IEEE Std 11073-40102-2020 pdf download – Health informatics—Device interoperability Part 40102:  Foundational—Cybersecurity— Capabilities for mitigation.
4.2 Confidentiality Confidentiality has been defined by the International Organization for Standardization in ISO/IEC 27002 [B12] as “ensuring that information is accessible only to those authorized to have access.” Minimizing disclosure of information to unauthorized individuals or systems is one cornerstone of information security. A confidentiality breach might take many forms, even if no information technology is involved, e.g., eavesdropping on conversations of others, looking over the shoulder to read information, looking into secret documents, injecting a computer virus, or using a Trojan horse that sends information to another person. In the context of PHD/PoCD, a confidentiality breach primarily means eavesdropping on information somewhere between the source (e.g., sensor) and the receiver (e.g., personal computer, physician’s computer, hospital server) or unauthorized access to stored information. To enforce confidentiality, the information could be encrypted during transmission (i.e., data in transit) and storage (i.e., data at rest) as well as requiring authentication and/or authorization within the request before transmission. Privacy is an important part of confidentiality, especially when it comes to protected health information (PHI). PHI is defined as individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium (45CFR160.103 [B1]). The U.S. Health Insurance Portability and Accountability Act (HIPAA) limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities (HHS [B7]). Similarly, the EU General Data Protection Regulation states that personal data shall be processed lawfully, fairly, and in a transparent manner; collected for specified, explicit, and legitimate purpose; and kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Official Journal of the EU [B19]).