
YEAR 3, NUMBER 3 (2020) ISSN 2566-4522

VISOKA ŠKOLA (COLLEGE) “INTERNACIONALNA POSLOVNO – INFORMACIONA AKADEMIJA” TUZLA

ZBORNIK RADOVA / BOOK OF PROCEEDINGS

3. MEĐUNARODNA NAUČNA KONFERENCIJA O DIGITALNOJ EKONOMIJI DIEC 2020
3RD INTERNATIONAL SCIENTIFIC CONFERENCE ON DIGITAL ECONOMY DIEC 2020

TUZLA, JULY 2020


Programski odbor / Programme committee
dr. sc. Anida Zahirović Suhonjić, chair (Internacionalna poslovno – informaciona akademija Tuzla)
prof. dr. Enes Osmančević (University of Tuzla)
dr. sc. Damir Bećirović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Haris Hamidović (Internacionalna poslovno – informaciona akademija Tuzla)
prof. dr. Almir Peštek (University of Sarajevo)
prof. dr. Lazar Radovanović (University of East Sarajevo)
dr. sc. Silvana Tomić Rotim (Zavod za informatičku djelatnost Hrvatske, Croatia)
doc. dr. Aleksandra Labus (University of Belgrade)
doc. dr. Marina Stanić (J. J. Strossmayer University of Osijek)
doc. dr. Dino Arnaut (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Hadžib Salkić (“VITEZ” University, Vitez)
prof. dr. Jamila Jaganjac (“VITEZ” University, Vitez)
dr. sc. Nedret Kikanović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Zlatan Begić (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Emir Džambegović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Željka Pejić Benko (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Damir Šarić (Internacionalna poslovno – informaciona akademija Tuzla)
prof. dr. sc. Katerina Malić Bandur (Faculty of Economics, University of Mostar)
doc. dr. sc. Sandra Jelčić (Faculty of Economics, University of Mostar)
doc. dr. Katarina Rojko (Faculty of Information Studies, Novo Mesto)
izv. prof. dr. sc. Ljiljana Zekanović – Korona (University of Zadar)
izv. prof. dr. sc. Božena Krce Miočić (University of Zadar)
doc. dr. sc. Vesna Kalajžić (University of Zadar)
doc. dr. sc. Marijana Ražnjević Zdrilić (University of Zadar)

Organizacioni odbor / Organizational committee
dr. sc. Damir Bećirović, chair (Internacionalna poslovno – informaciona akademija Tuzla)
Emina Šarić, dipl. oec. (Internacionalna poslovno – informaciona akademija Tuzla)
Admir Čavalić, MA in Economics (Internacionalna poslovno – informaciona akademija Tuzla)
Haris Delić, BA in Law (Internacionalna poslovno – informaciona akademija Tuzla)
Adnana Beganlić, MA in Information Engineering (Internacionalna poslovno – informaciona akademija Tuzla)

Dizajn / Design
Katarina Andrejaš

Grafički urednik / Graphic editor
Abdulah Smajić

Urednici / Editors
Damir Bećirović
Haris Delić

Izdavač / Publisher
Internacionalna poslovno - informaciona akademija

ISSN 2566-4514 (Print)
ISSN 2566-4522 (Online)
SADRŽAJ / CONTENTS

1. Zoran Ereiz
RISK MANAGEMENT IN SOFTWARE PROJECTS: HOW RISKS ARE (NOT) MANAGED IN SOFTWARE DEVELOPMENT PROJECTS ........ 7

2. Dino Arnaut, Damir Bećirović
EMPOWERING SMES THROUGH BLOCKCHAIN BASED JUNIOR STOCK EXCHANGE ........ 15

3. Božidar Radenković, Artur Bjelica, Marijana Despotović - Zrakić, Zorica Bogdanović, Dušan Barać, Aleksandra Labus, Tamara Naumović
MODERN COMMUNICATION MODELS WITH STAKEHOLDERS IN HEALTHCARE ECOSYSTEMS ........ 29

4. Haris Hamidović, Jasmina Kabil-Hamidović, Edina Šehić
MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES ........ 41

5. Ines Grossi, Zlata Berkeš, Antonija Rimac Gelo
THE IMPACT OF NEW MEDIA IN PRACTICING CATHOLICISM: THE CASE STUDY OF CROATIA’S CATHOLICS ........ 49

6. Siniša Franjić
BITCOIN TRANSACTIONS ........ 59

7. Katarina Rojko
INNOVATIVE LEARNING AND TEACHING IN HIGHER EDUCATION SUPPORTED BY WEB PLATFORMS AND APPLICATIONS ........ 67

8. Benjamin Nurkić
INTRODUCING ELECTRONIC ELECTIONS WITHOUT ENFORCING THE JUDGMENTS OF THE EUROPEAN COURT OF HUMAN RIGHTS – DIGITIZATION WITHOUT SUBSTANTIAL DEMOCRATIZATION ........ 81

9. Haris Hamidović, Amra Hamidović
THE ISSUE OF POSSIBLE USE OF CLOUD COMPUTING SERVICES BY BANKING SYSTEM ENTITIES IN BOSNIA AND HERZEGOVINA ........ 89

10. Vjenceslav Arambašić, Josipa Živić, Ivan Sarić
MONEY LAUNDERING, TERRORIST FINANCING AND TAX EVASION USING CRYPTOCURRENCIES ........ 95

11. Antonija Rimac Gelo, Zlata Berkeš, Ines Grossi
THE ROLE AND IMPACT OF SOCIAL MEDIA IN COMMUNICATION BY STATE INSTITUTIONS – THE CROATIAN PARLIAMENT (SABOR) ........ 103

12. Kasim Bajramović, Irhad Bajramović, Amar Bajramović
SYSTEM OF RADIO VOICE CONNECTIONS USING IN MINE ZD RMU "KAKANJ" D.O.O. KAKANJ ........ 109

13. Edina Zahirović Vilašević, Haris Delić
SHARING ECONOMY LEGISLATION FROM A RENTAL REAL ESTATE PERSPECTIVE IN THE FEDERATION OF BOSNIA AND HERZEGOVINA ENTITY ........ 119

14. Zlata Berkeš, Ines Grossi, Antonija Rimac Gelo
E-SERVICES IN THE PUBLIC AND LOCAL GOVERNMENT OPERATIONS: THE BUDGET PAYMENT APPLICATION IN THE CITY OF BJELOVAR ........ 129

15. Enaida Bejdić
DIGITAL TRANSFORMATION ........ 137

16. Edib Smolo, Mirzet Šeho, Admir Čavalić
FINTECH AND ISLAMIC FINANCE: A CRITICAL APPRAISAL ........ 149

17. Robert Andrejaš, Sunčica Oberman Peterka, Jerko Glavaš
RANGE AND POSSIBILITIES OF MEDIA CONVERGENCE IN THE EXISTING ORGANIZATIONAL DESIGN OF BIH CANTONAL RADIO-TELEVISIONS CASE STUDY - PROPOSAL FOR THE REDESIGN OF THE ORGANIZATION OF TUZLA CANTON RADIO - TELEVISION ........ 159

18. Ines Popovac, Mario Kordić
THE PLACE AND ROLE OF NEW INFORMATION TECHNOLOGIES IN THE HEALTHCARE SECTOR ........ 177

19. Emin Mešić
ANALYSIS OF THE POTENTIAL RISKS OF MAINTAINING ONLINE TEACHING AND DEVELOPING DEDICATED SOFTWARE ........ 183

20. Amina Duraković
INTERNET ADDICTION – WHAT HAVE WE DISCOVERED SO FAR? ........ 193

21. Robert Andrejaš, Sunčica Oberman Peterka, Jerko Glavaš
THE EFFECTS OF MULTIMEDIA ON THE VISIBILITY OF CULTURAL AND ART PROJECTS: THREE CASE STUDIES ........ 201
doc. dr. Haris Hamidović, dipl. ing. el. (1)                                Review paper / Pregledni rad
dr. sc. Jasmina Kabil-Hamidović, dipl. defektolog logoped (2)
Edina Šehić, dipl. ing. inf. teh. (3)

MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES

Abstract
The need for effective cybersecurity to ensure medical device functionality and safety has become more
important with the increasing use of wireless, Internet- and network-connected devices, portable media, and
the frequent electronic exchange of medical device-related health information. Cybersecurity incidents have
rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across
healthcare facilities. Such incidents may lead to patient harm through delays or errors in diagnosis and/or
treatment. This paper presents the basic principles and practices for medical device cybersecurity
recommended by the International Medical Device Regulators Forum.
Keywords: Cybersecurity, Healthcare, Medical Device, IMDRF, Cyber Risks.

1. Introduction
Software systems used in healthcare delivery generally fall into one of two categories of safety-critical
systems:
1. Primary safety-critical software. This is software embedded as a controller in a system. A
malfunction of such software can cause a hardware malfunction, which might result in human
injury or even death.
2. Secondary safety-critical software. This is software that can indirectly result in injury. An
example is a healthcare management system; its failure might mean that a patient is not treated
properly (Sommerville, 2018).
Some authors hold that specifying security requirements for safety-critical systems is a harder problem than
specifying safety requirements. Sommerville states: „without a reasonable level of security, one cannot be
confident in a safety-critical system's availability, reliability, and safety. If the system has been attacked
and the software has been compromised in some way (for example, if the software has been modified to include
a worm), then the reliability and safety arguments no longer hold. Errors in the development of a system can
lead to security loopholes. If a system does not respond to unexpected inputs or if array bounds are not
checked, then attackers can exploit these weaknesses to gain access to the system...“ (Sommerville, 2018).
The problem is further complicated as medical devices become more connected, as the International Medical
Device Regulators Forum (IMDRF) observes. This is evident as cybersecurity incidents have rendered medical
devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities
worldwide. To promote a globally harmonized approach to medical device cybersecurity that at a fundamental
level ensures the safety and performance of medical devices while encouraging innovation, IMDRF proposed the
document titled „Principles and Practices for Medical Device Cybersecurity“ (IMDRF, 2019). In this paper we
briefly present some of the recommendations of this guide.

(1) Visoka škola (College) „Internacionalna poslovno-informaciona akademija“ Tuzla, mr.haris.hamidovic@ieee.org
(2) Clinic for Ear, Nose and Throat Diseases, University Clinical Center Tuzla, jasminakabil@gmail.com
(3) Visoka škola (College) „Internacionalna poslovno-informaciona akademija“ Tuzla, edina.salkanovic@gmail.com

2. Risks associated with cybersecurity


IMDRF emphasizes that „risks associated with cybersecurity threats and vulnerabilities should be
considered throughout all phases in the life of a medical device, from initial conception to end of support
(EOS). To effectively manage the dynamic nature of cybersecurity risk, risk management should be applied
throughout the total product life cycle (TPLC) where cybersecurity risk is evaluated and mitigated in the
design, manufacturing, testing, and post-market monitoring activities“ (IMDRF, 2019).
These recommendations are consistent with software engineering best practice, which distinguishes three
stages of risk analysis and assessment used to identify system security requirements (Sommerville, 2018):
• Preliminary risk analysis. At this stage, decisions on the detailed system requirements, the system
design, or the implementation technology have not been made. The aim of this assessment is to derive
security requirements for the system as a whole.
• Life-cycle risk analysis. This risk assessment takes place during the system development life cycle
after design choices have been made. The additional security requirements take account of the
technologies used in building the system and of system design and implementation decisions.
• Operational risk analysis. This risk assessment considers the risks posed by malicious attacks on
the operational system by users, with or without insider knowledge of the system.
In software development, the risk assessment and analysis processes used in security requirements
specification are variants of the generic risk-driven specification process. A risk-driven security
requirements process is shown in Figure 1.
Figure 1. Risk-driven security requirements process

Source: Sommerville, 2018

3. NIST framework
The National Institute of Standards and Technology (NIST) has developed the “Framework for Improving
Critical Infrastructure Cybersecurity”, a general framework applicable across critical infrastructure.
The NIST framework includes best practices that align with the concepts described in „Principles and
Practices for Medical Device Cybersecurity“, the document published by IMDRF (IMDRF, 2019). The five
core functions of the framework (identify, protect, detect, respond, and recover) readily adapt to
strengthening medical device cybersecurity. Responsible stakeholders should consider (NIST, 2018):
• Identifying cybersecurity risks in the device’s design and operating environment;
• Protecting the device to reduce risk through various risk mitigations;
• Detecting if a device has been compromised due to a cybersecurity event;
• Responding using a previously-defined process to respond to a cybersecurity event; and
• Recovering using a previously-defined process to restore the device to normal operation following
a cybersecurity event.

4. Issue of global concern


Medical device cybersecurity is an issue of global concern, IMDRF emphasizes, because security
incidents can threaten the safety of patients in healthcare systems across the world:
• By causing diagnostic or therapeutic errors,
• By compromising the safe performance of a device,
• By affecting clinical operations, or
• By denying patient access to critical care (IMDRF, 2019).
IMDRF further notes that convergence of global healthcare cybersecurity efforts is necessary to
ensure that patient safety is maintained while encouraging innovation and allowing timely patient access to
safe and effective medical devices. For that reason, all stakeholders are encouraged to harmonize their
approaches to cybersecurity across the entire life cycle of the medical device. This includes:
• Harmonization across product design,
• Risk management activities throughout the life cycle of the device,
• Device labelling,
• Regulatory submission requirements,
• Information sharing, and
• Post-market activities (IMDRF, 2019).

5. Pre-market considerations
IMDRF draws particular attention to the fact that although medical device cybersecurity should be
considered over the total product life cycle, there are important elements that a manufacturer should address
during the design and development of a medical device prior to market entry. These pre-market elements
include:
• Designing security features into the product;
• The application of accepted risk management strategies;
• Security testing;
• Provision of useful information for users to operate the device securely; and
• The consideration of having a plan in place for post-market activities (IMDRF, 2019).
This is significant also because numerous studies have shown that correcting a defect early in the
development life cycle costs as much as 100 times less than correcting it late in the life cycle. The ratio
probably far exceeds a hundred to one once the cost of recalls and of diagnosing and repairing defects in the
field is taken into account (not to mention the potential cost of human harm or even death) (Vogel, 2010).
Figure 2. Cost of correcting defects

Source: Griffiths, 2015


Security requirements should also be identified during the requirements capture stage of the life cycle design
process. Sources of security requirements and security risk control measures might include numerous
national and international standards, including the ISO 27000 family (IMDRF, 2019).
To provide concrete examples of security design considerations, Table 1 outlines some design
principles that medical device manufacturers should consider in designing their product. IMDRF emphasizes
that this table is not an exhaustive list (IMDRF, 2019):
Table 1: Design principles for consideration in medical device design (design principle, followed by its description)

Secure Communications
• The manufacturer should consider how the device would interface with other devices or networks.
Interfaces may include hardwired connections and/or wireless communications. Examples of interface
methods include Wi-Fi, Ethernet, Bluetooth and USB.
• The manufacturer should consider how data transfer to and from the device is secured to prevent
unauthorized access or modification. For example, manufacturers should determine: how the
communications between devices/systems will authenticate each other; if encryption is required; and
if terminating communication sessions after a pre-defined time is appropriate.

Data Confidentiality
• The manufacturer should consider if data that is stored on, or transferred to or from, the device
requires some level of protection such as encryption.

Data Integrity
• The manufacturer should consider if confidentiality risk control measures are required to protect
message control/sequencing fields in communication protocols or to prevent the compromise of
cryptographic keying materials.
• The manufacturer should consider design controls that take into account a device that communicates
with a system and/or device that is less secure (e.g., a device connected to a home network or a
legacy device).
• The manufacturer should evaluate the system-level architecture to determine if design controls are
necessary to ensure data non-repudiation (e.g., supporting an audit logging function).

User Access
• The manufacturer should consider user access controls that validate who can use the device, allow
granting of privileges to different classes of users, or allow users access in an emergency. Examples
of authentication or access authorization include passwords, hardware keys or biometrics.

Software Maintenance
• The manufacturer should consider how the device will be updated to secure it against newly
discovered cybersecurity threats. For example, consideration could be given to whether updates will
require user intervention or be initiated by the device.
• The manufacturer should consider what connections will be required to conduct updates and the
authenticity of the connection, update, or patch.
• The manufacturer should consider how often a device will need to be updated via regular and/or
routine updates.
• The manufacturer should consider how operating system software, third-party software, or open
source software will be updated or controlled.

Hardware or Physical Design
• The manufacturer should consider controls to prevent an unauthorized person from accessing the
device. For example, controls could include physical locks or disabling a USB port used only in
service mode.

Reliability and Availability
• The manufacturer should consider design controls that will allow the device to detect, resist,
respond and recover from cybersecurity attacks.

Source: IMDRF, 2019
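The Software Maintenance and Data Integrity rows above ask how the authenticity of an update or patch is established and, implicitly, how a device is kept from being downgraded to an older, vulnerable build. The following is an added example (not code from the paper or from IMDRF) of the check a device would run before writing an update to flash: the manufacturer signs a manifest (model, version, SHA-256 of the image) with an Ed25519 key; the device verifies the signature with the public key provisioned at manufacture, refuses a manifest for another model or a version not newer than the installed one, and only then compares the image digest. The manifest format, model name, firmware bytes and the assumption that the public key sits in tamper-resistant storage are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update package. The format is
// constructed for this example; a manufacturer would define its own.
type Manifest struct {
	Model    string `json:"model"`
	Version  uint32 `json:"version"`
	ImageSHA string `json:"image_sha256"`
}

// Device holds what the verifier needs: the manufacturer's public key
// (assumed to be provisioned at manufacture in tamper-resistant storage)
// and the installed version, which anchors the rollback check.
type Device struct {
	Model      string
	PubKey     ed25519.PublicKey
	InstalledV uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrImageHash    = errors.New("image digest does not match signed manifest")
)

// VerifyUpdate checks, in this order: the signature over the raw manifest
// bytes, the model, the monotonic version, and the image digest. Nothing in
// the manifest is trusted until the signature has passed, and the image is
// never hashed against an unverified digest.
func (d *Device) VerifyUpdate(manifestJSON, sig, image []byte) (*Manifest, error) {
	if !ed25519.Verify(d.PubKey, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Model != d.Model {
		return nil, ErrWrongModel
	}
	if m.Version <= d.InstalledV {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA {
		return nil, ErrImageHash
	}
	return &m, nil
}

// SignUpdate is the manufacturer-side step: hash the image, build the
// manifest and sign its serialized bytes.
func SignUpdate(priv ed25519.PrivateKey, model string, version uint32, image []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(image)
	manifestJSON, err := json.Marshal(Manifest{Model: model, Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{Model: "PUMP-X1", PubKey: pub, InstalledV: 7} // constructed model and state
	image := []byte("constructed firmware image, version 8")

	man, sig, _ := SignUpdate(priv, "PUMP-X1", 8, image)
	_, err := dev.VerifyUpdate(man, sig, image)
	fmt.Println("genuine v8 update:", err)

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	_, err = dev.VerifyUpdate(man, sig, tampered)
	fmt.Println("tampered image:   ", err)

	oldMan, oldSig, _ := SignUpdate(priv, "PUMP-X1", 6, image)
	_, err = dev.VerifyUpdate(oldMan, oldSig, image)
	fmt.Println("rollback to v6:   ", err)
}
```

The order of the checks matters: the signature is verified over the exact bytes that were signed before the JSON is parsed, so a forged manifest never reaches the version or digest logic, and the version comparison is against state the device itself owns, so an attacker who has captured an old but genuinely signed package cannot replay it.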

Although secure software development principles are integral to secure device design, many current
software development life cycle models or standards do not incorporate these principles by default. The
IMDRF warns that „it is important for device manufacturers that develop medical device software to
recognize this deficiency and to incorporate these security principles into the development of their software“
(IMDRF, 2019). The European Union Agency for Network and Information Security (ENISA) reached a similar
conclusion in its analysis of privacy requirements in IT systems: „many system developers are not familiar
with privacy principles or technologies that implement them. Their work usually focuses on realising
functional requirements, where other demands—e.g. privacy or security guarantees—fall short as a result“
(ENISA, 2014) (Hamidović, 2019).

6. Security testing
As Vogel states, software engineering for the medical device industry is not the same as software
engineering in other industries such as consumer electronics. Product life cycles in consumer markets are
often measured in months, and time to market is often more important than the reliability of the software.
In the medical device industry it is not unusual for product lifetimes to exceed 10 years, and the safety and
efficacy of medical devices trump time to market (Vogel, 2010). One reason for this is the need for more
detailed security testing: „The validation of the design phase of a medical device requires security testing.
Testing should take into consideration the context of use of the device and its deployment environment.
Application of software verification techniques are recommended to minimize the risk of anomalies and ensure
that the software complies with the specifications. It is also important to ensure that the medical device is
tested for known vulnerabilities that could be exploited. To do this, the medical device should undergo a
security assessment process or acceptance check (e.g. software testing, attack simulation, etc.)“ (IMDRF, 2019).
IMDRF lists some high-level considerations for medical device manufacturers:
• Perform targeted searches on software components/modules for known vulnerabilities or software
weaknesses. For example, security testing can include: static code analysis, dynamic analysis,
robustness testing, vulnerability scanning and software composition analysis.
• Conduct technical security analyses (e.g. penetration testing). These include efforts to identify
unknown vulnerabilities, e.g. through fuzz testing, and checks for alternative entry points, e.g. by
reading hidden files, configuration, data streams or hardware registers.
• Complete a vulnerability assessment. This includes an impact analysis of the vulnerability on
other in-house products (i.e. variant analysis), the identification of countermeasures, and the
remediation or mitigation of the vulnerability (IMDRF, 2019).
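Sommerville's remark in the introduction about unchecked array bounds and IMDRF's call for robustness and fuzz testing describe the same defect from two sides. The following added example (not from the paper or from IMDRF) puts them together: a constructed length-prefixed device message, a parser that trusts the length field beside one that validates it, and a small mutation-based fuzzer that feeds a few thousand corrupted frames to each parser and counts crashes. The frame format, the mutation operators, the fixed RNG seed and the seed message are assumptions made for this example; a production team would use the Go toolchain's native fuzzing or a dedicated fuzzer rather than this loop, but the principle is the same.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// The message format is constructed for this example: a 2-byte big-endian
// payload length followed by the payload itself.
var errLength = errors.New("frame size does not match declared payload length")

// BuildFrame produces a well-formed frame; the fuzzer mutates this seed.
func BuildFrame(payload []byte) []byte {
	out := make([]byte, 2, 2+len(payload))
	binary.BigEndian.PutUint16(out, uint16(len(payload)))
	return append(out, payload...)
}

// ParseNaive copies n bytes on the strength of the length field alone. On a
// truncated or length-forged frame the index runs past the end of the buffer:
// Go panics, C would read out of bounds (the unchecked-array-bounds case).
func ParseNaive(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, errLength
	}
	payload := make([]byte, binary.BigEndian.Uint16(b))
	for i := range payload {
		payload[i] = b[2+i]
	}
	return payload, nil
}

// ParseHardened checks the declared length against the bytes actually
// received before touching the payload, and rejects trailing junk.
func ParseHardened(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, errLength
	}
	if n := int(binary.BigEndian.Uint16(b)); len(b) == 2+n {
		return b[2:], nil
	}
	return nil, errLength
}

// mutate derives one test case from the seed: a bit flip, a truncation,
// a forged length field, or appended junk.
func mutate(r *rand.Rand, seed []byte) []byte {
	out := append([]byte{}, seed...)
	switch r.Intn(4) {
	case 0:
		out[r.Intn(len(out))] ^= byte(1) << uint(r.Intn(8))
	case 1:
		out = out[:r.Intn(len(out))]
	case 2:
		binary.BigEndian.PutUint16(out, uint16(r.Intn(1<<16)))
	default:
		out = append(out, byte(r.Intn(256)))
	}
	return out
}

// panics reports whether parse crashed on in. An error return is acceptable
// behaviour; a panic is a finding.
func panics(parse func([]byte) ([]byte, error), in []byte) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	_, _ = parse(in)
	return false
}

// Fuzz feeds iters mutated inputs to parse. The RNG seed is fixed so a run is
// reproducible; it returns the crash count and the first crashing input.
func Fuzz(parse func([]byte) ([]byte, error), seed []byte, iters int) (int, []byte) {
	r := rand.New(rand.NewSource(42))
	crashes, first := 0, []byte(nil)
	for i := 0; i < iters; i++ {
		if in := mutate(r, seed); panics(parse, in) {
			if first == nil {
				first = in
			}
			crashes++
		}
	}
	return crashes, first
}

func main() {
	seed := BuildFrame([]byte("HR=072")) // constructed seed message
	n, first := Fuzz(ParseNaive, seed, 2000)
	fmt.Printf("naive parser: %d crashing inputs, first: % x\n", n, first)
	n, _ = Fuzz(ParseHardened, seed, 2000)
	fmt.Printf("hardened parser: %d crashing inputs\n", n)
}
```

The point to take from the run is the asymmetry: the hardened parser returns an error for every malformed frame and never crashes, while the naive one crashes on truncations and forged lengths alike, and the first crashing input is the reproducer a developer would attach to the defect report.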

7. Post-market management strategy


IMDRF emphasizes that as cybersecurity threats will continuously evolve, manufacturers should proactively
monitor, identify, and address vulnerabilities and exploits as part of their post-market management strategy.
A plan should be developed prior to market entry for ongoing monitoring of and response to emerging
cybersecurity threats. This plan should apply throughout the device’s life cycle. Items to consider as part of
this plan, developed prior to market entrance, should include:
• Post-market Vigilance: A plan to proactively monitor and identify newly discovered cybersecurity
vulnerabilities, assess their threat, and respond.
• Vulnerability Disclosure: A formalized process for gathering information from vulnerability
finders, developing mitigation and remediation strategies, and disclosing the existence of
vulnerabilities and mitigation or remediation approaches to stakeholders.
• Patching and Updates: A plan outlining how software will be updated to maintain ongoing safety
and performance of the device either regularly or in response to an identified vulnerability
(IMDRF, 2019).

8. Cybersecurity practices adopted by healthcare providers
According to the IMDRF recommendations on medical device cybersecurity, it is important to recognize that
cybersecurity is a shared responsibility that requires the participation of all stakeholders, including
healthcare providers. Healthcare providers should consider adopting a risk management process to address the
safety, effectiveness and cybersecurity aspects of medical devices connected to their IT infrastructure. The
process should be applied at the:
• Initial development of the IT infrastructure;
• Integration of a new medical device into the existing IT network; and
• Changing of operating systems or the IT network, or of the medical device itself (software and
firmware), through updates or modifications (IMDRF, 2019).
To carry out this risk management process, healthcare providers may refer to relevant international
standards such as, among others, the ISO 27000 series and in particular ISO 27799 (IMDRF, 2019). ISO 27799
provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where
necessary, so that they can be used effectively for managing health information security (ISO, 2016)
(Hamidovic, Kabil, 2011).
The IMDRF guide recommends that in addition to adopting a risk management system, healthcare providers
should also adhere to the following general cybersecurity best practices to maintain the healthcare
provider’s overall security posture:
• Good physical security to prevent unauthorized physical access to medical device or network
access points;
• Access control measures (e.g. role based) to ensure only authorized personnel are allowed access
to network elements, stored information, services and applications;
• Network access control to limit medical device communication;
• Patch management practices that ensure timely security patch updates;
• Malware protection to prevent attacks;
• Session timeout to prevent unauthorized access to devices left unattended for extended period.
The implementation of these best practices should be placed in the context of the clinical use of the
device, IMDRF notes (IMDRF, 2019).
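Two of the practices above, role-based access control and session timeout, interact with the Table 1 User Access row (granting privileges to classes of users, and allowing access in an emergency) and with the Data Integrity row's audit logging for non-repudiation. The following added example (not from the paper or from IMDRF) sketches a device-side access controller that combines them: roles map to permissions, a session closes after an idle timeout, and a nurse can invoke break-glass access that grants clinician privileges for a fixed period, never silently, since a reason is mandatory and the grant is written to the audit log. The roles, permissions, timeouts and the injected clock are assumptions made for this example.

```go
package main

import (
	"errors"
	"time"
)

// Roles, permissions and timeouts are constructed for this example; a real
// device derives them from its intended use and hazard analysis.
type Role string
type Permission string

const (
	RoleNurse, RoleClinician Role       = "nurse", "clinician"
	PermView, PermDose       Permission = "view_status", "change_dose"
)

var rolePerms = map[Role][]Permission{RoleNurse: {PermView}, RoleClinician: {PermView, PermDose}}

// AuditEvent is the non-repudiation record: who did what, when, and why.
type AuditEvent struct {
	At                   time.Time
	User, Action, Detail string
}

// LastSeen drives the idle timeout; EmergencyUntil is an absolute expiry (zero when no grant is live).
type Session struct {
	BaseRole                 Role
	LastSeen, EmergencyUntil time.Time
}

type AccessController struct {
	Now                       func() time.Time // injected clock so timeouts are testable
	IdleTimeout, EmergencyTTL time.Duration
	Audit                     []AuditEvent
	sessions                  map[string]*Session
}

var ErrExpired = errors.New("no active session (idle timeout or never logged in)")
var ErrDenied = errors.New("permission denied for role")

func NewAccessController(now func() time.Time) *AccessController {
	return &AccessController{Now: now, IdleTimeout: 10 * time.Minute,
		EmergencyTTL: 15 * time.Minute, sessions: map[string]*Session{}}
}

func (a *AccessController) Login(user string, role Role) {
	a.sessions[user] = &Session{BaseRole: role, LastSeen: a.Now()}
	a.Audit = append(a.Audit, AuditEvent{a.Now(), user, "login", string(role)})
}

// session returns the live session and refreshes its idle timer, or closes it (audited) if idle too long.
func (a *AccessController) session(user string) (*Session, error) {
	s, ok := a.sessions[user]
	if !ok {
		return nil, ErrExpired
	}
	if a.Now().Sub(s.LastSeen) > a.IdleTimeout {
		delete(a.sessions, user)
		a.Audit = append(a.Audit, AuditEvent{a.Now(), user, "session_expired", "idle timeout"})
		return nil, ErrExpired
	}
	s.LastSeen = a.Now()
	return s, nil
}

// Authorize checks perm against the effective role: clinician while a break-glass grant is live, else the base role.
func (a *AccessController) Authorize(user string, perm Permission) error {
	s, err := a.session(user)
	if err != nil {
		return err
	}
	role := s.BaseRole
	if !s.EmergencyUntil.IsZero() && a.Now().Before(s.EmergencyUntil) {
		role = RoleClinician
	}
	for _, p := range rolePerms[role] {
		if p == perm {
			return nil
		}
	}
	a.Audit = append(a.Audit, AuditEvent{a.Now(), user, "denied", string(perm)})
	return ErrDenied
}

// BreakGlass grants clinician privileges for EmergencyTTL: easy to invoke, never silent (reason mandatory, grant audited).
func (a *AccessController) BreakGlass(user, reason string) error {
	if reason == "" {
		return errors.New("emergency access requires a reason")
	}
	s, err := a.session(user)
	if err != nil {
		return err
	}
	s.EmergencyUntil = a.Now().Add(a.EmergencyTTL)
	a.Audit = append(a.Audit, AuditEvent{a.Now(), user, "break_glass", reason})
	return nil
}
```

The design choice worth noting is that the two timers behave differently on purpose: activity extends the idle timeout, because an unattended device is the threat, but nothing extends the emergency grant, because an emergency privilege that quietly became permanent would defeat the review of the audit trail.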
IMDRF also states that it is crucial that healthcare providers take a holistic approach to prevent cybersecurity
incidents from occurring in their institutions. As such, healthcare providers are encouraged to provide the
following cybersecurity training:
• Basic training to create security awareness and introduce cyber hygiene practices among all users
(e.g. doctors, nurses, biomedical engineers, technicians, etc.);
• Training should also be extended to patients if the connected medical devices (e.g. home use
devices such as a continuous glucose monitor or portable insulin pump) are intended to be
operated by the patients themselves (IMDRF, 2019).

9. Patching
According to ISO/IEC 27002, „information about technical vulnerabilities of information systems being
used should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated
and appropriate measures taken to address the associated risk. Software patches should be applied when
they can help to remove or reduce information security weaknesses“ (ISO/IEC, 2013). Patients receive
medical care in professional healthcare facilities and in the home healthcare environment, and each use
environment has its own considerations for patching. In the home healthcare environment, for example, the
user can be the patient, a caregiver, a trusted neighbour or a family member. The IMDRF guide provides
general guidance for patching and describes specific considerations for each use environment (IMDRF, 2019).

10. Conclusion
Medical devices are becoming more advanced. Most contain software and connect to the Internet, hospital
networks, mobile phones or other devices to share information. It is important to make sure that medical
devices are cyber secure. Whenever a medical device has software and relies on a wireless or wired connection,
vigilance is required. The software behind these products, like all technologies, can become vulnerable to
cyber threats, especially if the device is older and was not built with cybersecurity in mind, the US FDA
warns.
Responding to this need, the International Medical Device Regulators Forum, a voluntary group of medical
device regulators from around the world, produced a guidance document providing fundamental concepts and
considerations on the general principles and best practices, to facilitate international regulatory
convergence on medical device cybersecurity. As IMDRF states, the document is designed to provide concrete
recommendations to all responsible stakeholders on the general principles and best practices for medical
device cybersecurity (including in vitro diagnostic (IVD) medical devices). In general, it outlines
recommendations for medical device manufacturers, healthcare providers, regulators and users to: employ a
risk-based approach to the design and development of medical devices with appropriate cybersecurity
protections; minimize risks that could arise from use of the device for its intended purposes; and ensure
maintenance and continuity of critical device safety and effectiveness.

References:
1. ENISA. (2014). Privacy and Data Protection by Design – from policy to engineering. European Union
Agency for Network and Information Security (ENISA).
2. Griffiths, M. (2015). An Introduction to the Cost of Change and Technical Debt. Available at:
https://www.projectmanagement.com/articles/308195/An-Introduction-to-the-Cost-of-Change-and-Technical-Debt.
Date of access: 06.02.2020.
3. Hamidovic, H., Kabil, J. (2011). An Introduction to Information Security Management in Health Care
Organizations. ISACA Journal.
4. Hamidović, H. (2019). GDPR i pitanje tehničke zaštite ličnih podataka [GDPR and the question of technical
protection of personal data]. Pravo i finansije, No. 9, pp. 90-93.
5. IMDRF. (2019). Principles and Practices for Medical Device Cybersecurity - Draft. The International
Medical Device Regulators Forum (IMDRF).
6. ISO. (2016). ISO 27799:2016, Health informatics — Information security management in health using
ISO/IEC 27002. International Organization for Standardization.
7. ISO/IEC. (2013). ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice
for information security controls. International Organization for Standardization / International
Electrotechnical Commission.
8. NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of
Standards and Technology.
9. Sommerville, I. (2018). Software Engineering. Pearson.
10. Vogel, D. (2010). Medical Device Software Verification, Validation and Compliance. Artech House.
