VISOKA ŠKOLA
“INTERNACIONALNA POSLOVNO – INFORMACIONA
AKADEMIJA” TUZLA
ZBORNIK
RADOVA
Book of Proceedings
Dizajn/Design
Katarina Andrejaš
Urednici / Editors
Damir Bećirović
Haris Delić
Izdavač / Publisher
Internacionalna poslovno - informaciona akademija
1. Zoran Ereiz
RISK MANAGEMENT IN SOFTWARE PROJECTS: HOW RISKS ARE (NOT) MANAGED IN SOFTWARE DEVELOPMENT PROJECTS
6. Siniša Franjić
BITCOIN TRANSACTIONS
7. Katarina Rojko
INNOVATIVE LEARNING AND TEACHING IN HIGHER EDUCATION SUPPORTED BY WEB PLATFORMS AND APPLICATIONS
8. Benjamin Nurkić
INTRODUCING ELECTRONIC ELECTIONS WITHOUT ENFORCING THE JUDGMENTS OF THE EUROPEAN COURT OF HUMAN RIGHTS – DIGITIZATION WITHOUT SUBSTANTIAL DEMOCRATIZATION
13. Edina Zahirović Vilašević, Haris Delić
SHARING ECONOMY LEGISLATION FROM A RENTAL REAL ESTATE PERSPECTIVE IN THE FEDERATION OF BOSNIA AND HERZEGOVINA ENTITY
Review paper / Pregledni rad
doc.dr. Haris Hamidović, dipl.ing.el.
dr.sc. Jasmina Kabil-Hamidović, dipl. defektolog logoped
Edina Šehić, dipl. ing. inf. teh.
Abstract
The need for effective cybersecurity to ensure medical device functionality and safety has become more
important with the increasing use of wireless, Internet and network connected devices, portable media, and
the frequent electronic exchange of medical device related health information. Cybersecurity incidents have
rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across
healthcare facilities. Such incidents may lead to patient harm because of delays in diagnoses and/or
treatment, errors in diagnoses and/or treatment, etc. This paper presents the basic principles and
practices for medical device cybersecurity recommended by the International Medical Device Regulators
Forum.
Keywords: Cybersecurity, Healthcare, Medical Device, IMDRF, Cyber Risks.
1. Introduction
Software systems used in healthcare delivery generally fall into one of two categories of
safety-critical systems:
1. Primary safety-critical software. This is software that is embedded as a controller in a system.
Malfunctioning of such software can cause a hardware malfunction, which might result in human
injury or even death.
2. Secondary safety-critical software. This is software that can indirectly result in an injury. An
example of such software might be a health care management system. Failure of this system may
mean that a patient is not treated properly (Sommerville, 2018).
Some authors are of the opinion that the specification of security requirements for safety-critical systems is a
more challenging problem than the specification of safety requirements. Sommerville states that „without a
reasonable level of security, one cannot be confident in a safety-critical system’s availability, reliability,
and safety. If the system has been attacked and the software has been compromised in some way (for
example, if the software has been modified to include a worm), then the reliability and safety arguments no
longer hold. Errors in the development of a system can lead to security loopholes. If a system does not
respond to unexpected inputs or if array bounds are not checked, then attackers can exploit these weaknesses
to gain access to the system...“ (Sommerville, 2018).
The problem is further complicated as medical devices become more connected, as the International
Medical Device Regulators Forum (IMDRF) has considered. This is evident as cybersecurity incidents have rendered
medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare
facilities worldwide. With the aim of promoting a globally harmonized approach to medical device
cybersecurity that at a fundamental level ensures the safety and performance of medical devices while
encouraging innovation, IMDRF proposed the document titled „Principles and Practices for Medical Device
Cybersecurity“ (IMDRF, 2019). In this paper we briefly present some of the recommendations of this
guide.
3. NIST framework
The National Institute of Standards and Technology (NIST) has developed a “Framework for Improving
Critical Infrastructure Cybersecurity” which is a general framework applicable across critical infrastructure.
The NIST framework includes best practices that align with the concepts described in „Principles and
Practices for Medical Device Cybersecurity“ - document published by IMDRF (IMDRF, 2019). The five
core functions of the framework readily adapt to strengthen medical device cybersecurity and include:
identify, protect, detect, respond, and recover. Responsible stakeholders should consider (NIST, 2018):
• Identifying cybersecurity risks in the device’s design and operating environment;
• Protecting the device to reduce risk through various risk mitigations;
• Detecting if a device has been compromised due to a cybersecurity event;
• Responding using a previously-defined process to respond to a cybersecurity event; and
• Recovering using a previously-defined process to restore the device to normal operation following
a cybersecurity event.
5. Pre-market considerations
IMDRF draws particular attention to the fact that although medical device cybersecurity should be
considered over the total product life cycle, there are important elements that a manufacturer should address
during the design and development of a medical device prior to market entry. These pre-market elements
include:
• Designing security features into the product;
• The application of accepted risk management strategies;
• Security testing;
• Provision of useful information for users to operate the device securely; and
• The consideration of having a plan in place for post-market activities (IMDRF, 2019).
The foregoing is also significant because numerous studies have shown that correcting defects is
as much as 100 times less expensive early in the development life cycle than it is late in the development
life cycle. The costs probably greatly exceed the hundred-to-one ratio if one takes into account the cost of
recalls and of trying to diagnose and repair defects in the field (not to mention the potential cost of human harm
or even death) (Vogel, 2010).
Figure 2. Cost of correcting defects
The manufacturer should consider if confidentiality risk
control measures are required to protect message
control/sequencing fields in communication protocols or
to prevent the compromise of cryptographic keying
materials.
Although secure software development principles are integral to secure device design, many current
software development life cycle models or standards do not incorporate these principles by default. The
IMDRF warns that „it is important for device manufacturers that develop medical device software to
recognize this deficiency and to incorporate these security principles into the development of their software“
(IMDRF, 2019). A similar conclusion was reached by the European Union Agency for Network and
Information Security (ENISA) in its analysis of privacy requirements in IT systems: „many
system developers are not familiar with privacy principles or technologies that implement them. Their work
usually focuses on realising functional requirements, where other demands—e.g. privacy or security
guarantees—fall short as a result“ (ENISA, 2014) (Hamidović, 2019).
6. Security testing
As Vogel states, software engineering for the medical device industry is not the same as software
engineering in other industries such as the consumer electronics industry. Product life cycles in the consumer
markets are often measured in months. Time to market often is more important than the reliability of the
software. In the medical device industry, it is not unusual for products to have product lifetimes exceeding
10 years. The safety and efficacy of medical devices trump time to market (Vogel, 2010). One of the reasons
for this situation is the need for more detailed security testing. „The validation of the design phase of a
medical device requires security testing. Testing should take into consideration the context of use of the
device and its deployment environment. Application of software verification techniques are recommended
to minimize the risk of anomalies and ensure that the software complies with the specifications. It is also
important to ensure that the medical device is tested for known vulnerabilities that could be exploited. To
do this, the medical device should undergo a security assessment process or acceptance check (e.g. software
testing, attack simulation, etc.)“ (IMDRF, 2019).
IMDRF states some high-level considerations for medical device manufacturers:
• Perform targeted searches on software components/modules for known vulnerabilities or software
weaknesses. For example, security testing can include: static code analysis, dynamic analysis,
robustness testing, vulnerability scanning, software composition analysis.
• Conduct technical security analyses (e.g. penetration testing). These include: efforts to identify
unknown vulnerabilities and checks for unknown vulnerabilities, e.g. through fuzz testing; or
checks for alternative entry points, e.g. by reading hidden files, configuration, data streams or
hardware registers.
• Complete a vulnerability assessment. This includes an impact analysis of the vulnerability on
other in-house products (i.e. variant analysis); the identification of countermeasures; and the
remediation or mitigation of the vulnerability (IMDRF, 2019).
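A small robustness (fuzz) test of the kind listed above, as an added example that is not taken from the paper or from the IMDRF guide. The frame layout, `SAMPLE`, `parse_naive`, `parse_checked` and `robustness_test` are hypothetical and constructed for illustration; the harness counts any exception other than the documented `FrameError` as a finding.

```python
import random
import struct

class FrameError(ValueError):
    """The one documented way for a parser to reject input."""

HEADER = struct.Struct(">BHB")  # assumed layout: type, sequence, payload length
SAMPLE = bytes.fromhex("0100070400480062b6")  # constructed valid frame + checksum

def parse_naive(buf):  # trusts the sender: frame size is never checked
    mtype, seq, length = HEADER.unpack_from(buf)
    end = HEADER.size + length
    if sum(buf[:end]) & 0xFF != buf[end]:
        raise FrameError("checksum mismatch")
    return mtype, seq, buf[HEADER.size:end]

def parse_checked(buf):
    if len(buf) < HEADER.size + 1:
        raise FrameError("shorter than header plus checksum")
    mtype, seq, length = HEADER.unpack_from(buf)
    if len(buf) != HEADER.size + length + 1:
        raise FrameError("length field disagrees with frame size")
    if sum(buf[:-1]) & 0xFF != buf[-1]:
        raise FrameError("checksum mismatch")
    return mtype, seq, buf[HEADER.size:-1]

def mutate(frame, rng):
    data = bytearray(frame)
    kind = rng.randrange(3)
    if kind == 0:    # corrupt one byte (may hit the length field)
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif kind == 1:  # truncate at a random offset
        del data[rng.randrange(len(data)):]
    else:            # append trailing junk
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def robustness_test(parser, rounds=2000, seed=1):
    rng = random.Random(seed)  # fixed seed keeps findings reproducible
    findings = {}              # exception name -> first input that triggered it
    for _ in range(rounds):
        case = mutate(SAMPLE, rng)
        try:
            parser(case)
        except FrameError:
            continue  # clean, documented rejection
        except Exception as exc:  # anything else is a robustness finding
            findings.setdefault(type(exc).__name__, case)
    return findings
```

Running `robustness_test(parse_naive)` reports the undocumented exceptions raised on truncated or length-corrupted frames, while `robustness_test(parse_checked)` returns an empty result.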
8. Cybersecurity practices adopted by healthcare providers
According to the IMDRF recommendations, medical device cybersecurity is a shared responsibility
that requires the participation of all stakeholders, including healthcare
providers. Healthcare providers should consider adopting a risk management process to address the safety,
effectiveness and cybersecurity aspects of medical devices that are connected to their IT infrastructure. The
process should be applied at the:
• Initial development of the IT infrastructure;
• Integration of a new medical device into existing IT network; and
• Changing of operating systems or IT network or to the medical device itself (software and
firmware) with updates or modifications (IMDRF, 2019).
In order to carry out the above-mentioned risk management process, healthcare providers may refer to
relevant international standards for adoption, such as, among others, the ISO 27000 series and in
particular ISO 27799 (IMDRF, 2019). ISO 27799 provides implementation guidance for the controls described in
ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing
health information security (ISO, 2016) (Hamidovic, Kabil, 2011).
The IMDRF guide recommends that in addition to adopting a risk management system, healthcare providers
should also adhere to the following general cybersecurity best practices to maintain the healthcare
provider’s overall security posture:
• Good physical security to prevent unauthorized physical access to medical device or network
access points;
• Access control measures (e.g. role based) to ensure only authorized personnel are allowed access
to network elements, stored information, services and applications;
• Network access control to limit medical device communication;
• Patch management practices that ensure timely security patch updates;
• Malware protection to prevent attacks;
• Session timeout to prevent unauthorized access to devices left unattended for extended period.
IMDRF adds that the implementation of these best practices should be placed in context with the
clinical use of the device (IMDRF, 2019).
IMDRF also states that it is crucial that healthcare providers take a holistic approach to prevent cybersecurity
incidents from occurring in their institutions. As such, healthcare providers are encouraged to provide the
following cybersecurity training:
• Basic training to create security awareness and introduce cyber hygiene practices among all users
(e.g. doctors, nurses, biomedical engineers, technicians, etc.);
• Training should also be extended to patients if the connected medical devices (e.g. home use
devices such as a continuous glucose monitor or portable insulin pump) are intended to be
operated by the patients themselves (IMDRF, 2019).
9. Patching
According to ISO/IEC 27002, information about technical vulnerabilities of information systems being
used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated
and appropriate measures taken to address the associated risk. Software patches should be applied when
they can help to remove or reduce information security weaknesses (ISO/IEC, 2013). Patients receive
medical care in professional healthcare facilities and in the home healthcare environment, and each use
environment is associated with unique considerations for patching. In the home healthcare environment, for
example, the user can be the patient, caregiver, trusted neighbor, or a family member. The IMDRF guide
provides general guidance for patching and describes specific considerations for each use environment
(IMDRF, 2019).
10. Conclusion
Medical devices are becoming more advanced. Most contain software and connect to the internet, hospital
networks, mobile phones, or other devices to share information. It is important to make sure medical devices
are cyber secure. Anytime a medical device has software and relies on a wireless or wired connection,
vigilance is required. The software behind these products, like all technologies, can become vulnerable to
cyber threats, especially if the device is older and was not built with cybersecurity in mind, the
US FDA warns.
Recognizing the needs of society, the International Medical Device Regulators Forum, a voluntary
group of medical device regulators from around the world, produced a guidance document to provide
fundamental concepts and considerations on the general principles and best practices to facilitate
international regulatory convergence on medical device cybersecurity. According to IMDRF, this
document is designed to provide concrete recommendations to all responsible stakeholders on the general
principles and best practices for medical device cybersecurity (including in vitro diagnostic (IVD) medical
devices). In general, it outlines recommendations for medical device manufacturers, healthcare providers,
regulators, and users to: employ a risk-based approach to the design and development of medical devices
with appropriate cybersecurity protections; minimize risks that could arise from use of the device for its
intended purposes; and ensure maintenance and continuity of critical device safety and effectiveness.
References:
1. ENISA. (2014). Privacy and Data Protection by Design – from policy to engineering.
European Union Agency for Network and Information Security – ENISA.
2. Griffiths, M. (2015). An Introduction to the Cost of Change and Technical Debt. Available
on: https://www.projectmanagement.com/articles/308195/An-Introduction-to-the-Cost-of-Change-and-Technical-Debt.
Date of access: 06.02.2020.
3. Hamidovic, H., Kabil, J. (2011). An Introduction to Information Security Management in
Health Care Organizations, ISACA Journal.
4. Hamidović, H. (2019). GDPR i pitanje tehničke zaštite ličnih podataka, Pravo i finansije.
No. 9. Pp. 90-93.
5. IMDRF. (2019). Principles and Practices for Medical Device Cybersecurity - Draft, The
International Medical Device Regulators Forum (IMDRF).
6. ISO. (2016). ISO 27799:2016, Health informatics — Information security management in
health using ISO/IEC 27002, International Organization for Standardization.
7. ISO/IEC. (2013). ISO/IEC 27002:2013, Information technology — Security techniques —
Code of practice for information security controls, International Organization for
Standardization / International Electrotechnical Commission.
8. NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity, National
Institute of Standards and Technology.
9. Sommerville, I. (2018). Software Engineering, Pearson.
10. Vogel, D. (2010). Medical device software verification, validation and compliance, Artech
House.