Evaluating the Role of Security Assurance Cases in Agile Medical Device Development
- URL: http://arxiv.org/abs/2407.07704v1
- Date: Wed, 10 Jul 2024 14:34:53 GMT
- Authors: Max Fransson, Adam Andersson, Mazen Mohamad, Jan-Philipp Steghöfer,
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Cybersecurity issues in medical devices threaten patient safety and can cause harm if exploited. Standards and regulations therefore require vendors of such devices to provide an assessment of the cybersecurity risks as well as a description of their mitigation. Security assurance cases (SACs) capture these elements as a structured argument. Compiling an SAC requires taking domain-specific regulations and requirements as well as the way of working into account. In this case study, we evaluate CASCADE, an approach for building SAC in the context of a large medical device manufacturer with an established agile development workflow. We investigate the regulatory context as well as the adaptations needed in the development process. Our results show the suitability of SACs in the medical device industry. We identified 17 use cases in which an SAC supports internal and external needs. The connection to safety assurance can be achieved by incorporating information from the risk assessment matrix into the SAC. Integration into the development process can be achieved by introducing a new role and rules for the design review and the release to production as well as additional criteria for the definition of done. We also show that SACs built with CASCADE fulfill the requirements of relevant standards in the medical domain such as ISO 14971.
Related papers
- Controllable Safety Alignment: Inference-Time Adaptation to Diverse Safety Requirements (arXiv, 2024-10-11)
The current paradigm for safety alignment of large language models (LLMs) follows a one-size-fits-all approach.
We propose Controllable Safety Alignment (CoSA), a framework designed to adapt models to diverse safety requirements without re-training.
- Law-based and standards-oriented approach for privacy impact assessment in medical devices: a topic for lawyers, engineers and healthcare practitioners in MedTech (arXiv, 2024-09-18)
The adoption of non-binding standards like ISO and IEC can harmonize processes by enhancing accountability and privacy by design.
The study advocates for leveraging both hard law and standards to systematically address privacy and safety in the design and operation of medical devices.
- Beyond One-Time Validation: A Framework for Adaptive Validation of Prognostic and Diagnostic AI-based Medical Devices (arXiv, 2024-09-07)
Existing approaches often fall short in addressing the complexity of practically deploying these devices.
The presented framework emphasizes the importance of repeating validation and fine-tuning during deployment.
It is positioned within the current US and EU regulatory landscapes.
- Towards Understanding and Applying Security Assurance Cases for Automotive Systems (arXiv, 2024-09-05)
Security Assurance Cases (SAC) are structured bodies of arguments and evidence used to reason about security properties of a certain artefact.
SAC are gaining focus in the automotive domain as the need for security assurance is growing.
We created CASCADE, an approach for creating SAC which have integrated quality assurance.
- AIR-Bench 2024: A Safety Benchmark Based on Risk Categories from Regulations and Policies (arXiv, 2024-07-11)
AIR-Bench 2024 is the first AI safety benchmark aligned with emerging government regulations and company policies.
It decomposes 8 government regulations and 16 company policies into a four-tiered safety taxonomy with granular risk categories in the lowest tier.
We evaluate leading language models on AIR-Bench 2024, uncovering insights into their alignment with specified safety concerns.
- Cross-Modality Safety Alignment (arXiv, 2024-06-21)
We introduce a novel safety alignment challenge called Safe Inputs but Unsafe Output (SIUO) to evaluate cross-modality safety alignment.
To empirically investigate this problem, we developed the SIUO, a cross-modality benchmark encompassing 9 critical safety domains, such as self-harm, illegal activities, and privacy violations.
Our findings reveal substantial safety vulnerabilities in both closed- and open-source LVLMs, underscoring the inadequacy of current models to reliably interpret and respond to complex, real-world scenarios.
- Towards Continuous Assurance Case Creation for ADS with the Evidential Tool Bus (arXiv, 2024-03-04)
An assurance case has become an integral component for the certification of safety-critical systems.
We report on our preliminary experience leveraging the tool integration framework Evidential Tool Bus (ETB) for the construction and continuous maintenance of an assurance case.
- Ring-A-Bell! How Reliable are Concept Removal Methods for Diffusion Models? (arXiv, 2023-10-16)
Ring-A-Bell is a model-agnostic red-teaming tool for T2I diffusion models.
It identifies problematic prompts for diffusion models with the corresponding generation of inappropriate content.
Our results show that Ring-A-Bell, by manipulating safe prompting benchmarks, can transform prompts that were originally regarded as safe to evade existing safety mechanisms.
- CyMed: A Framework for Testing Cybersecurity of Connected Medical Devices (arXiv, 2023-10-05)
Connected Medical Devices (CMDs) have a large impact on patients as they allow them to lead a more normal life.
There are many safety regulations which must be adhered to prior to a CMD entering the market.
While many detailed safety regulations exist, there is a fundamental lack of cybersecurity frameworks applicable to CMDs.
This paper describes a framework, CyMed, to be used by vendors and end-users, which contains concrete measures to improve the resilience of CMDs against cyber attack.
- Leveraging Traceability to Integrate Safety Analysis Artifacts into the Software Development Process (arXiv, 2023-07-14)
Safety assurance cases (SACs) can be challenging to maintain during system evolution.
We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models.
We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
- On Medical Device Cybersecurity Compliance in EU (arXiv, 2021-03-11)
We review the new cybersecurity requirements in the light of currently available guidance documents.
We argue that these core concepts form a foundation for cybersecurity compliance in the European Union regulatory framework.