
ANSI TIR80001-2-2-2012 Application of risk management for IT-networks incorporating medical devices - Part 2-2 Guidance for the disclosure and communication of medical device secur.pdf

ANSI/AAMI/IEC TIR80001-2-2:2012

Technical Information Report

Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls

An ANSI Technical Report prepared by AAMI

Approved 20 August 2012 by Association for the Advancement of Medical Instrumentation

Approved 30 September 2012 by American National Standards Institute, Inc.

Abstract: Step-by-step guide to help in the application of risk management when creating or changing a medical IT-network.

Keywords: medical device, risk management, information technology, interoperability, IT-network

Published by Association for the Advancement of Medical Instrumentation, 4301 N. Fairfax Drive, Suite 301, Arlington, VA 22203-1633, www.aami.org

© 2012 by the Association for the Advancement of Medical Instrumentation. All Rights Reserved.

This publication is subject to copyright claims of ISO, ANSI, and AAMI. No part of this publication may be reproduced or distributed in any form, including an electronic retrieval system, without the prior written permission of AAMI. All requests pertaining to this document should be submitted to AAMI. It is illegal under federal law (17 U.S.C. 101, et seq.) to make copies of all or any part of this document (whether internally or externally) without the prior written permission of the Association for the Advancement of Medical Instrumentation. Violators risk legal action, including civil and criminal penalties, and damages of $100,000 per offense. For permission regarding the use of all or any part of this document, complete the reprint request form at www.aami.org or contact AAMI, 4301 N. Fairfax Drive, Suite 301, Arlington, VA 22203-1633. Phone: +1-703-525-4890; Fax: +1-703-525-1067.

Printed in the United States of America

ISBN 1570204616

AAMI Technical Information Report

A technical information report (TIR) is a publication of the Association for the Advancement of Medical Instrumentation (AAMI) Standards Board that addresses a particular aspect of medical technology.

Although the material presented in a TIR may need further evaluation by experts, releasing the information is valuable because the industry and the professions have an immediate need for it.

A TIR differs markedly from a standard or recommended practice, and readers should understand the differences between these documents.

Standards and recommended practices are subject to a formal process of committee approval, public review, and resolution of all comments. This process of consensus is supervised by the AAMI Standards Board and, in the case of American National Standards, by the American National Standards Institute.

A TIR is not subject to the same formal approval process as a standard. However, a TIR is approved for distribution by a technical committee and the AAMI Standards Board.

Another difference is that, although both standards and TIRs are periodically reviewed, a standard must be acted on (reaffirmed, revised, or withdrawn) and the action formally approved usually every five years but at least every 10 years. For a TIR, AAMI consults with a technical committee about five years after the publication date (and periodically thereafter) for guidance on whether the document is still useful, that is, to check that the information is relevant or of historical value. If the information is not useful, the TIR is removed from circulation.

A TIR may be developed because it is more responsive to underlying safety or performance issues than a standard or recommended practice, or because achieving consensus is extremely difficult or unlikely. Unlike a standard, a TIR permits the inclusion of differing viewpoints on technical issues.

CAUTION NOTICE: This AAMI TIR may be revised or withdrawn at any time. Because it addresses a rapidly evolving field or technology, readers are cautioned to ensure that they have also considered information that may be more recent than this document.

All standards, recommended practices, technical information reports, and other types of technical documents developed by AAMI are voluntary, and their application is solely within the discretion and professional judgment of the user of the document. Occasionally, voluntary technical documents are adopted by government regulatory agencies or procurement authorities, in which case the adopting agency is responsible for enforcement of its rules and regulations.

Comments on this technical information report are invited and should be sent to AAMI, Attn: Standards Department, 4301 N. Fairfax Drive, Suite 301, Arlington, VA 22203-1633.

ANSI Technical Report

This AAMI TIR has been registered by the American National Standards Institute as an ANSI Technical Report.

Publication of this ANSI Technical Report has been approved by the accredited standards developer (AAMI). This document is registered as a Technical Report series of publications according to the Procedures for the Registration of Technical Reports with ANSI. This document is not an American National Standard and the material contained herein is not normative in nature.

Comments on this technical information report are invited and should be sent to AAMI, Attn: Standards Department, 4301 N. Fairfax Drive, Suite 301, Arlington, VA 22203-1633.

