Health informatics - Device interoperability - Part 40102: Foundational - Cybersecurity - Capabilities for mitigation (ISO/IEEE 11073-40102:2022)

Within the context of secure plug-and-play interoperability, cybersecurity is the process and capability of preventing unauthorized access or modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD/PoCD. The capability part of cybersecurity is information security controls related to both digital data and the relationships to safety and usability.
For PHDs/PoCDs, this standard defines a security baseline of application layer cybersecurity mitigation techniques for certain use cases or for times when certain criteria are met. This standard provides a scalable information security toolbox appropriate for PHD/PoCD interfaces, which fulfills the intersection of requirements and recommendations from National Institute of Standards and Technology (NIST) and the European Network and Information Security Agency (ENISA). This standard maps to the NIST cybersecurity framework [B15]; IEC TR 80001-2-2 [B8]; and the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) classification scheme. The mitigation techniques are based on the extended CIA triad (Clause 4) and are described generally to allow manufacturers to determine the most appropriate algorithms and implementations.

Medizinische Informatik - Geräteinteroperabilität - Teil 40102: Grundlagen - Cybersicherheit - Möglichkeiten zur Schadensbegrenzung (ISO/IEEE 11073-40102:2022)

Informatique de santé - Interopérabilité des dispositifs - Partie 40102: Fondamentaux - Cybersécurité - Capacités d'atténuation (ISO/IEEE 11073-40102:2022)

Dans le contexte de l'interopérabilité sécurisée de type prêt à l'emploi, la cybersécurité est le processus et la capacité d'empêcher l'accès ou la modification non autorisés, l'utilisation abusive, le déni d'utilisation ou l'utilisation non autorisée des informations qui sont stockées sur un PHD/PoCD, accessibles depuis celui-ci ou transférées vers et depuis celui-ci. La partie capacité de la cybersécurité est constituée de contrôles de sécurité de l'information liés à la fois aux données numériques et aux relations avec la sûreté et l'utilisabilité.
Pour les PHD/PoCD, la présente norme définit un référentiel de sécurité pour les techniques d'atténuation en matière de cybersécurité de la couche d'application pour certains cas d'utilisation ou pour les cas où certains critères sont remplis. La présente norme fournit une boîte à outils évolutive pour la sécurité de l'information, adaptée aux interfaces PHD/PoCD, qui répond à l'intersection des exigences et des recommandations du National Institute of Standards and Technology (NIST) et de l'Agence européenne chargée de la sécurité des réseaux et de l'information (ENISA). La présente norme met en correspondance le Référentiel de sécurité informatique du NIST [B15], l'IEC TR 80001-2-2 [B8] et le schéma de classification STRIDE (usurpation d'identité, falsification, répudiation, divulgation d'informations, déni de service, élévation du privilège). Les techniques d'atténuation sont fondées sur la triade CID étendue (Article 4) et sont décrites de manière générale afin de permettre aux fabricants de déterminer les algorithmes et les mises en œuvre les plus appropriés.

Zdravstvena informatika - Interoperabilnost naprav - 40102. del: Temeljno - Kibernetska varnost - Sposobnosti za ublažitev (ISO/IEEE 11073-40102:2022)

V okviru varne interoperabilnosti s takojšnjim učinkom (»vstavi in poženi«) je kibernetska varnost postopek in zmožnost
preprečevanja nepooblaščenega dostopa ali spreminjanja, zlorabe, zavrnitve uporabe ali nepooblaščene uporabe informacij, ki so shranjene ali dostopne v osebnih zdravstvenih napravah/napravah na mestu oskrbe (PHD/PoCD) ali prenesene vanje ter iz njih. Zmožnost pri kibernetski varnosti so kontrole informacijske varnosti v zvezi z digitalnimi podatki in razmerji do varnosti in uporabnosti. Za osebne zdravstvene naprave/naprave na mestu oskrbe ta standard določa varnostno osnovo za tehnike blažitve za kibernetsko varnost na namenski ravni programov za določene primere uporabe ali primere, ko so izpolnjena določena merila. Ta standard zagotavlja nadgradljiv komplet orodij za informacijsko varnost, ki je primeren za vmesnike osebnih zdravstvenih naprav/naprav na mestu oskrbe ter izpolnjuje skupne zahteve in priporočila Nacionalnega inštituta za standarde in tehnologijo (NIST) ter Evropske agencije za varnost omrežij in informacij (ENISA). Ta standard se uporablja vzporedno z okvirjem kibernetske varnosti NIST [B15]; standardom IEC TR 80001-2-2 [B8]; in razvrstitveno shemo STRIDE (Spoofing (slepljenje), Tampering (nedovoljeno spreminjanje), Repudiation (zavrnitev), Information Disclosure (razkritje podatkov), Denial of Service (zavrnitev storitve) in Elevation of Privilege (prisvojitev pravic)). Tehnike blažitve temeljijo na razširjeni triadi CIA (zaupnost, neokrnjenost, razpoložljivost, ang. confidentiality, integrity, availability) (točka 4) in so opisane na splošno, da lahko proizvajalci določijo najprimernejše algoritme in izvedbe.

