Cybersecurity Risk Control

Oct 24, 2024 | News

With a freshly completed threat model in hand, you turn to your next task: create the corresponding cybersecurity risk assessment. You identified some threat mitigations while constructing your threat model, perhaps making some design decisions intended to limit your attack surface and embed security by design. Now it is time to apply further rigor to elucidate the risks associated with your identified threats and determine how to control those risks.

First, you will need to understand the composition of your medical device.  To do this you will need to create the Software Bill of Materials (SBOM), the list of “ingredients” in the device/system (see “Dropping the SBOM”).  This lists all software components used to create the medical device.

Second, you will need to identify the risk(s) corresponding to each threat in your threat model.  There are several inputs to consider for identifying risks:

  • Known Exploited Vulnerabilities – All known exploited vulnerabilities (see the CISA Known Exploited Vulnerabilities catalog) in software components must be eliminated from the medical device by design.
  • Other vulnerabilities – All known vulnerabilities (see the vulnerability databases listed below) must be assessed for risk to the medical device and either managed (e.g., eliminated by patching) or justified for keeping in the device (a written rationale documented in the cybersecurity risk assessment).
  • Unresolved anomalies – Any software defect remaining in a medical device component could pose a weakness or vulnerability and must be assessed for safety and security risk to the medical device and either managed or justified for keeping in the device without treating.

If the risk does not meet the security risk acceptability criteria defined in the cybersecurity risk management plan, security risk control measures should be applied if possible.  In considering potential risk controls, there are six options identified in SW96:

  • inherent security by design;
  • inherent security by manufacturing process;
  • protective threat mitigation measures added into the medical device;
  • protective threat mitigation measures added to the manufacturing process;
  • security risk disclosure (i.e., providing needed security information to users) and/or security risk transfer to users; and
  • where appropriate, security training to users.
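One way to mechanise the triage described above (KEV entries eliminated by design, other known vulnerabilities assessed against the plan's risk acceptability criteria and either controlled or retained with a written rationale), as an added example that is not part of the original article. The SBOM entries, vulnerability identifiers, risk scores and the acceptability threshold are all constructed placeholders, not real data.

```python
"""Triage known vulnerabilities against a device SBOM.

Constructed sample data: component names, "VULN-n" identifiers, risk
scores and the acceptability threshold are placeholders, not real records.
"""

# Software Bill of Materials: the components actually built into the device.
SBOM = [
    {"name": "libfoo", "version": "1.2.0"},
    {"name": "tls-stack", "version": "3.1"},
    {"name": "bootloader", "version": "0.9"},
]

# Known vulnerabilities gathered from the vulnerability databases, each with
# the manufacturer's assessed risk and any written rationale for retention.
VULNS = [
    {"id": "VULN-1", "name": "libfoo", "version": "1.2.0", "risk": 8.0, "rationale": ""},
    {"id": "VULN-2", "name": "tls-stack", "version": "3.1", "risk": 2.0,
     "rationale": "Affected cipher suite is disabled at build time."},
    {"id": "VULN-3", "name": "tls-stack", "version": "3.1", "risk": 3.0, "rationale": ""},
    {"id": "VULN-4", "name": "libfoo", "version": "9.9", "risk": 9.0, "rationale": ""},
]

KEV_IDS = {"VULN-1"}       # entries found in a KEV-style catalog (placeholder)
ACCEPTABLE_RISK = 4.0      # threshold from the cybersecurity risk management plan

ELIMINATE = "eliminate by design (known exploited)"
CONTROL = "apply security risk control"
ACCEPTED = "retained with documented rationale"
NEEDS_RATIONALE = "within criteria but written rationale missing"


def disposition(vuln, kev_ids, acceptable_risk):
    """Decide what the risk assessment must record for one vulnerability."""
    if vuln["id"] in kev_ids:
        return ELIMINATE                       # KEV entries are never negotiable
    if vuln["risk"] > acceptable_risk:
        return CONTROL                         # outside acceptability criteria
    return ACCEPTED if vuln["rationale"].strip() else NEEDS_RATIONALE


def triage(sbom, vulns, kev_ids, acceptable_risk):
    """Map each vulnerability affecting a component in the SBOM to its disposition.

    Vulnerabilities for versions not present in the SBOM are ignored.
    """
    present = {(c["name"], c["version"]) for c in sbom}
    return {v["id"]: disposition(v, kev_ids, acceptable_risk)
            for v in vulns if (v["name"], v["version"]) in present}


if __name__ == "__main__":
    for vuln_id, action in triage(SBOM, VULNS, KEV_IDS, ACCEPTABLE_RISK).items():
        print(f"{vuln_id}: {action}")
```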

Specific types of controls are suggested by the security capabilities of a medical device or network listed in IEC/TR 80001-2-2:2012, for example:

  • Authorization
  • Automatic logoff
  • Cybersecurity product upgrades
  • System and application hardening
  • etc.

If a security risk control measure is not feasible based on the device architecture or design, compensating controls may be recommended to the users.  A compensating control is a management, operational or technical safeguard or countermeasure deployed in lieu of, or in the absence of, risk control measures implemented as part of the device’s design to provide supplementary or comparable cyber protection for a medical device.

Cybersecurity risk control is intended to bring the security risk into the range of the pre-established risk acceptability criteria. Where a security risk cannot be sufficiently reduced, a benefit-risk analysis may be conducted in which the residual security risk is compared to the benefits offered by the design aspect that causes the security risk.

For more information about medical device cybersecurity risk controls or assistance with your cybersecurity risk management needs, contact MEDIcept by emailing sales@medicept.com.

References

Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM), 2nd Edition.  NTIA Multistakeholder Process on Software Component Transparency Framing Working Group, 21 October 2021.  https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf.

Known Exploited Vulnerabilities Catalog, Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

CVE database, Cybersecurity and Infrastructure Security Agency and The MITRE Corporation, https://www.cve.org/.

National Vulnerability Database (NVD), National Institute of Standards and Technology, https://nvd.nist.gov/vuln/search.

ANSI/AAMI SW96:2023, “Standard for medical device security—Security risk management for device manufacturers”.

IEC/TR 80001-2-2:2012, “Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls”.

Gregg Van Citters – Senior Software Quality Engineer