Contents

Glossary of equivalent standards
Committee representation
Background of AAMI adoption of IEC/TR 80001-2-2:2012
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Use of SECURITY CAPABILITIES
4.1 Structure of a SECURITY CAPABILITY entry
4.2 Guidance for use of SECURITY CAPABILITIES in the RISK MANAGEMENT PROCESS
4.3 Relationship of ISO 14971-based RISK MANAGEMENT to IT security RISK MANAGEMENT
5 SECURITY CAPABILITIES
5.1 Automatic logoff - ALOF
5.2 Audit controls - AUDT
5.3 Authorization - AUTH
5.4 Configuration of security features - CNFS
5.5 Cyber security product upgrades - CSUP
5.6 HEALTH DATA de-identification - DIDT
5.7 Data backup and disaster recovery - DTBK
5.8 Emergency access - EMRG
5.9 HEALTH DATA integrity and authenticity - IGAU
5.10 Malware detection/protection - MLDP
5.11 Node authentication - NAUT
5.12 Person authentication - PAUT
5.13 Physical locks on device - PLOK
5.14 Third-party components in product lifecycle roadmaps - RDMP
5.15 System and application hardening - SAHD
5.16 Security guides - SGUD
5.17 HEALTH DATA storage confidentiality - STCF
5.18 Transmission confidentiality - TXCF
5.19 Transmission integrity - TXIG
6 Example of detailed specification under SECURITY CAPABILITY: Person authentication - PAUT
7 References
8 Other resources
8.1 General
8.2 Manufacturer disclosure statement for medical device security (MDS2)
8.3 Application security questionnaire (ASQ)
8.4 The Certification Commission for Healthcare Information Technology (CCHIT)
8.5 http://www.cchit.org/get_certified HL7 Functional Electronic Health Record (EHR)
8.6 Common criteria - ISO/IEC 15408
9 Standards and frameworks
Annex A (informative) Sample scenario showing the exchange of security information
Annex B (informative) Examples of regional specification on a few SECURITY CAPABILITIES
Annex C (informative) SECURITY CAPABILITY mapping to C-I-A-A
Bibliography
Table 1 Relationship of IT security and ISO 14971-based terminology
Table C.1 Sample mapping by a hypothetical HDO

Glossary of equivalent standards

International Standards adopted in the United States may include normative references to other International Standards. For each International Standard that has been adopted by AAMI (and ANSI), the table below gives the corresponding U.S. designation and level of equivalency to the International Standard.

NOTE: Documents are sorted by international designation. The code in the US column, “(R)20xx” indicates the year the document was officially reaffirmed by AAMI. E.g., ANSI/AAMI/ISO 10993-4:2002/(R)2009 indicates that 10993-4, originally approved and published in 2002, was reaffirmed without change in 2009.

Other normatively referenced International Standards may be under consideration for U.S. adoption by AAMI; therefore, this list should not be considered exhaustive.

International designation | U.S. designation | Equivalency
IEC 60601-1:2005 | ANSI/AAMI ES60601-1:2005/(R)2012 | Major technical variations
IEC 60601-1:2005/A1:2012 | ANSI/AAMI ES60601-1:2005/A1:2012 | A1 identical
IEC Technical Corrigendum 1 and 2 | ANSI/AAMI ES60601-1:2005/C1:2009/(R)2012 (amdt) | C1 identical to Corrigendum 1

any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example “state of the art”.

IEC 80001-2-2, which is a technical report, has been prepared by a Joint Working Group of subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice and ISO technical committee 215: Health informatics.

The text of this technical report is based on the following documents:

Enquiry draft | Report on voting
62A/783/DTR | 62A/807/RVC

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms used throughout this technical report that have been defined in Clause 3 appear in SMALL CAPITALS.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC web site under “http://webstore.iec.ch” in the data related to the specific publication. At this date, the publication will be reconfirmed, withdrawn, replaced by a revised edition, or amended.

A bilingual version of this publication may be issued at a later date.

IMPORTANT: The color inside logo on the cover page of this publication indicates that it contains colors which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a color printer.

INTRODUCTION

IEC 80001-1, which deals with the application of RISK MANAGEMENT to IT-networks incorporating medical devices, provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. This technical report provides additional guidance in how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT PROCESS and stakeholder communications and agreements.

The informative set of common, high-level SECURITY CAPABILITIES presented here is intended to be the starting point for a security-centric discussion between vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sized RESPONSIBLE ORGANIZATIONS as each evaluates RISK under the capabilities and decides what to include or not include according to its RISK tolerance and resource planning.

This technical report might be used in the preparation of documentation designed to communicate product SECURITY CAPABILITIES and options. This documentation could be used by the RESPONSIBLE ORGANIZATION as input to their IEC 80001 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders. Other IEC-80001-1 technical reports will provide step-by-step guidance in the RISK MANAGEMENT PROCESS. Furthermore, the SECURITY CAPABILITIES encourage the disclosure of more detailed security controls, perhaps those specified in one or more security standards as followed by the RESPONSIBLE ORGANIZATION or the MEDICAL-D