General Information

Status
Published
Publication Date
29-Mar-2022
Withdrawal Date
29-Sep-2022
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
30-Mar-2022
Due Date
17-Jun-2024
Completion Date
30-Mar-2022

Buy Standard

Standard
EN ISO/IEEE 11073-40102:2022 - BARVE
English language
35 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-julij-2022
Zdravstvena informatika - Interoperabilnost naprav - 40102. del: Temeljno -
Kibernetska varnost - Sposobnosti za ublažitev (ISO/IEEE 11073-40102:2022)
Health informatics - Device interoperability - Part 40102: Foundational - Cybersecurity -
Capabilities for mitigation (ISO/IEEE 11073-40102:2022)
Informatique de santé - Interopérabilité des dispositifs - Partie 40102: Fondamentaux -
Cybersécurité - Capacités d'atténuation (ISO/IEEE 11073-40102:2022)
Ta slovenski standard je istoveten z: EN ISO/IEEE 11073-40102:2022
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN ISO/IEEE 11073-
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2022
ICS 35.240.80
English Version
Health informatics - Device interoperability - Part 40102:
Foundational - Cybersecurity - Capabilities for mitigation
(ISO/IEEE 11073-40102:2022)
Informatique de santé - Interopérabilité des dispositifs Medizinische Informatik - Geräteinteroperabilität - Teil
- Partie 40102: Fondamentaux - Cybersécurité - 40102: Grundlagen - Cybersicherheit - Möglichkeiten
Capacités d'atténuation (ISO/IEEE 11073-40102:2022) zur Schadensbegrenzung (ISO/IEEE 11073-
40102:2022)
This European Standard was approved by CEN on 13 March 2022.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO/IEEE 11073-40102:2022 E
worldwide for CEN national Members.

Contents Page
European foreword . 3

European foreword
This document (EN ISO/IEEE 11073-40102:2022) has been prepared by Technical Committee ISO/TC
215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 “Health informatics”
the secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2022, and conflicting national standards
shall be withdrawn at the latest by September 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEEE 11073-40102:2022 has been approved by CEN as EN ISO/IEEE 11073-
40102:2022 without any modification.

INTERNATIONAL ISO/IEEE
STANDARD 11073-40102
First edition
2022-03
Health informatics — Device
interoperability —
Part 40102:
Foundational — Cybersecurity —
Capabilities for mitigation
Informatique de santé — Interopérabilité des dispositifs —
Partie 40102: Fondamentaux — Cybersécurité — Capacités
d'atténuation
Reference number
ISO/IEEE 11073-40102:2022(E)
© IEEE 2021
ISO/IEEE 11073-40102:2022(E)
© IEEE 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from IEEE at the address below.
Institute of Electrical and Electronics Engineers, Inc
3 Park Avenue, New York
NY 10016-5997, USA
Email: stds.ipr@ieee.org
Website: www.ieee.org
Published in Switzerland
ii
© IEEE 2021 – All rights reserved

