Cybersecurity and medical devices: Are the ISO/IEC 80001-2-2 technical controls up to the challenge?

Scott Anderson, Trish Williams
<span title="">2018</span> <i title="Elsevier BV"> <a target="_blank" rel="noopener" href="" style="color: black;">Computer Standards &amp; Interfaces</a> </i> &nbsp;
Highlights  An analysis of technical guidance for cybersecurity of ISO 80001-2-8 is presented  ISO 80001-2-8 technical security controls have significant gaps in areas  ISO 80001-2-8 presents an effective baseline for cybersecurity of medical devices ABSTRACT Medical devices, in the case of malfunction, can have tangible impact on patient safety. Their security, in a world where the Internet of Things has become a reality, is paramount to the continued safety of patients that are dependent
more &raquo; ... on these devices. The international standard ISO/IEC 80001 -Application of risk management for IT-networks incorporating medical devices presents a unified and amalgamated approach to the safety of medical devices connected to IT networks. Whilst this standard presents a guide for security and risk management in health delivery organisations, its effectiveness with regard to contemporary cybersecurity is unknown. This research employed a structured review process to compare and analyse the ISO/IEC 80001 technical controls standards (ISO/IEC 80001-2-2 and ISO/IEC 80001-2-8), with contemporary cybersecurity best practice, guidelines and standards. The research deconstructed the technical controls and drew links between these standards and cybersecurity best practice to assess the level of harmonisation. Subsequently, a deeper analysis identified the areas of omission, coverage, addition or improvement that may impact the effectiveness of ISO/IEC 80001 to provide effective cybersecurity protection. ISO/IEC 80001 aims to provide a minimal level of cybersecurity however this research demonstrates that there are deficiencies in the standard and identifies the important aspects of cybersecurity that could be improved. This situation has arisen due to the rapidly evolving nature of the cybersecurity environment and the protracted time to revise and republish international standards. This research identified several areas that require urgent consideration, including Emergency Access, Health Data De-Identification, Physical Locks on Devices, Data Backup, Disaster Recovery, Third-Party Components in Product Lifecycle Roadmap, Transmission Confidentiality, and Transmission Integrity. The research will provide health delivery organisations implementing ISO/IEC 80001, assurance as to the level of protection supplied by the ISO/IEC 80001 standard, and the areas that may need enhancement to increase cybersecurity protection and consequently increase in patient safety. Further, the outcomes are expected to influence development of the related international standard,
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="">doi:10.1016/j.csi.2017.10.001</a> <a target="_blank" rel="external noopener" href="">fatcat:phlnmqcvtfdmtjuuswbska3gjq</a> </span>
<a target="_blank" rel="noopener" href=";jsessionid=FC5DE970B5F51708565A093BA20E7D79?sequence=1" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext"> <button class="ui simple right pointing dropdown compact black labeled icon button serp-button"> <i class="icon ia-icon"></i> Web Archive [PDF] <div class="menu fulltext-thumbnail"> <img src="" alt="fulltext thumbnail" loading="lazy"> </div> </button> </a> <a target="_blank" rel="external noopener noreferrer" href=""> <button class="ui left aligned compact blue labeled icon button serp-button"> <i class="external alternate icon"></i> </button> </a>