Diabetes Technology Society

Similar documents
Protection Profile for Connected Diabetes Devices (CDD PP) Extended Package: Moderate

Achilles System Certification (ASC) from GE Digital

Re: DTS Standard and Protection Profile for Connected Diabetes Device Security (DTSec)

SOC for cybersecurity

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Advanced Security Tester Course Outline

ISO/IEC/ IEEE INTERNATIONAL STANDARD. Systems and software engineering Architecture description

Standard Development Timeline

IoT & SCADA Cyber Security Services

TEL2813/IS2820 Security Management

UNCONTROLLED IF PRINTED

Google Cloud & the General Data Protection Regulation (GDPR)

ACCAB. Accreditation Commission For Conformity Assessment Bodies

Page 1 of 29 Protection Profile for Connected Diabetes Devices (CDD)

Agenda. Bibliography

Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Information technology Security techniques Information security controls for the energy utility industry

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Minimum Requirements For The Operation of Management System Certification Bodies

Internet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement

EA-7/05 - EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits

Cyber Risk and Networked Medical Devices

ISO27001:2013 The New Standard Revised Edition

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The University of Queensland

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

ISO/IEC Information technology Security techniques Code of practice for information security controls

An Overview of ISO/IEC family of Information Security Management System Standards

Advent IM Ltd ISO/IEC 27001:2013 vs

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Security Management Models And Practices Feb 5, 2008

Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Certification Report

April 28, Division of Dockets Management (HFA-305) Food and Drug Administration 5630 Fishers Lane, Room 1061 Rockville, MD 20852

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

FDA & Medical Device Cybersecurity

Protecting your data. EY s approach to data privacy and information security

Standard Development Timeline

Timber Products Inspection, Inc.

Frequently Asked Questions

Medical Device Cybersecurity: FDA Perspective

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Cybersecurity for Health Care Providers

THE POWER OF TECH-SAVVY BOARDS:

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

TEL2813/IS2621 Security Management

Security Standards for Electric Market Participants

PSEG Nuclear Cyber Security Supply Chain Guidance

Product Security Program

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

Certification Report

ISO/IEC INTERNATIONAL STANDARD

Cloud Security Standards

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS

Certification Report

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Systems and software engineering Requirements for managers of information for users of systems, software, and services

Procurement Language for Supply Chain Cyber Assurance

Certification Requirements for High Assurance Systems

Data Curation Handbook Steps

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Certification Report

Security analysis and assessment of threats in European signalling systems?

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF INFOR- MATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

ISO 9001 Auditing Practices Group Guidance on:

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

2015 HFMA What Healthcare Can Learn from the Banking Industry

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Security and Privacy Governance Program Guidelines

The Honest Advantage

Certification Report

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017

Security Policies and Procedures Principles and Practices

Below we ve highlighted several of the key points from the final guidance document.

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Cloud Security Standards and Guidelines

NCSF Foundation Certification

The NIS Directive and Cybersecurity in

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

CCISO Blueprint v1. EC-Council

3/3/2017. Medical device security The transition from patient privacy to patient safety. Scott Erven. Who i am. What we ll be covering today

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

This is a preview - click here to buy the full publication

What is ISO/IEC 27001?

Medical device security The transition from patient privacy to patient safety

General Framework for Secure IoT Systems

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

AUTHORITY FOR ELECTRICITY REGULATION

ASSURANCE CONTINUITY: CCRA REQUIREMENTS

Certification Report

Procedure for Network and Network-related devices

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions

Transcription:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Diabetes Technology Society Standard for Wireless Diabetes Device Security (DTSec) May 23, 2016 Version 1.0 DTSEC-2016-08-001 DTSec Standard Version 1.0 May 23, 2016 Page 1 of 14

31 32 33 34 35 36 37 38 39 40 41 42 Legal Notice: Diabetes Technology Society (DTS) organized the development of this version of the Diabetes Technology Society Standard for Wireless Device Security (DTSec). As the holder of the copyright in the Diabetes Technology Society Standard for Wireless Device Security (DTSec), DTS retains the right to use, copy, distribute, translate or modify DTSec as it sees fit. 43 44 45 46 47 48 49 50 51 52 Foreword This version of DTSec (1.0) is a revised version based on suggestions from the DTSec working groups, steering committee, and the public (following a public review cycle). This standard and related Protection Profiles, which are managed by the DTSec Working Group (DWG), consists of scope of work, Protection Profile, and Assurance committees, all working under the auspices of Diabetes Technology Society. DTSec Standard Version 1.0 May 23, 2016 Page 2 of 14

