Meet our Project Partner: The Open Group

Advancing Cybersecurity Assurance for Medical Devices with O-ETB and ACO As medical devices become more connected and software-driven, ensuring robust cybersecurity is essential, not only for protecting data, but for safeguarding patients and maintaining trust in digital health technologies. Within the MedSecurance project, The Open Group is addressing this challenge by developing practical support for automating cybersecurity assurance through the Open Evidential Tool Bus (O-ETB) and the Assurance Case Outline (ACO) Workbench.

O-ETB supports the systematic construction and maintenance of assurance cases that link high-level security and safety claims to concrete, verifiable evidence. In MedSecurance, thiscapability is being used to demonstrate how cybersecurity assurance can move beyond voluminous static documentation toward a more dynamic and sustainable practice that can evolve as devices, software updates, and threat landscapes change over time. By enabling and automating continuous alignment between claims and evidence, O-ETB helps device manufacturers and stakeholders maintain confidence in the cybersecurity posture of their products throughout the lifecycle.

Complementing O-ETB, the ACO Workbench provides a structured yet gentle way for assurance case authors to express claims, arguments, and evidence in a format that is both human-relatable and machine-processable. Grounded in Goal Structuring Notation (GSN) principles, O-ETB/ACO support principled mapping from regulatory and standards-based obligations into reusable argument patterns. In the context of MedSecurance, reuse makes it easier to scale cybersecurity assurance across product families and deployment scenarios,  while reducing duplication of assurance and certification effort and improving consistency. Together, O-ETB/ACO address several key objectives of MedSecurance: strengthening traceability from regulatory requirements to operational evidence; supporting repeatable and transparent conformity assessment aligned with EU MDR and MDCG guidance; and enabling a more integrated approach to safety and cybersecurity co-assurance.

Through this work, The Open Group is helping to show how medical device cybersecurity assurance can become more automated, systematic, resilient, and trustworthy to the benefit of manufacturers, regulators, healthcare providers, and ultimately, patients.