
Towards a Healthcare Cybersecurity Certification Scheme


Abstract

The EU Cybersecurity Act introduces a cybersecurity certification framework for ICT products, services and processes. Following ENISA’s EUCC (the Common Criteria based European candidate cybersecurity certification scheme), we provide the Security Problem and identify the Security Requirements of a healthcare-specific product through a Protection Profile. We consult ENISA’s reports to identify the most impactful assets in healthcare that should be prioritized for certification. We select a sub-category system of Clinical Information Systems, such as the Picture Archiving and Communication System (PACS), for the Protection Profile. Based on five use-cases of PACS, we define the Security Problem (assumptions, organizational security policies, threats) and elaborate the Security Objectives. We further conduct a sector-specific analysis of challenges and threats in the healthcare sector to supplement the PACS-specific threats. We detail Security Objectives from the Cybersecurity Act, and we offer a combination of these two elements, the broader scope of threats and objectives, as a baseline for future Protection Profiles of healthcare-specific products. We further provide PACS-specific Security Functional Requirements, and we conclude with a guideline for selecting suitable Security Assurance Requirements.
