There is no process in place for security risk assessment. Following a proper security-by-design approach in system and software engineering is not an easy task. Because of time and cost constraints, this activity is often neglected, with profound consequences for the overall security posture of the engineered system. For medical devices this is particularly relevant, since the impact can be critical.
The scenario focused on the design process for the integration between the Laboratory Information System and the medical devices performing the lab analysis. The Security-by-design Framework supported the deployment of a new Point of Care Testing. It was used to perform iterations of risk analysis (following the MEHARI methodology) over the laboratory's integration design, in order to extract the security controls to be applied to the laboratory before actual implementation.
Related regulations and standards: GDPR, ISO 27001, ISO 27799:2008, ISO 14971, ISO 13485.
The SDSP enables designers to carry out a precise risk assessment, pinpointing the security controls to be implemented to improve the security posture. The tool is very precise, and it can be used in security-by-design processes not only for medical devices but also for complex networks and systems, provided a sufficient amount of data is collected beforehand.
"The theory about running risk assessment is clear, but is rarely fully applied. Streamlining the assessment and supporting it with a software tool, as SDSP does, really helps when you want to check if a new medical device introduces vulnerabilities when integrated into the hospital network."
Head of Technological Innovation Unit of the Clinical Engineering Department at Fondazione Policlinico Gemelli