How to implement regulatory requirements

Reviewing prototypes against regulatory requirements

During the mediam project, we focused on the building blocks required to build healthcare services (IT, IoT, BMS) that are more dependable, safe and secure. ETSI EN 303 645 provides a detailed list of requirements for IoT in particular. However, a key lesson is that we need a technology layer that removes silos, instead of strengthening the current divide between IT/CISOs and biomedical engineers. That's the reason why we prototyped towards a better convergence of IoT and datacenter environments.

If we look back on the high level requirements analysed from regulations:

Regulatory requirement

Solution

Prototype status

Software patches and updates

scheduler + dependable DLU

Opensource + standard

User authN/authZ

IETF GNAP

Opensource + standard

Encryption

DIF KERI

Opensource + standard

Secure network communication

Ockam workers or HTTP message signature

Opensource + standard

Risk management

Not included in medIAM

Supply chain management

Not included in medIAM

Cybersecurity testing

Not included in medIAM

While we focused on the protocols, we suggested ways to also cover the organizational requirements:

doCRA's notion of duty of care for cyber risk management fits well with healthcare values. Threat management is of particular importance, and could be managed using opensource databases (CVE) and software (ex: https://github.com/Netflix/dispatch)
cybersecurity testing can be done by organisms such as BSI, which made insightful studies referenced in the litterature section
supplychain management is arguably the hardest part to cover, because it is very vast. However, we provided tools for end to end encryption, which removes the requirement to get messages through third parties. We also provided tools for dependable updates from those vendors and tested requirements based on a mock user interface.

Getting the full picture would require industrial use cases, such as those mentioned in the "designing new devices".

PreviousD5 - Final report NextNext steps

Last updated 3 years ago

Was this helpful?

How to implement regulatory requirements

Reviewing prototypes against regulatory requirements

If we look back on the high level requirements analysed from regulations:

Regulatory requirement

Solution

Prototype status

Software patches and updates

scheduler + dependable DLU

Opensource + standard

User authN/authZ

IETF GNAP

Opensource + standard

Encryption

DIF KERI

Opensource + standard

Secure network communication

Ockam workers or HTTP message signature

Opensource + standard

Risk management

Not included in medIAM

Supply chain management

Not included in medIAM

Cybersecurity testing

Not included in medIAM

While we focused on the protocols, we suggested ways to also cover the organizational requirements:

doCRA's notion of duty of care for cyber risk management fits well with healthcare values. Threat management is of particular importance, and could be managed using opensource databases (CVE) and software (ex: https://github.com/Netflix/dispatch)
cybersecurity testing can be done by organisms such as BSI, which made insightful studies referenced in the litterature section
supplychain management is arguably the hardest part to cover, because it is very vast. However, we provided tools for end to end encryption, which removes the requirement to get messages through third parties. We also provided tools for dependable updates from those vendors and tested requirements based on a mock user interface.

Getting the full picture would require industrial use cases, such as those mentioned in the "designing new devices".

PreviousD5 - Final report NextNext steps

Last updated 3 years ago

Was this helpful?