Evaluating the Role of Security Assurance Cases in Agile Medical Device Development

TL;DR

This paper evaluates the effectiveness of Security Assurance Cases (SACs) in supporting cybersecurity risk management within agile medical device development, demonstrating their practical integration and compliance with industry standards.

Contribution

It presents an empirical case study of CASCADE, a method for building SACs in agile medical device development, highlighting adaptations and benefits.

Findings

SACs support 17 key use cases in medical device development.

Integration of SACs with risk assessments enhances safety assurance.

CASCADE-built SACs meet ISO 14971 standards.

Abstract

Cybersecurity issues in medical devices threaten patient safety and can cause harm if exploited. Standards and regulations therefore require vendors of such devices to provide an assessment of the cybersecurity risks as well as a description of their mitigation. Security assurance cases (SACs) capture these elements as a structured argument. Compiling an SAC requires taking domain-specific regulations and requirements as well as the way of working into account. In this case study, we evaluate CASCADE, an approach for building SAC in the context of a large medical device manufacturer with an established agile development workflow. We investigate the regulatory context as well as the adaptations needed in the development process. Our results show the suitability of SACs in the medical device industry. We identified 17 use cases in which an SAC supports internal and external needs. The connection to safety assurance can be achieved by incorporating information from the risk assessment matrix into the SAC. Integration into the development process can be achieved by introducing a new role and rules for the design review and the release to production as well as additional criteria for the definition of done. We also show that SACs built with CASCADE fulfill the requirements of relevant standards in the medical domain such as ISO 14971.