Evaluating the Role of Security Assurance Cases in Agile Medical Device Development

Max Fransson, Adam Andersson, Mazen Mohamad, Jan-Philipp Steghöfer
2024-07-10
Abstract: Cybersecurity issues in medical devices threaten patient safety and can cause harm if exploited. Standards and regulations therefore require vendors of such devices to provide an assessment of the cybersecurity risks as well as a description of their mitigation. Security assurance cases (SACs) capture these elements as a structured argument. Compiling an SAC requires taking domain-specific regulations and requirements as well as the way of working into account. In this case study, we evaluate CASCADE, an approach for building SACs, in the context of a large medical device manufacturer with an established agile development workflow. We investigate the regulatory context as well as the adaptations needed in the development process. Our results show the suitability of SACs in the medical device industry. We identified 17 use cases in which an SAC supports internal and external needs. The connection to safety assurance can be achieved by incorporating information from the risk assessment matrix into the SAC. Integration into the development process can be achieved by introducing a new role and rules for the design review and the release to production, as well as additional criteria for the definition of done. We also show that SACs built with CASCADE fulfill the requirements of relevant standards in the medical domain such as ISO 14971.
Cryptography and Security, Software Engineering
What problem does this paper attempt to address?
The main problem this paper addresses is how to create and maintain Security Assurance Cases (SACs) for medical devices within an agile development process, so that the devices demonstrably comply with the relevant regulations and standards and their cybersecurity risks are managed effectively, thereby protecting patient safety. The paper explores two research questions:

1. **RQ1: Applicability of SACs in medical device development.** Whether an SAC can effectively support both internal and external needs. For example, can an SAC help a manufacturer demonstrate that a product complies with relevant regulations and guidance (such as FDA guidance and ISO 14971) and supply sufficient evidence to back its security and compliance claims?

2. **RQ2: Integration of SACs into the agile development process.** How the creation and maintenance of an SAC can be woven into iterative development. For example, how can the SAC be continuously updated and validated during each iteration so that it always reflects the current state of the system and is not invalidated by frequent changes?

To answer these questions, the authors conducted a case study evaluating the CASCADE approach at a large medical device manufacturer. The results show that SACs are feasible in the medical device industry and can be integrated into the agile development process by introducing a new role and additional rules (for the design review and the release to production) and extra criteria for the definition of done.

### Main findings

- **Use cases for SACs**: The study identified 17 concrete use cases for an SAC, covering compliance, assessment, planning, and monitoring. For example, an SAC can be used to demonstrate a product's security to regulators, and it can help project managers judge whether a product's security posture meets the bar for release.
- **Overlap with regulations**: SACs built with the CASCADE approach overlap substantially with key standards and guidance documents in the medical domain (such as ISO 14971, IEC 62304, and the MDCG guidance), indicating that an SAC can effectively satisfy the requirements these documents impose.
- **SACs and safety**: The study also examined how an SAC relates to safety assurance, in particular the relationship between safety and cybersecurity. Incorporating information from the risk assessment matrix into the SAC makes it possible to identify which security claims are safety-critical, so that the potential risks behind them can be managed and evaluated with the appropriate priority.

In conclusion, this paper demonstrates the value of SACs in medical device development through an empirical case study and proposes concrete measures for integrating them into an agile development process.