IEEE Std 11073-40101:2020, Health informatics - Device interoperability - Part 40101: Foundational - Cybersecurity - Processes for vulnerability assessment.
Within the context of secure plug-and-play interoperability, cybersecurity is the process and capability of preventing unauthorized access or modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD/PoCD. The process part of cybersecurity is risk analysis of use cases specific to a PHD/PoCD.
For PHDs/PoCDs, this standard defines an iterative, systematic, scalable, and auditable approach to the identification of cybersecurity vulnerabilities and the estimation of risk. This iterative vulnerability assessment uses the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) classification scheme and the embedded Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring, and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.
1.3 Purpose
The purpose of this document is to define a common approach to cybersecurity assessment in PHDs/PoCDs and to define an iterative, systematic, scalable, and auditable vulnerability assessment appropriate for use in the design of PHDs/PoCDs.
1.4 Word usage
The word shall indicates mandatory requirements strictly to be followed in order to conform to the standard and from which no deviation is permitted (shall equals is required to).
The word should indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others or that a certain course of action is preferred but not necessarily required.
The word may is used to indicate a course of action permissible within the limits of the standard (may equals is permitted to).
The word can is used for statements of possibility and capability, whether material, physical, or causal (can equals is able to).
2. Definitions, acronyms, and abbreviations
2.1 Definitions
For the purposes of this document, the terms and definitions provided in the PHD Cybersecurity Standards Roadmap (IEEE white paper [134]) apply. The IEEE Standards Dictionary Online should be consulted for terms not defined there.
2.2 Acronyms and abbreviations
CRUD create, read, update, and delete
CVSS Common Vulnerability Scoring System
DFD data flow diagram
eCVSS embedded Common Vulnerability Scoring System
HCP Health Care Provider
PHD Personal Health Device
PoCD Point-of-Care Device
STRIDE Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
TMT Threat Modeling Tool
UML Unified Modeling Language
3. Risk management
Various regulations, standards, and guidelines address the subject of risk and risk management. In some cases, the application of specific standards may be mandated by regulations, contracts, or customer expectations. This standard does not define a specific risk management process as appropriate for all manufacturers, because each manufacturer's risk management process needs to comply with the regulations, standards, and contracts for the specific disease domain and the jurisdiction in which the device is marketed.