ImageVerifierCode 换一换
格式:PDF , 页数:56 ,大小:411.47KB ,
资源ID:588945      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-588945.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS PD IEC TR 80001-2-8-2016 Application of risk management for IT-networks incorporating medical devices Application guidance Guidance on standards for establishing the security ca.pdf)为本站会员(fatcommittee260)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS PD IEC TR 80001-2-8-2016 Application of risk management for IT-networks incorporating medical devices Application guidance Guidance on standards for establishing the security ca.pdf

1、Application of risk managementfor IT-networks incorporatingmedical devicesPart 2-8: Application guidance Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2PD IEC/TR 80001-2-8:2016BSI Standards PublicationNational forewordThis Published Document is the UK

2、implementation of IEC/TR80001-2-8:2016.The UK participation in its preparation was entrusted by TechnicalCommittee CH/62, Electrical Equipment in Medical Practice, toSubcommittee CH/62/1, Common aspects of Electrical Equipment used inMedical Practice.A list of organizations represented on this commi

3、ttee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisions ofa contract. Users are responsible for its correct application. The British Standards Institution 2016.Published by BSI Standards Limited 2016ISBN 978 0 580 87358 4ICS 11.040.01

4、Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 31 May 2016.Amendments/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENTPD IEC/TR 80001-2-8

5、:2016IEC TR 80001-2-8 Edition 1.0 2016-05 TECHNICAL REPORT Application of risk management for IT-networks incorporating medical devices Part 2-8: Application guidance Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2 INTERNATIONAL ELECTROTECHNICAL COMMIS

6、SION ICS 11.040.01 ISBN 978-2-8322-3412-9 Warning! Make sure that you obtained this publication from an authorized distributor. PD IEC/TR 80001-2-8:2016 2 IEC TR 80001-2-8:2016 IEC 2016 CONTENTS FOREWORD . 4 INTRODUCTION . 6 1 Scope 9 2 Normative references. 9 3 Terms and definitions 10 4 Guidance f

7、or establishing SECURITY CAPABILITIES 13 4.1 General . 13 4.2 Automatic logoff ALOF . 14 4.3 Audit controls AUDT . 15 4.4 Authorization AUTH 17 4.5 Configuration of security features CNFS . 19 4.6 Cyber security product upgrades CSUP 21 4.7 HEALTH DATA de-identification DIDT . 24 4.8 Data backup and

8、 disaster recovery DTBK . 25 4.9 Emergency access EMRG 27 4.10 HEALTH DATA integrity and authenticity IGAU . 28 4.11 Malware detection/protection MLDP 30 4.12 Node authentication NAUT . 32 4.13 Person authentication PAUT . 35 4.14 Physical locks on device PLOK . 37 4.15 Third-party components in pro

9、duct lifecycle roadmaps RDMP 39 4.16 System and application hardening SAHD 42 4.17 Security guides SGUD 44 4.18 HEALTH DATA storage confidentiality STCF . 47 4.19 Transmission confidentiality TXCF 48 4.20 Transmission integrity TXIG 50 Bibliography . 51 Table 1 ALOF controls . 14 Table 2 AUDT contro

10、ls . 16 Table 3 AUTH controls . 18 Table 4 CNFS controls . 20 Table 5 CSUP controls . 22 Table 6 DIDT controls 24 Table 7 DTBK controls . 26 Table 8 EMRG controls 28 Table 9 IGAU controls 29 Table 10 MLDP controls . 30 Table 11 NAUT controls . 33 Table 12 PAUT controls . 36 Table 13 PLOK controls .

11、38 Table 14 RDMP controls 40 Table 15 SAHD controls . 43 PD IEC/TR 80001-2-8:2016IEC TR 80001-2-8:2016 IEC 2016 3 Table 16 SGUD controls. 45 Table 17 STCF controls . 48 Table 18 TXCF controls . 49 Table 19 TXIG controls 50 PD IEC/TR 80001-2-8:2016 4 IEC TR 80001-2-8:2016 IEC 2016 INTERNATIONAL ELECT

12、ROTECHNICAL COMMISSION _ APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES Part 2-8: Application guidance Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2 FOREWORD 1) The International Electrotechnical Commission (IEC) is a wo

13、rldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other

14、 activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the su

15、bject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions d

16、etermined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Co

17、mmittees. 3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in wh

18、ich they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Public

19、ation and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is n

20、ot responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its techn

21、ical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC

22、Publications. 8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subjec

23、t of patent rights. IEC shall not be held responsible for identifying any or all such patent rights. The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a diffe

24、rent kind from that which is normally published as an International Standard, for example “state of the art“. IEC 80001-2-8, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical

25、equipment in medical practice, and ISO technical committee 215: Health informatics.1)_ 1)This document contains original material that is 2013, Dundalk Institute of Technology, Ireland. Permission is granted to ISO and IEC to reproduce and circulate this material, this being without prejudice to the

26、 rights of Dundalk Institute of Technology to exploit the original text elsewhere. PD IEC/TR 80001-2-8:2016IEC TR 80001-2-8:2016 IEC 2016 5 It is published as a double logo technical report. The text of this technical report is based on the following documents of IEC: Enquiry draft Report on voting

