1、Application of risk managementfor it-networks incorporating medical devicesPart 2-9: Application guidance Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilitiesPD IEC/TR 80001-2-9:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.
2、indd 1 15/05/2013 15:06National forewordThis Published Document is the UK implementation of IEC/TR80001-2-9:2017. The UK participation in its preparation was entrusted by TechnicalCommittee CH/62, Electrical Equipment in Medical Practice, toSubcommittee CH/62/1, Common aspects of Electrical Equipmen
3、t used in Medical Practice.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisions ofa contract. Users are responsible for its correct application. The British Standards Institution 201
4、7.Published by BSI Standards Limited 2017ISBN 978 0 580 91661 8ICS 11.040.01; 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 28 February 2017.Amendment
5、s/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENTPD IEC/TR 80001-2-9:2017IEC TR 80001-2-9 Edition 1.0 2017-01 TECHNICAL REPORT Application of risk management for it-networks incorporating medical devices Part 2-9: Application guidance Guidance for use of security assurance ca
6、ses to demonstrate confidence in IEC TR 80001-2-2 security capabilities INTERNATIONAL ELECTROTECHNICAL COMMISSION ICS 11.040.01, 35.240.80 ISBN 978-2-8322-3907-0 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtained this publication from an author
7、ized distributor. PD IEC/TR 80001-2-9:2017 2 IEC TR 80001-2-9:2017 IEC 2017 CONTENTS FOREWORD . 4 INTRODUCTION . 6 1 Scope 8 2 Normative references 8 3 Terms, definitions and abbreviated terms 9 3.1 Terms and definitions 9 3.2 Abbreviated terms . 12 4 ASSURANCE case 12 5 Use of this document . 13 5.
8、1 Intended use . 13 5.2 Intended audience 13 Intended purpose . 13 5.2.1MEDICAL DEVICE MANUFACTURERS (MDM) 13 5.2.2Healthcare delivery organizations (HDO) . 14 5.2.3Other stakeholders 15 5.2.46 General guidelines. 15 6.1 General . 15 6.2 Overview of the SECURITY CASE framework 15 6.3 Notation 16 Com
9、ponents of a SECURITY CASE 16 6.3.1Goal 16 6.3.2Strategy . 17 6.3.3Justification . 17 6.3.4Context 17 6.3.5Solution (EVIDENCE) . 18 6.3.6Stakeholder . 18 6.3.7Notation extensions . 18 6.3.87 Developing the SECURITY CASE . 19 8 SECURITY CASE change management 28 Annex A (informative) Exemplar SECURIT
10、Y PATTERNS 29 A.1 General . 29 A.2 Exemplar SECURITY PATTERN for person authentication (PAUT) SECURITY CAPABILITY PAUT established by MDM for a medical system . 29 A.2.1 Goal G6: Replay attack mitigated. 29 A.2.2 Goal G8: Man-in-the-middle attack mitigated 29 A.2.3 Goal G10: Brute force attack mitig
11、ated 29 A.2.4 Goal G13, G14: Denial of service attacks due to account lockout controls mitigated 30 A.3 Exemplar SECURITY PATTERN for automatic logoff (ALOF) established for a thin client terminal system . 31 A.3.1 Goal: Patient safety RISK with short session timeouts in OR mitigated 31 A.3.2 Goal:
12、Patient safety RISK with restoring sessions in the OR and ICU mitigated . 31 A.4 Exemplar SECURITY PATTERN for audit controls (AUDT) for a system or a device in a HDO facility such as a pharmacy system or an EMR, where multiple people require access to the same data set Goal G6: Keep a correct audit
13、 trail of attending staff in the OR while sessions are kept open 33 PD IEC/TR 80001-2-9:2017IEC TR 80001-2-9:2017 IEC 2017 3 Bibliography 35 Figure 1 Example GOAL (top-level) . 17 Figure 2 Example strategy . 17 Figure 3 Example justification 17 Figure 4 Example context 18 Figure 5 Example solution (
14、EVIDENCE) 18 Figure 6 Example stakeholder 18 Figure 7 Leading components Steps 1 through 9 . 19 Figure 8 SECURITY CAPABILITY pattern . 22 Figure 9 SECURITY CASE structure . 27 Figure A.1 Exemplar SECURITY PATTERN for PAUT 30 Figure A.2 Exemplar SECURITY PATTERN for ALOF 32 Figure A.3 Exemplar SECURI
15、TY PATTERN for AUDT 34 Table 1 Notation extensions . 18 Table 2 SECURiTY CASE steps 1 through 9 . 20 Table 3 SECURITY CASE steps 10 through 26 . 23 PD IEC/TR 80001-2-9:2017 4 IEC TR 80001-2-9:2017 IEC 2017 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INC
16、ORPORATING MEDICAL DEVICES Part 2-9: Application guidance Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all na
17、tional electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Techni
18、cal Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work.
