7
JWG7 Tiger Team Security & Privacy recommendations for ISO TC210, TC215 and IEC SC62A Report out 2016 - 12 - 15
JWG7TigerTeamSecurity&PrivacyrecommendationsforISOTC210,TC215andIECSC62A
Reportout2016-12-15
CharterfortheJWG7SecurityTigerTeam
1. ConsiderhowbesttoaddresssecuritywithintheremitoftheJWG7:a) Safe,effectiveandsecurehealthsoftwareandhealthITsystems,includingthoseincorporatingmedicaldevicesb) StandardizationintheareaofhealthinformaticsandelectricalequipmentinhealthcarewhereISO/TC215andIEC/SC62Ahave
identifiedaneedforjointstandardsdevelopment.
2. Considerhowtoleverageguidance(-2-2,-2-8&-2-9)
3. WhatisdirectedtowardtheDesign&Development"left"side(primary)stakeholdersvs.Implementation&use"right"side(primary)stakeholders
4. Timing- 62304and80001-1arebothbeingrevisedandwillbeavailablebeforeanynewstandardcouldbecompleted;soconsiderhowneartermupdatescouldbeincludedinthesedocumentsandpublishedbeforeanynewdocuments- especiallystandards- couldbecompletedandpublished.
5. Impact/useofcurrentprojects&documents:82304-x,62304,81001-1 ,80001-1and80001-2-x
6. CoordinationwithTC210&JWG1
7. Coordinationwithnationalinitiatives,includingintheEU,USandAsia
8. Considerrecommendationstoaddressprivacy,andespeciallyconsent
Recommendations
• TherecommendationsoftheJWG7tigerteamisabouthowtoextendriskmanagementbeyondsafetyforthenewandupcomingdocumentchangesfromJWG1andJWG7.
• ItdoesnotprovideallanswersbutmereguidanceonhowandwhereweneedtoensurethatSafety,SecurityandPrivacythreatsareconsideredinriskanalysisandlifecyclemanagement.
Introduction
• Globaltrendsrequireustomakefoundationalchangesinhealthcare.• Thesetrendsinhealthcarerequireinnovativesolutionswithamoremultidisciplinaryapproachtobeabletodevelopsafe,effectiveandsecureHealthsoftwareandhealthITsystems,includingthoseincorporatingmedicaldevices.• Theolderfunctionalsafetystandardsdidnotaddressthechallengesofhighlyconnected“systems-of-systems”.• ISO/IEC80001-1wasafirstattempttoaddresstheserisksrelatedto“systems-of-systems”butnewtypesofsolutionsandachangeinthethreatlandscapeandregulatoryspacerequiresadifferentapproach.
Documentstructure
1. SecurityRiskManagementa) generalb) formanufacturersc) foroperators/users
2. SecurityRequirementstobemet3. Consistentsetofterms4. SoftwareandSystemprocessrequirements
a) formanufacturersb) Foroperators/users
5. Communicationbetweenstakeholders6. DatalifecycleandPrivacy
Topic Title
Whatneedstobeaddressed
PriorityHowshallitbeaddressed
Rationale
Constraints/Input/Ideasforcontent
MainTakeaways• Ofkeyimportanceistheunderstandingthatsafety,securityandprivacyareinterlinkedandcannotbeviewedinisolation!
• Updateof14791à ExtendbeyondSafety• Expanded(exploded)scopeà Cloud,ByoMD,familyportals• Operationalsecurityà HDOisnottheonlyoperator/user• “Multipletieredsuppliers”àWhereSLAswon’tworkanymore• Privacyà Alsoconsentandnotificationmayintroducesafetyrisks• Consistentsetoftermsà Cyber,security,risk,threats,vulnerabilities
TheJWG7TigerTeamis
lookingforwardto
yourfeedbackandquestions
