Cybersecurity and medical devices: Are the ISO/IEC 80001-2-2 technical controls up to the challenge?

ISO/IEC 80001 aims to provide a minimal level of cybersecurity however this research demonstrates that there are deficiencies in the standard and identifies the important aspects of cybersecurity that could be improved. This situation has arisen due to the rapidly evolving nature of the cybersecurity environment and the protracted time to revise and republish international standards. This research identified several areas that require urgent consideration, including Emergency Access, Health Data De-Identification, Physical Locks on Devices, Data Backup, Disaster Recovery, Third-Party Components in Product Lifecycle Roadmap, Transmission Confidentiality, and Transmission Integrity. The research will provide health delivery organisations implementing ISO/IEC 80001, assurance as to the level of protection supplied by the ISO/IEC 80001 standard, and the areas that may need enhancement to increase cybersecurity protection and consequently increase in patient safety. Further, the outcomes are expected to influence development of the related international standard, as the findings from this research are being provided to the International Organisations for Standardisation, TC215 Health Informatics, Joint Working Group 7, to inform the review of ISO/IEC 80001 currently in progress.