IEC TR 80001-2-8
Edition 1.0 2016-05
TECHNICAL REPORT
Application of risk management for IT-networks incorporating medical devices –
Part 2-8: Application guidance – Guidance on standards for establishing the
security capabilities identified in IEC TR 80001-2-2
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2016 IEC, Geneva, Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Guidance for establishing SECURITY CAPABILITIES
4.1 General
4.2 Automatic logoff – ALOF
4.3 Audit controls – AUDT
4.4 Authorization – AUTH
4.5 Configuration of security features – CNFS
4.6 Cyber security product upgrades – CSUP
4.7 HEALTH DATA de-identification – DIDT
4.8 Data backup and disaster recovery – DTBK
4.9 Emergency access – EMRG
4.10 HEALTH DATA integrity and authenticity – IGAU
4.11 Malware detection/protection – MLDP
4.12 Node authentication – NAUT
4.13 Person authentication – PAUT
4.14 Physical locks on device – PLOK
4.15 Third-party components in product lifecycle roadmaps – RDMP
4.16 System and application hardening – SAHD
4.17 Security guides – SGUD
4.18 HEALTH DATA storage confidentiality – STCF
4.19 Transmission confidentiality – TXCF
4.20 Transmission integrity – TXIG
Bibliography
Table 1 – ALOF controls
Table 2 – AUDT controls
Table 3 – AUTH controls
Table 4 – CNFS controls
Table 5 – CSUP controls
Table 6 – DIDT controls
Table 7 – DTBK controls
Table 8 – EMRG controls
Table 9 – IGAU controls
Table 10 – MLDP controls
Table 11 – NAUT controls
Table 12 – PAUT controls
Table 13 – PLOK controls
Table 14 – RDMP controls
INTERNATIONAL ELECTROTECHNICAL COMMISSION
APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-8: Application guidance – Guidance on standards for
establishing the security capabilities identified in IEC TR 80001-2-2
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".
IEC 80001-2-8, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics. 1)
1) This document contains original material that is © 2013, Dundalk Institute of Technology, Ireland. Permission is granted to ISO and IEC to reproduce and circulate this material, this being without prejudice to the rights of
It is published as a double logo technical report.
The text of this technical report is based on the following documents of IEC:
Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table. In ISO, the standard has been approved by 14 P-members out of 31 having cast a vote.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
Terms used throughout this technical report that have been defined in Clause 3 appear in SMALL CAPITALS.
A list of all parts of the IEC 80001 series, published under the general title Application of risk management for IT-networks incorporating medical devices, can be found on the IEC website.
The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
INTRODUCTION
The IEC 80001-1 standard, the Application of risk management to IT-networks incorporating medical devices, provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. IEC TR 80001-2-2, the Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls, is a technical report that provides additional guidance in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT PROCESS and stakeholder communication and agreements. This technical report provides guidance for the establishment of each of the SECURITY CAPABILITIES presented in IEC TR 80001-2-2.
IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting point for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations – HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include according to their RISK tolerance and available resources. This documentation can be used by HDOs as input to their IEC 80001 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders. Other IEC 80001 technical reports will provide step-by-step guidance in the RISK MANAGEMENT PROCESS. IEC TR 80001-2-2 SECURITY CAPABILITIES encourage the disclosure of more detailed SECURITY CONTROLS. This technical report identifies SECURITY CONTROLS from key security standards which aim to provide guidance to a RESPONSIBLE ORGANIZATION when adapting the framework outlined in IEC TR 80001-2-2.
The framework outlined in IEC TR 80001-2-2 requires shared responsibility between HDOs and MEDICAL DEVICE manufacturers (MDMs). Similarly, this guidance applies to both stakeholders, as a shared responsibility, to ensure safe MEDICAL DEVICE IT networks. In order to build a secure MEDICAL DEVICE IT network a joint effort from both stakeholders is required.
A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or organizational SECURITY CONTROLS 2) required to manage RISKS to confidentiality, integrity, availability and accountability of data and systems. This document presents these categories of SECURITY CONTROLS prescribed for a system and the operational environment to establish SECURITY CAPABILITIES to protect the confidentiality, integrity, availability and accountability of data and systems. The SECURITY CONTROLS support the maintenance of confidentiality and the protection from malicious intrusion that might lead to compromises in integrity or system/data availability. The SECURITY CONTROLS for each SECURITY CAPABILITY can be added to as the need arises. 3) Controls are intended to protect both data and systems but special attention is given to the protection of both PRIVATE DATA and its subset called HEALTH DATA.
In addition to providing a basis for discussing RISK and respective roles and responsibilities toward RISK MANAGEMENT, this report is intended to supply:
a) Health Delivery Organizations (HDOs) with a catalogue of management, operational and administrative SECURITY CONTROLS to maintain the EFFECTIVENESS of a SECURITY CAPABILITY for a MEDICAL DEVICE on a MEDICAL DEVICE IT-NETWORK;
b) MEDICAL DEVICE manufacturers (MDMs) with a catalogue of technical SECURITY CONTROLS for the establishment of each of the 19 SECURITY CAPABILITIES.
2) For the purpose of consistency throughout this report, the term SECURITY CONTROLS refers to the technical, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES.
3) The selection of SECURITY CAPABILITIES and SECURITY CONTROLS will vary due to the diversity of MEDICAL DEVICE products and context in relation to environment and INTENDED USE. Therefore, this technical report is not
This report presents the 19 SECURITY CAPABILITIES, their respective "requirement goal" and "user need" (identical to that in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards. The security standards used for mapping SECURITY CONTROLS to SECURITY CAPABILITIES include: 4)
• NIST SP 800-53, Revision 4, Recommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 covers the steps in the RISK MANAGEMENT Framework that address SECURITY CONTROL selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline SECURITY CONTROLS based on a FIPS 199 worst-case impact analysis, tailoring the baseline SECURITY CONTROLS, and supplementing the SECURITY CONTROLS based on an organizational assessment of RISK. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.
• ISO/IEC 15408-2:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components
This standard defines the content and presentation of the security functional requirements to be assessed in a security evaluation using ISO/IEC 15408. It contains a comprehensive catalogue of predefined security functional components that will fulfil the most common security needs of the marketplace. These are organized using a hierarchical structure of classes, families and components, and supported by comprehensive user notes. This standard also provides guidance on the specification of customized security requirements where no suitable predefined security functional components exist.
• ISO/IEC 15408-3:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components
This standard defines the assurance requirements of the evaluation criteria. It includes the evaluation assurance levels that define a scale for measuring assurance for component targets of evaluation (TOEs), the composed assurance packages that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of protection profiles and security targets. This standard defines the content and presentation of the assurance requirements in the form of assurance classes, families and components and provides guidance on the organization of new assurance requirements. The assurance components within the assurance families are presented in a hierarchical order.
• IEC 62443-3-3:2013, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
This standard provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1 including defining the requirements for control system capability security levels, SL-C (control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T (control system), for a specific asset.
• ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls
This standard outlines guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security RISK environment(s). It is designed to be used by organizations that intend to:
1) select controls within the PROCESS of implementing a MEDICAL DEVICE system based on ISO/IEC 27001;
2) implement commonly accepted information SECURITY CONTROLS;
3) develop their own information security management guidelines.
• ISO 27799, Health informatics – Information security management in health using ISO/IEC 27002 5)
This standard defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, HDOs and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information.
4) The selection of security standards used in this technical report does not represent an exhaustive list of all
5)
APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-8: Application guidance – Guidance on standards for
establishing the security capabilities identified in IEC TR 80001-2-2
1 Scope
This part of IEC 80001, which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and MEDICAL DEVICE manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2. Managing the RISK in connecting MEDICAL DEVICES to IT-NETWORKS requires the disclosure of security-related capabilities and RISKS. IEC TR 80001-2-2 presents a framework for this disclosure and the security dialog that surrounds the IEC 80001-1 RISK MANAGEMENT of IT-NETWORKS. IEC TR 80001-2-2 presents an informative set of common, descriptive security-related capabilities that are useful in terms of gaining an understanding of user needs. This report addresses each of the SECURITY CAPABILITIES and identifies SECURITY CONTROLS for consideration by HDOs and MDMs during RISK MANAGEMENT activities, supplier selection, device selection, device implementation, operation etc.
It is not intended that the security standards referenced herein are exhaustive of all useful standards; rather, the purpose of this technical report is to identify SECURITY CONTROLS, which exist in these particular security standards (listed in the introduction of this technical report), that apply to each of the SECURITY CAPABILITIES.
This report provides guidance to HDOs and MDMs for the selection and implementation of management, operational, administrative and technical SECURITY CONTROLS to protect the confidentiality, integrity, availability and accountability of data and systems during development, operation and disposal.
All 19 SECURITY CAPABILITIES are not required in every case and the identified SECURITY CAPABILITIES included in this report should not be considered exhaustive in nature. The selection of SECURITY CAPABILITIES and SECURITY CONTROLS should be based on the RISK EVALUATION and the RISK tolerance with consideration for protection of patient SAFETY, life and health. INTENDED USE, operational environment, network structure and local factors should also determine which SECURITY CAPABILITIES are necessary and which SECURITY CONTROLS most suitably assist in establishing that SECURITY CAPABILITY.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities
IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks and controls
6)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
DATA AND SYSTEMS SECURITY
operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
physical injury or damage to the health of people, or damage to property or the environment, or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEMS SECURITY
PRIVATE DATA that indicates physical or mental health
Note 1 to entry: This term generically defines PRIVATE DATA and its subset, HEALTH DATA, within this report to permit users of this report to adapt it easily to different privacy compliance laws and regulations. For example, in Europe, the requirements might be taken and references changed to "Personal Data" and "Sensitive Data"; in the USA, HEALTH DATA might be changed to "Protected Health Information (PHI)" while making adjustments to text as necessary.
3.6
INTENDED USE
INTENDED PURPOSE
use for which a product, PROCESS or service is intended according to the specifications, instructions and information provided by the manufacturer
3.7
IT-NETWORK
system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication
calibrator, software, material or other similar or related article:
a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a physiological PROCESS,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.
Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample collection and storage devices, control materials, and related instruments or apparatus. The information provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate regulations.
Note 2 to entry: Products which may be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, are:
– aids for disabled/handicapped people;
– devices for the treatment/diagnosis of diseases and injuries in animals;
– accessories for MEDICAL DEVICES (see Note 3 to entry);
– disinfection substances;
– devices incorporating animal and human tissues which may meet the requirements of the above definition but are subject to different controls.
Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a 'parent' MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its INTENDED PURPOSE should be subject to the same GHTF procedures as apply to the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This may result in the accessory having a different classification than the 'parent' device.
Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer's quality management system and the conformity assessment procedures for the device. In some jurisdictions, components are included in the definition of a 'medical device'.
[SOURCE: IEC 80001-1:2010, 2.14]
3.9
MEDICAL IT-NETWORK
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK
[SOURCE: IEC 80001-1:2010, 2.2 , modified – The notes have been deleted.]
3.19
RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling, and monitoring RISK
[SOURCE: IEC 80001-1:2010, 2.2 ]
3.20
SAFETY
freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or the environment
[SOURCE: IEC 80001-1:2010, 2.3 ]
3.21
SECURITY CAPABILITY
broad category of technical, administrative or organizational controls to manage RISKS to confidentiality, integrity, availability and accountability of data and systems
3.22
SECURITY CONTROL
management, operational, and technical controls (i.e. safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information
ISO/IEC 27002 specifies a set of detailed controls for managing information security. ISO 27799 specifies additional guidance specifically for health information security and provides health information security best practice guidelines.
4.2 Automatic logoff – ALOF
Requirement goal: Reduce the RISK of unauthorized access to HEALTH DATA from an
Authorized user sessions need to automatically terminate or lock after a pre-set period of time. This reduces the RISK
The local authorized IT administrator needs to be able to disable the function and set the expiration time (including screen saver).
A screen saver with short inactivity time or manually enabled by a shortcut key might be an additional feature. This HEALTH DATA display clearing could be invoked when no key is pressed for some short period (e.g. 15 s to several minutes). This would not log out the user but would reduce RISK of casual viewing of information.
It is desirable that clinical users should not lose uncommitted work due to automatic logoff. Consider detailing characteristics under ALOF that distinguish between (a) logoff and (b) screen locking with resumption of session.
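The ALOF text above distinguishes three idle behaviours: clearing HEALTH DATA from the display after a short inactivity period (no logout), locking the screen with resumption of the session (uncommitted work preserved), and automatic logoff after an administrator-set expiration time. The following added example, written for this page and not taken from IEC TR 80001-2-8, models that state machine; the threshold values, the AlofPolicy and Session classes and the parked-work store are assumptions of the example.

```python
"""Idle-session handling that separates display clearing, screen lock and logoff.

Added example for the ALOF capability; not code from IEC TR 80001-2-8. The
thresholds, classes and PARKED_WORK store are assumptions (times in seconds).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed store for work parked at logoff so clinical users do not lose it.
PARKED_WORK: Dict[str, List[str]] = {}


@dataclass
class AlofPolicy:
    """Settings the local authorized IT administrator controls."""
    enabled: bool = True               # the administrator may disable ALOF entirely
    display_clear_after: float = 15.0  # clear HEALTH DATA from the screen (no logout)
    lock_after: float = 300.0          # lock the session; resumption needs re-authentication
    logoff_after: float = 1800.0       # terminate the session (expiration time)


@dataclass
class Session:
    user: str
    last_activity: float
    uncommitted_work: List[str] = field(default_factory=list)
    state: str = "active"  # active | display_cleared | locked | logged_off


def evaluate(session: Session, policy: AlofPolicy, now: float) -> str:
    """Apply the idle thresholds and return the session's new state."""
    if session.state == "logged_off" or not policy.enabled:
        return session.state
    idle = now - session.last_activity
    if idle >= policy.logoff_after:
        # Logoff ends the session but parks uncommitted work for the same user.
        PARKED_WORK[session.user] = list(session.uncommitted_work)
        session.uncommitted_work.clear()
        session.state = "logged_off"
    elif idle >= policy.lock_after:
        session.state = "locked"
    elif idle >= policy.display_clear_after:
        session.state = "display_cleared"
    else:
        session.state = "active"
    return session.state


def resume(session: Session, now: float, authenticated_as: Optional[str] = None) -> bool:
    """Return the session to the active state.

    A cleared display is restored by any activity; a locked session resumes only
    after re-authentication as the session owner; a logged-off session cannot resume.
    """
    if session.state == "logged_off":
        return False
    if session.state == "locked" and authenticated_as != session.user:
        return False
    session.state = "active"
    session.last_activity = now
    return True


def parked_work(user: str) -> List[str]:
    """Work saved at automatic logoff, for restoration at the user's next login."""
    return list(PARKED_WORK.get(user, []))
```

The point to check when specifying ALOF for a device is that a screen lock and a logoff are different states with different resumption rules: a locked session must demand re-authentication as the same user, while a logoff must not silently discard clinical work.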
Table 1 – ALOF controls
ISO/IEC 15408-2: FMT_SAE Security attribute expiration
ISO/IEC 15408-2: FIA_UAU User authentication
ISO/IEC 15408-3: No applicable SECURITY CONTROLS
ISO/IEC 27002 / ISO 27799: 18.2.2 Compliance with security policies and standards
4.3 Audit controls – AUDT
Requirement goal: Define harmonized approach toward reliably auditing who is doing what with HEALTH DATA, allowing HDO IT to monitor this using public frameworks, standards and technology.
Our industry agreed upon and HDO IT strongly prefers Integrating the Healthcare Enterprise (IHE) audit trail profile support.
Audit goal (from IHE): To allow a security officer in an institution to audit activities, to assess compliance with a secure domain's policies, to detect instances of non-compliant behaviour, and to facilitate detection of improper creation, access, modification and deletion of Protected Health Information (PHI).
User need: Capability to record and examine system activity by creating audit trails on a device to track system and HEALTH DATA access, modification, or deletion.
Support for use either as a stand-alone repository (logging audit files in its own file system) or, when configured as such, will send logged information to a separate, HDO-managed central repository.
Audit creation and maintenance supported by appropriate audit review tools.
Securing of audit data as appropriate (especially if they contain personal data themselves).
Audit data that cannot be edited or deleted.
Audit data likely contain personal data and/or HEALTH DATA and all processing (e.g. access, storage and transfer) should have appropriate controls.
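The user need above asks for audit trails that record who accessed, modified or deleted HEALTH DATA, that support review, that can be forwarded to an HDO-managed central repository, and that cannot be edited or deleted. The following added example, written for this page and not taken from IEC TR 80001-2-8 or from the IHE audit trail profile, shows one way a device can make its local trail tamper-evident: each record is hash-chained to its predecessor, so an edited or removed record is detected when the chain is verified at review time or on import at the central repository. The record fields, the export format and the sample events are assumptions of the example.

```python
"""Tamper-evident audit trail of HEALTH DATA access (added example, not from the report).

Records are chained with SHA-256 so that editing or deleting an earlier record is
detectable. Record layout, export format and sample events are constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # link value before the first record


def _record_hash(prev_hash: str, record: Dict) -> str:
    """Hash of the previous link plus the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail; there is deliberately no update or delete operation."""

    def __init__(self) -> None:
        self._entries: List[Tuple[Dict, str]] = []

    def append(self, user: str, action: str, patient_id: str, outcome: str, ts: str) -> str:
        """Record who did what to which patient's data, and return the new link hash."""
        record = {"user": user, "action": action, "patient": patient_id,
                  "outcome": outcome, "ts": ts}
        prev = self._entries[-1][1] if self._entries else GENESIS_HASH
        link = _record_hash(prev, record)
        self._entries.append((record, link))
        return link

    def verify(self) -> Tuple[bool, int]:
        """Recompute the chain; returns (intact, index of first broken link or record count)."""
        prev = GENESIS_HASH
        for idx, (record, link) in enumerate(self._entries):
            if _record_hash(prev, record) != link:
                return False, idx
            prev = link
        return True, len(self._entries)

    def review(self, patient_id: Optional[str] = None,
               user: Optional[str] = None) -> List[Dict]:
        """Audit review: records filtered by patient and/or user."""
        out = []
        for record, _ in self._entries:
            if patient_id is not None and record["patient"] != patient_id:
                continue
            if user is not None and record["user"] != user:
                continue
            out.append(dict(record))
        return out

    def export(self) -> str:
        """Serialized form for forwarding to an HDO-managed central repository."""
        return json.dumps([{"record": r, "hash": h} for r, h in self._entries])

    @classmethod
    def load(cls, exported: str) -> "AuditTrail":
        """Import an exported trail; the importer should call verify() afterwards."""
        trail = cls()
        trail._entries = [(e["record"], e["hash"]) for e in json.loads(exported)]
        return trail


def sample_trail() -> AuditTrail:
    """Constructed events for demonstration, not real data."""
    t = AuditTrail()
    t.append("dr_smith", "view", "P-1001", "success", "2016-05-01T08:00:00Z")
    t.append("nurse_jones", "modify", "P-1001", "success", "2016-05-01T08:05:00Z")
    t.append("svc_tech", "view", "P-2002", "denied", "2016-05-01T09:00:00Z")
    return t
```

A hash chain alone does not stop an attacker with write access from rewriting the whole trail from the tampered record onward; it is effective when the forwarded copy at the central repository (or a periodically exported chain head) is compared against the device's local trail, which is why the example includes export and verify-on-load.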
Table 2 – AUDT controls
NIST SP 800-53: AU-16 Cross-organizational auditing
ISO/IEC 15408-2: FAU_ARP Security audit automatic response
ISO/IEC 15408-2: FAU_GEN Security audit data generation
ISO/IEC 15408-2: FAU_SAA Security audit analysis
ISO/IEC 15408-2: FAU_SAR Security audit review
ISO/IEC 15408-2: FAU_SEL Security audit event selection
ISO/IEC 15408-2: FAU_STG Security audit event storage
ISO/IEC 15408-2: FCO_NRO Non-repudiation of origin
IEC 62443-3-3: SR 3.9 Protection of audit information
IEC 62443-3-3: SR 6.1 Audit reduction and report generation
4.4 Authorization – AUTH
Requirement goal: Following the principle of data minimization, provide control of access to HEALTH DATA and functions only as necessary to perform the tasks required by the HDO consistent with the INTENDED USE.
User need: Avoiding unauthorized access to data and functions in order to (1) preserve system and data confidentiality, integrity and availability and (2) remain within permitted uses of data and systems.
As defined by HDO IT policy and based on the authenticated individual user's identification, the authorization capability allows each user to only access approved data and only perform approved functions on the device.
Authorized users include HDO and service staff as defined by that policy.
• MEDICAL DEVICES typically support a permission-based system providing access to system functions and data appropriate to the role(s) of the individual in the HDO (role-based access control, RBAC). For example: OPERATORS can perform their assigned tasks using all appropriate device functions (e.g. monitor or scan patients).
• Quality staff (e.g. medical physicist) can engage in all appropriate quality and assurance testing activities.
• Service staff can access the system in a manner that supports their preventive maintenance, problem investigation, and problem elimination activities.
Authorization permits the RISK to effectively deliver healthcare while (1) maintaining system and data security and (2) following the principle of appropriate data access minimization. Authorization can be managed locally or enterprise-wide (e.g. via centralized directory).
Where INTENDED USE does not permit the time necessary for logging onto and off of a device (e.g. high-throughput use), the local IT Policy can permit reduced authorization controls presuming adequacy of controlled and restricted physical access.
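The AUTH bullets above describe a permission-based system in which operators, quality staff and service staff each get only the device functions their role needs, with a policy exception for high-throughput use that relies on restricted physical access instead. The following added example, written for this page and not taken from IEC TR 80001-2-8, implements that deny-by-default role check; the role names, the approved-function table and the shape of the reduced-control exception are assumptions of the example (a constructed local IT policy).

```python
"""Deny-by-default role-based authorization for device functions.

Added example for the AUTH capability; not code from IEC TR 80001-2-8. Roles,
the approved-function table and the reduced-control exception are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Constructed local IT policy: each role maps to the device functions it may use.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "operator": {"monitor_patient", "scan_patient", "view_health_data"},
    "quality": {"run_qa_test", "view_calibration_data"},
    "service": {"run_diagnostics", "install_patch", "view_service_logs"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    authenticated: bool = True  # set by the person-authentication step (PAUT)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # recorded in the audit trail alongside the decision


def authorize(user: User, function: str, *, reduced_controls: bool = False,
              physical_access_restricted: bool = False) -> Decision:
    """Decide whether `user` may invoke `function` on the device."""
    if reduced_controls:
        # High-throughput use: local policy may relax authorization, but only
        # where controlled and restricted physical access is in place.
        if physical_access_restricted:
            return Decision(True, "policy exception: reduced authorization controls")
        return Decision(False, "reduced controls require restricted physical access")
    if not user.authenticated:
        return Decision(False, "user not authenticated")
    for role in sorted(user.roles):
        if function in ROLE_FUNCTIONS.get(role, set()):
            return Decision(True, f"permitted by role '{role}'")
    return Decision(False, f"'{function}' not approved for roles {sorted(user.roles)}")


def approved_functions(user: User) -> Set[str]:
    """Everything the user's roles permit; useful for a least-privilege review."""
    if not user.authenticated:
        return set()
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in user.roles))
```

Keeping the role-to-function table as data rather than scattered `if` checks is what lets the HDO's IT administrator review and adjust it under CNFS, and the returned reason string gives the AUDT trail something meaningful to record for denied attempts.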
Table 3 – AUTH controls
NIST SP 800-53: AC-19 Access control for mobile devices
ISO/IEC 27002 / ISO 27799: 9.1.2 Access to networks and network services
ISO/IEC 27002 / ISO 27799: 9.2.1 User registration and de-registration
ISO/IEC 27002 / ISO 27799: 9.2.2 User access provisioning
ISO/IEC 27002 / ISO 27799: 9.2.3 Management of privileged access rights
ISO/IEC 27002 / ISO 27799: 9.2.4 Management of secret authentication information of users
ISO/IEC 27002 / ISO 27799: 9.4.1 Information access restriction
ISO/IEC 27002 / ISO 27799: 9.4.4 Use of privileged utility programs
ISO/IEC 27002 / ISO 27799: 12.1.1 Documented operating procedures
ISO/IEC 27002 / ISO 27799: 13.1.3 Segregation in networks
ISO/IEC 27002 / ISO 27799: 13.2.4 Confidentiality or non-disclosure agreements
4.5 Configuration of security features – CNFS
Requirement goal: To allow the HDO to determine how to utilize the product SECURITY CAPABILITIES to meet their needs for policy and/or workflow.
User need: The local authorized IT administrator needs to be able to select the use of the product SECURITY CAPABILITIES or not to use the product SECURITY CAPABILITIES. This can include aspects of privilege management interacting with SECURITY CAPABILITY controls.
Table 4 – CNFS controls
ISO/IEC 15408-2: FMT_SMF Specification of management functions
ISO/IEC 15408-2: FMT_SMR Security management roles
ISO/IEC 15408-2: FTA_LSA Limitation on scope of selectable attributes
ISO/IEC 27002 / ISO 27799: 9.2.3 Management of privileged access rights
ISO/IEC 27002 / ISO 27799: 9.2.4 Management of secret authentication information of users
ISO/IEC 27002 / ISO 27799: 9.4.1 Information access restriction
ISO/IEC 27002 / ISO 27799: 9.4.4 Use of privileged utility programs
ISO/IEC 27002 / ISO 27799: 12.1.1 Documented operating procedures
ISO/IEC 27002 / ISO 27799: 12.2.1 Controls against malware
ISO/IEC 27002 / ISO 27799: 14.2.2 System change control procedures
ISO/IEC 27002 / ISO 27799: 14.2.3 Technical review of applications after operating platform changes
ISO/IEC 27002 / ISO 27799: 9.2.4 Management of secret authentication information of users
ISO/IEC 27002 / ISO 27799: 14.2.4 Restrictions on changes to software packages
ISO/IEC 27002 / ISO 27799: 14.2.9 System acceptance testing
ISO/IEC 27002 / ISO 27799: 18.1.5 Regulation of cryptographic controls
4.6 Cyber security product upgrades – CSUP
Requirement goal: Create a unified way of working. Installation / Upgrade of product security patches by on-site service staff, remote service staff, and possibly authorized HDO staff (downloadable patches).
User need: Installation of third party security patches on medical products as soon as possible in accordance with regulation requiring:
• Highest priority is given to patches that address high-RISK vulnerabilities as judged by objective, authoritative, documented, MDM vulnerability RISK EVALUATION.
• The medical product vendor and the healthcare provider are required to assure continued safe and effective clinical functionality of their products. Understanding of local MEDICAL DEVICE regulation (in general, MEDICAL DEVICES should not be patched or modified without explicit written instruction from the MDM).
• Adequate testing has to be done to discover any unanticipated side effects of the patch on the medical product (performance or functionality) that might endanger a PATIENT.
User, especially HDO IT staff and HDO service, requires proactive information on assessed/validated patches.
Table 5 (continued)
NIST SP 800-53: SA-8 Security engineering principles
NIST SP 800-53: SA-11 Developer security testing and evaluation
ISO/IEC 27002 / ISO 27799: 12.2.1 Controls against malware
ISO/IEC 27002 / ISO 27799: 12.5.1 Installation of software on operational systems
ISO/IEC 27002 / ISO 27799: 12.6.1 Management of technical vulnerabilities
ISO/IEC 27002 / ISO 27799: 12.6.2 Restrictions on software installation
ISO/IEC 27002 / ISO 27799: 14.1.1 Information security requirements analysis and specification
ISO/IEC 27002 / ISO 27799: 14.2.2 System change control procedures
ISO/IEC 27002 / ISO 27799: 14.2.3 Technical review of applications after operating platform changes
ISO/IEC 27002 / ISO 27799: 14.2.4 Restrictions on changes to software packages
ISO/IEC 27002 / ISO 27799: 14.2.5 Secure system engineering principles
ISO/IEC 27002 / ISO 27799: 14.2.8 System security testing
ISO/IEC 27002 / ISO 27799: 14.2.9 System acceptance testing
ISO/IEC 27002 / ISO 27799: 18.2.2 Compliance with security policies and standards
4.7 HEALTH DATA de-identification – DIDT
Requirement goal: Ability of equipment (application software or additional tooling) to directly remove information that allows identification of patient.
Data scrubbing prior to shipping back to factory; architecting to allow remote service without HEALTH DATA access/exposure; in-factory
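The DIDT goal above is for the equipment itself to remove patient-identifying information, for instance by scrubbing data before a device is shipped back to the factory. The following added example, written for this page and not taken from IEC TR 80001-2-8, shows such a scrubbing routine for a device export: direct identifiers and free-text fields are dropped, the medical record number is replaced by a keyed pseudonym so the manufacturer can still correlate records from the same patient during fault analysis without learning who the patient is, and a pre-release check confirms nothing identifying remains. The identifier field list, the record layout and the sample record are assumptions of the example.

```python
"""Removing direct patient identifiers from a device record before it leaves the HDO.

Added example for the DIDT capability; not code from IEC TR 80001-2-8. Field
names, the record layout and the sample record are constructed.
"""
import copy
import hashlib
import hmac
from typing import Any, Dict

# Constructed field names treated as direct identifiers.
DIRECT_IDENTIFIERS = {"patient_name", "mrn", "date_of_birth", "address", "phone", "ssn"}
# Free text may embed names; it is dropped rather than scrubbed.
FREE_TEXT_FIELDS = {"notes", "comments"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, non-reversible stand-in for an identifier (HMAC-SHA256, truncated)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of `record` with direct identifiers removed, recursively."""
    out: Dict[str, Any] = {}
    for name, value in record.items():
        if name == "mrn":
            # Keep linkability across records without keeping the identifier.
            out["patient_pseudonym"] = pseudonym(str(value), key)
        elif name in DIRECT_IDENTIFIERS or name in FREE_TEXT_FIELDS:
            continue
        elif isinstance(value, dict):
            out[name] = deidentify(value, key)
        elif isinstance(value, list):
            out[name] = [deidentify(v, key) if isinstance(v, dict) else copy.deepcopy(v)
                         for v in value]
        else:
            out[name] = copy.deepcopy(value)
    return out


def contains_identifiers(record: Any) -> bool:
    """Pre-release check: True if any identifier or free-text field remains anywhere."""
    if isinstance(record, dict):
        return any(k in DIRECT_IDENTIFIERS or k in FREE_TEXT_FIELDS or contains_identifiers(v)
                   for k, v in record.items())
    if isinstance(record, list):
        return any(contains_identifiers(v) for v in record)
    return False


# Constructed sample export from a monitoring device (not real data).
SAMPLE_RECORD: Dict[str, Any] = {
    "device_serial": "SN-EXAMPLE-42",
    "patient": {"patient_name": "Jane Doe", "mrn": "MRN-778899",
                "date_of_birth": "1970-01-01"},
    "readings": [{"ts": "2016-05-01T08:00:00Z", "hr": 72, "notes": "pt Jane Doe restless"},
                 {"ts": "2016-05-01T08:01:00Z", "hr": 75}],
    "error_log": ["E17 sensor timeout"],
}
```

The pseudonym key must stay with the HDO: if it shipped with the data, the manufacturer could test candidate record numbers against the pseudonyms. Field-name matching is also only as good as the schema; timestamps, device serials and rare measurement combinations can still be identifying in context, which is why the export should be reviewed against the HDO's own RISK EVALUATION rather than treated as anonymous by construction.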
Table 6 – DIDT controls
NIST SP 800-53: DM-1 Minimization of personally identifiable information
NIST SP 800-53: DM-2 Data retention and disposal
ISO/IEC 27002 / ISO 27799: 5.1.1 Policies for information security
ISO/IEC 27002 / ISO 27799: 5.1.2 Review of the policies for information security
ISO/IEC 27002 / ISO 27799: 7.2.2 Information security awareness, education and training
ISO/IEC 27002 / ISO 27799: 11.2.6 Security of equipment and assets off-premises
ISO/IEC 27002 / ISO 27799: 11.2.7 Secure disposal or re-use of equipment
ISO/IEC 27002 / ISO 27799: 12.1.4 Separation of development, testing and operational environments
ISO/IEC 27002 / ISO 27799: 14.3.1 Protection of test data
ISO/IEC 27002 / ISO 27799: 18.1.4 Privacy and protection of personally identifiable information
ISO/IEC 27002 / ISO 27799: 18.2.2 Compliance with security policies and standards
4.8 Data backup and disaster recovery – DTBK
Requirement goal: Assure that the healthcare provider can continue business after damage or destruction of data, hardware, or software.
User need: Reasonable assurance that persistent system settings and persistent HEALTH DATA stored on products can be restored after a system failure or compromise so that business can be continued.
NOTE This requirement might not be appropriate for smaller, low-cost devices and can, in practice, rely on the ability to collect new, relevant data in the next acquisition cycle (e.g. short-duration heart rate data lost due to occasional wireless signal loss).
NIST SP 800-53: CP-9 Information system backup
NIST SP 800-53: CP-10 Information system recovery and reconstitution
NIST SP 800-53: CP-13 Alternative security mechanisms
NIST SP 800-53: IR-9 Information spillage response
NIST SP 800-53: IR-10 Integrated information security analysis team
NIST SP 800-53: SI-1 System and information integrity policy and procedures