Continuous security patch delivery and risk management for medical devices

H. V. Stockhausen, M. Rose
{"title":"Continuous security patch delivery and risk management for medical devices","authors":"H. V. Stockhausen, M. Rose","doi":"10.1109/ICSA-C50368.2020.00043","DOIUrl":null,"url":null,"abstract":"This paper is a case study describing our practical experience in the area of cybersecurity for medical devices. We describe how Siemens Healthineers uses a continuous security patch delivery model in a regulated market across 15+ business lines which cover our huge portfolio of imaging modalities, laboratory and point-of-care instruments. The case study addresses how we have implemented a continuous security patch delivery strategy. The strategy embraces a systematic way of product-specific vulnerability evaluations based on design knowledge and operator-oriented risk communication which are the novel aspects of this work. Focusing on the ‘real’ cybersecurity risks in the early phase of the continuous delivery process leads to reduced cost for post-market management of medical devices. The paper also describes how this dynamic, continuous and highly automated approach is intended to satisfy the current and future demands of the National Telecommunications and Information Administration (NTIA) the existing FDA post-market guidance and the upcoming revision of the FDA pre-market guidance on cybersecurity to provide operators with a “software bill of material” (SBOM).","PeriodicalId":202587,"journal":{"name":"2020 IEEE International Conference on Software Architecture Companion (ICSA-C)","volume":"531 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE International Conference on Software Architecture Companion 
(ICSA-C)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSA-C50368.2020.00043","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3

Abstract

This paper is a case study describing our practical experience in the area of cybersecurity for medical devices. We describe how Siemens Healthineers uses a continuous security patch delivery model in a regulated market across 15+ business lines which cover our huge portfolio of imaging modalities, laboratory and point-of-care instruments. The case study addresses how we have implemented a continuous security patch delivery strategy. The strategy embraces a systematic way of product-specific vulnerability evaluations based on design knowledge and operator-oriented risk communication, which are the novel aspects of this work. Focusing on the ‘real’ cybersecurity risks in the early phase of the continuous delivery process leads to reduced cost for post-market management of medical devices. The paper also describes how this dynamic, continuous and highly automated approach is intended to satisfy the current and future demands of the National Telecommunications and Information Administration (NTIA), the existing FDA post-market guidance and the upcoming revision of the FDA pre-market guidance on cybersecurity to provide operators with a “software bill of material” (SBOM).