To cover these gaps, this research proposes Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to determine the risk level of the device and required security controls. It is, then applied to a case scenario of an infusion pump and further evaluated by comparing it with current standards and practices” Yasqoob et al (2019).
Abstract:
The substantial improvements and innovations in communication networks and bio-medical technologies have led to the adoption of networked medical devices. Due to such developments, medical devices have made phenomenal strides in the course of the last half-century. However, the prolific amalgamation of technology and medical devices is constantly generating novel attack vectors. As these devices are no longer standalone systems and are network-connected, the attack surface has increased profoundly. Numerous devices in practice were designed and developed years ago without security measures. In such a scenario, the role of regulatory bodies has become evident. The Food and Drug Administration (FDA) validates and approves devices before commercialization. In contrast, the European Union (EU) follows a decentralized approach and Notified Bodies (NB) for assuring high standards, safety and quality of medical devices being marketed in Europe. Once the device has gone through stringent regulations including good manufacturing practices, Quality Management System (QMS), labeling, clinical tests, performance standards, adequate storage and packaging practices, a declaration of conformity will be granted, which is a legal binding document stating that the device is conformant with applicable European requirements and can be marketed in Europe. However, with the introduction of networking capabilities in medical devices, security and privacyrelated attacks have been increased profoundly. The existing regulations lack a systematic methodology to determine unified security, safety and privacy risk that eventually influence the health of patients. To cover these gaps, this research proposes Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to determine the risk level of the device and required security controls. It is, then applied to a case scenario of an infusion pump and further evaluated by comparing it with current standards and practices. The comparison shows that the framework provides a unified approach to consider different types of risks associated with devices.
You may also be interested in…
[rp4wp]
Reference:
Yasqoob, T., Abbas, H. and Shafqat, N. (2019) Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices. IEEE Journal of Biomedical and Health Informatics. November 11th. doi: 10.1109/JBHI.2019.2952906. [Epub ahead of print].