{"id":4245,"date":"2020-04-21T06:52:03","date_gmt":"2020-04-21T06:52:03","guid":{"rendered":"https:\/\/lorit-consultancy.com\/2020\/04\/iec-62304-part-4-cybersecurity-opening-the-flood-gates\/"},"modified":"2022-09-26T15:49:05","modified_gmt":"2022-09-26T13:49:05","slug":"iec-62304-part-4-cybersecurity-opening-the-flood-gates","status":"publish","type":"post","link":"https:\/\/lorit-consultancy.com\/de\/2020\/04\/iec-62304-part-4-cybersecurity-opening-the-flood-gates\/","title":{"rendered":"IEC 62304 \u2013 Part 4: Cybersecurity opening the flood gates"},"content":{"rendered":"<p>In this fourth and final part of our <a href=\"https:\/\/lorit-consultancy.com\/en\/standards\/medical-devices\/iec62304\/\" target=\"_blank\" rel=\"noopener\">IEC\/DIS 62304<\/a> blog series (Part 1:<a href=\"https:\/\/lorit-consultancy.com\/en\/2020\/03\/iec-62304-its-a-class-app\/\" target=\"_blank\" rel=\"noopener noreferrer\"> Its a class app<\/a>, Part 2: <a href=\"https:\/\/lorit-consultancy.com\/en\/2020\/04\/iec-62304-its-a-different-class-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">Its a different class<\/a>, Part 3: <a href=\"https:\/\/lorit-consultancy.com\/en\/2020\/04\/iec-62304-part-3-how-agile-are-you\/\" target=\"_blank\" rel=\"noopener noreferrer\">How agile are you?<\/a>) we look at the relationship between the forthcoming version of 62304 and the challenges of cybersecurity.<\/p>\n<p>Over the last 5 years cybersecurity has become one of the biggest global topics, but due to the development lifecycle times of international standards, <strong>standards struggle to match the pace of this market sector<\/strong>.<\/p>\n<p>There have been a number of updates in IEC\/DIS 62304 that start to address the challenges of cybersecurity. 
The introduction of IEC\/DIS 62304 makes clear that it does not duplicate well-established security standards, which on the one hand is good, but on the other hand is where the problems start.<\/p>\n<h2><strong>Cybersecurity Standards<\/strong><\/h2>\n<p>There is now an array of cybersecurity standards around the globe, and knowing which ones to use has become a bit of a minefield. The new Annex C provides a very good comparison table; four of its entries are listed in Figure 1:<\/p>\n<table id=\"tablepress-25\" class=\"tablepress tablepress-id-25 dataTable no-footer\" role=\"grid\">\n<thead>\n<tr class=\"row-1 odd\" role=\"row\">\n<th class=\"column-1 sorting_disabled\" colspan=\"1\" rowspan=\"1\">Security standard<\/th>\n<th class=\"column-2 sorting_disabled\" colspan=\"1\" rowspan=\"1\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-hover\">\n<tr class=\"row-2 even\" role=\"row\">\n<td class=\"column-1\">AAMI TIR 57<\/td>\n<td class=\"column-2\">Provides guidance on methods to perform information SECURITY RISK MANAGEMENT for a MEDICAL DEVICE<br \/>\nin the context of the SAFETY RISK MANAGEMENT PROCESS required by ISO 14971.<\/td>\n<\/tr>\n<tr class=\"row-3 odd\" role=\"row\">\n<td class=\"column-1\">ISO\/IEC 15408-2<\/td>\n<td class=\"column-2\">ISO\/IEC 15408-2 defines the content and presentation of the security functional requirements to be assessed in<br \/>\na security EVALUATION using the ISO\/IEC 15408 series.<\/td>\n<\/tr>\n<tr class=\"row-4 even\" role=\"row\">\n<td class=\"column-1\">ISO 27799<\/td>\n<td class=\"column-2\">Defines guidelines to support the interpretation and implementation in health informatics of ISO\/IEC 27002<br \/>\nand is a companion to that standard. 