19、 International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) T
20、he formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendat
21、ions for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end
22、user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publicati
23、on shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent
24、 certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any person
25、al injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications. 8) Attention is drawn to the Normative refer
26、ences cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for
27、identifying any or all such patent rights. The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an Inte
28、rnational Standard, for example “state of the art“. IEC TR 80001-2-9, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical commit
29、tee 215: Health informatics. PD IEC/TR 80001-2-9:2017IEC TR 80001-2-9:2017 IEC 2017 5 The text of this technical report is based on the following documents: Enquiry draft Report on voting 62A/1097/DTR 62A/1128/RVDTR Full information on the voting for the approval of this technical report can be foun
30、d in the report on voting indicated in the above table. This document has been drafted in accordance with the ISO/IEC Directives, Part 2. Terms defined in Clause 3 of this standard are printed in SMALL CAPITALS. A list of all parts of the 80001 series, published under the general title Application o
31、f risk management for IT-networks incorporating medical devices, can be found on the IEC website. The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific
32、 document. At this date, the document will be reconfirmed, withdrawn, replaced by a revised edition, or amended. A bilingual version of this publication may be issued at a later date. PD IEC/TR 80001-2-9:2017 6 IEC TR 80001-2-9:2017 IEC 2017 INTRODUCTION This document outlines a process for supporti
33、ng CONFIDENCE in the use of the 80001 series by developing security ASSURANCE cases (henceforth SECURITY CASEs) to complement a security RISK MANAGEMENT process. IEC 80001-1 provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. IEC TR 80001-2-2 provides additional guidan
34、ce in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT process and stakeholder communications and agreements phases. IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting po
35、int for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations
36、HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include according to their RISK tolerance, intended use and available resources. This information may be used by HDOs as input to their IEC 80001-1 PROCESS or to form the basis of RESPONSIBILITY AGREEM
37、ENTS among stakeholders. IEC TR 80001-2-1 provides step-by-step guidance in the RISK MANAGEMENT PROCESS. IEC TR 80001-2-2 SECURITY CAPABILITIES encourages the disclosure of more detailed SECURITY CONTROLS. IEC TR 80001-2-8 identifies SECURITY CONTROLS from key security standards which aim to provide
38、 guidance to HDOS, MEDICAL DEVICE manufacturers (MDMs) when adapting the framework outlined in IEC TR 80001-2-2 and establishing each of the SECURITY CAPABILITIES presented here. A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or or
39、ganizational SECURITY CONTROLS1)required to manage RISKS to confidentiality, integrity, availability and accountability of data and systems. IEC TR 80001-2-8 presents these categories of SECURITY CONTROLS prescribed for a system to establish SECURITY CAPABILITIES to support the maintenance of confid
40、entiality and the protection from intentional or unintentional intrusion that may lead to compromises in integrity or system/data availability. IEC TR 80001-2-8 provides HDOs and MDMs with a catalogue of technical, management, operational and administrative controls. IEC TR 80001-2-8 presents the 19
41、 SECURITY CAPABILITIES, their respective “requirement goal” and “user need” (identical to that in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards. This document integrates the information and guidance contained in IEC TR 80001-2-2 and IEC TR 80001
42、-2-8 together to provide guidance to HDOs and MDMs for identifying, developing, interpreting, updating and maintaining security ASSURANCE cases. Although other means of establishing CONFIDENCE in a particular property (e.g. security) exist, this document provides one such way in assuring CONFIDENCE
43、in the establishment of IEC TR 80001-2-2 SECURITY CAPABILITIES through the use of SECURITY CASES. The purpose of the SECURITY CASE is to provide CONFIDENCE in the establishment of the IEC TR 80001-2-2 SECURITY CAPABILITIES for networked MEDICAL DEVICES. This is achieved by applying a SECURITY PATTER
44、N to each of the 19 SECURITY CAPABILITIES. The objectives of the SECURITY PATTERN are as follows: to reduce the time required to develop the SECURITY CASE by providing a repeatable and systematic step-by-step, RISK based blue-print; provide a means to re-use components of the SECURITY PATTERN either
45、 within a SECURITY CASE or from one SECURITY CASE to another; to reduce the complexity often associated with the development of SECURITY CASES; provide a visible traceability matrix linking the SECURITY CONTROLS to the security threats and vulnerabilities identified during RISK MANAGEMENT; _ 1)For t
46、he purpose of consistency throughout this document, the terms SECURITY CONTROLS refer to the technical, management, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES. PD IEC/TR 80001-2-9:2017IEC TR 80001-2-9:2017 IEC 2017 7 reduce the likelihood of m
47、issing a step in the ARGUMENT; improve the readability of the SECURITY CASE; provide CONFIDENCE regarding the integrity of the EVIDENCE collected based on theinformation presented in the ARGUMENT.The process of developing the SECURITY CASE is not intended to replace a RISK MANAGEMENT process nor doe
48、s it generate new processes, rather, the SECURITY CASE should complement the RISK MANAGEMENT process with a reference to, or, inclusion of the following supporting documentation by MDMs and HDOs: information regarding the intended use of the MEDICAL DEVICE, operational environment,network structure,
49、 interfaces, boundaries etc.; information regarding system description, security objectives and assets to be protected; justification for selection of SECURITY CAPABILITIES; justification for non-selection of SECURITY CAPABILITIES; assets being protected by specific SECURITY CAPABILITY; RISK acceptability criteria policy; all identified unacceptable threats/vulnerabilities; threat / vulnerability / RISK log; impact / threat scenario / consequenc
