# Control Justification Record (CJR)

**CJR-ID:** CJR-EMPump-003-ServicePort
**Status:** Approved
**Version:** 1.0

## 1. Device identification

| Field | Value |
|---|---|
| Device name and model | ExampleMed Volumetric Infusion Pump v3.2 |
| Manufacturer | ExampleMed Inc. |
| Device class (FDA) | Class II |
| Device archetype | Archetype 2 (embedded RTOS legacy) |
| MDS² reference | ExampleMed-IP3.2-MDS2-2024 |
| Asset inventory IDs | Asset register: pump-vlan-volumetric-ip32 |
| Deployment count | 240 units |
| Linked STRIDE-HC threat model | `stride-hc-templates/examples/infusion-pump.md` |
| Current MDRS score and tier | 8.175 → CRITICAL |

## 2. Standard control and constraint

### 2.1 Standard control that cannot be applied

Per-technician MFA-protected authentication for service-port (RS-232) access, with audit logging of session activity.

### 2.2 Constraint preventing standard control

**Service-mode password disclosed in technical manual or leaked.** The service-port credential for the v3.2 pump is documented in vendor manuals that have been disclosed publicly through historical product-recall correspondence and via third-party repair documentation.

### 2.3 Constraint detail

The RS-232 service-port credential (4-digit PIN) is documented in:
- ExampleMed Inc. service manual (general circulation among contracted biomedical staff).
- Multiple third-party repair sites which mirror the manual.
- Historical 2018 product-recall correspondence which made the credential available via FDA freedom-of-information requests.

The vendor cannot rotate the credential in deployed firmware (rotation requires firmware update under FDA clearance). Vendor advisory ExampleMed-2024-04 acknowledges the disclosure and recommends "physical access control commensurate with the criticality of the device".

The constraint is permanent in the deployed firmware and represents the highest-risk physical-access exposure on this pump fleet.

## 3. Threat addressed

### 3.1 STRIDE-HC mapping

- **R** — Repudiation (unattributed service-mode access)
- **T** — Tampering (configuration tampering via service port)
- **E** — Elevation of Privilege (service-mode credential abuse)

### 3.2 Threat scenario summary

**Physical/insider-attacker scenarios:**
- Unauthorised service-mode access by individual with physical proximity, using publicly available credential.
- Configuration tampering of pump parameters via service port.
- Vendor-impersonation social engineering using disclosed credential and forged work order.
- Exfiltration of pump configuration data to USB via service tool.

This is the principal residual risk scenario after CJR-EMPump-001-MFA (Pattern A upstream PAM) addresses the network-side access path. Pattern A does not protect the physical service port; this CJR documents the Pattern C compensating control that does.

### 3.3 Initial risk assessment (pre-control)

| Dimension | Score | Rationale |
|---|---|---|
| Likelihood | High | Credential publicly disclosed; required attacker capability is low (physical proximity + service tool). |
| Severity | High | Service-mode access enables therapy parameter modification, configuration tampering, and reset operations. |
| Detectability | Difficult | Pump generates no service-port event log; detection depends on human observation or upstream correlation. |

## 4. Compensating control(s) selected

### 4.1 Control description

**Pattern C — Inline hardware MFA shim at the RS-232 service port.** A small vendor-neutral hardware device sits inline between technician tooling and the pump's RS-232 service port. The shim:

- Presents a TOTP authentication challenge before passing any traffic to the pump.
- Records the entire serial session to non-volatile storage with timestamp, technician identity (resolved from TOTP factor binding), and full bidirectional traffic.
- Enforces tamper-evident sealing; tampering with the shim itself triggers a network-reachable alert.
- Falls back to disabled traffic on power loss or controller fault — an authenticated technician may bypass via a documented break-glass procedure escalated to InfoSec on-call.

The Pattern C device is currently a **research artifact** with a software-first reference design published in this repository (`mfa-shim/`). The deployment described in this CJR is at a single ICU pilot site (12 pumps) per the FDA-aware piloting plan documented in `mfa-shim/FDA-CONSIDERATIONS.md`.

This is **not** a cleared medical device; it is a security accessory deployed under the institutional research and quality improvement programme. Production-grade hardware procurement is on the 2027 plan.

In addition to Pattern C, this CJR documents the supporting policy controls:

- **Tamper-evident seal** on the service-port cover plate; monthly inspection logged.
- **Vendor-escort policy**: every vendor service activity must be accompanied by clinical engineering staff.
- **Pre-visit work order**: documented in change management with scope and identified service tooling.
- **Service activity audit reconciliation**: monthly reconciliation of vendor visits with PAM session records and pump shim logs.
- **Video surveillance** at pump location, retained 90 days.

### 4.2 Reference to Compensating Controls Playbook

Paper §3.3 Table 3, "Service-mode password disclosed" constraint. Pattern C described in §3.4.

### 4.3 How the control addresses the threat

- The publicly-disclosed credential alone is insufficient for service-mode access; the shim's TOTP gate must also be passed.
- TOTP factor is bound to individual technician identity, restoring per-user attribution and addressing Repudiation.
- Session recording at the shim provides evidentiary capability for post-hoc analysis of service activity.
- The supporting policy controls reduce the population of actors with even the opportunity to attempt the attack.