27、62A/1018/DTR 62A/1043A/RVCFull information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table. In ISO, the standard has been approved by 14 P-members out of 31 having cast a vote. This publication has been drafted in accordance w

28、ith the ISO IEC Directives, Part 2. Terms used throughout this technical report that have been defined in Clause 3 appear in SMALL CAPITALS. A list of all parts of the IEC 80001 series, published under the general title Application of risk management for it-networks incorporating medical devices, ca

29、n be found on the IEC website. The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be g120 reconfi

30、rmed, g120 withdrawn, g120 replaced by a revised edition, or g120 amended. A bilingual version of this publication may be issued at a later date. PD IEC/TR 80001-2-8:2016 6 IEC TR 80001-2-8:2016 IEC 2016 INTRODUCTION The IEC 80001-1 standard, the Application of risk management to IT-networks incorpo

31、rating medical devices, provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. IEC TR 80001-2-2, the Application of risk management for IT-networks incorporating medical devices Part 2-2: Guidance for the disclosure and communication of medical device security needs, risk

32、s and controls is a technical report that provides additional guidance in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT PROCESS and stakeholder communications and agreements. This technical report provides guidance for the establishme

33、nt of each of the SECURITY CAPABILITIES presented in IEC TR 80001-2-2. IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting point for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholder

34、s involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include ac

35、cording to their RISK tolerance and available resources. This documentation can be used by HDOs as input to their IEC 80001 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders. Other IEC 80001 technical reports will provide step-by-step guidance in the RISK MANAGEMENT PROCES

36、S. IEC TR 80001-2-2 SECURITY CAPABILITIES encourage the disclosure of more detailed SECURITY CONTROLS. This technical report identifies SECURITY CONTROLS from key security standards which aim to provide guidance to a RESPONSIBLE ORGANIZATION when adapting the framework outlined in IEC TR 80001-2-2.

37、The framework outlined in IEC TR 80001-2-2 requires shared responsibility between HDOs and MEDICAL DEVICE manufacturers (MDMs). Similarly, this guidance applies to both stakeholders, as a shared responsibility, to ensure safe MEDICAL DEVICE IT networks. In order to build a secure MEDICAL DEVICE IT n

38、etwork a joint effort from both stakeholders is required. A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or organizational SECURITY CONTROLS2)required to manage RISKS to confidentiality, integrity, availability and accountability o

39、f data and systems. This document presents these categories of SECURITY CONTROLS prescribed for a system and the operational environment to establish SECURITY CAPABILITIES to protect the confidentiality, integrity, availability and accountability of data and systems. The SECURITY CONTROLS support th

40、e maintenance of confidentiality and the protection from malicious intrusion that might lead to compromises in integrity or system/data availability. The SECURITY CONTROLS for each SECURITY CAPABILITY can be added to as the need arises3). Controls are intended to protect both data and systems but sp

41、ecial attention is given to the protection of both PRIVATE DATA and its subset called HEALTH DATA. In addition to providing a basis for discussing RISK and respective roles and responsibilities toward RISK MANAGEMENT, this report is intended to supply: a) Health Delivery Organizations (HDOs) with a

42、catalogue of management, operational and administrative SECURITY CONTROLS to maintain the EFFECTIVENESS of a SECURITY CAPABILITY for a MEDICAL DEVICE on a MEDICAL DEVICE IT-NETWORK; b) MEDICAL DEVICE manufacturers (MDMs) with a catalogue of technical SECURITY CONTROLS for the establishment of each o

43、f the 19 SECURITY CAPABILITIES. _ 2)For the purpose of consistency throughout this report, the term SECURITY CONTROLS refers to the technical, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES. 3)The selection of SECURITY CAPABILITIES and SECURITY CO

44、NTROLS will vary due to the diversity of MEDICAL DEVICE products and context in relation to environment and INTENDED USE. Therefore, this technical report is not intended as a “one size fits all” solution. PD IEC/TR 80001-2-8:2016IEC TR 80001-2-8:2016 IEC 2016 7 This report presents the 19 SECURITY

45、CAPABILITIES, their respective “requirement goal” and “user need” (identical to that in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards. The security standards used for mapping SECURITY CONTROLS to SECURITY CAPABILITIES include4): g120 NIST SP 800

46、-53, Revision 4, Recommended Security Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 covers the steps in the RISK MANAGEMENT Framework that address SECURITY CONTROL selection for federal information systems in accordance with the security requirements in F

47、ederal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline SECURITY CONTROLS based on a FIPS 199 worst-case impact analysis, tailoring the baseline SECURITY CONTROLS, and supplementing the SECURITY CONTROLS based on an organizational assessment of RISK. The

48、 security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability. g120 ISO IEC 15408-2:2008, Information technology Security techniques Evaluation criteria for IT security Part 2: Security functional components This standard defines the con

49、tent and presentation of the security functional requirements to be assessed in a security evaluation using ISO IEC 15408. It contains a comprehensive catalogue of predefined security functional components that will fulfil the most common security needs of the marketplace. These are organized using a hierarchical structure of classes, families and components, and supported by comprehensive user notes. This standard also pr

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1