ISO IEEE 11073-40102 pdf download
ISO IEEE 11073-40102 pdf download Health informatics — Device interoperability — Part 40102: Foundational — Cybersecurity — Capabilities for mitigation
4. Information security
4.1 General Within the context of PHD/PoCD interfaces, security is most frequently used in reference to information security. It describes characteristics of information-processing and information-storing systems, which maximize confidentiality (see 4.2), integrity (see 4.3), and availability (see 4.4). These three core principles of information security are called the CIA triad. Information security helps protect from dangers and/or threats, avoid damage, and minimize risks. The extended CIA triad additionally includes non-repudiation (see 4.5) as a principle.
4.2 Confidentiality Confidentiality has been defined by the International Organization for Standardization in ISO/IEC 27002 [B12] as “ensuring that information is accessible only to those authorized to have access.” Minimizing disclosure of information to unauthorized individuals or systems is one cornerstone of information security. A confidentiality breach might take many forms, even if no information technology is involved, e.g., eavesdropping on conversations of others, looking over the shoulder to read information, looking into secret documents, injecting a computer virus, or using a Trojan horse that sends information to another person. In the context of PHD/PoCD, a confidentiality breach primarily means eavesdropping on information somewhere between the source (e.g., sensor) and the receiver (e.g., personal computer, physician’s computer, hospital server) or unauthorized access to stored information.
To enforce confidentiality, the information could be encrypted during transmission (i.e., data in transit) and storage (i.e., data at rest) as well as requiring authentication and/or authorization within the request before transmission. Privacy is an important part of confidentiality, especially when it comes to protected health information (PHI). PHI is defined as individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium (45CFR160.103 [B1]). The U.S. Health Insurance Portability and Accountability Act (HIPAA) limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities (HHS [B7]). Similarly, the EU General Data Protection Regulation states that personal data shall be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purpose; and kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Official Journal of the EU [B19]).
4.3 Integrity In information security, integrity (also known as authenticity) means that data is not modified or deleted without authorization. Integrity is violated when information is changed by a user that is not authorized to do so. A security breach related to integrity might occur directly on the devices (e.g., because of a virus) and on the way from information source to receiver. Authentication technologies help ensure that the original data is not altered or deleted during the transfer. They also provide technological means to check if the data came from the right sender and not from a sender that only pretends to be the sender. This is achieved, for example, through electronic signatures and certificates.
4.4 Availability Information security availability means the information is available when it is needed by authorized users. The computing systems (physical and digital) used to store and process the information, the security controls used to protect it, and the communication channels used to access it have to be functioning correctly and reliably.
4.5 Non-repudiation Non-repudiation means an undeniable and immutable account about where the received information originates, where it is going, who is requesting it, and who is providing it, in such a way that no entity can deny what its contribution was to the overall activity. Non-repudiation can be achieved through electronic signatures and audit trails.
5. Security with safety and usability 5.1 High-level view Safety and usability play key roles as part of risk management and information security. Risk management views the PHD/PoCD holistically by considering the PHD/PoCD, users, intended use, interfaces, applied security, and environment to identify, describe, and reduce risks of the system (IEEE Std 11073-40101 [B9]). When viewing the PHD/PoCD as a black box, the relationship between the PHD/PoCD, security, safety, and usability is depicted in Figure 2 and is as follows: security is keeping what’s inside the box secure, safety is keeping what’s outside the box safe, and usability helps ensure interaction with what’s inside the box is as intended and meets user needs.
