How to implement regulatory requirements
Reviewing prototypes against regulatory requirements
During the medIAM project, we focused on the building blocks required to build healthcare services (IT, IoT, BMS) that are more dependable, safe and secure. ETSI EN 303 645 provides a detailed list of requirements for IoT in particular. However, a key lesson is that we need a technology layer that removes silos, instead of strengthening the current divide between IT/CISOs and biomedical engineers. That is why we prototyped towards a closer convergence of IoT and datacenter environments.
Looking back at the high-level requirements derived from the regulations:
| Regulatory requirement | Solution | Prototype status |
| --- | --- | --- |
| Software patches and updates | scheduler + dependable DLU | Opensource + standard |
| User authN/authZ | IETF GNAP | Opensource + standard |
| Encryption | DIF KERI | Opensource + standard |
| Secure network communication | Ockam workers or HTTP message signature | Opensource + standard |
| Risk management | -- | Not included in medIAM |
| Supply chain management | -- | Not included in medIAM |
| Cybersecurity testing | -- | Not included in medIAM |
While we focused on the protocols, we also suggested ways to cover the organizational requirements:
DoCRA's notion of duty of care for cyber risk management fits well with healthcare values. Threat management is of particular importance and can be supported with open-source databases (CVE) and software (e.g. https://github.com/Netflix/dispatch).
Cybersecurity testing can be done by organisations such as BSI, which has published insightful studies referenced in the literature section.
Supply chain management is arguably the hardest part to cover, because its scope is very broad. However, we provided tools for end-to-end encryption, which removes the requirement that messages pass through third parties in the clear. We also provided tools for dependable updates from those vendors and tested the requirements against a mock user interface.
Getting the full picture would require industrial use cases, such as those mentioned in the "designing new devices" section.