A Process Assessment Model for Security Assurance of Networked Medical Devices

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 349)

Abstract

The recent introduction of networked medical devices has brought many benefits for both the healthcare industry and patient care. However, because of the complexity of these devices, in particular their advanced communication ability, security is becoming an increasing concern. This paper presents work to develop a framework to assure the security of medical devices being incorporated into an IT network. It begins by looking at the development processes and their assurance through the use of a Process Assessment Model, with a major focus on the security risk management processes. With the inclusion of a set of specific security controls, both the Healthcare Delivery Organisations and the Medical Device Manufacturers work together to establish fundamental security requirements. The Medical Device Manufacturer reports the achieved security assurance level of their device through the development of a security assurance case. The purpose of this approach is to increase awareness of security vulnerabilities, risks and controls among Medical Device Manufacturers and Healthcare Delivery Organisations, with the aim of increasing the overall security capability of medical devices.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Finnegan, A., McCaffery, F., Coleman, G. (2013). A Process Assessment Model for Security Assurance of Networked Medical Devices. In: Woronowicz, T., Rout, T., O’Connor, R.V., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2013. Communications in Computer and Information Science, vol 349. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38833-0_3

  • DOI: https://doi.org/10.1007/978-3-642-38833-0_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38832-3

  • Online ISBN: 978-3-642-38833-0

  • eBook Packages: Computer Science, Computer Science (R0)
