Table 8.
The identified standards relating to HIoT, BC, and IdM systems.
Standards | Type | Assets/Scope | Considerations |
---|---|---|---|
NIST BC-based IdM [6] | Guide | BC (IdM) | Overview, guidelines, and open issues for blockchain-based identity management systems. |
NIST SP 800-30 [10] | Standards | General | Conducting risk assessments. |
NIST SP 800-39 [11] | Standards | General | Managing information security risk. |
OWASP [12] | Standards | HIoT (Medical Device) | Security controls include privacy impact assessment, security audit, perimeter defences, network controls, device security controls, and end-user interface controls. |
TGA [12] | Guide | HIoT (Medical Device) | The Australian medical device cybersecurity guide, which includes cybersecurity principles and threat and risk assessment processes. |
ISO/IEC 27005 [13] | Standards | General | Information security risk management. |
ISO/IEC 27001 and 27002 [14] | Best Practice | General | Information security, cybersecurity, and privacy protection: information security controls (ISO/IEC 27002) and the management system that selects and operates them (ISO/IEC 27001). |
NIST SP 800-37 [15] | Guide | General | Risk Management Framework for Information Systems and Organizations: A System Life-Cycle Approach for Security and Privacy. |
NIST SP 800-53 [16] | Best Practice | General | Security and privacy controls for information systems and organizations. |
NIST SP 800-53A [17] | Standards | General | Assessing security and privacy controls in information systems and organizations. |
CIS controls [23] | Best Practice | General | A total of 18 security controls to mitigate security attacks. |
PCI DSS (Payment Card Industry Data Security Standard) [24] | Standards | General | A set of requirements covering secure network configuration, cardholder data protection, vulnerability management, access control, network monitoring and testing, and an information security policy. |
EU Network and Information Security (NIS) Directive [25] | Directive | General | Establishes common network and information security obligations across EU member states. |
ISO/IEC 29100 [26] | Standards | General | Privacy framework provides privacy terminologies, defines the actors and their roles in processing personally identifiable information (PII), identifies and describes privacy safeguarding considerations and principles. |
ISO/IEC 15408-1 [26] | Standards | General | Evaluation criteria for IT security. |
ISO/IEC 27018 [26] | Standards | HIoT (Cloud) | International code of practice for protecting personally identifiable information (PII) in public cloud services acting as PII processors. |
GDPR [27] and GDPR-DPIA [28] | Regulation | General (Data Protection) | The EU General Data Protection Regulation, which emphasizes data-subject protection rights. Article 35 (with Recitals 76 and 77 on assessing the likelihood and severity of risk) mandates a data protection impact assessment (DPIA) (i.e., a privacy impact assessment (PIA)) for processing likely to result in a high risk, conducted within the security risk assessment. |
PIPEDA and SHIEP [29] | Regulation | General (Data Protection) | The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Saudi Health Information Exchange Policies (SHIEP). Both emphasize data-subject privacy. |
IEEE 802.15 [29] | Standards | HIoT (IoT) | Wireless Personal Area Network (WPAN) standards, covering security and access control for short-range IoT devices. |
ENISA [30] | Report | HIoT (general) | Smart hospitals security and resilience for smart health service and infrastructures. |
CPC [31], PIPA [32], PDPA, PA1988, and FIA [33] | Regulation | General (Data Protection) | The Chinese Classified Protection of Cybersecurity scheme, the Personal Information Protection Act of Korea, the Malaysian Personal Data Protection Act, the Australian Privacy Act 1988, and the US Freedom of Information Act. They emphasize data-subject privacy. |
ISO 14971 [34] | Standards | HIoT (Medical Device) | Application of risk management to medical devices. |
ISO/TR 24971 [35] | Standards | HIoT (Medical Device) | Guidance on the application of ISO 14971 risk management. |
IEC 80001-1 [36] | Standards | HIoT (Medical Device) | Application of risk management for IT networks incorporating medical devices. |
FDA Cybersecurity in Medical Device [37] | Guide | HIoT (Medical Device) | FDA Pre- and Post-market considerations of cybersecurity in medical devices, threat modelling, and risk management. |
IEC 62304 [38] | Best Practice | HIoT (Medical Device) | Medical device software: software life-cycle processes, including the security-related requirements placed on those processes. |
AAMI TIR57 [39] | Guide | HIoT (Medical Device) | Principles for medical device security and risk management. Provides guidance on methods to perform information security risk management for a medical device in the context of the safety risk management process required by ISO 14971. |
IMDRF [40] | Guide | HIoT (Medical Device) | Principles and best practices for medical device cybersecurity. |
MITRE rubric [41] | Report | HIoT (Medical Device) | Rubric for applying Common Vulnerability Scoring System (CVSS) to medical devices. |
EU Regulations 2017/745 (MDR) and 2017/746 (IVDR) [42] | Regulation | HIoT (Medical Device) | The European Medical Device Regulation and In Vitro Diagnostic Medical Device Regulation: requirements for the safety, security, and quality of medical devices placed on the EU market. |
IEC 60601 [43] | Standards | HIoT (Medical Device) | Medical electrical equipment standard (basic safety and essential performance), used to demonstrate conformity with the EU MDR. |
NISTIR 8228 [44] | Standards | HIoT (IoT) | Covers IoT device capabilities, security, privacy considerations, and challenges, as well as recommendations on how to mitigate security risks. Covers three main aspects: device security protection, data security protection, and individual privacy protection. |
NIST SP 800-213 [45] | Standards | HIoT (IoT) | IoT device cybersecurity guidance: how an organization establishes the cybersecurity requirements that the IoT devices it deploys must meet. |
NISTIR 8200 [46] | Standards | HIoT (IoT) | Interagency report on the status of international cybersecurity standardization for the Internet of Things (IoT). It covers IoT applications, including Health IoT, cybersecurity risks and threats, cybersecurity areas, and the standards landscape for IoT cybersecurity. |
NISTIR 8259 [47] | Standards | HIoT (IoT) | Foundational cybersecurity activities for IoT device manufacturers, addressing cybersecurity risks related to IoT devices. |
NISTIR 8259A [48] | Standards | HIoT (IoT) | IoT device cybersecurity capability core baseline: the set of device capabilities generally needed to support the common cybersecurity controls that protect an organization's devices, device data, systems, and ecosystems. |
ISO/IEC 27400 [49] | Standards | HIoT (IoT) | Cybersecurity, IoT security and privacy: guidelines on the risks, principles, and controls for the security and privacy of IoT solutions. |
ETSI EN 303 645 [50] | Standards | HIoT (IoT) | Cyber Security for Consumer Internet of Things: Baseline Requirements. Baseline security provisions for consumer IoT devices, aimed at protecting their users. |
GSMA IoT Security Guidelines [51] | Standards | HIoT (IoT) | Cover IoT models, challenges, privacy considerations, and IoT risk assessment. |
HIPAA [52] | Regulation | HIoT (Health Data) | Privacy and Security Rules for individually identifiable health information (protected health information). |
HL7 [53] | Standards | HIoT (Health Data) | Standards to exchange health data in electronic health records. |
IEC 81001-5-1 [54] | Best Practice | HIoT (Health Software) | Health software and health IT systems safety, effectiveness, and security: security activities across the product life cycle. |
IEC 82304-1 [55] | Standards | HIoT (Health Software) | Health software, Part 1: general requirements for product safety, covering the safety and security of health software products. |
ISO/IEC 9798-1 and 9798-2 [56,57] | Standards | IdM | Entity authentication: the general model (Part 1) and mechanisms using authenticated encryption algorithms (Part 2). |
ISO/IEC 29115 [58] | Standards | IdM | Security techniques–entity authentication assurance framework. |
NIST SP 800-63-3 [59] | Standards | IdM | Digital identity guidelines: the digital identity model, assurance levels, and digital identity risk management. |
eIDAS [60] | Regulation | IdM | EU regulation on electronic identification, authentication and trust services (eIDAS), enacted to enable secure cross-border electronic transactions within the EU. |
IEEE 2410 SBP [61] | Standards | IdM | Standard for Biometric Privacy (SBP) provides private identity assertion. |
ISO/IEC 24760-1 and 24760-2 [62] | Standards | IdM | A framework for identity management: terminology and concepts (Part 1) and reference architecture and requirements (Part 2). |
EU Blockchain Observatory and Forum [63,64,65,66] | Report | BC | Several reports about BC applications and regulations in the healthcare and public services. |
ESMA [67] | Report | BC | Report titled “The Distributed Ledger Technology Applied to Securities Markets.” It discusses risks, benefits, and DLT issues. |
ISO/TR 23455 [68] | Standards | BC | Blockchain and Distributed Ledger technologies—overview of interactions between Smart Contracts in Blockchain and Distributed Ledger technology systems. It covers different platforms, such as Ethereum, Bitcoin, and Hyperledger Fabric. |
NISTIR 8403 [69] | Guide | BC (IdM) | Blockchain for access control systems: guidance on the access-control component of BC-based IdM systems. |
W3C [70] | Standards | BC (IdM) | Decentralized Identifier (DID), Verifiable Credentials (VC), and Verifiable Presentations technical standards by W3C, which facilitate the connection between entities without a central party. |
DIDAuth [71] | Standards | BC (IdM) | Authentication framework for proving control (ownership) of a DID, typically by signing a verifier-issued challenge with a key listed in the DID document. |
Decentralized Identity Foundation (DIF) standards. [72] | Standards | BC (IdM) | Identifiers, DID authentication, claims and credentials technical standards for decentralized identity management systems. |
Ethereum DID [73] | Standards | BC (IdM) | Ethereum decentralized digital identity technical standards. |
ERC-721 [74,75] | Standards | BC (IdM) | Ethereum non-fungible token (NFT) standard. |
DKMS [76] | Standards | BC (IdM) | Decentralized Key Management System: standards for managing cryptographic keys in decentralized identity systems. |
NISTIR 8301 [77] | Guide | BC (IdM) | Blockchain networks: token design and management overview, covering the tokens used in BC-IdM systems. |
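The W3C DID [70] and DIDAuth [71] rows in Table 8 both rest on one mechanism: a holder proves control of a DID by signing a verifier-issued challenge with a key that the resolved DID document lists for authentication. The following Go program is an added illustration of that exchange and of the checks a relying party must make (single-use nonce, expiry, domain binding, key listed under "authentication", signature); it is not code from the paper or from any DID project. It assumes an in-memory resolver standing in for DID resolution, the placeholder `did:example` method with a fixed-seed Ed25519 key, a hypothetical relying-party domain `hospital.example`, and a signing-input layout (`did-auth\n<did>\n<keyId>\n<nonce>\n<domain>`) chosen for this example rather than taken from the DIDAuth specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// DIDDocument: minimal stand-in for a resolved W3C DID document (DID + Ed25519 keys under "authentication").
type DIDDocument struct {
	ID             string
	Authentication map[string]ed25519.PublicKey // verification-method id -> key
}

// Resolver maps DIDs to documents; an in-memory registry constructed for the example.
type Resolver map[string]DIDDocument

// Challenge is the verifier-issued nonce the holder must sign.
type Challenge struct {
	Nonce, Domain string
	Expires       time.Time
}

// Response is the holder's proof that it controls a key listed in its DID document.
type Response struct {
	DID, KeyID, Nonce, Domain string
	Signature                 []byte
}

// Verifier issues single-use challenges and checks responses (single-threaded; a real one would lock pending).
type Verifier struct {
	resolver Resolver
	pending  map[string]Challenge
	ttl      time.Duration
}

func NewVerifier(r Resolver, ttl time.Duration) *Verifier {
	return &Verifier{resolver: r, pending: map[string]Challenge{}, ttl: ttl}
}

// NewChallenge mints a fresh random nonce bound to the relying party's domain.
func (v *Verifier) NewChallenge(domain string) (Challenge, error) {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(b[:]), Domain: domain, Expires: time.Now().Add(v.ttl)}
	v.pending[c.Nonce] = c
	return c, nil
}

// signingInput binds nonce, domain, DID and key id so a signature for one relying party cannot be replayed at another.
func signingInput(did, keyID, nonce, domain string) []byte {
	return []byte("did-auth\n" + did + "\n" + keyID + "\n" + nonce + "\n" + domain)
}

// Respond is the holder side: sign the challenge with the private key behind keyID.
func Respond(did, keyID string, priv ed25519.PrivateKey, c Challenge) Response {
	sig := ed25519.Sign(priv, signingInput(did, keyID, c.Nonce, c.Domain))
	return Response{DID: did, KeyID: keyID, Nonce: c.Nonce, Domain: c.Domain, Signature: sig}
}

// Verify consumes the challenge (single use) and checks expiry, domain, key listing, and signature.
func (v *Verifier) Verify(r Response, now time.Time) error {
	c, ok := v.pending[r.Nonce]
	delete(v.pending, r.Nonce) // consumed whatever the outcome: no retry on a used nonce
	doc, haveDoc := v.resolver[r.DID]
	pub, haveKey := doc.Authentication[r.KeyID] // lookup on a nil map is safe when !haveDoc
	switch {
	case !ok:
		return errors.New("unknown or already-used challenge")
	case now.After(c.Expires):
		return errors.New("challenge expired")
	case c.Domain != r.Domain:
		return errors.New("domain mismatch")
	case !haveDoc:
		return errors.New("DID not resolvable")
	case !haveKey:
		return errors.New("key not listed under authentication in DID document")
	case !ed25519.Verify(pub, signingInput(r.DID, r.KeyID, r.Nonce, r.Domain), r.Signature):
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	// Holder under the placeholder did:example method, fixed seed (constructed for the demo).
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	did, keyID := "did:example:alice", "did:example:alice#key-1"
	doc := DIDDocument{ID: did, Authentication: map[string]ed25519.PublicKey{keyID: priv.Public().(ed25519.PublicKey)}}
	v := NewVerifier(Resolver{did: doc}, time.Minute)
	c, _ := v.NewChallenge("hospital.example")
	fmt.Println("first use:", v.Verify(Respond(did, keyID, priv, c), time.Now()))
	fmt.Println("replay:", v.Verify(Respond(did, keyID, priv, c), time.Now()))
}
```

The nonce is deleted before any other check so that a failed attempt cannot be retried against the same challenge, and the domain is part of the signed input as well as being compared, so a response captured at one relying party is useless at another. In a real BC-IdM deployment the `Resolver` would be replaced by resolution through the DID method (ledger lookup, `did:web`, etc.) and the verifier would also check that the key has not been revoked in the current version of the document.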