Security objectives
The Nio Color 5MP will be used for displaying and viewing digital images. Therefore, ensuring the availability of the digital images has been identified as the primary security objective of this product.
Nevertheless, the availability, integrity, and confidentiality of information processed by the product rely on the non-mandatory security recommendations described below.
Because the product neither stores nor processes patient or personal information, and has only limited (network) connectivity, the Nio Color 5MP has a low cybersecurity risk profile.
Security recommendations
The security measures listed below should be considered as a non-exhaustive list of possible security controls for the operating environment. The operating environment must not hinder the application of security measures on the product or force the device to operate in a lower security setting.
The operator shall maintain the necessary state-of-the-art policies, processes, standards and other security controls to incorporate, support and protect the product. This shall include the application of risk management (e.g. by implementing relevant standards).
The operating environment should provide physical security via security measures such as:
- Regulated and authenticated physical access enforced via suitable technical measures (e.g. badges)
- Physical security policy defining roles and access rights, including for physical access to the product
- Use of segregated, secure areas with appropriate access controls
The operating environment should include appropriate security controls such as:
- User access management (credentials for accessing software applications or devices, user access policy, etc.)
- Antivirus / anti-malware software
- Firewall
- Application whitelisting / system hardening
- Exclusive use of genuine software and ban of all illegitimate software and applications
- Session management measures (e.g. session timeouts)
The operating environment should provide control and security of network traffic via appropriate measures, such as:
- Network segmentation & network access control
- Traffic filtering
- Encrypted communication
Specifically for workstations connected to the product, appropriate security measures include:
- Operating system hardening and application whitelisting
- Use of strong passwords
- Installation of only the software necessary for the intended use of the operating environment
To ensure that the security posture of the operating environment and of the product itself remain at a suitable level, appropriate provisions regarding patch management should be in place, such as:
- The operating environment should support patching without compromising interoperability/compatibility
- The operator should have appropriate patch management processes to ensure that security patches for the product are deployed in a timely manner
- The operator should have appropriate patch management processes to ensure that the operating environment (e.g. operating systems, applications) is up-to-date in terms of security