53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 Table of Contents Foreword... 2 1 INTRODUCTION... 4 1.1 Scope... 5 1.2 Role of DTSec in Medical Device Safety Risk Management... 6 1.3 ISO/IEC 15408... 8 1.4 Protection Profiles and Security Targets... 9 1.5 ISO 15408 Assurance Packages... 10 2 ASSURANCE PROGRAM... 12 2.1 Lab Accreditation... 12 2.2 Product Certification... 13 2.3 Evaluated Products List... 13 2.4 Protection Profile and Security Target Approval... 13 2.5 Assurance Maintenance Program... 13 DTSec Standard Version 1.0 May 23, 2016 Page 3 of 14

70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 1 INTRODUCTION The following section is non-normative, with the exception of statements that include the word shall in boldface italics. The purpose of DTSec is to establish a standard used to provide a high level of assurance that electronic products deliver the security protections claimed by their developers and required by their users. While this standard is initially targeted for networked life-critical devices, such as insulin pump controllers, used in the treatment of diabetes, there is nothing inherent in this standard that precludes its application to any medical product or component contributing to the protection of high value assets, resources, and functions. Indeed, while Diabetes Technology Society has a specific mission in diabetes-related electronic products, it is the express intent of this standard s authors that it can provide foundational work for effective cybersecurity standards across not only other medical device classes, but other connected devices and the broader Internet of Things. In order to meet the goal above, participants in the creation of this standard share the following objectives: 1. Enhance the likelihood that security evaluations of critical medical products are performed to high standards, including the ability to achieve highly assured protection and an overall contribution towards enhanced safety, privacy, and security for electronic product stakeholders, including product manufacturers, regulators, patients, and caregivers; 2. Increase the availability of critical electronic products that have been independently evaluated and certified to meet such high standards; 3. Reduce the use of ad-hoc, unreliable, and low assurance electronic product development and evaluation methods that increase risk to electronic product stakeholders; 4. Continuously improve the efficiency (cost and time) of the evaluation and certification of critical electronic products. Professional symposia that support DTSec: Diabetes Technology Society Annual Meeting MEDSec (Medical Cybersecurity and Privacy for the Internet of Medical Things) DTSec Standard Version 1.0 May 23, 2016 Page 4 of 14

109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 1.1 Scope This section describes the scope of the DTSec standard. Medical devices used for monitoring and managing diabetes provide life-saving benefits to patients and effective implementation options to healthcare providers. These devices include blood and continuous glucose monitors, insulin pumps, pens and other insulin delivery devices, and closed loop artificial pancreas systems. With ever-increasing connectivity and data exchange between these diabetes devices, other devices (such as smart phones), and the Internet, there is an increased risk to the safety and privacy of the patient and to the integrity of the healthcare provider. Following the general framework of establishing security standards for information and electronic systems (ISO/IEC 15408, described in the following section), the DTSec program calls for the specification of security requirements for wireless diabetes devices. These requirements are codified by the use of Protection Profiles and Security Targets (explained later in this document), but at a high level have the following objectives: To establish the general requirements for connected devices that meet the balanced needs for security and clinical application. To identify possible and potential threats related to the various components and interfaces of the connected devices, such as network, storage, software, connected peer devices, and cryptography. To define a set of generalized requirements that apply to families of similar devices (these are formed into the Protection Profile) To define a set of specific mandatory requirements, derived from the generalized requirements, corresponding to specific connecteddiabetes device products and components (these requirements are formed into the Security Target). To outline additional optional functional requirements for manufacturers to consider adding to their toolbox for future development. In addition to security functional requirements, the Protection Profiles and Security Targets specify assurance requirements to address the question of: How can I be sure that a wireless diabetes device actually delivers the security claimed in the functional requirements? Common assurance requirements are collected into an assurance package, described in more detail later in this document, and formally defined in the Protection Profiles and Security Targets themselves. In addition to the program for creation and approval of security requirements documents, this standard also defines the assurance program for evaluating and DTSec Standard Version 1.0 May 23, 2016 Page 5 of 14

