASE will provide a traceability matrix between identified security RISKS and the related SECURITY CONTROLS and SECURITY CAPABILITIES.

A SECURITY CASE can form part of a broader ASSURANCE case for a MEDICAL DEVICE addressing other system critical properties such as safety, reliability, usability etc.

A SECURITY CASE can be developed by MDMs to demonstrate the security ASSURANCE of a MEDICAL DEVICE to HDOs.

The SECURITY CASE may act as a support document to the Manufacturer Disclosure Statement (MDS²), which also utilizes IEC TR 80001-2-2 SECURITY CAPABILITIES.

In the event of an incident concerning a MEDICAL DEVICE, the SECURITY CASE is useful for analysis and also to provide information/feedback to HDOs.

Trang 16

He lth are del v ry orga izations (HDO)

5.2.3

cases can b a pled to any level of an IT-network whic can s p ort the entire

HDO IT-network ad res in an network comp nent e.g the radiolog network, network

commu ication comp nents, MEDIC L DEVICE , ac es ories an even comp nents of devices

HDOs can u e the S CU ITY CAS , as outl ned in this doc ment, to form p rt of a bro der

AS U A CE case ad res in ad itional critical pro erties s c as safety, rel a i ty,

maintaina i ty etc Simi arly, a S C RITY C S for one MEDIC L DEVICE on an IT-network can

form p rt of a larger MEDIC L DEVICE IT-network S CU ITY CAS

However, a CLAIM “The o ject x z is sec re” wi not make sen e in every case, e.g on a

device level, the ac ievement of req ired sec rity AS UR NCE may de en on whether the

device is protected by malware protection in the network infrastru ture or u ers are for

in tan e restricted ac es by organizational p l cies In other word , ac e ta le sec rity for a

MEDICAL DEVICE IT-network req ires the combined ef ort of the HDO, MDM an other

stakeholders

Sec rity is not l mited to tec nical me s res an may also req ire administrative me s res

e.g ac es controls at the u ers site or field monitorin an p tc proces es at MDMs site

SECU ITY C S S with their layered a pro c are a me n to co e with s c complex

situation In general, it is a b st practice to start on a level that a HDO has c osen as its

o ject to a ply RISK MA AGEMENT to This mig t b p rt of a medical IT-network an so the

CLAIM mig t be “This p rt of the medical IT-network is sec re” This CLAIM wi then b

s p orted by a set of A GUMENT whic wi eventual y le d to a CLAIM for a sin le MEDICAL

DEVICE that is p rt of the medical IT-network However, this CLAIM for a sp cific MEDICAL

DEVICE is not neces ari y “ he MEDICAL DEVICE x z is sec re” but in te d the CLAIM may b for

a sp cific (set of pro erty (pro erties) of the MEDIC L DEVICE Typical pro erties of a MEDICAL

DEVICE that relate to sec rity are given in IEC TR 8 0 1-2-2

HDOs should use this document for one or more of the following:

a) evaluate a SECURITY CASE to determine the extent of achievement of the IEC TR 80001-2-2

c) further develop a received MDM SECURITY CASE to include additional specific threats/vulnerabilities related to the environment and also EVIDENCE of any operational or administrative controls implemented in the operational environment.

The information contained in a SECURITY CASE will support HDO decision makers in determining the following:

a) establishing suitability of a MEDICAL DEVICE for a specific environment;

b) identifying use-environment security RISKS which may require RISK treatment (based on information provided by a MDM SECURITY CASE);

c) knowledge and understanding of design choices taken by the MDM;

d) knowledge and understanding of actions required by the HDO to maintain a MEDICAL DEVICE as

5.2.4 Other stakeholders

Stakeholders (involved in conformity assessment, certification, regulation, acquisition or audit) can evaluate the SECURITY CASE to determine the extent of achievement of the top-level CLAIM (establishment of the SECURITY CAPABILITIES) by the MEDICAL DEVICE and whether this achievement is demonstrated within the allowable uncertainty or RISK and any related consequences. The results regarding the top-level CLAIM and its support, along with related uncertainties and consequences, constitute a basis for rationally managing RISK, achieving grounds for appropriate CONFIDENCE, and aiding in decision making.

b) Each component should be uniquely identified and should be able to have its origin identified, its history ascertained, and its integrity assured.

c) Detailed supporting artifacts, which have been developed elsewhere, should be identified in the “context” 5) component and should be accessible.

d) For each component, the component's contents, the information related to it, and the other components with which it has relationships should be identifiable and accessible.

e) For each component, its description and required components, e.g. EVIDENCE for CLAIMS and related information such as test case results, should be identifiable and accessible.

f) Where a particular SECURITY CAPABILITY is deemed necessary 6), a CLAIM relating to the establishment of that SECURITY CAPABILITY should be developed.

g) For each SECURITY CAPABILITY, a SECURITY PATTERN (as outlined in Clause 7) which comprises a number of specific components should be utilized.

6.2 Overview of the SECURITY CASE framework

The following includes recommendations for the use of this document:

a) All 19 SECURITY CAPABILITIES should be considered for inclusion in the SECURITY CASE, giving consideration to the ‘user needs’, intended use, operational environment, interfaces, identified RISKS, functionality etc.

b) Where a SECURITY CAPABILITY is not required (due to any of the considerations in a)), justification for omission should be documented in the SECURITY CASE.

c) Selection of a SECURITY CAPABILITY is justified by the MEDICAL DEVICE assets protected by that SECURITY CAPABILITY.

d) Threats/vulnerabilities which are identified during RISK MANAGEMENT should be presented in the SECURITY CASE, which is developed until an adequate solution for mitigation

5) Context may include, but is not restricted to, definitions of the terms used, description of environment context, output from threat and vulnerability identification practices and the identities of entities responsible for a component’s development or maintenance.

f) The SECURITY PATTERN includes the SECURITY CONTROLS that are selected to mitigate the associated threat or vulnerability (to support the SECURITY CAPABILITY). SECURITY CONTROLS required to establish the SECURITY CAPABILITIES may be selected from IEC TR 80001-2-8. IEC TR 80001-2-8 provides a catalogue of SECURITY CONTROLS for each SECURITY CAPABILITY.

g) Selection of SECURITY CONTROLS is based on the MEDICAL DEVICE intended use, operational environment, context and RISK acceptability criteria.

h) SECURITY CONTROLS should be applied until the residual RISK is deemed acceptable based on the RISK acceptability policy.

i) MDMs may document the EVIDENCE in the SECURITY CASE (e.g. test results, reports, etc.) or provide a reference to it.

j) Determination, selection, acceptability and sharing of EVIDENCE is an agreement among the relevant stakeholders. Such information should be documented and may form part of a stakeholder RESPONSIBILITY AGREEMENT.

k) The sharing, extent and use of proprietary information within a SECURITY CASE should also be documented and form part of a stakeholder RESPONSIBILITY AGREEMENT.

l) It is recommended that MDMs using this framework supply the SECURITY CASE to HDOs with the MEDICAL DEVICE.

m) With this information, HDOs should identify their ‘on-site’ SECURITY CONTROLS (e.g. policies, procedures etc.) for the MEDICAL DEVICE on the IT-network. The SECURITY CASE is maintained in order to show any additional EVIDENCE in terms of additional implementation of IT-network SECURITY CONTROLS.

n) The SECURITY CASE should form part of the HDO RISK MANAGEMENT file (RMF) and should be maintained and updated as necessary. The SECURITY CASE may also be useful as a

This clause outlines the components of a SECURITY CASE in notation form along with associated extensions. All components are required in developing the SECURITY CASE. A SECURITY CASE requires a structured ARGUMENT (hierarchy of CLAIMS) supported by EVIDENCE. There are numerous formats and notation types that can be used for developing SECURITY CASES. As an example, this document uses Goal Structuring Notation (GSN) to present the SECURITY CASE. GSN is not a tool but a mature notation, standardised and widely used [6].

A goal is a CLAIM or proposition to be assured about a particular MEDICAL DEVICE and is a true-false statement. It may be accompanied by supporting components such as “Assumption”, “Justification” or “Context”. Within the SECURITY CASE, CLAIMS are supported by sub-CLAIMS, where the set of sub-CLAIMS makes up the body of the ARGUMENT. Figure 1 below shows the SECURITY CASE top-level CLAIM. The ARGUMENT describes the relationship between the CLAIM and the EVIDENCE and is therefore critical for the establishment of CONFIDENCE in the EVIDENCE obtained.

This SECURITY CASE framework utilizes a SECURITY PATTERN. The use of a SECURITY PATTERN provides a repeatable process to develop the SECURITY CASE while maintaining the structure of the SECURITY CASE. An instantiated SECURITY PATTERN may be reusable from one SECURITY CASE to another or within a SECURITY CASE.

Figure 1 – Example GOAL (top-level)

6.3.3 Strategy

The strategy describes the nature of the reasoning that exists between a CLAIM and its sub-CLAIMS. Figure 2 shows the strategy which is used in the SECURITY CASE framework to link the top-level CLAIM to the ARGUMENT.

Figure 2 – Example strategy

6.3.4 Justification

Because the choice of a CLAIM is critical to meeting the objective of the SECURITY CASE, some CLAIMS will require justification for their selection. In order to provide CONFIDENCE in the reason for selection (or non-selection) and establishment of SECURITY CAPABILITIES, justification for non-selection of SECURITY CAPABILITIES is required in every case. Where it is justified that a particular SECURITY CAPABILITY is not required, the SECURITY PATTERN will not be developed any further. Figure 3 shows an example of how justification uses the RISK analysis results to justify the non-selection of a particular SECURITY CAPABILITY.

CLAIM and its property is critical in order to meet the objective of a SECURITY CASE, the context in which the CLAIM or reasoning step is made should be captured. A top-level CLAIM shall have an associated context outlining the user need, intended use, operational environment etc. Figure 4 shows an example of a context component with reference to system description, interfaces, boundaries and assets.

Figure 4 – Example context

6.3.6 Solution (EVIDENCE)

An ARGUMENT continues until a CLAIM or sub-CLAIM is supported by EVIDENCE that supports the truth of that CLAIM. Asserted EVIDENCE for all ARGUMENTS within the SECURITY CASE provides CONFIDENCE in the top-level goal (CLAIM). Figure 5 shows an example of EVIDENCE relating to the identified threats and vulnerabilities.
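As an added example (not part of IEC TR 80001-2-9 or of any GSN tool), the following Python models the GSN elements described in 6.3 and audits a SECURITY CASE against recommendations 6.2 a) and b) and the justification rule of 6.3.4: every SECURITY CAPABILITY must either be claimed and argued down to EVIDENCE or be justified as not required, and the top-level CLAIM must carry a context. The capability identifiers, the device name MD-X and the report id are constructed sample values, and the capability subset stands in for the full list of 19.

```python
from dataclasses import dataclass, field

# Constructed sample input: an illustrative subset of IEC TR 80001-2-2 capability identifiers.
# The report calls for all 19 to be considered; the audit checks whichever set is passed in.
CAPABILITIES = ("ALOF", "AUDT", "MLDP", "NAUT")
@dataclass
class Node:
    """One GSN element: goal (CLAIM), strategy, context, justification or solution (EVIDENCE)."""
    kind: str
    text: str
    capability: str = ""  # SECURITY CAPABILITY a goal or justification refers to, if any
    children: list = field(default_factory=list)
    def add(self, node):
        self.children.append(node)
        return node
def has_solution(node):
    """A CLAIM is supported only if some path below it ends in a solution (EVIDENCE)."""
    return node.kind == "solution" or any(has_solution(c) for c in node.children)
def audit_case(top, capabilities=CAPABILITIES):
    """Gaps a reviewer would raise against a SECURITY CASE (recommendations 6.2 a)/b), 6.3)."""
    issues = []
    if not any(c.kind == "context" for c in top.children):
        issues.append("top-level CLAIM has no context")
    seen, stack = {}, [top]
    while stack:
        n = stack.pop()
        stack.extend(n.children)
        if n.capability:
            seen.setdefault(n.capability, set()).add(n.kind)
        if n.kind == "goal" and not has_solution(n):
            issues.append(f"unsupported CLAIM: {n.text}")
    for cap in capabilities:
        kinds = seen.get(cap, set())
        if not kinds:
            issues.append(f"{cap}: neither claimed nor justified as not required")
        elif {"goal", "justification"} <= kinds:
            issues.append(f"{cap}: both claimed and justified as not required")
    return sorted(issues)

def example_case():
    """Constructed SECURITY CASE for a hypothetical device 'MD-X' (not taken from the report)."""
    top = Node("goal", "MD-X on the medical IT-network establishes its selected SECURITY CAPABILITIES")
    top.add(Node("context", "User needs, intended use, operational environment, interfaces, assets"))
    s1 = top.add(Node("strategy", "Argue over each IEC TR 80001-2-2 SECURITY CAPABILITY"))
    g = s1.add(Node("goal", "MLDP: malware protection is established on MD-X", "MLDP"))
    g.add(Node("solution", "Anti-malware configuration test report MDX-TR-07 (constructed id)"))
    s1.add(Node("goal", "AUDT: security-relevant events are logged on MD-X", "AUDT"))  # no EVIDENCE attached
    s1.add(Node("justification", "ALOF not required: RISK analysis found no unattended-use scenario", "ALOF"))
    return top  # NAUT is neither claimed nor justified, so 6.2 a)/b) are not met
```

Running `audit_case(example_case())` reports the AUDT claim as unsupported and NAUT as neither claimed nor justified, while MLDP (argued to EVIDENCE) and ALOF (justified omission) pass.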

Figure 5 – Example solution (EVIDENCE)

6.3.7 Stakeholder

This is a form of context symbol which is used to indicate the stakeholders, outlining any communicated SECURITY CAPABILITIES associated in some way with the goal to which it is attached. Figure 6 shows an example of a stakeholder component with reference to SECURITY

Line with hollow arrowhead indicating a contextual relationship.

An arrow with a black dot indicates multiplicity (zero to many).
