EN ISO/IEEE 11073-40101:2022
Health informatics - Device interoperability - Part 40101: Foundational - Cybersecurity - Processes for vulnerability assessment (ISO/IEEE 11073-40101:2022)
Within the context of secure plug-and-play interoperability, cybersecurity is the process and capability of preventing unauthorized access or modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD/PoCD. The process part of cybersecurity is risk analysis of use cases specific to a PHD/PoCD.
For PHDs/PoCDs, this standard defines an iterative, systematic, scalable, and auditable approach to identification of cybersecurity vulnerabilities and estimation of risk. This iterative vulnerability assessment uses the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) classification scheme and the embedded Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.
Standards Content (Sample)
SLOVENIAN STANDARD
1 July 2022
Health informatics - Device interoperability - Part 40101: Foundational - Cybersecurity - Processes for vulnerability assessment (ISO/IEEE 11073-40101:2022)
This Slovenian standard is identical to: EN ISO/IEEE 11073-40101:2022
ICS: 35.240.80 IT applications in health care technology
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EUROPEAN STANDARD
March 2022
ICS 35.240.80
English Version
Health informatics - Device interoperability - Part 40101:
Foundational - Cybersecurity - Processes for vulnerability
assessment (ISO/IEEE 11073-40101:2022)
This European Standard was approved by CEN on 13 March 2022.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. EN ISO/IEEE 11073-40101:2022 E
Contents
European foreword .......... 3
European foreword
This document (EN ISO/IEEE 11073-40101:2022) has been prepared by Technical Committee ISO/TC 215 "Health informatics" in collaboration with Technical Committee CEN/TC 251 "Health informatics", the secretariat of which is held by NEN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2022, and conflicting national standards
shall be withdrawn at the latest by September 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEEE 11073-40101:2022 has been approved by CEN as EN ISO/IEEE 11073-
40101:2022 without any modification.
INTERNATIONAL STANDARD ISO/IEEE 11073-40101
First edition
2022-03
Health informatics — Device interoperability —
Part 40101:
Foundational — Cybersecurity — Processes for vulnerability assessment
Reference number: ISO/IEEE 11073-40101:2022(E)
© IEEE 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from IEEE at the address below.
Institute of Electrical and Electronics Engineers, Inc
3 Park Avenue, New York
NY 10016-5997, USA
Email: stds.ipr@ieee.org
Website: www.ieee.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted (see www.iso.org/directives).
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its
standards through a consensus development process, approved by the American National Standards
Institute, which brings together volunteers representing varied viewpoints and interests to achieve the
final product. Volunteers are not necessarily members of the Institute and serve without compensation.
While the IEEE administers the process and establishes rules to promote fairness in the consensus
development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the
information contained in its standards.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
ISO/IEEE 11073-40101 was prepared by the IEEE 11073 Standards Committee of the IEEE Engineering
in Medicine and Biology Society (as IEEE Std 11073-40101-2020) and drafted in accordance with its
editorial rules. It was adopted, under the “fast-track procedure” defined in the Partner Standards
Development Organization cooperation agreement between ISO and IEEE, by Technical Committee
ISO/TC 215, Health informatics.
A list of all parts in the ISO/IEEE 11073 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
IEEE Std 11073-40101™-2020
Health informatics—Device interoperability
Part 40101:
Foundational—Cybersecurity—
Processes for vulnerability assessment
Developed by the
IEEE 11073 Standards Committee
of the
IEEE Engineering in Medicine and Biology Society
Approved 24 September 2020
IEEE SA Standards Board
Abstract: For Personal Health Devices (PHDs) and Point-of-Care Devices (PoCDs), an iterative,
systematic, scalable, and auditable approach to identification of cybersecurity vulnerabilities and
estimation of risk is defined by this standard. The standard presents one approach to iterative
vulnerability assessment that uses the Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege (STRIDE) classification scheme and the embedded
Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system
decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring and iterates until the
remaining vulnerabilities are reduced to an acceptable level of risk.
Keywords: cybersecurity, embedded Common Vulnerability Scoring System, IEEE 11073-40101™,
medical device communication, Personal Health Devices, Point-of-Care Devices, STRIDE,
vulnerability assessment
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
All rights reserved. Published 8 January 2021. Printed in the United States of America.
IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics
Engineers, Incorporated.
Microsoft and Excel are registered trademarks of Microsoft Corporation in the United States and/or other countries.
Open Web Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc.
PDF: ISBN 978-1-5044-7086-5 STD24423
Print: ISBN 978-1-5044-7087-2 STDPD24423
IEEE prohibits discrimination, harassment, and bullying.
For more information, visit https://www.ieee.org/about/corporate/governance/p9-26.html.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission
of the publisher.
Important Notices and Disclaimers Concerning IEEE Standards Documents
IEEE Standards documents are made available for use subject to important notices and legal disclaimers.
These notices and disclaimers, or a reference to this page (https://standards.ieee.org/ipr/disclaimers.html),
appear in all standards and may be found under the heading “Important Notices and Disclaimers Concerning
IEEE Standards Documents.”
Notice and Disclaimer of Liability Concerning the Use of IEEE Standards
Documents
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE SA) Standards Board. IEEE develops its standards
through an accredited consensus development process, which brings together volunteers representing varied
viewpoints and interests to achieve the final product. IEEE Standards are documents developed by volunteers
with scientific, academic, and industry-based expertise in technical working groups. Volunteers are not
necessarily members of IEEE or IEEE SA, and participate without compensation from IEEE. While IEEE
administers the process and establishes rules to promote fairness in the consensus development process,
IEEE does not independently evaluate, test, or verify the accuracy of any of the information or the soundness
of any judgments contained in its standards.
IEEE makes no warranties or representations concerning its standards, and expressly disclaims all warranties,
express or implied, concerning this standard, including but not limited to the warranties of merchantability,
fitness for a particular purpose and non-infringement. In addition, IEEE does not warrant or represent that
the use of the material contained in its standards is free from patent infringement. IEEE standards documents
are supplied “AS IS” and “WITH ALL FAULTS.”
Use of an IEEE standard is wholly voluntary. The existence of an IEEE Standard does not imply that there
are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to
the scope of the IEEE standard. Furthermore, the viewpoint expressed at the time a standard is approved and
issued is subject to change brought about through developments in the state o
...