1 Overview
1.1 General
Many Personal Health Devices (PHDs) and Point-of-Care Devices (PoCDs) provide vital
support for people living with chronic disease or experiencing a life-threatening
medical event. Cybersecurity attacks on vulnerable devices may lead to the alteration
of prescribed therapy (e.g., sleep apnoea breathing therapy, insulin therapy) or to
information disclosure that results in insurance or identity fraud or in direct or
indirect patient harm. Companies subject to a successful cybersecurity attack may
suffer financial harm and reputational damage.
Manufacturers of PHDs/PoCDs may be required to support application layer end-to-end
information security. PHD/PoCD data exchange may be conducted over an untrusted transport. Also, a requirement may
exist for multiple access control levels (e.g., restricted read access, restricted
write access, full read access, full write access, full control access). Most PHDs/PoCDs
have limited resources (e.g., processing power, memory, energy). Current standardized
PHD/PoCD data exchange assumes the exchange is secured by other means, such as a secure transport
channel. This assumption requires that manufacturers define their own solutions, for example,
through extensions or by using mechanisms on the transport layer. Such solutions limit the usage
of PHD/PoCD data exchange standards and restrict interoperability.
This standard is based on the PHD Cybersecurity Standards Roadmap findings (IEEE white paper [B10]) and defines a security baseline of application layer cybersecurity mitigation techniques
for PHD/PoCD interfaces. The mitigation techniques address an extended confidentiality, integrity, and availability
(CIA) triad and allow manufacturers to implement the most appropriate algorithms. The
mitigation techniques are not dependent on a specific risk management process. Instead,
they are applicable to any approach, including the vulnerability assessment described
in IEEE Std 11073‑40101™ [B9]. In Figure 1, IEEE Std 11073‑40101 is depicted by the top row, and this standard is depicted by the bottom row.
