(Security) Risk Management


Page 1 (0s)

(Security) Risk Management. Jolanda Oorthuizen, LivAssured, 24th of May 2024.

Page 2 (10s)

[Audio] Welcome to the training on the procedure about Risk Management. My name is Jolanda Oorthuizen and I am your trainer, but I will let an artificially created voice do the talking for me. You are signed up for this training as you have a role in the risk management procedure. Now let's go to the first slide of the training.

Page 3 (31s)

[Audio] We want to launch a product in America and get it listed with the FDA via a 510(k). To accomplish this, we need to submit a technical file to the FDA to show that our device is equivalent to a device which is already on the market in the USA. To show that our device is equally secure and safe as the device already on the market, the FDA requires an extensive security risk management file in which security risks, also called cybersecurity risks, are assessed. Safety risk management to assess the safety of our device we already did according to the standard ISO 14971:2019. Also for security risk management a standard exists, which is AAMI TIR57:2016/(R)2023. I have now integrated this standard in our current risk management procedure, which now integrates security risk management and safety risk management.

Page 4 (1m 36s)

[Audio] I assume for this presentation that the knowledge from safety risk management is still up to date, so you should recognize these steps. If not, I recommend going through the previous training slides first. These are the steps to be taken during each risk management process. As you can see, there is a lot of overlap between the processes, which run in parallel. Both follow the complete same structure, starting from a risk management plan to the gathering of production and post-production information after the launch of the product to the market, but one regarding safety and the other regarding security.

Page 5 (2m 15s)

[Audio] The arrows in the center show that a security risk can form a safety risk. If, for instance, the alarm station is hacked and thereby the sound is disabled, it could be that the alarm station does not warn a caregiver during a seizure, leading to death. There is also an arrow going in the other direction. A risk control for a safety risk can form a security risk. If, for instance, during an emergency a nurse or doctor should be able to easily access an interface of an MRI scanner without logging in to disable the device, this easy accessibility could pose a security risk. The other way around is also possible. To be able to close a security risk, you make the interface of an MRI scanner not accessible for nurses or doctors by putting on a password. During an emergency they cannot shut down the device, leading to a safety risk. As there is so much interaction and overlap between the two processes, I decided to put both security and safety risk management into one procedure.

Page 6 (3m 21s)

[Audio] This is the new workflow in the procedure. You see not much has changed compared to when we only did safety risk management. It starts with making one risk management plan integrating security and safety risk management. I have updated the template to integrate security risk management.

Page 7 (3m 41s)

[Audio] A threat identification document we already created to comply with the standard for health software and health IT systems safety, effectiveness and security, EN 81001-5-1:2021, which is integrated in the software development procedure. The threat identification document is now also added to the risk management procedure, and the contents need to be expanded a little bit. I will get back later to what has changed.

Page 8 (4m 12s)

[Audio] Risk analysis, risk evaluation, risk control and residual risk evaluation are still performed in the Hazard Traceability Matrix, but security risks are assessed in a separate tab of the Excel file. The format is still the same.

Page 9 (4m 29s)

[Audio] Evaluation of overall residual risk acceptability is still performed in the risk management report, but it is now separate for security risks and for safety risks. The last step of collecting production and post-production information stays the same. We already integrated in there that we collect data on cybersecurity related to our devices.

Page 10 (4m 54s)

[Audio] Some new definitions or concepts have been added to our procedure. See the yellow and blue circles in this picture: assets, vulnerabilities, threats and security risks. Let's start with security risk. Risk still has the same definition, which is the combination of the probability of occurrence of harm and the severity of that harm.

Page 11 (5m 17s)

[Audio] The definition of harm has now changed to the definition in the AAMI standard. The black part comes from ISO 14971: physical injury or damage to the health of people, or damage to property or the environment. The black and green part together are the definition from the AAMI standard: physical injury or damage to the health of people, or damage to property or the environment, or reduction in effectiveness, or breach of data and systems security. A reduction in effectiveness in this definition means a reduction in the ability to produce the intended result for the patient and the care provider. For our devices a reduction in effectiveness would be related to safety, as a seizure which is not detected could lead to death. However, from now on, there will be risks managed in the security risk assessment that are not propagated to the safety risk management process. An example would be a risk of compromise of the confidentiality of protected health information, which is not considered harm in the context of ISO 14971 but clearly requires mitigation by the security risk management process. There are also business and reputation risks associated with a security compromise that are not considered harm in the safety sense.

