ImageVerifierCode 换一换
格式:PDF , 页数:21 ,大小:621.73KB ,
资源ID:439164      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-439164.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ANSI UL 2900-2-1-2017 UL Standard for Safety Software Cybersecurity for Network-Connectable Products Part 2-1 Particular Requirements for Network Connectable Components of Healthca.pdf)为本站会员(eastlab115)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ANSI UL 2900-2-1-2017 UL Standard for Safety Software Cybersecurity for Network-Connectable Products Part 2-1 Particular Requirements for Network Connectable Components of Healthca.pdf

1、UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, STANDARD FOR SAFETY

2、UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM ULUL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL UL Standard for Safety for Software Cybersecurity for Network-Connectable Products, Par

3、t 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, UL 2900-2-1 First Edition, Dated September 1, 2017 Summary of Topics This is the First Edition of the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requi

4、rements for Network Connectable Components of Healthcare and Wellness Systems, ANSI/UL 2900-2-1 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical photocopying, recording, or otherwise with

5、out prior permission of UL. UL provides this Standard as is without warranty of any kind, either expressed or implied, including but not limited to, the implied warranties of merchantability or tness for any purpose. In no event will UL be liable for any special, incidental, consequential, indirect

6、or similar damages, including loss of prots, lost savings, loss of data, or any other damages arising out of the use of or the inability to use this Standard, even if UL or an authorized UL representative has been advised of the possibility of such damage. In no event shall ULs liability for any dam

7、age ever exceed the price paid for this Standard, regardless of the form of the claim. Users of the electronic versions of ULs Standards for Safety agree to defend, indemnify, and hold UL harmless from and against any loss, expense, liability, damage, claim, or judgment (including reasonable attorne

8、ys fees) resulting from any error or deviation introduced while purchaser is storing an electronic Standard on the purchasers computer system. SEPTEMBER 1, 2017 UL 2900-2-1 tr1UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL SEPTEMBER 1, 2017

9、 UL 2900-2-1 tr2 No Text on This PageUL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL SEPTEMBER 1, 2017 1 UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Component

10、s of Healthcare and Wellness Systems, First Edition September 1, 2017 This ANSI/UL Standard for Safety consists of the First Edition. The most recent designation of ANSI/UL 2900-2-1 as an American National Standard (ANSI) occurred on September 1, 2017. ANSI approval for a standard does not include t

11、he Cover Page, Transmittal Pages, and Title Page. Comments or proposals for revisions on any part of the Standard may be submitted to UL at any time. Proposals should be submitted via a Proposal Request in ULs On-Line Collaborative Standards Development System (CSDS) at https:/. ULs Standards for Sa

12、fety are copyrighted by UL. Neither a printed nor electronic copy of a Standard should be altered in any way. All of ULs Standards and all copyrights, ownerships, and rights regarding those Standards shall remain the sole and exclusive property of UL. COPYRIGHT 2017 UNDERWRITERS LABORATORIES INC. AN

13、SI/UL 2900-2-1-2017UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL SEPTEMBER 1, 2017 UL 2900-2-1 2 No Text on This PageUL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL CONTENTS INTROD

14、UCTION 1 Scope .4 2 Normative References .4 3 Glossary .5 DOCUMENTATION FOR PRODUCT, PROCESSES, AND USE 4 Product Documentation 5 5 Process Documentation5 6 Documentation for Product Use.5 6.1 Safety-related security considerations for product use.5 6.2 Instructions 6 SECURITY CONTROLS 7 General 6 8

15、 Access Control, User Authentication, and User Authorization .6 9 Remote Communication .6 10 Cryptography 6 11 Product Management.7 PRODUCT ASSESSMENT 12 Safety-Related Security Risk Management 7 12.1 Risk analysis7 12.2 Risk evaluation8 12.3 Risk control .8 12.4 Coverage of security analysis and te

