Glossary: Terms and Definitions

Term Definition
Asset

Person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.

Source: NICCS Glossary of Common Cybersecurity Terminology; AAMI TIR57:2016

Attack complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

Source: CVSS v3.0 Specification

Attack vector Metric that reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.
Source: CVSS v3.0 Specification
Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Source: SP 800-53; SP 800-53A; SP 800-27; FIPS 200; SP 800-30; AAMI TIR57:2016

Authenticity Property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator (see Authentication).
Source: SP 800-53; SP 800-53A; CNSSI-4009; SP 800-39; AAMI TIR57:2016
Authorization Access privileges granted to a user, program, or process, or the act of granting those privileges.
Source: CNSSI-4009; AAMI TIR57:2016
Availability Ensuring timely and reliable access to and use of information. NOTE 1 to entry: The phrase “use of information” encompasses delivery of intended functionality.
Source: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542; AAMI TIR57:2016
Class I Medical Device Class of medical devices for which the FDA requires manufacturers to follow only general controls.
Class II Medical Device Class of medical devices for which the FDA requires manufacturers to follow both general controls and special controls.
Class III Medical Device Class of medical devices for which the FDA requires manufacturers to follow general controls and obtain pre-market approval.
Compensating Controls A safeguard or countermeasure deployed, in lieu of, or in the absence of controls designed in by a device manufacturer. These controls are external to the device design, configurable in the field, employed by a user, and provide supplementary or comparable cyber protection for a medical device.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Source: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542; AAMI TIR57:2016
Controlled risk Type of risk that exists when there is sufficiently low (acceptable) residual risk of patient harm due to a device’s particular cybersecurity vulnerability.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Correction The repair, modification, adjustment, relabeling, destruction, or inspection (including patient monitoring) of a device without its physical removal from its point of use to some other location.
Source: 21 CFR Part 806
Cyber Attack An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Source: CNSSI-4009
Cyber Incident Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.
Source: CNSSI-4009
Cybersecurity The ability to protect or defend the use of cyberspace from cyber attacks.
Source: CNSSI-4009
Cybersecurity Risk Management Cybersecurity risk management reduces the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity. An effective cybersecurity risk management program incorporates both premarket and postmarket lifecycle phases and addresses cybersecurity from medical device conception to obsolescence.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices
Cybersecurity routine updates and patches Changes to a device to increase device security and/or remediate only those vulnerabilities associated with controlled risk of patient harm.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Cybersecurity Signal Any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect, a medical device. A cybersecurity signal could originate from traditional information sources such as internal investigations, postmarket surveillance, or complaints, and/or security-centric sources such as CERTS (Computer/Cyber, Emergency Response/Readiness Teams), ISAOs and security researchers. Signals may be identified within the HPH Sector. They may also originate in another critical infrastructure sector (e.g., defense, financial) but have the potential to impact medical device cybersecurity.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Cyberspace A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
Source: CNSSI-4009
Data and systems security Operational state of a medical device in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability. NOTE 1 to entry: Security, when mentioned in this document, should be taken to include data and systems security.
Source: ANSI/AAMI/IEC 80001-1:2010, 2.5, modified – “MEDICAL IT-NETWORK” has been replaced with “medical device” and Note 2 was redacted; AAMI TIR57:2016
Defense-in-Depth Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Source: CNSSI-4009; SP 800-53
Effectiveness Ability to produce the intended result for the patient and the care provider.
Source: ANSI/AAMI/IEC 80001-1:2010, 2.6, modified – “RESPONSIBLE ORGANIZATION” has been replaced with “care provider”; AAMI TIR57:2016
Emergency access Process or mechanism by which a device user can quickly and easily access the intended functionality in urgent (emergency) situations, bypassing the device’s established access controls; the ability of the device user to access the intended functionality in case of an emergency situation that requires immediate access to the medical device. NOTE 1 to entry: Other access methods (e.g., “break glass”) fall under this general definition but have varying levels of credentials and audit requirements.
