Kristine Hovhannisyan, Piotr Bogacki, Consuelo Assunta Colabuono, Domenico Lofù, Maria Vittoria Marabello, Brady Eugene Maxwell

Published in

2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)


cybersecurity, certification, common criteria, protection profile, security problem definition, healthcare, PACS, security requirements, security objectives, assurance level

Open Access



The EU Cybersecurity Act introduces a cybersecurity certification framework for ICT products, services and processes. Following ENISA’s EUCC (the Common Criteria based European candidate cybersecurity certification scheme), we provide the Security Problem and identify the Security Requirements of a healthcare-specific product through a Protection Profile. We consult ENISA’s reports to identify the most impactful assets in healthcare that should be prioritized for certification. We select a system from a sub-category of Clinical Information Systems, the Picture Archiving and Communication System (PACS), for the Protection Profile. Based on five use cases of PACS, we define the Security Problem (assumptions, organizational security policies, threats) and elaborate the Security Objectives. We further conduct a sector-specific analysis of challenges and threats in the healthcare sector to supplement the PACS-specific threats. We detail Security Objectives from the Cybersecurity Act, and we offer the combination of these two elements, the broader scope of threats and the objectives, as a baseline for future Protection Profiles of healthcare-specific products. We further provide PACS-specific Security Functional Requirements, and we conclude with a guideline for selecting suitable Security Assurance Requirements.