It specifies a set of detailed controls for managing health information<br \/>\nsecurity and provides health information SECURITY best practice guidelines.<\/td>\n<\/tr>\n<tr class=\"row-5 odd\" role=\"row\">\n<td class=\"column-1\">IEC 80001-2-2<\/td>\n<td class=\"column-2\">Creates a framework for the disclosure of security-related capabilities and RISKS necessary for managing<br \/>\nthe RISK in connecting MEDICAL DEVICES to IT-networks and for the security dialog that surrounds the<br \/>\nIEC 80001-1 RISK MANAGEMENT of IT-network connection.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Figure 1: Part of the cybersecurity standard comparison table<\/p>\n<h2 class=\"Default\"><b><span lang=\"EN-GB\">AAMI TIR 57 and ISO 14971<\/span><\/b><b><\/b><\/h2>\n<p class=\"Default\"><span lang=\"EN-GB\">In total, Table C.1 lists 15 different security standards. Ultimately, cybersecurity is a newer and less well-known topic to many teams than software development. <a href=\"https:\/\/lorit-consultancy.com\/en\/standards\/medical-devices\/aamitir57\/\" target=\"_blank\" rel=\"noopener\">AAMI TIR 57<\/a> is referenced several times in <a href=\"https:\/\/lorit-consultancy.com\/en\/standards\/medical-devices\/iec62304\/\" target=\"_blank\" rel=\"noopener\">IEC\/DIS 62304<\/a>, which is good, as above all TIR 57 bases its processes on <a href=\"https:\/\/lorit-consultancy.com\/en\/standards\/medical-devices\/iso14971\/\" target=\"_blank\" rel=\"noopener\">ISO 14971<\/a>, which is known to everyone in the industry (see Figure 2).<\/span><\/p>\n<p class=\"Default\"><a href=\"https:\/\/lorit-consultancy.com\/wp-content\/uploads\/2020\/04\/24-Relation-between-TIR-57-and-ISO-14971.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-4670\" src=\"https:\/\/lorit-consultancy.com\/wp-content\/uploads\/2020\/04\/24-Relation-between-TIR-57-and-ISO-14971-1024x579.png\" alt=\"\" width=\"1024\" height=\"579\" 
srcset=\"https:\/\/lorit-consultancy.com\/wp-content\/uploads\/2020\/04\/24-Relation-between-TIR-57-and-ISO-14971-1024x579.png 1024w, https:\/\/lorit-consultancy.com\/wp-content\/uploads\/2020\/04\/24-Relation-between-TIR-57-and-ISO-14971-768x434.png 768w, https:\/\/lorit-consultancy.com\/wp-content\/uploads\/2020\/04\/24-Relation-between-TIR-57-and-ISO-14971.png 1384w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>Figure 2: Relation between TIR 57 and ISO 14971<\/p>\n<p class=\"Default\"><span lang=\"EN-GB\">TIR 57 Annex D, akin to ISO 14971, has a good summary of security risks that teams new to the area can <b>use to start identifying potential threats and mitigations<\/b>. Also good reading on the link between cybersecurity and the medical device sector is ISO\/PRF TR 24971, due out in July 2020; the AAMI DIS version is already available.<\/span><\/p>\n<h2 class=\"Default\"><b><span lang=\"EN-GB\">Cybersecurity terminology<\/span><\/b><span lang=\"EN-GB\">\u00a0<\/span><\/h2>\n<p class=\"Default\"><span lang=\"EN-GB\">Additionally, there is often confusion over cybersecurity terminology, and there are no new definitions listed in the IEC\/DIS 62304 glossary. 
Denial of service, threat and malware appear in the body of the standard; it would be helpful to add these cybersecurity terms to the terms and definitions section.<\/span><\/p>\n<p class=\"Default\"><span lang=\"EN-GB\">In our next medical device sector blog, we will look at the topic of <a href=\"https:\/\/lorit-consultancy.com\/en\/2020\/04\/post-market-surveillance-a-stich-in-time-saves-cybercrime\/\"><b>post-market surveillance<\/b><\/a> in connection with, amongst other things, cybersecurity.<\/span><\/p>\n<p><strong><span lang=\"EN-GB\">By Alastair Walker, Consultant<\/span><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this fourth and final part of our IEC\/DIS 62304 blog series (Part 1: Its a class app, Part 2: Its a different class, Part 3: How agile are you?) we look at the relationship between the forthcoming version of 62304 and the challenges of cybersecurity. Over the last 5 years cybersecurity has become one [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":3841,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[87,92],"tags":[],"class_list":["post-4245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-functional-safety","category-medical-devices"],"acf":[],"_links":{"self":[{"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/posts\/4245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/comments?post=4245"}],"version-history":[{"count":4,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/posts\/4245\
/revisions"}],"predecessor-version":[{"id":5446,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/posts\/4245\/revisions\/5446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/media\/3841"}],"wp:attachment":[{"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/media?parent=4245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/categories?post=4245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lorit-consultancy.com\/de\/wp-json\/wp\/v2\/tags?post=4245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}