Towards a Healthcare Cybersecurity Certification Scheme

Bibliographic Details
Published in: 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1 - 9
Main Authors: Hovhannisyan, Kristine; Bogacki, Piotr; Colabuono, Consuelo Assunta; Lofu, Domenico; Marabello, Maria Vittoria; Eugene Maxwell, Brady
Format: Conference Proceeding
Language: English
Published: IEEE, 14.06.2021

Summary: The EU Cybersecurity Act introduces a cybersecurity certification framework for ICT products, services and processes. Following ENISA's EUCC (the Common Criteria based European candidate cybersecurity certification scheme), we provide the Security Problem and identify the Security Requirements of a healthcare-specific product through a Protection Profile. We consult ENISA's reports to identify the most impactful assets in healthcare that should be prioritized for certification. We select a sub-category system of Clinical Information Systems, the Picture Archiving and Communication System (PACS), for the Protection Profile. Based on five use-cases of PACS, we define the Security Problem (assumptions, organizational security policies, threats) and elaborate the Security Objectives. We further conduct a sector-specific analysis of challenges and threats in the healthcare sector to supplement the PACS-specific threats. We detail Security Objectives from the Cybersecurity Act, and we offer a combination of these two elements, the broader scope of threats and objectives, as a baseline for future Protection Profiles of healthcare-specific products. We further provide PACS-specific Security Functional Requirements, and we conclude with a guideline for selecting suitable Security Assurance Requirements.
DOI: 10.1109/CyberSA52016.2021.9478255