16、sting 9 13 Known Vulnerability Testing 12 14 Malware Testing 12 15 Malformed Input Testing .12 16 Structured Penetration Testing .13 17 Software Weakness Analysis.14 18 Static Source Code Analysis 14 19 Static Binary and Bytecode Analysis 14 ORGANIZATIONAL ASSESSMENT 20 Lifecycle Security Processes

17、.14 20.1 Quality management processes 14 20.2 General procurement processes .14 20.3 Procurement risk management process .15 20.4 Product update release and patch management process 15 20.5 Decommissioning process .15 20.6 Packaging and shipment 16 SEPTEMBER 1, 2017 UL 2900-2-1 3UL COPYRIGHTED MATER

18、IAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL INTRODUCTION NOTE: This Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, is to be used

19、in conjunction with the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1. The requirements for network connectable components of healthcare systems are contained in this part 2 standard and UL 2900-1. Requirements of this Part 2 standard,

20、where stated, amend the requirements of UL 2900-1. Where a particular subclause of UL 2900-1 is not mentioned in UL 2900-2-1, the UL 2900-1 subclause applies. 1 Scope 1.1 This security evaluation standard applies to the testing of network connected components of healthcare systems. It applies to, bu

21、t is not limited to, the following key components: a) Medical devices; b) Accessories to medical devices; c) Medical device data systems; d) In vitro diagnostic devices; e) Health information technology; and f) Wellness devices. 2 Normative References 2.1 The Standard for Software Cybersecurity for

22、Network-Connectable Products, Part 1: General Requirements, UL 2900-1, shall be applied as specied in this standard. 2.2 The Standard for Medical Devices Application of Risk Management to Medical Devices, ISO 14971:2007, shall be applied as specied in this standard. 2.3 The Standard for Medical Devi

23、ces Quality Management Systems Requirements for Regulatory Purposes, ISO 13485:2003, shall be applied as specied in this standard. 2.4 The Standard for Medical Device Software Software Life Cycle Processes, IEC 62304:2006, shall be applied as specied in this standard. SEPTEMBER 1, 2017 UL 2900-2-1 4

24、UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL 3 Glossary 3.1 BASIC SAFETY Freedom from unacceptable risk, for those risks that are not directly related to the intended use of the product 3.2 ESSENTIAL PERFORMANCE Performance, other than th

25、at related to BASIC SAFETY, whose loss or degradation beyond the limits specied by the MANUFACTURER results in an unacceptable risk. IEC 60601-1 Ed3.1 3.3 MANUFACTURER See VENDOR 3.4 RISK MANAGEMENT FILE Set of records and other documents that are produced by risk management EN ISO 14971: 2012 DOCUM

26、ENTATION FOR PRODUCT, PROCESSES, AND USE 4 Product Documentation 4.1 Product documentation shall meet the requirements of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below. 4.2 5 Process Documentati

27、on 5.1 Process documentation shall meet the requirements of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below. 6 Documentation for Product Use 6.1 Safety-related security considerations for product

28、use 6.1.1 Intended use of the product as indicated in the Risk Management File (RMF) 6.1.1.1 A statement of the products intended use shall be included in the Risk Management File. 6.1.1.2 Jurisdiction-specic denitions for intended use and indications for use shall be provided in the Risk Management

29、 File. 6.1.1.3 The products intended use statement shall indicate essential performance that may be impacted by security breach. SEPTEMBER 1, 2017 UL 2900-2-1 5UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL 6.1.2 Environment in which the pr

30、oduct is intended to be used 6.1.2.1 The products assumptions regarding the environment within which it is intended to be operated shall be enumerated. 6.1.2.2 The products indications for use statement shall identify security capabilities and constraints relative to assumptions regarding the enviro

31、nment within which it is intended to be operated. 6.2 Instructions 6.2.1 Instructions on means to over-ride security measures when necessary for patient safety per 12.4.1.7 and 12.4.2.6 shall be communicated to intended stakeholders with security controls as described in the Risk Management File. SE

