Towards a Healthcare Cybersecurity Certification Scheme

Lofù D.
2021-01-01

Abstract

The EU Cybersecurity Act introduces a cybersecurity certification framework for ICT products, services and processes. Following ENISA's EUCC (the Common Criteria-based European candidate cybersecurity certification scheme), we define the Security Problem and identify the Security Requirements of a healthcare-specific product through a Protection Profile. We consult ENISA's reports to identify the most impactful assets in healthcare that should be prioritized for certification. For the Protection Profile we select a sub-category of Clinical Information Systems, namely the Picture Archiving and Communication System (PACS). Based on five PACS use cases, we define the Security Problem (assumptions, organizational security policies, threats) and elaborate the Security Objectives. We further conduct a sector-specific analysis of challenges and threats in the healthcare sector to supplement the PACS-specific threats. We detail the Security Objectives set out in the Cybersecurity Act, and we offer the combination of these two elements, the broader scope of threats and objectives, as a baseline for future Protection Profiles of healthcare-specific products. We then provide PACS-specific Security Functional Requirements, and we conclude with a guideline for selecting suitable Security Assurance Requirements.
2021
7th International Conference on Cyber Situational Awareness, Data Analytics and Assessment, CyberSA 2021
978-1-6654-2529-2
Towards a Healthcare Cybersecurity Certification Scheme / Hovhannisyan, K.; Bogacki, P.; Colabuono, C. A.; Lofù, D.; Marabello, M. V.; Eugene Maxwell, B. - (2021), pp. 9478255.-9478255.9. (Paper presented at the 7th International Conference on Cyber Situational Awareness, Data Analytics and Assessment, CyberSA 2021, in 2021) [10.1109/CyberSA52016.2021.9478255].
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11589/264431
Citations
  • Scopus 2
  • ISI 0