Title :
A Security Argument Pattern for Medical Device Assurance Cases
Author :
Finnegan, Anita ; McCaffery, Fergal
Author_Institution :
Regulated Software Res. Centre, Dundalk Inst. of Technol., Dundalk, Ireland
Abstract :
Medical device security is a growing concern for medical device manufacturers, healthcare delivery organisations and regulators in the industry. Increasingly, researchers are demonstrating exactly how vulnerable these devices are. In many cases, networked medical devices are regarded as a potential weak link within a healthcare IT network that could provide a means to expose the entire network to a malware attack. At present there is no formal method for implementing security risk management practices in the medical device industry. However, with new regulatory guidance being developed by the Food and Drug Administration (FDA), medical device manufacturers will need to prove that their devices are secure. This paper presents a security case framework that is currently under development. The purpose of this framework is to provide medical device manufacturers and healthcare delivery organisations with a solution to assist both in establishing confidence in the security assurance of medical devices and in maintaining this confidence throughout the lifetime of the device.
Keywords :
biomedical equipment; health care; invasive software; medical computing; risk management; FDA; Food and Drug Administration; healthcare IT network; healthcare delivery organisations; malware attack; medical device assurance cases; medical device industry; medical device manufacturers; medical device security; networked medical devices; regulatory guidance; security argument pattern; security risk management practices; IEC standards; ISO standards; Medical diagnostic imaging; Medical services; Safety; Security; assurance cases; cybersecurity; medical device security; security capability argument pattern; security cases;
Conference_Title :
Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on
Conference_Location :
Naples
DOI :
10.1109/ISSREW.2014.89