Medical Device Cybersecurity for Engineers and Manufacturers
معرفی کتاب «Medical Device Cybersecurity for Engineers and Manufacturers» نوشتهٔ Axel Wirth، منتشرشده توسط نشر Artech House Publishers در سال 2024. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
Medical Device Cybersecurityfor Engineers and Manufacturers, Second Edition Contents Foreword to the First Edition Foreword to the Second Edition 1 Why Secure Medical Devices? 1.1 The Inspiration for This Book: The Original First Edition Introduction 1.2 Why a Second Edition? 1.3 The Evolution of Cybersecurity in Healthcare 1.4 The Unique Role of Medical Devices 1.5 Regulatory Environment 1.6 Looking Ahead References 2 Establishing a Cybersecurity Focus Within Medical Device Manufacturers 2.1 Governance and Organization 2.2 Building a Security-Capable Organization 2.2.1 Implementation and Oversight 2.2.2 A Lifecycle Approach to Cybersecurity 2.2.3 Design and Implementation of Best Practices and Principles 2.2.4 Security Testing 2.2.5 PostMarket Management 2.2.6 Internal Training for Non-Cybersecurity Engineers and Managers 2.3 Communicating Cybersecurity Needs, Costs, and Risks to Senior Leadership 2.3.1 Lack of Common Understanding of Cybersecurity Risks 2.3.2 Lack of Context for the Risk and Its Tradeoffs 2.3.3 Talking to the Wrong Leader, That Is, Not the Decision-Maker 2.4 Security and Lifecycle Management Overview 2.4.1 Coordination Between the Four Lifecycles 2.5 Organizational Roles and Responsibilities 2.5.1 Roles and Responsibilities: Overview and Rationale 2.5.2 Role-Specific Training and Education 2.6 Regular Review of Security Maturity 2.6.1 Research on Maturity Models 2.6.2 Building Security in Maturity Model (BSIMM) 2.6.3 Software Assurance Maturity Model (SAMM) 2.6.4 CMMI 2.6.5 TMMi 2.6.6 Cybersecurity Capability Maturity Model 2.7 Conclusion References 3 Global Regulations, Standards, and Guidance 3.1 The Distinction Between Laws, Regulations, Standards, and Guidance 3.1.1 Laws 3.1.2 Regulations 3.1.3 Standards 3.1.4 Guidance (or Guidelines) 3.1.5 The Unenforceable 3.2 Who Is Writing and Enforcing Cybersecurity Regulatory Requirements? 3.2.1 Government Regulatory Bodies and Competent Authorities (A Sampling) 3.2.2 Other Government Actors (A Sampling) 3.2.3 Standards Development Organizations 3.2.4 Other Cybersecurity Guidance-Writing Stakeholders 3.3 Road to the Current State of Cybersecurity Regulatory Literature 3.4 A Cybersecurity Regulations, Standards, and Guidance Reference 3.4.1 General Medical Device Regulations and Standards 3.4.2 Medical Device General Design and Development Guidance and Standards 3.4.3 Medical Device General Software Design and Development Standards That Contain Cybersecurity Elements 3.4.4 Medical Device General Software Design and Development Guidances That Contain Cybersecurity Elements 3.4.5 Medical Device (and Broader Healthcare) Cybersecurity Standards 3.4.6 Medical Device Cybersecurity Guidance 3.4.7 General Cybersecurity Standards and Guidance 3.4.8 Industrial Control Cybersecurity Standards and Guidance 3.5 What Does the Future Hold? 3.5.1 Guidance: Medical Device Stand-Alone Software, Including Apps (including IVDMDs) (U.K.) 3.5.2 Ongoing Cybersecurity Work in Industry SDOs 3.5.3 Selling to the Federal Government 3.5.4 The Link to Healthcare Delivery References 4 Use Environments 4.1 Healthcare Facilities 4.1.1 Hospitals 4.1.2 Clinics, Labs, Testing Centers, Processing Centers, Your Corner Drug Store, and Best Buy 4.1.3 Responses and Next Steps 4.1.4 Cybersecurity in the HDO