IEC TR 80001-2-9:2017 (PDF)

IEC TR 80001-2-9, Edition 1.0 2017-01
TECHNICAL REPORT
Application of risk management for IT-networks incorporating medical devices – Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities
IEC TR 80001-2-9:2017-01(en)

THIS PUBLICATION IS COPYRIGHT PROTECTED. Copyright © IEC, Geneva, Switzerland. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland. Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch

About the IEC: The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications: The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigenda or an amendment might have been published. If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch

INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 11.040.01, 35.240.80
ISBN 978-2-8322-3907-0
Warning!
Make sure that you obtained this publication from an authorized distributor.
® Registered trademark of the International Electrotechnical Commission

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
  Terms and definitions
  Abbreviated terms
ASSURANCE case
Use of this document
  Intended use
  Intended audience
  Intended purpose
    MEDICAL DEVICE MANUFACTURERS (MDM)
    Healthcare delivery organizations (HDO)
    Other stakeholders
General guidelines
  General
  Overview of the SECURITY CASE framework
  Notation
    Components of a SECURITY CASE
    Goal
    Strategy
    Justification
    Context
    Solution (EVIDENCE)
    Stakeholder
    Notation extensions
Developing the SECURITY CASE
SECURITY CASE change management
Annex A (informative) Exemplar SECURITY PATTERNS
  A.1 General
  A.2 Exemplar SECURITY PATTERN for person authentication (PAUT) — SECURITY CAPABILITY PAUT established by MDM for a medical system
    A.2.1 Goal G6: Replay attack mitigated
    A.2.2 Goal G8: 'Man-in-the-middle' attack mitigated
    A.2.3 Goal G10: Brute force attack mitigated
    A.2.4 Goal G13, G14: Denial of service attacks due to account lockout controls mitigated
  A.3 Exemplar SECURITY PATTERN for automatic logoff (ALOF) established for a thin client terminal system
    A.3.1 Goal: Patient safety RISK with short session timeouts in OR mitigated
    A.3.2 Goal: Patient safety RISK with restoring sessions in the OR and ICU mitigated
  A.4 Exemplar SECURITY PATTERN for audit controls (AUDT) for a system or a device in a HDO facility such as a pharmacy system or an EMR, where multiple people require access to the same data set – Goal G6: Keep a correct audit trail of attending staff in the OR while sessions are kept open
Bibliography

Figures
Figure – Example GOAL (top-level)
Figure – Example strategy
Figure – Example justification
Figure – Example context
Figure – Example solution (EVIDENCE)
Figure – Example stakeholder
Figure – Leading components
Figure – Steps … through …
Figure – SECURITY CAPABILITY pattern
Figure – SECURITY CASE structure
Figure A.1 – Exemplar SECURITY PATTERN for PAUT
Figure A.2 – Exemplar SECURITY PATTERN for ALOF
Figure A.3 – Exemplar SECURITY PATTERN for AUDT

Tables
Table – Notation extensions
Table – SECURITY CASE steps … through …
Table – SECURITY CASE steps … through 26

INTERNATIONAL ELECTROTECHNICAL COMMISSION

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES – Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC TR 80001-2-9, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics.

The text of this technical report is based on the following documents:

Enquiry draft: 62A/1097/DTR
Report on voting: 62A/1128/RVDTR

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms defined in Clause 3 of this standard are printed in SMALL CAPITALS.

A list of all parts of the 80001 series, published under the general title Application of
risk management for IT-networks incorporating medical devices, can be found on the IEC website.

The committee has decided that the contents of this document will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

A bilingual version of this publication may be issued at a later date.

INTRODUCTION

This document outlines a process for supporting CONFIDENCE in the use of the 80001 series by developing security ASSURANCE cases (henceforth SECURITY CASES) to complement a security RISK MANAGEMENT process. IEC 80001-1 provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. IEC TR 80001-2-2 provides additional guidance in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT process and stakeholder communications and agreements phases. IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting point for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations – HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include according to their RISK tolerance, intended use and available resources. This information may be used by HDOs as input to their IEC 80001-1 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders.

IEC TR 80001-2-1 provides step-by-step guidance in the RISK MANAGEMENT PROCESS. IEC TR 80001-2-2 SECURITY CAPABILITIES encourages the disclosure of more detailed SECURITY CONTROLS. IEC TR 80001-2-8 identifies SECURITY CONTROLS from key security standards which aim to provide guidance to HDOs and MEDICAL DEVICE manufacturers (MDMs) when adapting the framework outlined in IEC TR 80001-2-2 and establishing each of the SECURITY CAPABILITIES presented here.

A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or organizational SECURITY CONTROLS 1) required to manage RISKS to confidentiality, integrity, availability and accountability of data and systems. IEC TR 80001-2-8 presents these categories of SECURITY CONTROLS prescribed for a system to establish SECURITY CAPABILITIES to support the maintenance of confidentiality and the protection from intentional or unintentional intrusion that may lead to compromises in integrity or system/data availability. IEC TR 80001-2-8 provides HDOs and MDMs with a catalogue of technical, management, operational and administrative controls. IEC TR 80001-2-8 presents the SECURITY CAPABILITIES, their respective "requirement goal" and "user need" (identical to that in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards.

This document integrates the information and guidance contained in IEC TR 80001-2-2 and IEC TR 80001-2-8 together to provide guidance to HDOs and MDMs for identifying, developing, interpreting, updating and maintaining security ASSURANCE cases. Although other means of establishing CONFIDENCE in a particular property (e.g. security) exist, this document provides one such way in assuring CONFIDENCE in the establishment of IEC TR 80001-2-2 SECURITY CAPABILITIES through the use of SECURITY CASES.

The purpose of the SECURITY CASE is to provide CONFIDENCE in the establishment of the IEC TR 80001-2-2 SECURITY CAPABILITIES for networked MEDICAL DEVICES. This is achieved by applying a SECURITY PATTERN to each of the SECURITY CAPABILITIES. The objectives of the SECURITY PATTERN are as follows:
– to reduce the time required to develop the SECURITY CASE by providing a repeatable and systematic step-by-step, RISK based blue-print;
– provide a means to re-use components of the SECURITY PATTERN either within a SECURITY CASE or from one SECURITY CASE to another;
– to reduce the complexity often associated with the development of SECURITY CASES;
– provide a visible traceability matrix linking the SECURITY CONTROLS to the security threats and vulnerabilities identified during RISK MANAGEMENT;
– reduce the likelihood of missing a step in the ARGUMENT;
– improve the readability of the SECURITY CASE;
– provide CONFIDENCE regarding the integrity of the EVIDENCE collected based on the information presented in the ARGUMENT.

1) For the purpose of consistency throughout this document, the terms SECURITY CONTROLS refer to the technical, management, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES.

The process of developing the SECURITY CASE is not intended to replace a RISK MANAGEMENT process nor does it generate new processes; rather, the SECURITY CASE should complement the RISK MANAGEMENT process with a reference to, or inclusion of, the following supporting documentation by MDMs and HDOs:
– information regarding the intended use of the MEDICAL DEVICE, operational environment, network structure, interfaces, boundaries etc.;
– information regarding system description, security objectives and assets to be protected;
– justification for selection of SECURITY CAPABILITIES;
– justification for non-selection of SECURITY CAPABILITIES;
– assets being protected by specific SECURITY CAPABILITY;
– RISK acceptability criteria policy;
– all identified unacceptable threats/vulnerabilities;
– threat / vulnerability / RISK log;
– impact / threat scenario / consequence information;
– reference to source for selection of SECURITY CONTROLS (e.g. IEC TR 80001-2-8 tables).

The above information becomes part of, and remains with, the SECURITY CASE from concept phase through to development, operation and retirement. Supporting information such as this can aid in better design choices, better maintenance during operation and more efficient and informative feedback practices.

This document is not intended to provide exhaustive guidance for the application of a RISK MANAGEMENT process nor does it mandate the use of any particular RISK MANAGEMENT process; however, IEC 80001-1 provides guidance on how to carry out RISK MANAGEMENT for medical IT-networks. Similarly, ISO 14971 provides guidance for the process of conducting RISK MANAGEMENT for MEDICAL DEVICES. For RISK MANAGEMENT processes such as RISK/benefit analysis, which is not covered in this document, HDOs refer to IEC 80001-1:2010, 4 and MDMs refer to ISO 14971.

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES – Part 2-9: Application guidance – Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities

1 Scope

This part of 80001 establishes a SECURITY CASE framework and provides guidance to healthcare delivery organizations (HDO) and MEDICAL DEVICE MANUFACTURERS (MDM) for identifying, developing, interpreting, updating and maintaining SECURITY CASES for networked MEDICAL DEVICES. Use of this part of 80001 is intended to be one of the possible means to bridge the gap between MDMs and HDOs in providing adequate information to support the HDO'S RISK MANAGEMENT of IT-NETWORKS.

This document leverages the requirements set out in ISO/IEC 15026-2 for the development of ASSURANCE cases 2). It is not intended that this SECURITY CASE framework will replace a RISK MANAGEMENT strategy; rather, the intention is to complement RISK MANAGEMENT and in turn provide a greater level of ASSURANCE for a MEDICAL DEVICE by:
– mapping specific RISK MANAGEMENT steps to each of the IEC TR 80001-2-2 SECURITY CAPABILITIES, identifying associated threats and vulnerabilities and presenting them in the format of a SECURITY CASE with the inclusion of a re-useable SECURITY PATTERN;
– providing guidance for the selection of appropriate SECURITY CONTROLS to establish SECURITY CAPABILITIES and presenting them as part of the SECURITY CASE pattern (IEC TR 80001-2-8 provides examples of such SECURITY CONTROLS);
– providing EVIDENCE to support the implementation of a SECURITY CONTROL, hence providing CONFIDENCE in the establishment of each of the SECURITY CAPABILITIES.

The purpose of developing the SECURITY CASE is to demonstrate CONFIDENCE in the establishment of IEC TR 80001-2-2 SECURITY CAPABILITIES. The quality of artifacts gathered and documented during the development of the SECURITY CASE is agreed and documented as part of a RESPONSIBILITY AGREEMENT between the relevant stakeholders. This document provides guidance for one such methodology, through the use of a specific SECURITY PATTERN, to develop and interpret SECURITY CASES in a systematic manner.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls 3)

2) These requirements are adapted for networked MEDICAL DEVICES where the sole critical property is "security" and where the CLAIM relates to the establishment of the IEC TR 80001-2-2 SECURITY CAPABILITIES with the inclusion of a specific security ARGUMENT PATTERN.

3) IEC TR 80001-2-2 contains many additional standards, policies and reference materials which are also indispensable for the application of this document.

Table – SECURITY CASE steps … through 26 (continued)

Step 16, ID A1, Notation: Assumption
Support the validity of S2. S2 relies on the assumption that the process of RISK identification has been carried out. This may include responsible person name, date RISK identification commenced, completed etc.

Step 17, ID G5, Notation: Goal
For the identified threats/vulnerabilities, what level of RISK remains?
CLAIM that no unacceptable RISKs remain for SECURITY CAPABILITY [#].

Step 18, ID Sn1, Notation: Optionality/Solution
Where no unacceptable RISKs exist, EVIDENCE should be provided to support this (n = 0). In order to provide CONFIDENCE in this assertion (G5), solution Sn1 should be instantiated. Records of the threat/vulnerability log should be included to indicate no remaining unacceptable RISKs.

Step 19, ID G6, Notation: Optionality/Goal (OR)
For all remaining RISKs requiring RISK reduction, G6 should be developed. Where unacceptable RISK exists, what threats/vulnerabilities require RISK reduction? Each threat/vulnerability presenting unacceptable RISK should be explicitly stated here to be addressed in the following sub-goals. When developing the SECURITY CASE there may be a number of CLAIMS in parallel to this depending on the number of threats and vulnerabilities requiring RISK treatment. This is indicated by the arrow with a black dot and n > 1.

Step 20, ID CON, Notation: InContextOf
What is the associated consequence of this? Details of the consequence associated with identified threats/vulnerabilities (and unacceptable RISK) should be included (or referenced to) in the context of G6.

Step 21, ID S3, Notation: Strategy
Change the strategy to address the SECURITY CONTROLS. The strategy of the ARGUMENT should change to address RISK control measures for threat/vulnerability [#].

Step 22, ID G7, Notation: Goal
What SECURITY CONTROLS reduce the RISK associated with threat/vulnerability [#]?
For each mitigating SECURITY CONTROL, assert that SECURITY CONTROL [#] has been implemented (G7 AND G8). When developing the SECURITY CASE there may be a number of CLAIMS in parallel to this. SECURITY CONTROLS should be applied until the residual RISK is deemed to be acceptable.

Step 23, ID CON_1, Notation: InContextOf
Identify the source for the selected SECURITY CONTROL to support CLAIM G7. Include (or reference) the source of the SECURITY CONTROL selected.

Step 24, ID Sn2, Notation: Solution
Provide EVIDENCE of the implementation of the SECURITY CONTROL. For each mitigating SECURITY CONTROL, provide reference or traceability to verification report(s).

Step 25, ID G8, Notation: Goal
Have any new unacceptable threats/vulnerabilities been introduced with the implementation of SECURITY CONTROL [#]? For each mitigating SECURITY CONTROL, assert that newly introduced threats/vulnerabilities are not present.

Step 26, ID Sn3, Notation: Solution
No newly introduced unacceptable threats/vulnerabilities identified. Provide EVIDENCE to show that all RISKs have been reduced to an acceptable level.
NOTE Where a new threat/vulnerability is introduced, revert to CLAIM G6 and repeat the steps in the SECURITY CASE.

The complete SECURITY CASE structure is shown in the figure below. The components shaded represent the reusable SECURITY PATTERN.

Figure – SECURITY CASE structure

SECURITY CASE change management

A SECURITY CASE should be treated as a live document reflecting the current state of the security of a MEDICAL DEVICE or a MEDICAL DEVICE IT-network. For the purposes of traceability, change management procedures should be applied to reflect this SECURITY CASE lifecycle. A simple change management or document revision system would suffice in maintaining this. Where it is simply the text or EVIDENCE that changes, this should be made clear by the references or citations shown within the context or solution components. The SECURITY CASE can be revised by 1) editing a component of the SECURITY CASE, 2) adding a new component or 3) removing a component.

Examples of when a SECURITY CASE should be revised include the following non-exhaustive scenarios:
a) the supporting information used to inform the development of the SECURITY CASE changes, e.g. changes to the intended use of a MEDICAL DEVICE, operational environment, interfaces etc.;
b) an incident occurs which requires reporting and/or mitigation;
c) a MEDICAL DEVICE is added to a MEDICAL DEVICE IT-network;
d) a MEDICAL DEVICE is removed from a MEDICAL DEVICE IT-network;
e) additional SECURITY CAPABILITIES or other SECURITY CONTROLS are required to further protect MEDICAL DEVICE assets;
f) additional SECURITY CAPABILITIES or other SECURITY CONTROLS are required as a result of a change to the MEDICAL DEVICE IT-network;
g) additional SECURITY CAPABILITIES or other SECURITY CONTROLS are required as a result of new threats/vulnerabilities arising from already established SECURITY CONTROLS;
h) additional SECURITY CAPABILITIES or other SECURITY CONTROLS are required as a result of ongoing RISK MANAGEMENT activities, where new RISKS with potential to impact a MEDICAL DEVICE or MEDICAL DEVICE IT-network are identified.

Annex A (informative)
Exemplar SECURITY PATTERNS

A.1 General

The following are examples of a SECURITY PATTERN for the SECURITY CAPABILITIES person authentication (PAUT), automatic logoff (ALOF) and audit controls (AUDT). Figure A.1, Figure A.2 and Figure A.3 reference IEC TR 80001-2-8 as the resource for selection of SECURITY CONTROLS. IEC TR 80001-2-8 presents a catalogue of SECURITY CONTROLS from a number of security standards. These SECURITY CONTROLS can be used to establish each of the IEC TR 80001-2-2 SECURITY CAPABILITIES.

These examples are not exhaustive in covering a MEDICAL DEVICE or an entire medical IT-network. Rather, they show a "core path" to a specific property of a MEDICAL DEVICE, a SECURITY CAPABILITY, and further develop to details of the MEDICAL DEVICE that are related to that SECURITY CAPABILITY. It is assumed that showing this core path provides an example that is useful for both HDOs and MDMs.

A.2 Exemplar SECURITY PATTERN for person authentication (PAUT) — SECURITY CAPABILITY PAUT established by MDM for a medical system 8)

A.2.1 Goal G6: Replay attack mitigated
Context CON9: Attacker attempts to replay login
Goal G7: Detect replay attacks
Solution Sn4: Implement the control as defined in ISO/IEC 15408-2 – FTP_RPL

A.2.2 Goal G8: 'Man-in-the-middle' attack mitigated
Context CON11: Attacker attempts to intercept communication
Goal G9: Detect 'man-in-the-middle' attacks
Solution Sn5: Implement the cryptography control as defined in IEC 62443-3-3, SR

A.2.3 Goal G10: Brute force attack mitigated
Context CON13: Attacker attempts to brute force passwords
Goal G12: Detect brute force attacks
Solution 1, Sn6: Implement 'unsuccessful login attempt' control as defined in IEC 62443-3-3, SR 1
Solution 2, Sn6: Implement 'Strength of password-based authentication' control as defined in IEC 62443-3-3, SR

8) In this example, lightly shaded components (CLAIMS, EVIDENCE) represent components that do not require development.

A.2.4 Goal G13, G14: Denial of service attacks due to account lockout controls mitigated
Context CON15: Safety concerns introduced due to security account lockout controls
Goal G15: Account lockout mitigated
Solution Sn7: Implement 'Authenticator management' control as defined in IEC 62443-3-3, SR

NOTE Watermarked components in this figure represent those from the pattern that have not been developed from the security pattern for this particular example.

Figure A.1 – Exemplar SECURITY PATTERN for PAUT

A.3 Exemplar SECURITY PATTERN for automatic logoff (ALOF) established for a thin client terminal system 9)

A.3.1 Goal: Patient safety RISK with short session timeouts in OR mitigated
Context: The default timeout of 30 min gives a concern to a MEDICAL DEVICE used in an operating room (OR) where medical staff are busy with the patient and less frequently work on the terminal station, causing it to time out while the patient is still being treated.
Goal: Control session timeout based on location
Solution: Define longer session timeout, but only for systems located in the OR. This can be accepted because this area has physical access control.

A.3.2 Goal: Patient safety RISK with restoring sessions in the OR and ICU mitigated
Context: The advantage of a thin client solution is the ability to log off on one terminal station and resume work on another. But in an OR and intensive care unit (ICU) setting this could lead to safety concerns if, for instance, an anaesthetist is assisting in two rooms and the system would restore the session of the wrong patient.
Goal: Control sessions based on location
Solution: Thin client terminal stations such as electronic medical record (EMR) systems in an OR and ICU should always present the patient being treated in that room instead of completely restoring the session of the user logging in to the system.

9) In this example, lightly shaded components (CLAIMS, EVIDENCE) represent components that do not require development.

NOTE Watermarked components in this figure represent those from the pattern that have not been developed from the security pattern for this particular example.

Figure A.2 – Exemplar SECURITY PATTERN for ALOF

A.4 Exemplar SECURITY PATTERN for audit controls (AUDT) for a system or a device in a HDO facility such as a pharmacy system or an EMR, where multiple people require access to the same data set — Goal G6: Keep a correct audit trail of attending staff in the OR while sessions are kept open

Context: Within the OR, the session is kept open and locked to the patient. If the person who opened the session has to leave the OR (e.g. their shift ends) there shall be a record of the handover without closing the session.
Goal: Keep a correct log of people accessing the medical record
Solution: Establish a protocol whereby a change in medical staff during a procedure shall be recorded in a text field.

NOTE In this example, watermarked notations represent components of the SECURITY CASE which were shared from a MDM.

Figure A.3 – Exemplar SECURITY PATTERN for AUDT

Bibliography

[1] IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities
[2] IEC TR 80001-2-1:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-1: Step-by-step risk management of medical IT-networks – Practical applications and examples
[3] IEC TR 80001-2-8:2016, Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2
[4] ISO/IEC 15026-1, Systems and software engineering – Systems and software assurance – Part 1: Concepts and vocabulary
[5] ISO/IEC 15026-2:2011, Systems and software engineering – Systems and software assurance – Part 2: Assurance case
[6] GSN Community Standard Version 1, Origin Consulting (York) Ltd (2011), http://www.goalstructuringnotation.info/documents/GSN_Standard.pdf
[7] HIMSS/NEMA Standard HN 1-2013, Manufacturer Disclosure Statement for MEDICAL DEVICE Security
[8] ISO 14971, Medical devices – Application of risk management to medical devices
[9] IEC 60601-1:2005, Medical electrical equipment – Part 1: General requirements for basic safety and essential performance
[10] ISO/IEC 15408-2, Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional requirements
[11] IEC 62443-3-3, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
[12] Grigorova, S., & Maibaum, T. S. E. (2013, November). Taking a page from the law books: Considering evidence weight in evaluating assurance case confidence. In Software Reliability Engineering Workshops (ISSREW), 2013 IEEE International Symposium on (pp. 387-390). IEEE. [Definition: page 388]
[13] FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (2004)
[14] Kelly, T. P., & McDermid, J. A. (1997). Safety Case Construction and Reuse using Patterns. 16th International Conference on Computer Safety, Reliability and Security (SAFECOMP'97) (pp. 55-69). Springer London.
[15] IEC 80001 (all parts), Application of risk management for IT-networks incorporating medical devices
va S wi tze rl an d Te l : + 41 Fax: + 22 9 1 22 9 0 i n fo @ i e c ch www i e c ch
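The three Annex A examples above (A.3.1 location-dependent timeout, A.3.2 room-bound session restore in OR/ICU, A.4 staff handover recorded without closing the session) can be modelled as one small session-control policy. The following is an added illustration, not code from IEC TR 80001-2-9 or from any product the report describes. The 30 min default comes from A.3.1; the 120 min OR value, the terminal and patient identifiers, and the reference clock are assumptions constructed for the example.

```python
"""Location-aware session and audit controls illustrating the ALOF (A.3.1, A.3.2)
and AUDT (A.4) patterns.  Added example; not code from IEC TR 80001-2-9."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# A.3.1 quotes a 30 min default.  The longer OR value is an assumption chosen
# for illustration; the report does not fix a number.
DEFAULT_TIMEOUT = timedelta(minutes=30)
OR_TIMEOUT = timedelta(minutes=120)          # assumed value
PHYSICALLY_CONTROLLED = {"OR"}               # A.3.1: longer timeout accepted here only
ROOM_BOUND = {"OR", "ICU"}                   # A.3.2: session bound to the room's patient

BASE_TIME = datetime(2017, 1, 1, 8, 0)       # constructed reference clock


def at(minutes: int) -> datetime:
    """Readable timestamps relative to the constructed clock."""
    return BASE_TIME + timedelta(minutes=minutes)


@dataclass
class Terminal:
    terminal_id: str
    location: str                            # "OR", "ICU", "WARD", ...
    room_patient: Optional[str] = None       # patient currently treated in that room


@dataclass
class Session:
    user: str
    patient: str
    last_activity: datetime
    audit: List[str] = field(default_factory=list)   # A.4: handover text field
    closed: bool = False


def timeout_for(location: str) -> timedelta:
    """A.3.1: longer inactivity timeout only where physical access control exists."""
    return OR_TIMEOUT if location in PHYSICALLY_CONTROLLED else DEFAULT_TIMEOUT


def is_expired(session: Session, terminal: Terminal, now: datetime) -> bool:
    """The timeout is evaluated against the terminal the session is presented on."""
    return now - session.last_activity >= timeout_for(terminal.location)


def record_handover(session: Session, from_user: str, to_user: str, now: datetime) -> None:
    """A.4: record a change of attending staff without closing the session."""
    if session.closed or session.user != from_user:
        raise ValueError("handover must come from the current session holder")
    session.audit.append(f"{now.isoformat()} handover {from_user} -> {to_user} "
                         f"patient={session.patient}")
    session.user = to_user
    session.last_activity = now


class SessionManager:
    """Thin-client session store: log off on one terminal, resume on another."""

    def __init__(self) -> None:
        self.suspended: Dict[str, Session] = {}   # user -> session left open elsewhere

    def logoff(self, session: Session, now: datetime) -> None:
        session.last_activity = now
        self.suspended[session.user] = session

    def login(self, user: str, terminal: Terminal, now: datetime,
              patient: Optional[str] = None) -> Session:
        """A.3.2: in OR/ICU present the room's patient; elsewhere restore the user's session."""
        previous = self.suspended.pop(user, None)
        if terminal.location in ROOM_BOUND:
            if terminal.room_patient is None:
                raise ValueError(f"{terminal.terminal_id}: no patient assigned to the room")
            # Never restore a suspended session here: it may belong to another patient.
            session = Session(user, terminal.room_patient, now)
            session.audit.append(f"{now.isoformat()} {user} opened {terminal.room_patient} "
                                 f"in {terminal.location} (suspended session not restored)")
            return session
        if previous is not None and not is_expired(previous, terminal, now):
            previous.last_activity = now
            previous.audit.append(f"{now.isoformat()} {user} resumed on {terminal.terminal_id}")
            return previous
        if patient is None:
            raise ValueError("no restorable session; a patient must be selected")
        session = Session(user, patient, now)
        session.audit.append(f"{now.isoformat()} {user} opened {patient} on {terminal.terminal_id}")
        return session
```

Two design points follow directly from the patterns: the timeout is decided by the terminal's location rather than by the user, so the longer value applies only where the physical access control that justifies it exists, and an OR/ICU login never consults the suspended session at all, which removes the wrong-patient failure mode of A.3.2 instead of trying to detect it after the fact.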

Posted: 17/04/2023, 11:52