Page 12 (6m 42s)

[Audio] Our severity table still stays the same. We already had a severity rating for security in our risk management plan for NightWatch+ integrated according to the CIA triad. CIA stands for Availability, Integrity and Confidentiality. The CIA triad is a common model that forms the basis for the development of security systems. It was a little bit of a grey area before the implementation of the AAMI standard, as I considered this rating as damage to the psychological health of a person, falling in the black part of the definition of harm from ISO 14971. Now it is clearer to say this severity rating does not per se relate to safety but to security risk.

Page 13 (7m 30s)

[Audio] The next definition is threat. A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. That is a long sentence. Phrased in a different order, it is any adverse impact through unauthorized access, destruction, disclosure, modification of information, and/or denial of service through an IT system on individuals, organizations, organizational operations or organizational assets. It is not only about patients and caregivers but also the organization where the device is used, for instance a hospital or a care home.

Page 14 (8m 30s)

[Audio] The definition of threats talks about the effects on assets. But what are assets?

Page 15 (8m 37s)

[Audio] An asset is a person, structure, facility, information and records, information technology systems and resources, material, process, relationships, or reputation that has value. So something that has value to collect, like names, email addresses, bank numbers, social security numbers and passwords. What has been added to the threat identification document is to identify all assets for your device and define what the impact would be if they were compromised. For instance, data which could be retrieved from our device is heart rate data. What would be the value of that? Other data which could be collected is our seizure detection algorithm. What value would that have?

Page 16 (9m 28s)

[Audio] Another new term is threat event. So a threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. The threat happening is called a threat event. A threat event is an event or situation that has the potential for causing undesirable consequences or impact. A "threat event", the threat happening, is considered to be a specific type of hazardous situation, which should be filled in under hazardous situation in the hazard traceability matrix.

Page 17 (10m 21s)

[Audio] Now we get to the last definition: vulnerabilities. A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. See it as an easy access to the device or the data of a medical device through which assets can be collected. A "vulnerability" is considered to be a specific type of hazard, which is a potential source of harm. Vulnerabilities you therefore put in the hazard column of the hazard traceability matrix.

Page 18 (10m 59s)

[Audio] To recap. A vulnerability is a certain type of hazard. A threat event is a hazardous situation. Vulnerabilities in your device and the value of assets can be used to estimate the probability: how likely is it that someone will put in the effort to retrieve the assets, and how easy is it? The definition of harm has been expanded to include reduction in effectiveness or breach of data and system security. Severity of that harm is rated by the CIA triad impact on confidentiality, integrity and availability. Threats, vulnerabilities and assets and their impact are identified in the threat identification document, and that is used as an input for the hazard traceability matrix.

Page 19 (11m 46s)

[Audio] As mentioned in the beginning, a security risk can lead to a safety risk and a risk control for a safety control can lead to a security risk, and vice versa. As you can imagine, a conflict can exist between the two, where you have to choose if we want to diminish the safety risk or the security risk. Our risk management policy has been updated as well. As the purpose of a medical device is to make the health of people better, in case there is a conflict between a security risk control and a safety risk control, the control of the safety risk should get priority. We have now discussed all updated documents regarding risk management, but two new documents also need to be created to aid the identification of threats.

Page 20 (12m 33s)

[Audio] The first document we need to create is a software bill of materials, in which we define if there are any known vulnerabilities found in the National Vulnerability Database. This is especially of value if we would use generally available libraries or pieces of software. Most likely, as far as I can estimate, this column will be almost empty as we only use custom written software. But if we find any related vulnerabilities, they will be input as a hazard in the traceability matrix.

Page 21 (13m 6s)

[Audio] The second document we need to create is a security architecture document. We had a software security architecture, but this document is about the whole device, including hardware. This document is created to more easily identify any risks, which may include those introduced by device reliance on hospital networks, cloud infrastructure, or other functions outside of the device. A security architecture, like a system architecture, defines the system and all end-to-end connections streaming data and assets into and/or out of the system. It contains information that demonstrates that the risks considered during the risk management process are adequately controlled, which, in turn, supports the demonstration of the safety and effectiveness of the medical device system.

Page 22 (13m 59s)

[Audio] The last requirement from the standard is that persons performing security risk management tasks need to have the knowledge and experience appropriate to the tasks assigned to them. Top management is responsible for ensuring this. This should include knowledge of the particular medical device or similar medical devices and its intended use, operating environments, and the risk management process. Personnel should be knowledgeable in evaluating security threats and vulnerabilities, have knowledge of security risk control technologies, and be aware of past and emerging changes in the security risk landscape, both for medical devices as well as general purpose computing systems. The team performing security risk management tasks should have experience with hardware and software architecture, design, and security test methods. Appropriate qualification records should be maintained.

Page 23 (14m 58s)

[Audio] This is the end of this presentation. If you have any questions related to this training, you can contact me directly. This video is followed by a short quiz.