Acquisition Process 4.2 Home Care Environments 4.2.1 Nonobvious Risks in Home Healthcare 4.2.2 Device Security and Home Healthcare Infrastructure 4.3 Government and Military Agencies 4.4 Summary References 5 Supply Chain Management 5.1 Upstream Supply Chain Management 5.1.1 Counterfeit Electronic Components 5.1.2 TPSC 5.2 Security Criteria for ASLs 5.3 Software Bill of Materials 5.4 Build Integrity and Attestation 5.5 Downstream Supply Chain Management 5.6 Endemic and Pervasive Vulnerabilities References 6 Secure Development and Production for Medical Device Manufacturers 6.1 Introduction 6.2 Secure Lifecycle Diagram Overview 6.3 Securing Development Environments and Activities 6.4 Introduction to Vulnerability Scoring and Its Application During Early Lifecycle Activities 6.4.1 Mitigations 6.4.2 Threats Versus Vulnerabilities 6.4.3 Vulnerability-Related Terminology 6.4.4 Vulnerability Scoring 6.4.5 Scoring Rubrics 6.4.6 Alternative Approaches to Scoring 6.5 MDM Development Lifecycle Activities 6.5.1 Concept and Planning Activities 6.5.2 Development Planning 6.5.3 Requirements Analysis 6.5.4 Architectural Design and Detailed Design 6.5.5 Unit Implementation, Integration, and Testing 6.5.6 System Testing (V&V) 6.6 Transfer to Manufacturing and Related Security Considerations 6.6.1 Three Different Transfer Models 6.6.2 Production 6.6.3 Production-Line Functionality Left Enabled in a Shipped Device 6.6.4 Factory Service and Rework 6.6.5 Securing Production Infrastructure References 7 Documentation and Artifacts 7.1 Overview of Secure Development Deliverables 7.2 Security Risk Management Plan 7.3 Design Vulnerability Assessment 7.4 Risk Management Report 7.5 Interface Control Document 7.6 Cybersecurity Risk Assessment 7.7 SBOM Support Report 7.8 Software Component Risk Management Report 7.9 Unresolved Anomalies Risk Management Report 7.10 Cybersecurity Metrics Report 7.11 Cybersecurity Controls Report 7.12 Cybersecurity Testing Report 7.12.1 Fuzz Testing Report 7.12.2 Malformed User Inputs 7.12.3 Attack Surface Analysis 7.12.4 Vulnerability Scanning 7.12.5 Software Content Analysis of Executables 7.12.6 Static Analysis Report 7.12.7 Penetration Testing Report 7.13 SBOMs 7.13.1 Elements of an SBOM 7.13.2 SBOM Formats 7.14 Security Risk Management Report 7.15 Labeling 7.16 Marketing and Sales Supporting Materials 7.16.1 Security Considerations in the Sales Process 7.16.2 SBOMs in Sales 7.16.3 MDS2 7.16.4 Cybersecurity in Purchasing Contracts References 8 Medical Device Manufacturer Postmarket Lifecycle 8.1 Understanding Postmarket Regulatory and Customer Expectations 8.2 Streamlining Management of Postmarket Security Vulnerabilities 8.2.1 Sources of Postmarket Vulnerabilities 8.2.2 How Device Architecture Impacts Vulnerability Management 8.2.3 Designing Test Suites for Efficient Validation 8.2.4 Adopt a Software Sustaining Engineering Model to Speed Up Response 8.3 Meeting Postmarket Cybersecurity Objectives 8.3.1 Monitor for Cybersecurity Signals 8.3.2 Identify Potential Vulnerabilities and Assess Resulting Risks 8.3.3 Provide a Mechanism to Update Devices in the Field 8.3.4 Enable Management and Maintenance of the Device’s Security Posture 8.4 Product Recalls 8.5 Managing End of Life and End of Support 8.6 Conclusion References 9 Incident Response Planning 9.1 Incident Response Scenarios 9.2 Incident Response Plan 9.3 Information Sources 9.4 Investigation 9.5 Triage 9.6 Roles and Responsibilities 9.7 External Communications 9.7.1 Communicating Cybersecurity Risks to Patients 9.8 Mitigation Plan 9.9 