BS PD ISO TR 80001-2-7-2015 Application of risk management for IT-networks incorporating medical devices Application guidance Guidance for Healthcare Delivery Organizations (HDOs) .pdf

1、BSI Standards PublicationApplication of risk management for IT-networksincorporating medical devices Application guidancePart 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1PD ISO/TR 80001-2-7:2015National forewordThis Published Doc

2、ument is the UK implementation of ISO/TR 80001-2-7:2015.The UK participation in its preparation was entrusted by TechnicalCommittee CH/62, Electrical Equipment in Medical Practice, to Sub-committee CH/62/1, Common aspects of Electrical Equipment used inMedical Practice.A list of organizations repres

3、ented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisions ofa contract. Users are responsible for its correct application. The British Standards Institution 2015.Published by BSI Standards Limited 2015ISBN 978 0 580 8

4、3412 7ICS 11.040.01, 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 31 March 2015.Amendments/corrigenda issued since publicationDate Text affectedPUBLI

5、SHED DOCUMENTPD ISO/TR 80001-2-7:2015 ISO 2015Application of risk management for IT-networks incorporating medical devices Application guidance Guidance for Healthcare Delivery Part 2-7: Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1Application du management du risque

6、aux rseaux des technologies de linformation contenant les dispositifs mdicaux Conseils pour les applications Partie 2-7: Directives de prestation de soins de sant organisations sur la faon de sauto-valuer leur conformit avec la norme IEC 80001-1TECHNICAL REPORTISO/TR 80001-2-7Reference number ISO/TR

7、 80001-2-7:2015(E)First edition 2015-04-01ISO/TR 80001-2-7:2015(E)ii ISO 2015 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2015All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechan

8、ical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11F

9、ax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandPD ISO/TR 80001-2-7:2015ISO/TR 80001-2-7:2015(E)Foreword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Assessment Method . 24.1 Prerequisites . 24.2 Assessment Method Overview 24.3 Ass

10、essment Stages . 34.3.1 Stage 1 Defining Assessment Scope . 34.3.2 Stage 2 Stakeholder Involvement . 34.3.3 Stage 3 Information Collection and Evaluation 34.3.4 Stage 4 Findings Report 34.3.5 Stage 5 Presentation of Findings 44.3.6 Stage 6 Improvement Plan (optional) 44.3.7 Stage 7 Follow-up Assessm

11、ent (optional) 44.4 Process attribute rating scale . 44.4.1 Rating of process attributes . 44.4.2 Process attribute rating values 44.5 Capability Levels 54.6 Tailoring the Assessment Method 5Annex A (informative) Assessment Method 7Annex B (informative) Process Reference Model .38Annex C (informativ

12、e) Process Assessment Model .50Annex D (informative) Abbreviations and Process Identifiers 100Bibliography . 102 ISO 2015 All rights reserved iiiContents PagePD ISO/TR 80001-2-7:2015ISO/TR 80001-2-7:2015(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of

13、national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. Inte

14、rnational organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those int

15、ended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see ww

16、w.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document

17、will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expre

18、ssions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information .The committee responsible for this document is ISO/TC 215, Heath informatics.ISO/IEC/TR 8000

19、1 consists of the following parts, under the general title Application of risk management for IT-networks incorporating medical devices: Part 1: Roles, responsibilities and activities Part 2-1: Step-by-step risk management of medical IT-networks; Practical applications and Examples Part 2-2: Guidanc

20、e for the communication of medical device security needs, risks and controls Part 2-3: Guidance for wireless networks Part 2-4: General implementation guidance for Healthcare Delivery Organizations Part 2-5: Application guidance Guidance for distributed alarm systems Part 2-6: Application guidance G

21、uidance for responsibility agreements Part 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1The following parts are under preparation: Part 2-8: Application guidance Guidance on standards for establishing the security capabilities ide

22、ntified in IEC 80001-2-2iv ISO 2015 All rights reservedPD ISO/TR 80001-2-7:2015ISO/TR 80001-2-7:2015(E)IntroductionThis part of ISO/TR 80001 provides guidance for a Healthcare Delivery Organization (HDO) that wishes to self-assess its implementation of the processes of IEC 80001-1. This part of ISO/

23、TR 80001 can be used to assess Medical IT-Network projects where IEC 80001-1 has been determined to be applicable. This part of ISO/TR 80001 provides an exemplar assessment method which includes a set of questions which can be used to assess the performance of risk management of a Medical IT-Network

24、 incorporating a medical device. This assessment method can be used in its presented form or can be tailored to meet the needs of a specific HDO. A Process Reference Model (PRM) and an example Process Assessment Model (PAM) that meet the requirements of ISO/IEC 15504-2 are included in the Appendices

25、 of this part of ISO/TR 80001. The PRM and PAM can be used to provide a standardized basis for tailoring the exemplar assessment method where required.This part of ISO/TR 80001 can be used in a number of ways including the following.a) The assessment method can be used to perform an assessment to de

26、termine conformance against IEC 80001-1.b) In instances where conformance has been established, the assessment method can also be used to assess risk management processes and determine the capability level at which these processes are being performed.c) Based on the context of the HDO being assessed

27、, the assessment method can be tailored to address the individual HDO use, needs and concerns.The results of the assessment will highlight any weaknesses within current risk management processes and can be used as a basis for the improvement of these processes. Where necessary, modification of the a

28、ssessment method can be undertaken with reference to the PRM and PAM for IEC 80001-1 which are also included in this part of ISO/TR 80001. This approach allows for a lightweight assessment approach to which more rigour can be added if required. For example, a re-assessment may be required in instanc