153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 certifying products against those requirements. The assurance program is defined later in this document. In summary, the DTSec scope includes a program for specifying security requirements for wireless diabetes devices and a program for generating independent assurance (by technical evaluation) that products meet the specified requirements. The remainder of this standard document provides more detailed information about these items and specific mandatory guidance for how this standard is applied. 1.2 Role of DTSec in Medical Device Safety Risk Management Numerous sources of commercial best practice guidance and regulations in the area of medical device safety promote the use of risk assessment as an overarching principle to properly and efficiently identify and mitigate risks to patient safety that may arise through the use of medical devices. It is commonly understood that cybersecurity threats are but one of the many factors that must be considered in this risk assessment. As medical devices are increasingly connected to networks, the risk associated with cyber threats grows. DTSec aims to provide manufacturers and regulators with an efficient, standardized approach to effectively manage safety risk attributable to cybersecurity threats. Specifically, the standard aims to provide, through evaluation, confidence that the medical device is able to protect itself against applicable security threats. Thus, DTSec becomes a valuable tool in the manufacturer s risk assessment arsenal. As an example of how DTSec may fit into a nation s medical device regulatory guidance, consider recent FDA guidance described in Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (issued October 2, 2014). The General Principles section within this guidance document lists five elements of a vulnerability and management approach in line with U.S. government regulations. For each element, we explain here how DTSec helps manufacturers meet the spirit of the guidance. 1. Identification of assets, threats, and vulnerabilities; DTSec leverages ISO 15408 (described more later in this document) to help developers identify and document, using the ISO 15408 standardized framework, the threats applicable to medical device products and components. The DTSec assurance-through-evaluation program (described in section 2 of this standard) helps developers identify vulnerabilities by augmenting the developer secure development lifecycle with independent vulnerability assessment by qualified cybersecurity test labs. 2. Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; DTSec Standard Version 1.0 May 23, 2016 Page 6 of 14

198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 DTSec helps to assess the impact of threats and vulnerabilities on device functionality and end users/patients by requiring developers to consider relevant threats and how they might impact safe clinical use. For example, if a patient with diabetes makes clinical decisions based on the readings from a wirelessly connected glucose monitor, then the developer must consider how cybersecurity threats borne over the wireless connection could potentially corrupt the integrity of these readings, leading to unsafe clinical decisions. This assessment leads to the inclusion of appropriate mitigating controls (security functional requirements) in the Security Target specification. DTSec also helps assess the impact of vulnerabilities discovered during the security evaluation program. For example, if a flaw in the wireless protocol is discovered, then evaluator will assess the exploitability of this vulnerability. If the vulnerability cannot be exploited to corrupt blood glucose data, this implies a reduced impact relative to a protocol vulnerability the evaluator would be able to exploit to corrupt blood glucose data. DTSec also helps stakeholders (manufacturers, regulators, end users, healthcare providers, payers, and independent cybersecurity experts) balance the need for security with essential clinical performance. This balance is struck as part of the process of authoring Protection Profiles and Security Targets, since this balance is necessarily product specific: a specific control may be acceptable for one type of product and completely unacceptable for another type of product. The applicable stakeholder group weighs cybersecurity risk against the risk that a control may hamper essential clinical performance. For example, while user authentication to a medical device may seem an obviously important protection against unauthorized tampering with the device, security functional requirements must ensure that such controls do not add undue safety risk by preventing the user from accessing lifecritical functionality. Indeed, DTSec s focus on product-specific security requirements ensures that these risk inputs will be rigorously considered by all relevant stakeholders rather than ignored or undervalued in an environment that has relied solely on product developers doing the right thing. Cybersecurity history teaches us that developers - whether because of economic pressures, lack of a complete picture of all risks, or other reasons - often do not strike the proper balance. 3. Assessment of the likelihood of a threat and of a vulnerability being exploited; DTSec helps to assess the likelihood of a vulnerability being exploited. As part of the vulnerability assessment requirement included in the Protection Profiles and Security Targets, the security evaluator will attempt to understand not only whether a vulnerability is exploitable but also what level of attack potential is required to exploit. Attack potential takes into consideration how much time is required to devise an exploit, what level of knowledge of the product s inner workings would be required, what kind of sophisticated equipment might be needed to exploit, etc. The attack potential helps developers assess the probability of a threat converting to DTSec Standard Version 1.0 May 23, 2016 Page 7 of 14