Mitigation Rollout and Tracking 9.10 Coordinating with the ISAO During Incident Response 9.11 Incident Closure References 10 The Device Security Lifecycle for Healthcare Delivery Organizations 10.1 Pre-Procurement Phase 10.2 Procurement Phase 10.3 Deployment Phase 10.4 Operations Phase 10.5 Decommissioning Phase 10.6 Special Scenarios 10.7 Summary References 11 Implementing and Incorporating Security Solutions and Approaches in Medical Device Systems 11.1 Compliance and Infrastructure Management 11.2 Endpoint Security 11.2.1 Anti-Malware 11.2.2 Host Intrusion Detection and Prevention Systems 11.2.3 Cryptography 11.3 Perimeter and Network Security 11.3.1 Network Architecture 11.3.2 Firewalls 11.3.3 Intrustion Detection and Intrusion Prevention Systems 11.3.4 SSL Inspection 11.3.5 Security Deception (Honeypots) 11.3.6 Passive Network Monitoring 11.4 Cloud Security 11.5 Enterprise and Orchestration Tools 11.5.1 Data Loss Prevention 11.5.2 Security Management Tools 11.6 Securing Communication Mediums 11.6.1 Bluetooth Low Energy 11.6.2 Other Media 11.7 Hardware and Physical Interface Security 11.7.1 Hardware Hacking 101 11.7.2 Hardware Security Considerations 11.8 Other Security Considerations 11.8.1 Hardening Common OSs 11.8.2 Utilizing Smart Phones and Other Off-the-Shelf/“Bring-Your-Own” Devices in Medical Device Systems 11.8.3 Software as a Medical Device 11.8.4 Multiple Function Devices 11.8.5 “Unregulated” Devices 11.9 Conclusion: How Are MDMs Making Use of These Technologies? References 12 Applying Cryptography to Medical Device Systems 12.1 Overview: Cryptography for Medical Devices 12.2 Introduction to Algorithms and Keys 12.2.1 Secret Key Cryptography 12.2.2 Public Key Cryptography 12.2.3 Public Key Encryption with Ephemeral Keys 12.2.4 Protecting Keys 12.2.5 Hash Functions 12.3 Introduction to Certificates and Signatures 12.3.1 X.509 Certificates 12.3.2 CAs and Registration Authorities 12.3.3 Digital Signatures 12.3.4 Expiration and Revocation 12.4 Introduction to PKIs and Root of Trust 12.4.1 Hardware Security Modules 12.4.2 PKI 12.4.3 Maintaining a Root of Trust 12.4.4 Key Lifecycle Management 12.5 “Don’t Roll Your Own Crypto” 12.6 Introduction to Cryptographic Concepts: Conclusion 12.7 Designing Cryptography Solutions for Medical Device Use Cases 12.7.1 Regulators’ Expectations 12.7.2 Implementing Medical Device Cryptography 12.8 Cryptography in Low-Resource Devices 12.8.1 Implementing Key Exchange in Low-Resource Devices 12.8.2 Implementing Encryption in Low-Resource Devices 12.8.3 Implementing Authentication in Low-Resource Devices 12.8.4 Implementing Integrity in Low-Resource Devices 12.9 Further Medical Device Considerations 12.10 Cryptography—Conclusion References 13 Cybersecurity Failures, Myths, and Excuses 13.1 Notable Failures and Lessons Learned 13.1.1 The Classics 13.1.2 Failed Implementations 13.1.3 Cryptography Gone Wrong 13.1.4 Failures in Dealing with Regulators 13.2 Common Cybersecurity Myths and Excuses 13.3 In Closing References Afterword to the Second Edition Additional Resources General Education and Enablement Industry Organizations and Public-Private Partnerships Frameworks Lifecycle Practices Procurement Supply Chain Risk Management Risk and Vulnerability Management Incident Management and Forensics Patching and OTA Cryptography Artificial Intelligence and Machine Learning Testing Selected Topics MDM Cybersecurity Website Examples Glossary References About the Authors Contributors Index
دانلود کتاب Medical Device Cybersecurity for Engineers and Manufacturers