unique, the tools and methods used to achieve the outcomes described by the framework will vary. By utilizing these framework processes an organization can leverage the framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. The framework is a risk-based approach to manage cybersecurity, and features the following components:
Framework: This control family consists of five concurrent and continuous functions as depicted in Figure 1. These functions— Identify, Protect, Detect, Respond, Recover— organize cybersecurity activities such as asset management, identity management and access control, and detection processes.
Figure 1: National Institute of Standards and Technology framework
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
Article 32: Security of Processing— establish appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data being processed.
Article 35: Data Protection Impact Assessment— establish data protection impact assessment mechanism to assess the impact
A.5 Information Security: Establish management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.6 Organization of Information Security: Establish a management framework to initiate and control the implementation and operation of information security within the organization.
§164.306 Security Standard: Confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity or business associate creates, receives, maintains, or transmits.
Access Control
Awareness and Training
Data Security
Information Protection Processes and Procedures
Maintenance
Protective Technology
Articles 5 and 25: Rules and guidelines for applying data protection by design and by default.
Article 24: Data protection policies.
Article 30: Record of processing activities.
Article 32: Data encryption at rest and in transit.
Article 35 and 36: Documents for Data Protection Impact Assessment and prior consultation.
A.8 Asset Management: To identify organizational assets and define appropriate protection responsibilities.
A.9 Access Control: To limit access to information and information processing facilities.
A.10 Cryptography: Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.11 Physical and Environmental Security: Prevent unauthorized physical access,
A.12 Operational Security: Ensure correct and secure operations of information processing facilities.
A.13 Communications Security: Ensure protection of information in networks.
§164.306 Security Standard: Protection of ePHI against anticipated threats or hazards.
§164.308 Access Authorization: Implement policies and procedures for granting access to electronic protected health information and prevent security violations.
§164.310 Physical Safeguards: Implement policies and procedures for facility and workstation access controls to limit physical access to its electronic information systems
§164.312 Technical Safeguards: Implement access control policies for electronic information stored or in transit. Policies for right authentication. Mechanism to encrypt electronic protected health information.
Anomalies and Events
Security Continuous Monitoring
Detection Processes
Article 32: Security of Processing—establish appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data being processed.
A.12. Operations Security: Ensure that the IT systems, including operating systems and software, are protected against data loss. Additionally, record events and generate evidences that can be used to detect, track, and trace the loss of information.
§164.308 Administrative Safeguards: Implement policies and procedures to detect security violations.
Figure 2: Pre-Market Submission
In support of Pre-Market submission (illustrated in Figure 2), the table below describes what the medical manufacturer should do before the device is marketed and sold to customers. It is recommended that the manufacturer integrate risk management during the development of the medical device and provide documentation on submission for Food and Drug Act/FDA approval.
Response Planning
Communications
Analysis
Mitigation
Improvement
Articles 33 and 34: Guidelines and processes to notify in case of personal data breaches.
A.16 Information Security Incident Management: Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
§164.308 Administrative Safeguards: Data backup and contingency plan for retrieval of electronic protected health information.
§164.308 Administrative Safeguards: Implement policies and procedures to correct security violations.
Recovery Planning
Improvements
Communications
Article 32: Security of Processing—establish appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data being processed.
A.17. Information Security Aspects of Business Continuity Management: Ensure the continuity of information security management during disruptions and the availability of information systems.
§164.308 Administrative Safeguards: Disaster recovery plan to restore any loss of data.
§164.310 - Physical Safeguards: Data backup and storage for retrieval of protected health information. Contingency plan that allows facility access in support of restoration of lost data under the disaster recovery plan.
In support of the Post-Market phase (illustrated in Figure 1), the manufacturer must take action for a medical device after it is sold to the customers. The table below describes what the medical manufacturer should do after the device is marketed and sold to customers. It is recommended that manufacturers continually monitor cybersecurity for products already on the market to account for new threats and vulnerabilities.
Medical device interfaces may include hardwired connections and/or wireless communications (Wi-Fi, Ethernet, Bluetooth, USB, etc.) and it is important to consider how data transfer to and from the device is secured to prevent unauthorized access, modification, or replay.
The medical device manufacturer should consider protecting data that is stored on or transferred to/ from the device using encryption.
The medical device manufacturer should evaluate the system-level architecture to determine if design features are necessary to ensure data nonrepudiation (e.g., supporting an audit logging function). They should also consider risks to the integrity of the device such as unauthorized modifications to the device software and controls such as anti-malware to prevent viruses, spyware, ransomware, and other forms of malicious code being executed on the device
The medical device manufacturer should consider user access controls that validate who can use the device or allow granting of privileges to different user roles.
The medical device manufacturer should consider controls to prevent an unauthorized person from accessing the device (e.g., physical locks or physically restricting access to ports).
Medical device manufacturers should establish and communicate a process for implementation and deployment of regular updates. They must have a plan to respond to software updates or outdated operating environments outside their control.
The medical device manufacturer should consider design features that will allow the device to detect, resist, respond, and recover from cybersecurity attacks to maintain its essential performance.