244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 active exploit based on this potential. For example, a low potential exploit (one that can be accomplished without sophisticated equipment or knowledge) is likely to have a higher probability of exploit in practice than a high potential exploit that is beyond the technical and economic reach of most attackers. 4. Determination of risk levels and suitable mitigation strategies; DTSec helps to determine suitable mitigation strategies; as part of the protection profile and Security Target authoring process, the DWG, evaluators, and developers work together to ensure that the security functional requirements are carefully chosen to mitigate security threats while balancing overall safe clinical use. For example, it may be determined that a Bluetooth-connected diabetes device should use a simple pairing scheme (one that is not known to be as secure as other pairing schemes) in order to meet clinical usability requirements and to require documented physical security controls and user training, augmenting the technical pairing mechanism offered by the device, for an overall suitable security approach (as documented in the Security Target). 5. Assessment of residual risk and risk acceptance criteria. This is a central focus of the DTSec assurance program. During a security evaluation, the evaluator must determine whether residual risks are acceptable relative to the assurance requirements specified in the Security Target. For example, if a vulnerability exploit requires an attack potential that is higher than what is required in the Security Target, the evaluator will affirm that the residual risk associated with this vulnerability is acceptable. The evaluation process provides all relevant stakeholders, including the product manufacturer, its customers, healthcare providers, and regulators, with an independent expert assessment of these risks. 1.3 ISO/IEC 15408 To be effective for critical electronic devices, especially those that are network connected and may be subject to remote malicious attack, security standards must delve deeply into the processes and techniques for developing and deploying security technologies that provide high assurance of protection. A consortium of national governments came together in the mid 1990s to create a framework for specifying security requirements - for any electronic product, software component, or system - and evaluating vendor claims of conformance to the requirements. The framework that was developed is ISO/IEC 15408, known informally as the Common Criteria (CC), which remains the only internationally accepted, generally applicable product security framework. CC has been utilized to specify a wide variety of security functionality over almost two decades. Requirements are specified in two dimensions: functional requirements cover security features of a product or component, while assurance requirements provide the confidence those features DTSec Standard Version 1.0 May 23, 2016 Page 8 of 14

289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 actually do what they claim. CC is a powerful, scalable framework that permits comparability and consistency between the results of independent security evaluations that follow the standard s methodology. CC assurance requirements can be thought of as falling into two broad areas: product-independent, organizational requirements (e.g. life-cycle processes, configuration management controls, a process and common approach to design and specification, etc.) and product-dependent requirements (e.g. design and requirements artifacts specific to a particular system, functional test results, and vulnerability assessment). Security functional requirements vary widely across products and product components, depending on their threat profile. For example, the security functional requirements for a wireless insulin controller may include: authentication to ensure the controller is only operated by authorized users device and software authentication to ensure that only authentic, trustworthy devices and their constituent software/firmware are used to administer insulin data integrity and confidentiality to protect against corruption or other unauthorized access to commands sent between controller and pump data confidentiality to safeguard the personal data (privacy) of patients and other persons 1.4 Protection Profiles and Security Targets The CC provides for the creation of product-specific requirements specifications, against which individual commercial products or product components are evaluated. The two types of specifications are Protection Profiles (PP) and Security Targets (ST). PPs are intended to generalize the requirements for a wide range of similar products and represent the appropriate security and assurance requirements for a class of devices derived from a technical community of clinical and security experts. This enables the purchaser of a device to acquire a secure product by specifying that the device meet the requirements of the PP rather than detailing all requirements for each device purchase. STs, in contrast, provide specific requirements for a specific product or component from a specific manufacturer. For example, if there are numerous manufacturers of insulin pump controllers, all of which have similar security requirements, then a PP can be authored by a technical community of manufacturers and other stakeholders (e.g. caregivers, regulators, independent cybersecurity experts) to cover insulin pump controllers. A manufacturer can then tailor an ST from the PP. Evaluations are performed against STs. PPs shall be authored by DWG and used when significant efficiency is to be gained from a common security specification and to reduce the subsequent resources required to develop derived STs. DTSec Standard Version 1.0 May 23, 2016 Page 9 of 14

