Extending the IIC IoT Security Maturity Model to Trustworthiness
The emphasis on medical device safety demonstrates how trustworthiness priorities depend on the context, including the industry application. For medical devices, safety, reliability and security are prioritized in that order. This can lead to reducing the priority of security Sub-Domains to a degree that would be unacceptable in many other situations.
The restrictions on product updates for improvement ultimately derive from a regulatory mandate to emphasize safety over other trustworthiness aspects. Incremental improvements to security or reliability must be measured against the potential safety (health) ramifications. For example, if a hardware firmware update to patch a low-risk security issue has a 0.01% failure rate, leading to the failure of the device, that security patch will be rejected.
Institutional Culture Sub-Domain - For a medical device manufacturer, the institutional dimension includes unique considerations related to attitudes about patient outcomes. There may be a number of nuanced situations in which implanting a device may not be the best course of treatment. A manufacturer needs to be mindful of such edge cases throughout its product lifecycle: design, training, marketing, etc.
Performance Measurement & Metrics Governance Sub-Domain - This sub-domain is required for regulatory purposes. Extensive testing of performance and failure rates is required as part of a product's development process. Ultimately, the manufacturer must prove to regulators that the failure rates are low enough and that the probable health benefits still far outweigh the risks of a surgery.
Continuous Improvement & Learning Institutional Sub-Domain - In the context of implantable medical devices, a manufacturer's ability to perform continuous improvement of a specific product is limited, but continuous improvement of processes is possible and is valuable. Lengthy requirements for testing, validation and regulatory approval of new product versions increase the costs of incremental improvements over time relative to most other products. Consequently, manufacturers tend to prioritize getting products "right" the first time and incorporating lessons learned into designs for new, upcoming products. There is less of an emphasis on patching and upgrading for small performance or functionality improvements relative to typical consumer products.
September 2018
Training Institutional Sub-Domain - For a medical device manufacturer, staffing considerations extend beyond the immediate organization to the practitioners who will ultimately implant and maintain the devices. The trustworthiness of the device is dependent in part on the competence of those healthcare practitioners to provide the patient care that is specific to that device. This leads to a need to create a training program and certification process for those care providers, to ensure the trustworthiness of the pacemaker when implanted.
Analysis & Design Enablement Sub-Domain - The operating environment in which a pacemaker is deployed (e.g., implanted in a person's body) means that it is difficult to