Abstract
Medical devices (MDs) are becoming increasingly networked. Given, that safety is the most significant factor within then MD industry and the radical shift in MDs design to enable them to be networked, it would make sense that strong security requirements associated with networking of a device should be put in place to protect such devices from becoming increasingly vulnerable to security risks. However, this is not the case. Networked MDs may be at risk. In an attempt to reduce this risk to the MD industry there are a number of upcoming regulatory changes, which will affect the development of networked MDs, how they are regulated and how they are managed in operation. Consequently, an industry-wide issue exists as there is currently no standardised way to assist organisations to satisfy such security related requirements. This paper describes ongoing research for the development of an innovative framework to improve the overall security practices adopted during MD development, in operation and through to retirement.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Radcliffe, J.: Hacking medical devices for fun and insulin: breaking the human SCADA system. In: Black Hat Conference Presentation Slides (2011)
Government Accountability Office: Medical Devices, FDA Should Expland Its Consideration of Information Security for Certain Types of Devices, GAO, Editor (2012)
FDA and CDRH: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, in Draft Guidance for Industry and Food and Drug Administration Staff (2013)
Finnegan, A., McCaffery, F.: A security argument pattern for medical device assurance cases. In: ASSURE 2014, Naples, Italy. IEEE (2014)
IEC: TR 80001-2-2 - Application of risk management for IT-networks incorporating medical devices - Guidance for the disclosure and communication of medical device security needs, risks and controls, International Electrotechnical Committee, p. 30 (2011)
Kelly, T., Weaver, R.: The goal structuring notation – a safety argument notation (2004)
Bloomfield, R., Bishop, P.: Safety and assurance cases: past, present and possible future - an Adelard perspective. In: Dale, C., Anderson, T. (eds.) Making Systems Safer, pp. 51–67. Springer, London (2010)
Consulting (York) Ltd.: GSN Community Standard Version 1 (2011)
Finnegan, A., McCaffery, F., Coleman, G.: A process assessment model for security assurance of networked medical devices. In: Woronowicz, T., Rout, T., O’Connor, R.V., Dorling, A. (eds.) SPICE 2013. CCIS, vol. 349, pp. 25–36. Springer, Heidelberg (2013)
NIST: SP 800-53 R4 - Recommended Security Controls for Federal Information Systems and Organisations, U.S.D.o. Commerce, Editor (2013)
ISO/IEC: 15408-2 Information Technology - Security Techniques - Evaluation Criteria for IT Security, in Security Functional Components (2008)
ISO/IEC: 15408-3 Information Technology - Security Techniques - Evaluation Criteria for IT Security, in Security Assurance Components (2008)
ISO/IEC: 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Management (2013)
ISO: EN ISO 27799:2008 Health informatics. Information security management in health using ISO/IEC 27002 (2008)
IEC: 62443-3-3 Ed 1.0 – Security for industrial automation and control systems -Network and system security – System security requirements and security assurance levels (2013)
Sein, M.K., et al.: Action design research. Mis Q. 35(1), 37–56 (2011)
FDA and CDRH: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, in Guidance for Industry and Food and Drug Administration Staff (2014)
Federici, T.: RE: Docket No. FDA-2010-D-0194: Agency Information Collection Activities; Submission for Office of Management and Budget Review; Comment Request; Draft Guidance for Industry and FDA Staff; Total Product Life Cycle: Infusion Pump—Premarket Notification Submissions, T.a.R. Affairs, Editor 2014: AdvaMed
ISO/IEC: 27005 Information Technology - Security Techniques - Information Security Risk Managment (2011)
ISO: 14971- Medical devices - Application of risk management to medical devices (2007)
IEC/WD: 80001-2-9 - Application of risk management for IT networks incorporating medical devices – Part 2-8: Application guidance - Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities. Lead Author: Finnegan, A. (in press)
Acknowledgments
This research is supported by the Science Foundation Ireland (SFI) Principal Investigator Programme, grant number 08/IN.1/I2030 (the funding of this project was awarded by Science Foundation Ireland under a co-funding initiative by the Irish Government and European Regional Development Fund), and supported in part by Lero - the Irish Software Engineering Research Centre (http://www.lero.ie) grant 10/CE/I1855.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Finnegan, A., McCaffery, F. (2015). Towards an International Security Case Framework for Networked Medical Devices. In: Koornneef, F., van Gulijk, C. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2014. Lecture Notes in Computer Science(), vol 9337. Springer, Cham. https://doi.org/10.1007/978-3-319-24255-2_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-24255-2_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24254-5
Online ISBN: 978-3-319-24255-2
eBook Packages: Computer ScienceComputer Science (R0)