333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 The CC provides a large menu of common functional requirements, from which PP and ST authors may choose. Whenever possible, requirements should be selected from this menu. PP authors also have the freedom under the CC to define extended requirements to address requirements not explicitly listed in the standard. For example, embedded medical electronics may have requirements not initially conceived by the CC standards authors targeting general IT systems. The complete selection of requirements for PPs and STs must be carefully made based on the device threat model, including the functional attack vectors (local/physical, local network, wide-area network, supply chain, etc.) and the motivation and sophistication of attackers to which the product s security capabilities must be resistant. Security evaluation and certification performed under the auspices of this standard shall utilize international standard ISO/IEC 15408:2009 (general framework and specification of requirements) and ISO/IEC 18045:2005 (companion document to ISO 15408, covering evaluation methodology). 1.5 ISO 15408 Assurance Packages Assurance requirements can be grouped into a package that is reused across different PPs and STs. Standards bodies and developers can create customized assurance packages. For example, packages may vary the rigor of vulnerability assessment, depending upon the reasonably expected magnitude of anticipated threat (e.g. nation state vs. amateur hackers). Each assurance requirement originates from a particular assurance component, where each component includes a selection of related requirements in increasing levels of rigor, corresponding to the needs of increasing assurance. DWG may create a package that adopts more rigorous requirements for testing and vulnerability assessment activities that are tightly coupled to device implementation. However, because medical device manufacturers often follow a mature, high quality software development life-cycle process, such as one compliant to IEC 62304, an international and widely adopted standard for medical device software lifecycle processes, compliance (and associated audit) to IEC 62304 may be used as a cost-effective replacement for evaluation of organizational lifecycle-related assurance requirements for device software development. DTSec assurance packages shall be defined and included within any Protection Profiles authored under this standard. Security evaluation and certification for products and components performed under the auspices of this standard shall target an assurance package that satisfies the aims of protection against levels of attack potential consistent with assessed security risk of that product or component. The precise selection of an assurance package depends on numerous factors, including relative criticality, system tolerance to faults, and specific selection of assurance requirements. Lower level assurance evaluations shall be limited to general-purpose products components not responsible for life-critical functions or devices not at risk of exposure to moderate or higher potential attackers. DTSec Standard Version 1.0 May 23, 2016 Page 10 of 14

377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 1.6 Custom STs and the role of DWG in ST Development The primary initial audience for product evaluation is medical device manufacturers and their suppliers, although patients, doctors, regulators, device purchasers, and other stakeholders also will have an interest in the results of such evaluations. While DWG is expected to author PPs for major classes of diabetes-related medical devices with technical community input, suppliers of components that implement a subset of security functions required by these devices, such as SSL protocol, BTLE, and cryptographic libraries, are also encouraged to evaluate and certify these components against custom STs (approved by DWG) so that device manufacturers can efficiently incorporate them into a reduced scope and resource product evaluation. Component STs shall be carefully defined so that they use the same assurance level as the devices that will contain them, and functionality claims shall be consistent with the relevant parts of the PPs. This standard also allows for DWG-approved custom STs (not derived from any DWGapproved PPs) for complete CDD products, although this is generally discouraged unless the product fails to map to an existing DWG approved PP. In the same way that the PP follows a multi-stakeholder, risk-based approach to deriving an appropriate set of security threats, objectives, and requirements, a custom ST shall be carefully created so as to consider a maximum practical selection of DWG stakeholder perspectives (e.g. product developer, regulators, evaluators, caregivers, independent security experts, professional organizations, etc.). In addition, the development process for custom STs, like all other STs, should strive not to constrain product design and implementation freedom while defining, via a risk-based approach, the product s security objectives and requirements. DTSec Standard Version 1.0 May 23, 2016 Page 11 of 14

404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 2 ASSURANCE PROGRAM While a standardized documentary approach to specification and evaluation of security requirements is important, the actual evaluation of products against these requirements is the cornerstone of DTSec s approach to enhanced cybersecurity assurance. As such, DTSec governs the accreditation of independent testing labs that perform evaluations against this standard and the certification of lab results under this standard. 2.1 Lab Accreditation DWG shall publicize a list of independent labs approved by DWG to perform evaluations under DTSec. Labs that wish to provide evaluation services under DTSec must apply and be accepted into the program by DWG. Labs approved under DTSec shall be accredited against the ISO 17025 lab accreditation standard, under a scope that includes information technology security testing or similar designation. In addition, DWG reserves the right to accept or reject lab applications based on numerous factors, including but not limited to the lab s experience in information technology and vulnerability assessment, the reputation and international acceptance of the lab s ISO 17025 accrediting body, and the lab s prevailing evaluation costs and resource availability. Labs approved under DTSec shall be competent to perform vulnerability assessment consistent with AVA_VAN 1 requirements at AVA_VAN.4 or higher leveling, as described in ISO 15408 and ISO 18045. In addition, the lab must be capable of handling vulnerability assessment at these levels for a wide range of device software and hardware environments that are typical in the medical device industry. For example, some devices will run on simple microcontrollers with basic operating systems and small applications, while others may include sophisticated web interfaces and general-purpose operating systems and applications. Since such competence may not be included within the scope of the lab s accreditation, the lab must demonstrate its suitability during the application process to DWG. It is the responsibility of DWG to mandate and take reasonable steps to maximize effectiveness and consistency of AVA_VAN implementations across labs; however, DWG recognizes that vulnerability assessment is a function of evaluator skill and time invested, as well as specific device characteristics, and that perfect consistency (even with the same lab across different devices) is not realistic. DWG requires that labs 1 These are vulnerability analyses under the Common Criteria. DTSec Standard Version 1.0 May 23, 2016 Page 12 of 14