29、es where an initial assessment revealed weaknesses in the current risk management processes and improvements have subsequently been made which require re-assessment to assess their impact on conformance. A re-assessment may also be performed in instances where confirmation is required that process i

30、mprovement measures which have been undertaken have resulted in the achievement of a higher capability level.This part of ISO/TR 80001 provides the following: guidance for a HDO to self-assess implementation of the processes of IEC 80001-1; an exemplar assessment method which includes a set of quest

31、ions, can be used to assess the performance of risk management of a Medical IT-Network incorporating a medical device, can be used in its presented form, and can be tailored on a standardised basis using the included PRM and PAM; a PRM that meet the requirements of ISO/IEC 15504-2; an example PAM th

32、at meet the requirements of ISO/IEC 15504-2.NOTE This part of ISO/TR 80001 contains original material that is 2013, Dundalk Institute of Technology, Ireland. Permission is granted to ISO and IEC to reproduce and circulate this material, this being without prejudice to the rights of Dundalk Institute

33、 of Technology to exploit the original text elsewhere. ISO 2015 All rights reserved vPD ISO/TR 80001-2-7:2015Application of risk management for IT-networks incorporating medical devices Application guidance Part 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their c

34、onformance with IEC 80001-11 ScopeThe purpose of this part of ISO/TR 80001 is to provide guidance to HDOs on self-assessment of their conformance against IEC 80001-1.The purpose of this part of ISO/TR 80001 is toa) provide guidance to HDOs on self-assessment of their conformance against IEC 80001-1,

35、b) provide an exemplar assessment method which can be used by HDOs in varying contexts to assess themselves against IEC 80001-1,c) define a PRM comprising a set of processes, described in terms of process purpose and outcomes that demonstrate coverage of the requirements of IEC 80001-1, andd) define

36、 a PAM that meets the requirements of ISO/IEC 15504-2 and that supports the performance of an assessment by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in IEC 80001-1 (PRM) and the process attributes as defined in ISO/IEC 15504-2.This part

37、of ISO/TR 80001 does not introduce any requirements in addition to those expressed in IEC 80001-1.2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited ap

38、plies. For undated references, the latest edition of the referenced document (including any amendments) applies.Members of ISO and IEC maintain registers of currently valid International Standards.IEC 80001-1:2010, Application of Risk Management for IT-Networks incorporating Medical Devices Part 1:

39、Roles, responsibilities and activitiesISO/IEC 15504-1, Information technology Process assessment Part 1: Concepts and vocabularyISO/IEC 15504-2:2003, Information technology Process assessment Part 2: Performing an assessment3 Terms and definitionsFor the purposes of this document, the terms and defi

40、nitions given in ISO/IEC 15504-1 and IEC 80001-1 apply.TECHNICAL REPORT ISO/TR 80001-2-7:2015(E) ISO 2015 All rights reserved 1PD ISO/TR 80001-2-7:2015ISO/TR 80001-2-7:2015(E)4 Assessment Method4.1 PrerequisitesIn order to perform an assessment, an assessor is required. When performing an assessment

41、, it is preferable to have more than one assessor. In cases where the assessment is performed by more than one assessor, a lead assessor should be nominated. The need for multiple assessors is determined by the context of the HDO and the system under assessment. The context of the HDO and the scope

42、of the assessment also determine the need for the modification of the presented exemplar assessment method. In addition, to performing the assessment, the assessor should consider interacting with all relevant risk management stakeholders both those internal and external to the HDO. The assessor sho

43、uld also have access to all relevant materials related to the performance of risk management activities.4.2 Assessment Method OverviewThe use of an assessment method allows assessments to be performed in a consistent and repeatable manner. The assessment method which is presented in this part of ISO

44、/TR 80001 is based on the processes and practices as defined in the PRM and PAM which are presented in the appendices of this part of ISO/TR 80001. Figure 1 shows the 14 processes and their respective process categories which are contained in the PAM. The PAM, which can be found in Annex C, provides

45、 a full description of these processes including the activities (base practices) which must be performed to successfully achieve the purpose of the process. The assessment method consists of an approach to performing the assessment and a set of questions which allows the assessor to collect objectiv

46、e evidence to support an assessment of how each of the activities are being performed (and support the assignment of a capability rating to each process). On the basis of the evidence gathered during the assessment, the strengths and weaknesses of the processes can be identified and recommendations

47、can be made to improve risk management practices and conformance with IEC 80001-1.PAM Processes:Medical IT Network Risk Management Process Group (MRM)MRM.1Medical IT Network Risk Management ProcessMRM.1.1Risk Analysis lifecycle management of medical devices incorporated into IT networks; choice and

48、procurement of medical devices. Risk management activities require co-operation from management responsible for Medical IT-Networks, general IT networks, lifecycle management of medical devices connected to IT network, users of medical devices, and maintenance and technical support for medical devic

49、es.Table A.1 (continued)8 ISO 2015 All rights reservedPD ISO/TR 80001-2-7:2015ISO/TR 80001-2-7:2015(E)Technical Report: Section:IEC 800012-4 4.1 Top management ResponsibilitiesIEC 800012-4 4.2 Small Responsible Organization points to considerIEC 800012-4 4.3 Large Responsible Organization points to considerIEC 800012-4 5.3 Establish underlying risk frameworkIEC 800012-4 5.4.1 Performing a Risk AssessmentIEC 800012-4 5.4.2.3 Large Responsible Organization points to considerIE