Category: Standard
Organisation:
ID: ISO/IEEE 11073-40102:2022
Type: Standard
Version: 1
Access: Fees apply to access
Status: Active
Created: Mar 2022
This standard defines a security baseline of application-layer cyber security mitigation techniques for certain use cases or for when certain criteria are met. It provides a scalable information-security toolbox appropriate for personal health device and point-of-care device interfaces, which fulfils the requirements and recommendations from the National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA).
This standard maps to the NIST cybersecurity framework [B15]; IEC TR 80001-2-2 [B8]; and the STRIDE classification scheme (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege). The mitigation techniques are based on the extended CIA triad (Clause 4) and are described generally to allow manufacturers to determine the most appropriate algorithms and implementations.
Main sections:
· Scope
· Purpose
· Word usage
· Normative references
· Definitions, acronyms, and abbreviations
· Information security
· Security with safety and usability
· Mitigation
· Information security controls
· Information security toolbox
· Annex A: (informative) Bibliography
· Annex B: (informative) Test vectors
Access Health informatics — Device interoperability – Part 40102: Foundational — Cybersecurity — Capabilities for mitigation