How to implement regulatory requirements
Reviewing prototypes against regulatory requirements
During the medIAM project, we focused on the building blocks required to build healthcare services (IT, IoT, BMS) that are more dependable, safe and secure. ETSI EN 303 645 provides a detailed list of baseline security requirements for IoT in particular. A key lesson, however, is that we need a technology layer that removes silos rather than deepening the current divide between IT/CISOs and biomedical engineers. That is why our prototypes aimed at converging IoT and datacenter environments instead of treating them separately.
Looking back at the high-level requirements derived from the regulations:
| Regulatory requirement | Solution | Prototype status |
| --- | --- | --- |
| Software patches and updates | Scheduler + dependable DLU | Open source + standard |
| User authN/authZ | IETF GNAP | Open source + standard |
| Encryption | DIF KERI | Open source + standard |
| Secure network communication | Ockam workers or HTTP message signatures (RFC 9421) | Open source + standard |
| Risk management | -- | Not included in medIAM |
| Supply chain management | -- | Not included in medIAM |
| Cybersecurity testing | -- | Not included in medIAM |
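As an added example (not code from the medIAM project), the following Python sketches the "Secure network communication" row above: a device signs a request following the RFC 9421 signature-base layout with the symmetric hmac-sha256 algorithm, and the gateway verifies it, binding the body through Content-Digest (RFC 9530), requiring that the digest is itself covered, and bounding replay with the created parameter. The shared key, key identifier, request and clock values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed shared secret and key identifier; in practice provisioned per device.
SHARED_KEY = b"medIAM-demo-shared-secret-not-for-production"
KEY_ID = "device-0042"
# Components covered by the signature: derived (@-prefixed) components come from the
# request line, the others are header fields. Content-Digest binds the body.
COVERED = ("@method", "@authority", "@path", "content-type", "content-digest")
# Constructed request from an IoT device to a hospital gateway (not real traffic).
REQUEST = {
    "method": "POST",
    "authority": "gateway.hospital.example",
    "path": "/telemetry/infusion-pump",
    "headers": {"Content-Type": "application/json"},
    "body": b'{"pump_id": "ip-17", "rate_ml_h": 25}',
}

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest field value (sha-256, encoded as a Byte Sequence)."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def _component_value(req: dict, name: str) -> str:
    if name == "@method":
        return req["method"]
    if name == "@authority":
        return req["authority"]
    if name == "@path":
        return req["path"]
    headers = {k.lower(): v for k, v in req["headers"].items()}  # field names are case-insensitive
    return headers[name].strip()  # KeyError if a covered field is absent

def signature_params(components, created: int, key_id: str) -> str:
    """Inner list plus parameters, i.e. the value carried in Signature-Input."""
    inner = " ".join(f'"{c}"' for c in components)
    return f'({inner});created={created};keyid="{key_id}";alg="hmac-sha256"'

def signature_base(req: dict, components, params: str) -> bytes:
    """RFC 9421 signature base: one '"name": value' line per covered component,
    then the "@signature-params" line, joined with LF and no trailing LF."""
    lines = [f'"{c}": {_component_value(req, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign_request(req: dict, key: bytes, key_id: str, created: int) -> dict:
    """Return a copy of req carrying Content-Digest, Signature-Input and Signature."""
    signed = {**req, "headers": dict(req["headers"])}
    signed["headers"]["Content-Digest"] = content_digest(req["body"])
    params = signature_params(COVERED, created, key_id)
    mac = hmac.new(key, signature_base(signed, COVERED, params), hashlib.sha256).digest()
    signed["headers"]["Signature-Input"] = f"sig1={params}"
    signed["headers"]["Signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return signed

def _parse_signature_input(value: str):
    """Split 'label=(components);k=v;...' into label, component list, params dict, raw params."""
    label, params = value.split("=", 1)
    end = params.index(")")
    components = [c.strip('"') for c in params[1:end].split()]
    attrs = dict(part.split("=", 1) for part in params[end + 1:].split(";")[1:])
    return label, components, {k: v.strip('"') for k, v in attrs.items()}, params

def verify_request(req: dict, key: bytes, key_id: str, now: int, max_age: int = 300) -> bool:
    """Check the body digest, the covered set, the key, the age and finally the MAC."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    try:
        if headers["content-digest"] != content_digest(req["body"]):
            return False  # body does not match the advertised digest
        label, components, attrs, params = _parse_signature_input(headers["signature-input"])
        sig_label, sig = headers["signature"].split("=", 1)
        if label != sig_label or not (sig.startswith(":") and sig.endswith(":")):
            return False
        if "content-digest" not in components:
            return False  # otherwise body and digest could be swapped together
        if attrs.get("keyid") != key_id or attrs.get("alg") != "hmac-sha256":
            return False
        created = int(attrs["created"])
        if not (now - max_age <= created <= now + 60):  # 60 s of clock skew tolerated
            return False  # stale (possible replay) or dated in the future
        expected = hmac.new(key, signature_base(req, components, params), hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(sig[1:-1]))
    except (KeyError, ValueError):
        return False  # malformed or incomplete signature material

def demo() -> dict:
    """Sign once with a fixed clock, then verify the honest case and three hostile ones."""
    now = 1700000000
    signed = sign_request(REQUEST, SHARED_KEY, KEY_ID, created=now)
    tampered = {**signed, "body": b'{"pump_id": "ip-17", "rate_ml_h": 250}'}
    return {
        "valid": verify_request(signed, SHARED_KEY, KEY_ID, now=now + 5),
        "tampered_body": verify_request(tampered, SHARED_KEY, KEY_ID, now=now + 5),
        "replayed": verify_request(signed, SHARED_KEY, KEY_ID, now=now + 3600),
        "wrong_key": verify_request(signed, b"other-key", KEY_ID, now=now + 5),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() accepts only the untouched request; a modified body, a created timestamp older than max_age, or a different key all fail verification. Because hmac-sha256 is symmetric, the verifying gateway could itself forge device messages; where the goal is to remove trust in intermediaries, an asymmetric RFC 9421 algorithm such as ed25519 with per-device keys is the better fit, and the verifier should resolve the algorithm from the keyid rather than trust the alg parameter.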
While our work focused on the protocols, we also suggested ways to cover the organizational requirements:
Risk management: DoCRA's notion of duty of care for cyber risk management fits well with healthcare values. Threat management is of particular importance and could rely on open vulnerability databases (CVE) and open-source incident management software (e.g. https://github.com/Netflix/dispatch).
Cybersecurity testing can be carried out by bodies such as BSI, whose insightful studies are referenced in the literature section.
Supply chain management is arguably the hardest requirement to cover because of its breadth. However, we provided tools for end-to-end encryption, which removes the need to trust the third parties that relay messages, as well as tools for dependable updates from vendors, and we tested the requirements against a mock user interface.
Getting the full picture would require industrial use cases, such as those mentioned in the "Designing new devices" section.