scope:

Users of personal health devices (PHD) have implicit expectations on convenience, connectivity, accessibility of their data, and security. They expect to connect PHDs to their mobile devices, view their data in the cloud, and easily share with their clinicians or care providers. In some cases, the users themselves are taking action to build connections between PHDs, mobile devices, and the cloud to create the desired system. While many manufacturers are working on solving PHD connectivity with proprietary solutions, there is a lack of a standardized approach to providing secure Plug & Play interoperability.

The ISO/IEEE 11073 PHD family of standards, Bluetooth Special Interest Group profiles and services specifications, and the Continua Design Guidelines were developed to specifically address Plug & Play interoperability of PHDs (e.g., physical activity monitor, pulse oximeter, sleep apnoea breathing therapy equipment, insulin delivery device, continuous glucose monitor) with an emphasis on an optimized exchange protocol typically for small battery-powered devices. In this context, that means:

• "Interoperability" is the ability of client components to communicate and share data with service components in an unambiguous and predictable manner as well as to understand and use the information that is exchanged [1] and

• "Plug & Play" is all the user has to do is make the connection-the systems automatically detect, configure, and communicate without any other human interaction [2].

Within the context of "secure" Plug & Play interoperability, cybersecurity is the process and capability of preventing unauthorized access, modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD. This PHD Cybersecurity Standards Roadmap describes cybersecurity for transport independent applications and information profiles of PHDs. These profiles define data exchange, data representation, and terminology for communication between agents (e.g., pulse oximeter or sleep apnoea breathing therapy equipment) and connected devices (e.g., health appliances, set top boxes, cell phones, and personal computers). This Standards Roadmap provides the background related to PHD cybersecurity, a detailed risk analysis of use cases specific to PHD device types, and the recommended controls to be adopted for a future enhancement of PHD data exchange standards.

This Standards Roadmap is concerned with the machine-to-machine interface to and from the PHD. Currently not in scope is the cybersecurity of the physical device (e.g., physical tampering), the user interface (UI), and the direct-to-cloud interface.