445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 document their assessment work and make themselves available to auditing and informal observation during evaluations by the DWG. 2.2 Product Certification If a product passes evaluation by a DTSec-approved lab, the lab must submit an Evaluation Technical Report to DWG. The report must provide enough detail to satisfy DWG that the evaluation of the product against the ST was performed to a high standard, especially with respect to AVA_VAN vulnerability assessment. A product shall not be considered certified under DTSec until the evaluation report is formally accepted by DWG and the product is listed under the DTSec evaluated products list. 2.3 Evaluated Products List Any products that have successfully passed an evaluation under DTSec and whose evaluation results have been certified by DWG shall be listed under a publicly disclosed DTSec evaluated products list. However, if certified products are subsequently reported to contain vulnerabilities that conflict with the applicable ST requirements, DWG reserves the right to remove those products from the evaluated products list until the vulnerabilities are remediated to a level of acceptable residual risk, as originally intended and agreed upon in the ST by its developers and DWG. DWG reserves the right to remove products from the evaluated products list if they suffer from a large volume of recurring vulnerabilities, even if all reported vulnerabilities have been remediated; similarly, a lab that has successfully evaluated a product that suffers from such recurring vulnerabilities may be subject to removal from the list of approved labs. 2.4 Protection Profile and Security Target Approval DWG shall author and publish PPs, incorporating public review and feedback prior to their formal acceptance and use to derive any STs. An ST shall be used for any evaluations performed under DTSec. Public review and formal publication under DTSec of STs are encouraged but not required. An ST shall be reviewed and approved by DWG before it may be used in any evaluation under DTSec. 2.5 Assurance Maintenance Program When a product developer wishes to gain reuse of a product certification for new versions of the product (hardware and/or software changes), then the developer must submit an assurance maintenance request form, which documents the differences between the certified product and the new, modified product. If the changes are sufficiently minor, as determined via risk assessment performed by evaluator in coordination with the product developer and DWG, DWG may accept the DTSec Standard Version 1.0 May 23, 2016 Page 13 of 14

486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 form without any further actions and simply append the new product version information to the applicable entry in the evaluated products list. Product developers should notify DWG of high severity vulnerabilities that could be exploited to subvert the asserted security functional requirements in evaluated products. Developers should include a plan to mitigate such problems. If such vulnerabilities, whether reported by developers or third parties, are not adequately and promptly mitigated, DWG reserves the right to remove the product from the evaluated products list. Because the overall impact of vulnerabilities and their potential mitigations in specific products vary greatly, this standard does not include guidance for when DWG may take this action. DWG would consider the perspective of all stakeholders, including developers, regulators, patients, and caregivers. DWG advocates prompt mitigation of vulnerabilities (e.g. via an authorized software update if such updates are supported by the manufacturer) that may directly impact patient safety. Notification of DWG regarding vulnerabilities in evaluated products should not be treated as higher priority than the clinical mitigation required for patient safety. Recognizing that threat actors and techniques rapidly evolve, DWG reserves the right to request the submission of an assurance maintenance request form to specifically address new threats that the DWG and/or applicable DTSec-approved labs feel may invalidate an active approval. The above process for product modifications will be used by DWG to determine, by working with appropriate stakeholders including the developer, whether product changes and re-evaluation are necessary. DWG reserves the right to institute random audits of the developer by DWG personnel and/or DTSec-approved labs in order to obtain assurance that the new product satisfies the original requirements documented in the applicable ST or in an approved ST that has minor revisions from an ST that was previously applied in a full evaluation of the earlier revision product. Such audits aim to sample requirements compliance and require a small percentage of the cost and time of a full evaluation. If a product developer cannot support the audit activities for any reason or if the changes documented in the assurance maintenance request form are deemed sufficiently major by DWG, then DWG reserves the right to require a full revalidation of the new product. DWG and its accredited labs will enter into agreements as needed in order to meet confidentiality requirements of vendors bringing their products into evaluation against this standard. This standard does not stipulate a lifetime or expiration for product evaluations; a product evaluation shall remain in effect as long as it continues to meet the assurance maintenance requirements defined herein. DTSec Standard Version 1.0 May 23, 2016 Page 14 of 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback