A Process Assessment Model for Security Assurance of Networked Medical Devices

  • Anita Finnegan
  • Fergal McCaffery
  • Gerry Coleman
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 349)


The recent introduction of networked medical devices has posed many benefits for both the healthcare industry and improved patient care. However, because of the complexity of these devices, in particular the advanced communication ability of these devices, security is becoming an increasing concern. This paper presents work to develop a framework to assure the security of medical devices being incorporated into an IT network. It begins by looking at the development processes and the assurance of these through the use of a Process Assessment Model with a major focus on the security risk management processes. With the inclusion of a set of specific security controls, both the Healthcare Delivery Organisations and the Medical Device Manufacturers work together to establish fundamental security requirements. The Medical Device Manufacturer reports the achieved security assurance level of their device through the development of a security assurance case. The purpose of this approach is to increase awareness of security vulnerabilities, risks and controls among Medical Device Manufacturers and Healthcare Delivery Organisations with the aim of increasing the overall security capability of medical devices.


Process Assessment Model Security Assurance Security Assurance Cases Networked Medical Devices 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    DHS, Attack Surface: Healthcare and Public Heath Sector (2012)Google Scholar
  2. 2.
    Government Accountability Office, Medical Devices, FDA Should Expland Its Consideration of Information Security for Certain Types of Devices, GAO (2012)Google Scholar
  3. 3.
    ISO/IEC, 15504-2: 2003 Software Engineering - Process Assessment - Performing an Assessment (2003) Google Scholar
  4. 4.
    ISO/IEC, 15288 - Systems engineering — System life cycle processes (2008)Google Scholar
  5. 5.
    ISO/IEC, 15504-6:2008 Information technology — Process assessment — An exemplar system life cycle process assessment model (2008)Google Scholar
  6. 6.
    ISO/IEC, 15026-4: Systems and Software Engineering - Systems and Software Assurance - Assurance in the Life Cycle (2012)Google Scholar
  7. 7.
    IEC, TR 80001-2-2 - Application of risk management for IT-networks incorporating medical devices - Guidance for the disclosure and communication of medical device security needs, risks and controls, International Electrotechnical Committee, p. 30 (2011)Google Scholar
  8. 8.
    ISO/IEC, 27001 Information Technology - Security Techniques - Information Security Management Systems - Requirements (2005)Google Scholar
  9. 9.
    ISO, EN ISO 27799:2008 Health informatics. Information security management in health using ISO/IEC 27002 (2008)Google Scholar
  10. 10.
    ISO/IEC, 15408-1 Information Technology - Security Techniques - Evaluation Criteria for IT Security, Introduction and General Model 2009 (2009)Google Scholar
  11. 11.
    IEC, 62443-3-3 – Security for industrial automation and control systems - Network and system security – System security requirements and security assurance levels Introductory Note 2011 (2011) Google Scholar
  12. 12.
    NIST, 800-53 Recommended Security Controls for Federal Information Systems and Organisations, U.S.D.o. Commerce (2009)Google Scholar
  13. 13.
    FDA, Total Product Life Cycle: Infusion Pump - Premarket Notification [510(k)] Submissions - Draft Guidance (2010) Google Scholar
  14. 14.
    Consulting (York) Ltd., GSN Community Standard Version 1 (2011)Google Scholar
  15. 15.
    Finnegan, A., McCaffery, F., Coleman, G.: Development of a process assessment model for assessing security of IT networks incorporating medical devices against ISO/IEC 15026-4. In: Healthinf 2013, Barcelona, Spain (2013)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Anita Finnegan
    • 1
  • Fergal McCaffery
    • 1
  • Gerry Coleman
    • 1
  1. 1.Regulated Software Research GroupDundalk Institute of Technology & LeroCo LouthIreland

Personalised recommendations