### 4.4 Why this control is appropriate

- **Equivalent or superior protection.** The shim provides authentication and audit at the physical port — capabilities the pump itself does not have. The combined posture is approximately equivalent to a device with native MFA and audit logging.
- **Independence.** The control is implemented in a separate hardware element; its security properties do not depend on the pump.
- **Proportionality.** Pump is at CRITICAL MDRS tier; the control is the strongest physical-access control reasonably achievable given the constraint.
- **Auditability.** Shim session logs, badge correlation, video, vendor-escort records — multiple corroborating sources support audit.

### 4.5 Implementation references

- Pattern C reference design: `mfa-shim/prototype/`
- Pilot deployment: 12 pumps in ICU bed positions 1A-12A (separate inventory record)
- TOTP factor binding: technician identity attested via clinical engineering badge system
- Session log retention: 90 days online at the shim, exported nightly to SIEM with 7-year archive
- Tamper-evident seal: serialised seal applied at deployment; monthly inspection logged in EAM
- Break-glass procedure: BG-PUMP-001 (clinical engineering on-call notification + InfoSec on-call concurrent)
- Video surveillance: ICU camera coverage records device locations; 90-day retention

## 5. Residual risk evaluation (ISO 14971 cl.8)

### 5.1 Risk after control deployment

| Dimension | Score | Rationale |
|---|---|---|
| Likelihood (residual) | Low | TOTP factor required in addition to disclosed PIN; population of actors with both proximity and TOTP is small and audited. |
| Severity (residual) | High | Unchanged — the harm potential if compromise occurs remains the same. |
| Detectability (residual) | Easy | Shim logs every session; video surveillance provides corroboration; audit reconciliation surfaces discrepancies. |

### 5.2 Residual risk acceptability

**Acceptable for the pilot deployment** under the legacy device research programme criteria (LMD-RISK-2026-001 and the research-artifact addendum LMD-RISK-2026-001A). The pilot is time-bounded (12 months) with quarterly review.

For broader deployment, the control's status as a research artifact rather than a cleared medical device is the governing constraint. See `mfa-shim/FDA-CONSIDERATIONS.md` for the regulatory analysis of broader deployment paths.

### 5.3 Risk acceptance authority

CISO (K. Williams), Director of Clinical Engineering (M. Robinson), and Chief Medical Information Officer (Dr T. Aiyer) jointly, dated 2026-04-10. Pilot scope is signed off by the institutional research and quality improvement committee.

## 6. Effectiveness rating

**Medium for the pilot deployment.** Pattern C addresses the primary disclosed-credential exposure but is itself a research-grade artifact. Validation:

- Test harness scenario `test-harness/attacker/05-eop-default-credential.py` confirms Pattern C prevents service-port credential abuse when the shim is operational and tamper-evident sealing is intact.
- Pilot operations review at 90 days will assess shim reliability, technician compliance with TOTP workflow, and any clinical-workflow impact.

A re-rating to High is contingent on (a) production hardware procurement and (b) FDA regulatory analysis confirming that inline insertion does not constitute a device modification requiring re-clearance.

## 7. Normative references

- ISO 14971:2019, cl.7.4 (Risk control measures)
- ISO 14971:2019, cl.8 (Residual risk evaluation)
- AAMI TIR57:2016, §6.3
- AAMI TIR97, §6.2 and §7 (Postmarket residual risk)
- HIPAA Security Rule, 45 CFR §164.310(b) (Workstation use — physical safeguards)
- HIPAA Security Rule, 45 CFR §164.312(d) (Person/entity authentication)
- HIPAA Security Rule, 45 CFR §164.312(b) (Audit controls)
- FDA 2023 Cybersecurity Guidance, §VII.A.4 and §VII.B (Postmarket compensating measures)
- NIST SP 800-82r3, IA-2, PE-3 (Physical access control)
- NIST SP 800-153 (Wireless local area network security)
- HSCC HIC-MaLTS (2023), Practice 5.4 (Physical security)

## 8. Approval and review

| Field | Value |
|---|---|
| Author | S. Patel, Senior Clinical Engineer |
| Reviewer (Clinical Engineering) | M. Robinson |
| Reviewer (InfoSec) | J. Chen |
| Approver (CISO) | K. Williams |
| Approver (Director of Clinical Engineering) | M. Robinson |
| Approver (CMIO) | Dr T. Aiyer |
| Approval date | 2026-04-10 |
| Effective date | 2026-05-15 (after pilot site preparation) |
| Next scheduled review | 2026-08-15 (90-day pilot review), then quarterly |
| Trigger conditions for early review | Shim component failure; tamper-evident seal violation; vendor advisory; FDA clarification on inline-device classification |

## 9. Linked records

| Record type | Reference |
|---|---|
| STRIDE-HC threat model | stride-hc-templates/examples/infusion-pump.md |
| MDS² disclosure | ExampleMed-IP3.2-MDS2-2024 |
| Pattern C reference design | mfa-shim/ |
| FDA regulatory analysis | mfa-shim/FDA-CONSIDERATIONS.md |
| Pilot operations review (90-day) | scheduled 2026-08-15 |
| Related CJRs | CJR-EMPump-001-MFA (Pattern A network-side), CJR-EMPump-002-Encryption |
| Test harness output | test-harness/results/empump-v32-2026-q1.csv |

## 10. Change log

| Version | Date | Author | Change summary |
|---|---|---|---|
| 1.0 | 2026-04-10 | S. Patel | Initial CJR for service-port PIN exposure on ExampleMed Volumetric Infusion Pump v3.2; introduces Pattern C compensating control under research-artifact pilot |