Applying Security Assurance Cases for Cloud-based Systems in the Medical Domain

Abstract

Regulatory compliance is of major concern to medical software companies that are involved in developing safetycritical software whose failure could result in loss of life, significant property damage or damage to the environment. A common approach to demonstrate compliance with safety requirements is through assurance cases, which are structured arguments, supported by evidence, intended to justify that a system is acceptably assured. The usage of assurance cases to prove compliance for other properties other than safety like cybersecurity has been increasing. However there are no formal guidelines to follow when creating security assurance cases as there is for safety assurance cases. The purpose of our research is to simplify the process of creating security assurance cases for their products by creating a set of guidelines. By conducting a design science study at a Swedish cloud-based medical software company, we analyzed external needs regarding the best practices in cybersecurity, regulations and standards in the medical domain. Contrasting these with the company’s internal needs, we constructed a security assurance case for a part of their system based on the external and internal needs of the company. The guidelines were the outcome that emerged out of the case we created for the company.