COI Report – Part VII, Page 286 of 425

for which the organisation did not have sight of the source codes and performance criteria.

c) As suggested by Dan, there should be consistent safety reviews of applications and systems throughout their life cycle and use, with penetration testing built in as part of the safety review. This would enable necessary mitigation measures to be taken once vulnerabilities are found.
39.2.2 Evaluation and certification

828. In addition, we recommend that when it comes to the acquisition of new software or products for a) CII systems and b) critical applications and systems used for storing, processing or accessing sensitive information such as patient data,

829. CII owners must require the vendor/developer to obtain security certification for the products/systems in accordance with international, national or industry-recognised standards such as ISO/IEC 15408 [67], FIPS 140-2 [68], IEC 62443 [69] etc. This could be done by way of, for example, IHiS including in their tender specifications that the health informatics applications/systems which protect patient data are certified in accordance with ISO/IEC 15408.
[67] ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation.

[68] FIPS (Federal Information Processing Standard) PUB 140-2 is the benchmark for validating the effectiveness of cryptographic hardware. If a product has a FIPS PUB 140-2 certificate, it has been tested and formally validated by the U.S. and Canadian Governments.

[69] ISO/IEC 62443 specifies the process requirements for the secure development of products used in industrial automation and control systems.