32、CURITY CONTROLS 7 General 7.1 The product shall comply with the requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 7, except as noted in the clauses below. 8 Access Control, User Authentication, and User Authoriza

33、tion 8.1 The product shall comply with the requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 8, except as noted in the clauses below. 9 Remote Communication 9.1 The product shall comply with the remote communicat

34、ion requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 9, except as noted in the clauses below. 10 Cryptography 10.1 The product shall comply with the cryptography requirements of the Standard for Software Cyberse

35、curity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 10, except as noted in the clauses below. SEPTEMBER 1, 2017 UL 2900-2-1 6UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL 11 Product Management 11.1 The

36、product shall comply with the product management requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 11, except as noted in the clauses below. PRODUCT ASSESSMENT 12 Safety-Related Security Risk Management 12.1 Risk

37、 analysis 12.1.1 The product shall comply with the applicable requirements of the Standard for Medical Devices Application of Risk Management to Medical Devices, ISO 14971, or the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, Section 1

38、2, Vendor Product Risk Management Process. NOTE: Information Technology network risks per the Standard for Application of Risk Management for IT-Networks Incorporating Medical Devices Part 1: Roles, Responsibilities and Activities, IEC 80001-1, should be considered as part of product risk management

39、. 12.1.2 A risk management le shall be constructed in accordance with the Standard for Medical Devices Application of Risk Management to Medical Devices, ISO 14971, risk management process, and it shall specically include the following elements with regard to security: a) Security risk analysis; NOT

40、E: The security risk analysis should consider defense-in-depth also known as layer of protection analysis (LOPA) 1 . b) Security risk evaluation; c) Security risk control; NOTE: Security risk controls should consider a defense-in-depth strategy to minimize impact of a breach. d) Production and post-

41、production security information; e) Verication and validation of security risk controls; and NOTE: Validation demonstrates an implementation that satises system requirements. f) Analysis of the acceptability of residual security risk. 1 See the IEC 61511, Functional Safety Safety Instrumented System

42、s for the Process Industry Sector standards. SEPTEMBER 1, 2017 UL 2900-2-1 7UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL 12.1.3 Processes for Quality Management (QM) shall reect: a) Allocation of adequate security resources to product dev

43、elopment; NOTE: Compliance can be determined by demonstrating compliance with Clauses 13-20 of this standard b) Establishing policies and criteria for security risk acceptability for the product based on applicable international, national or regional regulations; and c) Ongoing re-assessment of the

44、continued suitability of the security risk management process at planned intervals, including documentation of decisions and actions taken. 12.2 Risk evaluation 12.2.1 The risk evaluation shall be conducted in accordance with 12.3 and 12.4 in the Standard for Software Cybersecurity for Network-Conne

45、ctable Products, Part 1: General Requirements, UL 2900-1. 12.3 Risk control 12.3.1 The risk controls identied in Sections711oftheStandard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, and the security capabilities of the Application of Risk Man

46、agement for IT-Networks Incorporating Medical Devices Part 2-2: Guidance for the Disclosure and Communication of Medical Device Security Needs, Risks and Controls, IEC/TR 80001-2-2, shall be considered for risk management. 12.3.2 Any security measures contraindicated by the risk analysis are to be d

47、esignated as Not Applicable (NA) with justication(s) in the Risk Management File or explanation of alternative measures. 12.3.3 A security risk management plan shall be constructed and documented to reect the following processes, including rationale for any qualitative or quantitative measures used:

48、 a) Identication of assets, threats, and vulnerabilities; b) Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients; c) Assessment of the likelihood of a threat and of a vulnerability being exploited; d) Determination of risk levels and suitable mitiga

49、tion strategies; and e) Assessment of residual risk and risk acceptance criteria. f) Security-relevant data logging when applicable 12.3.4 The vendor shall provide a risk management artifact to reect hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the product, including: a) A specic list of all cybersecurity risks that were considered in the design of the product; b) A specic list and justication

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1