I'm sorry if this has been answered before, I can't seem to find it in the many topics and guidance documents I've read through.
I'm trying to integrate Cybersecurity risks into a Risk Management system built for ISO 14971 and IEC 62304.
How do you determine the severity of loss of confidentiality of medical information?
e.g. if an unauthorised, external person (e.g. a hacker) gained access to a complete medical record (not including/considering financial information, but including patient-identifying information like name and address)? I don't think it is on the same level as death or limb amputation, but is it as severe as an electric shock or superficial laceration? Is it as serious as a first-degree burn or abrasion? Does it not fall into the definition of harm (injury or damage to the health of people, or damage to property or the environment)?
Does it matter which condition the diagnosis is related to? People with HIV or mental illnesses face terrible stigma, so I assume this would be more harmful for unauthorised people to access information on this than a cancer diagnosis, which would be more harmful than exposure of a diagnosis of common cold.
Do you lessen the severity (or the occurrence of consequences) if the condition has obvious symptoms (like a missing limb) vs something that is easier to keep private?
Also, should identity theft be included and if so, how severe do you classify identity theft?
I think I understand how things like loss of data, changes to data or the ability to remotely control a product could lead to a harm that I already have a severity score for (like misdiagnosis, delayed diagnosis), but I'm struggling with this specific aspect.
Thanks in advance.