ISO/IEEE 11073-40102:2022(E) )
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted (see www.iso.org/directives).
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its
standards through a consensus development process, approved by the American National Standards
Institute, which brings together volunteers representing varied viewpoints and interests to achieve the
final product. Volunteers are not necessarily members of the Institute and serve without compensation.
While the IEEE administers the process and establishes rules to promote fairness in the consensus
development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the
information contained in its standards.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
ISO/IEEE 11073-40102 was prepared by the IEEE 11073 Standards Committee of the IEEE Engineering
in Medicine and Biology Society (as IEEE Std 11073-40102-2020) and drafted in accordance with its
editorial rules. It was adopted, under the “fast-track procedure” defined in the Partner Standards
Development Organization cooperation agreement between ISO and IEEE, by Technical Committee
ISO/TC 215, Health informatics.
A list of all parts in the ISO/IEEE 11073 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
.
complete listing of these bodies can be found at www.iso.org/members.html
© IEEE 2021 – All rights reserved iii

IEEE Std 11073-40102™-2020
Health informatics—Device interoperability
Part 40102:
Foundational—Cybersecurity—
Capabilities for mitigation
Developed by the
IEEE 11073 Standards Committee
of the
IEEE Engineering in Medicine and Biology Society
Approved 24 September 2020
IEEE SA Standards Board
ISO/IEEE 11073-40102:2022(E)
Abstract: For Personal Health Devices (PHDs) and Point-of-Care Devices (PoCDs), a security
baseline of application layer cybersecurity mitigation techniques is defined by this standard for
certain use cases or for times when certain criteria are met. The mitigation techniques are based
on an extended confidentiality, integrity, and availability (CIA) triad and are described generally to
allow manufacturers to determine the most appropriate algorithms and implementations. A scalable
information security toolbox appropriate for PHD/PoCD interfaces is specified that fulfills the
intersection of requirements and recommendations from the National Institute of Standards and
Technology (NIST) and the European Network and Information Security Agency (ENISA). A
mapping of this standard to the NIST cybersecurity framework; IEC TR 80001-2-2; and the
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of
Privilege (STRIDE) classification scheme is defined.
Keywords: cybersecurity, IEEE 11073-40102™, medical device communication, mitigation
techniques, Personal Health Devices, Point-of-Care Devices

The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
All rights reserved. Published 8 January 2021. Printed in the United States of America.
IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics Engineers,
Incorporated.
PDF: ISBN 978-1-5044-7088-9 STD24424
Print: ISBN 978-1-5044-7089-6 STDPD24424
IEEE prohibits discrimination, harassment, and bullying.
For more information, visit https://www.ieee.org/about/corporate/governance/p9-26.html.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission
of the publisher.
ISO/IEEE 11073-40102:2022(E)
Important Notices and Disclaimers Concerning IEEE Standards Documents
IEEE Standards documents are made available for use subject to important notices and legal disclaimers.
These notices and disclaimers, or a reference to this page (https://standards.ieee.org/ipr/disclaimers.html),
appear in all standards and may be found under the heading “Important Notices and Disclaimers Concerning
IEEE Standards Documents.”
Notice and Disclaimer of Liability Concerning the Use of IEEE Standards
Documents
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE SA) Standards Board. IEEE develops its standards
through an accredited consensus development process, which brings together volunteers representing varied
viewpoints and interests to achieve the final product. IEEE Standards are documents developed by volunteers
with scientific, academic, and industry-based expertise in technical working groups. Volunteers are not
necessarily members of IEEE or IEEE SA, and participate without compensation from IEEE. While IEEE
administers the process and establishes rules to promote fairness in the consensus development process, IEEE
does not independently evaluate, test, or verify the accuracy of any of the information or the soundness of
any judgments contained in its standards.
IEEE makes no warranties or representations concerning its standards, and expressly disclaims all warranties,
express or implied, concerning this standard, including but not limited to the warranties of merchantability,
fitness for a particular purpose and non-infringement. In addition, IEEE does not warrant or represent that
the use of the material contained in its standards is free from patent infringement. IEEE standards documents
are supplied “AS IS” and “WITH ALL FAULTS.”
Use of an IEEE standard is wholly voluntary. The existence of an IEEE Standard does not imply that there
are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to
the scope of the IEEE standard. Furthermore, the viewpoint expressed at the time a standard is approved and
issued is subject to change brought about through developments in the state of the art and comments received
from users of the standard.
In publishing and making its standards available, IEEE is not suggesting or render
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.