Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices

Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices

The substantial improvements and innovations in communication networks and bio-medical technologies have led to the adoption of networked medical devices due to which the attack surface has increased profoundly. Numerous devices in practice were designed and developed years ago without security meas...

Full description

Saved in:
Bibliographic Details
Published in:IEEE journal of biomedical and health informatics Vol. 24; no. 6; pp. 1752 - 1761
Main Authors: Yaqoob, Tahreem, Abbas, Haider, Shafqat, Narmeen
Format: Journal Article
Language:English
Published: United States IEEE 01-06-2020
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects:
Bayesian theorem
Biomedical Engineering - instrumentation
Biomedical Engineering - standards
Commercialization
Communication networks
Computer Security
Confidentiality
CVSS
Electronic devices
Equipment and Supplies - standards
Equipment Safety
Europe
FDA
Humans
Internet
ISSP risk assessment framework
Medical devices
Medical equipment
Medical Informatics - methods
Packaging
Performance standards
Privacy
Quality management
Regulations
Regulatory agencies
Risk Assessment
Risk levels
Risk management
Safety
Security
Europe
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The substantial improvements and innovations in communication networks and bio-medical technologies have led to the adoption of networked medical devices due to which the attack surface has increased profoundly. Numerous devices in practice were designed and developed years ago without security measures. In such a scenario, the role of regulatory bodies has become evident. The Food and Drug Administration (FDA) validates and approves devices before commercialization. In contrast, the European Union (EU) follows a decentralized approach and Notified Bodies (NB) for assuring high standards, safety and quality of medical devices being marketed in Europe. Once the device has gone through stringent regulations including good manufacturing practices, Quality Management System (QMS), labeling, clinical tests, performance standards, adequate storage and packaging practices, a declaration of conformity will be granted, which is a legal binding document stating that the device is conformant with applicable European requirements and can be marketed in Europe. However, such regulations lack a systematic methodology to determine unified security, safety and privacy risk that eventually influence the health of patients. To cover these gaps, this research proposes Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to determine the risk level of the device and required security controls. It is, then applied to a case scenario of an infusion pump and further evaluated by comparing it with current standards and practices. The comparison shows that the framework provides a unified approach to consider different types of risks associated with devices.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
ISSN:2168-2194
2168-2208
DOI:10.1109/JBHI.2019.2952906