Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices

The substantial improvements and innovations in communication networks and bio-medical technologies have led to the adoption of networked medical devices due to which the attack surface has increased profoundly. Numerous devices in practice were designed and developed years ago without security measures. In such a scenario, the role of regulatory bodies has become evident. The Food and Drug Administration (FDA) validates and approves devices before commercialization. In contrast, the European Union (EU) follows a decentralized approach and Notified Bodies (NB) for assuring high standards, safety and quality of medical devices being marketed in Europe. Once the device has gone through stringent regulations including good manufacturing practices, Quality Management System (QMS), labeling, clinical tests, performance standards, adequate storage and packaging practices, a declaration of conformity will be granted, which is a legal binding document stating that the device is conformant with applicable European requirements and can be marketed in Europe. However, such regulations lack a systematic methodology to determine unified security, safety and privacy risk that eventually influence the health of patients. To cover these gaps, this research proposes Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to determine the risk level of the device and required security controls. It is, then applied to a case scenario of an infusion pump and further evaluated by comparing it with current standards and practices. The comparison shows that the framework provides a unified approach to consider different types of risks associated with devices.