Source: Adapted from HIMSS/NEMA Standard HN 1-2013 Manufacturer Disclosure Statement for Medical Device Security; AAMI TIR57:2016
Encryption Conversion of plaintext to ciphertext through the use of a cryptographic algorithm.
Source: FIPS 185; AAMI TIR57:2016
Event An observable occurrence in an information system or network.
Source: NICCS Glossary of Common Cybersecurity Terminology
Exploit An instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) by a threat and could impact the safety and essential performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Exploit Code A program that allows attackers to automatically break into a system.
Source: SP 800-40
Harm Physical injury or damage to the health of people, or damage to property or the environment, or reduction in effectiveness, or breach of data and systems security.
Source: IEC 80001-1:2010, definition 2.8; AAMI TIR57:2016
Hazard Potential source of harm.
Source: ISO/IEC Guide 51:1999, definition 3.5; AAMI TIR57:2016
Hazardous situation Circumstance in which people, property, or the environment are exposed to one or more hazard(s). NOTE 1 to entry: See Annex E, ANSI/AAMI/ISO 14971:2007, for an explanation of the relationship between “hazard” and “hazardous situation.”
Source: ISO/IEC Guide 51:1999, definition 3.6; AAMI TIR57:2016
ICS-CERT Industrial Control Systems Emergency Response Team (ICS-CERT) operates within the National Cybersecurity and Integration Center (NCCIC), a division of the Department of Homeland Security’s Office of Cybersecurity and Communications (DHS CS&C). ICS-CERT’s mission is to guide a cohesive effort between government and industry to improve the cyber security posture of control systems within the nation’s critical infrastructure.
Source:
Incident An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
Source: NICCS Glossary of Common Cybersecurity Terminology
Information security Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Source: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542; AAMI TIR57:2016
Integrity Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. NOTE 1 to entry: Likelihood of occurrence combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact (i.e., the likelihood that the threat event results in adverse impacts).
Source: CNSSI-4009, modified – the phrase “In Information Assurance risk analysis,” was removed; AAMI TIR57:2016
Likelihood of occurrence Weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability. NOTE 1 to entry: Likelihood of occurrence combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact (i.e., the likelihood that the threat event results in adverse impacts).
Source: CNSSI-4009, modified – the phrase “In Information Assurance risk analysis,” was removed; AAMI TIR57:2016
Malware A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
Source: SP 800-83
Medical Device Security Information Sharing Council A shared interest and collaboration in encouraging the identification, mitigation, and prevention of cybersecurity threats to medical devices fosters an MOU between NH-ISAC, MDISS and FDA.
Source: https://nhisac.org/announcements/nh-isac-and-mdiss-sign-memorandum-of-understanding-mou-with-fda-around-collaboration-of-medical-device-cybersecurity/
Non-repudiation Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
Source: CNSSI-4009; SP 800-60
Password Protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.
Source: CNSSI-4009; AAMI TIR57:2016
Patient Harm Harm is the physical injury or damage to the health of people, or damage to property or the environment. Patient harm is defined as physical injury or damage to the health of patients, including death. Risks to health posed by the device may result in patient harm. This guidance outlines the assessment of whether the risk of patient harm is sufficiently controlled or uncontrolled.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Personally identifiable information (PII) Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. NOTE 1 to entry: Personally identifiable information is a superset of Protected Health Information (PHI).
Source: NIST SP 800-30 Revision 1; AAMI TIR57:2016
Predisposing Condition A condition that exists within an organization, a mission/business process, enterprise architecture, or information system, including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, or other organization.
Source: NIST SP 800-30 Revision 1; AAMI TIR57:2016
Privilege A right granted to an individual, a program, or a process.
Source: CNSSI-4009
