JWG7TigerTeamSecurity&PrivacyrecommendationsforISOTC210,TC215andIECSC62A

Reportout2016-12-15

CharterfortheJWG7SecurityTigerTeam

1. ConsiderhowbesttoaddresssecuritywithintheremitoftheJWG7:a) Safe,effectiveandsecurehealthsoftwareandhealthITsystems,includingthoseincorporatingmedicaldevicesb) StandardizationintheareaofhealthinformaticsandelectricalequipmentinhealthcarewhereISO/TC215andIEC/SC62Ahave

identifiedaneedforjointstandardsdevelopment.

2. Considerhowtoleverageguidance(-2-2,-2-8&-2-9)

3. WhatisdirectedtowardtheDesign&Development"left"side(primary)stakeholdersvs.Implementation&use"right"side(primary)stakeholders

4. Timing- 62304and80001-1arebothbeingrevisedandwillbeavailablebeforeanynewstandardcouldbecompleted;soconsiderhowneartermupdatescouldbeincludedinthesedocumentsandpublishedbeforeanynewdocuments- especiallystandards- couldbecompletedandpublished.

5. Impact/useofcurrentprojects&documents:82304-x,62304,81001-1 ,80001-1and80001-2-x

6. CoordinationwithTC210&JWG1

7. Coordinationwithnationalinitiatives,includingintheEU,USandAsia

8. Considerrecommendationstoaddressprivacy,andespeciallyconsent

Recommendations

• TherecommendationsoftheJWG7tigerteamisabouthowtoextendriskmanagementbeyondsafetyforthenewandupcomingdocumentchangesfromJWG1andJWG7.

• ItdoesnotprovideallanswersbutmereguidanceonhowandwhereweneedtoensurethatSafety,SecurityandPrivacythreatsareconsideredinriskanalysisandlifecyclemanagement.

Introduction

• Globaltrendsrequireustomakefoundationalchangesinhealthcare.• Thesetrendsinhealthcarerequireinnovativesolutionswithamoremultidisciplinaryapproachtobeabletodevelopsafe,effectiveandsecureHealthsoftwareandhealthITsystems,includingthoseincorporatingmedicaldevices.• Theolderfunctionalsafetystandardsdidnotaddressthechallengesofhighlyconnected“systems-of-systems”.• ISO/IEC80001-1wasafirstattempttoaddresstheserisksrelatedto“systems-of-systems”butnewtypesofsolutionsandachangeinthethreatlandscapeandregulatoryspacerequiresadifferentapproach.

Documentstructure

1. SecurityRiskManagementa) generalb) formanufacturersc) foroperators/users

2. SecurityRequirementstobemet3. Consistentsetofterms4. SoftwareandSystemprocessrequirements

a) formanufacturersb) Foroperators/users

5. Communicationbetweenstakeholders6. DatalifecycleandPrivacy

Topic Title

Whatneedstobeaddressed

PriorityHowshallitbeaddressed

Rationale

Constraints/Input/Ideasforcontent

MainTakeaways• Ofkeyimportanceistheunderstandingthatsafety,securityandprivacyareinterlinkedandcannotbeviewedinisolation!

• Updateof14791à ExtendbeyondSafety• Expanded(exploded)scopeà Cloud,ByoMD,familyportals• Operationalsecurityà HDOisnottheonlyoperator/user• “Multipletieredsuppliers”àWhereSLAswon’tworkanymore• Privacyà Alsoconsentandnotificationmayintroducesafetyrisks• Consistentsetoftermsà Cyber,security,risk,threats,vulnerabilities

TheJWG7TigerTeamis

lookingforwardto

yourfeedbackandquestions