Category: Standard
ID: ISO/IEEE 11073-40101:2022
Type: Standard
Version: 1
Access: Fees apply to access
Status: Active
Created: Mar 2022

This standard refers to cyber security measures for personal health devices and point-of-care devices. It defines an iterative, systematic, scalable, and auditable approach to identifying cyber security vulnerabilities and estimating risk. This iterative vulnerability assessment uses the STRIDE classification scheme (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) and the embedded Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.

Main sections:

· Scope

· Purpose

· Risk management

· Software of unknown provenance

· Multicomponent system vulnerability assessment

· Threat modelling

· Scoring system

· Process for vulnerability assessment

· Annex A: (informative) Bibliography

· Annex B: (informative) STRIDE

· Annex C: (informative) embedded Common Vulnerability Scoring System

· Annex D: (informative) Microsoft TMT2Excel Macro

· Annex E: (informative) Example insulin delivery device vulnerability assessment
Access Health informatics — Device interoperability – Part 40101: Foundational — Cybersecurity — Processes for vulnerability assessment