Remediation Action(s) taken to reduce an uncontrolled risk of patient harm posed by a device cybersecurity vulnerability to an acceptable level. Remediation actions may include complete solutions to remove a cybersecurity vulnerability from a medical device or compensating controls that adequately mitigate the risk.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Removal The physical removal of a device from its point of use to some other location for repair, modification, adjustment, relabeling, destruction, or inspection.
Source: 21 CFR Part 806
Residual risk Risk remaining after risk control measures have been taken.
Source: ISO/IEC Guide 51:1999; AAMI TIR57:2016
Risk Combination of the probability of occurrence of harm and the severity of that harm.
Source: ISO/IEC Guide 51:1999, definition 3.2; AAMI TIR57:2016
Risk analysis Systematic use of available information to identify hazards and to estimate the risk. NOTE 1 to entry: Risk analysis includes examination of different sequences of events that can produce hazardous situations and harm.
Source: ISO/IEC Guide 51:1999, definition 3.10; AAMI TIR57:2016
Risk assessment Overall process comprising a risk analysis and a risk evaluation.
Source: ISO/IEC Guide 51:1999, definition 3.12; AAMI TIR57:2016
Risk control Process in which decisions are made and measures are implemented by which risks are reduced to, or maintained within, specified levels.
Source: ANSI/AAMI/ISO 14971, definition 2.19; AAMI TIR57:2016
Risk evaluation A process that is used to examine the estimated risk for each hazardous situation and then to use risk acceptability criteria to determine whether or not the estimated risk is acceptable and to decide if risk reduction is required.
Source: ANSI/AAMI/ISO 14971, definition 2.21; AAMI TIR57:2016
Risk to health (1) A reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death; or (2) That use of, or exposure to, the product may cause temporary or medically reversible adverse health consequences, or an outcome where the probability of serious adverse health consequences is remote.
Source: FDA Recalls, Corrections and Removals (Devices)
Routine Servicing Any regularly scheduled maintenance of a device, including the replacement of parts at the end of their normal life expectancy, e.g., calibration, replacement of batteries, and responses to normal wear and tear. Repairs of an unexpected nature, replacement of parts earlier than their normal life expectancy, or identical repairs or replacements of multiple units of a device are not routine servicing.
Source: FDA Recalls, Corrections and Removals (Devices)
Safety Freedom from unacceptable risk.
Source: ISO/IEC Guide 51:1999, definition 3.1; AAMI TIR57:2016
Threat Any circumstance or event with the potential to adversely impact the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Threats exercise vulnerability, which may impact the safety and essential performance of the device.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Threat actor Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. NOTE 1 to entry: Synonymous with threat agent.
Source: NICCS Glossary of Common Cybersecurity Terminology; AAMI TIR57:2016
Threat analysis Examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
Source: SP 800-27; AAMI TIR57:2016
Threat event Event or situation that has the potential for causing undesirable consequences or impact.
Source: SP 800-30; AAMI TIR57:2016
Threat modeling A methodology for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Threat source Intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.
Source: FIPS 200; SP 800-53; SP 800-53A; SP 800-37
Top management Person or group of people who direct(s) and control(s) a manufacturer at the highest level.
Source: ISO 9000:2005, definition 3.2.7; AAMI TIR57:2016
Uncontrolled risk Type of risk that exists when there is unacceptable residual risk of patient harm due to inadequate compensating controls and risk mitigations.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Unique Device Identification (UDI) A UDI is a unique numeric or alphanumeric code that consists of two parts:
– a device identifier (DI), a mandatory, fixed portion of a UDI that identifies the labeler and the specific version or model of a device, and
– a production identifier (PI), a conditional, variable portion of a UDI that identifies one or more of the following when included on the label of a device:
  ~ the lot or batch number within which a device was manufactured;
  ~ the serial number of a specific device;
  ~ the expiration date of a specific device;
  ~ the date a specific device was manufactured;
  ~ the distinct identification code required by §1271.290(c) for a human cell, tissue, or cellular and tissue-based product (HCT/P) regulated as a device.
Source: FDA UDI Basics
US-CERT The U.S. Cyber Emergency Response Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation’s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.
Source: CNSSI-4009
Vulnerability A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.
Source: FDA Postmarket Management of Cybersecurity in Medical Devices (Dec 28, 2016)
Vulnerability disclosure policy

Organization’s policy and timeframe for disclosing vulnerabilities of which it has been made aware.

Source: