Development of a process assessment model for assessing security of IT networks incorporating medical devices against ISO/IEC 15026-4

Advancements in medical device design over the last number of years have allowed medical device manufacturers to add more complex functionality particularly through the use of software. Such advancements include the ability for devices to communicate wirelessly across networks, from device to device and over the Internet. However, with such advancements comes additional risks; these are security risks, vulnerabilities and threats. In the past twelve months, concern within the medical device community has led to the US Government calling upon the FDA to take responsibility of medical device security. In support of this, this position paper details a research proposal to address medical device security issues through the development of a Process Reference Model (PRM) and a Process Assessment Model (PAM) to assess the capability of the processes used to develop medical devices intended to be incorporated onto healthcare networks and also determine the product security capability through the development of security assurance cases created following the lifecycle process. Further, in support of IEC 80001-2-2, the output from this PRM will be an assurance case with a security assurance level, which will be used to communicate the security capabilities of the product between Medical Device Manufacturers (MDMs) and Healthcare Delivery Organisations (HDOs). The intent is to build a better awareness of vulnerability types, threats and related risks to assist in reducing the likelihood of harm resulting from a security risk.