    ANSI UL 2900-2-1-2017 UL Standard for Safety Software Cybersecurity for Network-Connectable Products Part 2-1 Particular Requirements for Network Connectable Components of Healthca.pdf
UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, STANDARD FOR SAFETY

UL Standard for Safety for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, UL 2900-2-1, First Edition, Dated September 1, 2017

Summary of Topics

This is the First Edition of the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, ANSI/UL 2900-2-1.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical photocopying, recording, or otherwise without prior permission of UL.

UL provides this Standard "as is" without warranty of any kind, either expressed or implied, including but not limited to, the implied warranties of merchantability or fitness for any purpose. In no event will UL be liable for any special, incidental, consequential, indirect or similar damages, including loss of profits, lost savings, loss of data, or any other damages arising out of the use of or the inability to use this Standard, even if UL or an authorized UL representative has been advised of the possibility of such damage. In no event shall UL's liability for any damage ever exceed the price paid for this Standard, regardless of the form of the claim.

Users of the electronic versions of UL's Standards for Safety agree to defend, indemnify, and hold UL harmless from and against any loss, expense, liability, damage, claim, or judgment (including reasonable attorney's fees) resulting from any error or deviation introduced while purchaser is storing an electronic Standard on the purchaser's computer system.

UL 2900-2-1 Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, First Edition, September 1, 2017

This ANSI/UL Standard for Safety consists of the First Edition. The most recent designation of ANSI/UL 2900-2-1 as an American National Standard (ANSI) occurred on September 1, 2017. ANSI approval for a standard does not include the Cover Page, Transmittal Pages, and Title Page.

Comments or proposals for revisions on any part of the Standard may be submitted to UL at any time. Proposals should be submitted via a Proposal Request in UL's On-Line Collaborative Standards Development System (CSDS) at https:/.

UL's Standards for Safety are copyrighted by UL. Neither a printed nor electronic copy of a Standard should be altered in any way. All of UL's Standards and all copyrights, ownerships, and rights regarding those Standards shall remain the sole and exclusive property of UL.

COPYRIGHT 2017 UNDERWRITERS LABORATORIES INC. ANSI/UL 2900-2-1-2017

CONTENTS

INTRODUCTION
1 Scope ... 4
2 Normative References ... 4
3 Glossary ... 5

DOCUMENTATION FOR PRODUCT, PROCESSES, AND USE
4 Product Documentation ... 5
5 Process Documentation ... 5
6 Documentation for Product Use ... 5
6.1 Safety-related security considerations for product use ... 5
6.2 Instructions ... 6

SECURITY CONTROLS
7 General ... 6
8 Access Control, User Authentication, and User Authorization ... 6
9 Remote Communication ... 6
10 Cryptography ... 6
11 Product Management ... 7

PRODUCT ASSESSMENT
12 Safety-Related Security Risk Management ... 7
12.1 Risk analysis ... 7
12.2 Risk evaluation ... 8
12.3 Risk control ... 8
12.4 Coverage of security analysis and testing ... 9
13 Known Vulnerability Testing ... 12
14 Malware Testing ... 12
15 Malformed Input Testing ... 12
16 Structured Penetration Testing ... 13
17 Software Weakness Analysis ... 14
18 Static Source Code Analysis ... 14
19 Static Binary and Bytecode Analysis ... 14

ORGANIZATIONAL ASSESSMENT
20 Lifecycle Security Processes ... 14
20.1 Quality management processes ... 14
20.2 General procurement processes ... 14
20.3 Procurement risk management process ... 15
20.4 Product update release and patch management process ... 15
20.5 Decommissioning process ... 15
20.6 Packaging and shipment ... 16

INTRODUCTION

NOTE: This Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, is to be used in conjunction with the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1. The requirements for network connectable components of healthcare systems are contained in this Part 2 standard and UL 2900-1. Requirements of this Part 2 standard, where stated, amend the requirements of UL 2900-1. Where a particular subclause of UL 2900-1 is not mentioned in UL 2900-2-1, the UL 2900-1 subclause applies.

1 Scope

1.1 This security evaluation standard applies to the testing of network connected components of healthcare systems. It applies to, but is not limited to, the following key components:
a) Medical devices;
b) Accessories to medical devices;
c) Medical device data systems;
d) In vitro diagnostic devices;
e) Health information technology; and
f) Wellness devices.

2 Normative References

2.1 The Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, shall be applied as specified in this standard.
2.2 The Standard for Medical Devices – Application of Risk Management to Medical Devices, ISO 14971:2007, shall be applied as specified in this standard.
2.3 The Standard for Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes, ISO 13485:2003, shall be applied as specified in this standard.
2.4 The Standard for Medical Device Software – Software Life Cycle Processes, IEC 62304:2006, shall be applied as specified in this standard.

3 Glossary

3.1 BASIC SAFETY – Freedom from unacceptable risk, for those risks that are not directly related to the intended use of the product.
3.2 ESSENTIAL PERFORMANCE – Performance, other than that related to BASIC SAFETY, whose loss or degradation beyond the limits specified by the MANUFACTURER results in an unacceptable risk. [IEC 60601-1 Ed3.1]
3.3 MANUFACTURER – See VENDOR.
3.4 RISK MANAGEMENT FILE – Set of records and other documents that are produced by risk management. [EN ISO 14971:2012]

DOCUMENTATION FOR PRODUCT, PROCESSES, AND USE

4 Product Documentation

4.1 Product documentation shall meet the requirements of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below.
4.2

5 Process Documentation

5.1 Process documentation shall meet the requirements of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, except as noted in the clauses below.

6 Documentation for Product Use

6.1 Safety-related security considerations for product use
6.1.1 Intended use of the product as indicated in the Risk Management File (RMF)
6.1.1.1 A statement of the product's intended use shall be included in the Risk Management File.
6.1.1.2 Jurisdiction-specific definitions for intended use and indications for use shall be provided in the Risk Management File.
6.1.1.3 The product's intended use statement shall indicate essential performance that may be impacted by security breach.
6.1.2 Environment in which the product is intended to be used
6.1.2.1 The product's assumptions regarding the environment within which it is intended to be operated shall be enumerated.
6.1.2.2 The product's indications for use statement shall identify security capabilities and constraints relative to assumptions regarding the environment within which it is intended to be operated.
6.2 Instructions
6.2.1 Instructions on means to over-ride security measures when necessary for patient safety per 12.4.1.7 and 12.4.2.6 shall be communicated to intended stakeholders with security controls as described in the Risk Management File.

SECURITY CONTROLS

7 General

7.1 The product shall comply with the requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 7, except as noted in the clauses below.

8 Access Control, User Authentication, and User Authorization

8.1 The product shall comply with the requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 8, except as noted in the clauses below.

9 Remote Communication

9.1 The product shall comply with the remote communication requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 9, except as noted in the clauses below.

10 Cryptography

10.1 The product shall comply with the cryptography requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 10, except as noted in the clauses below.

11 Product Management

11.1 The product shall comply with the product management requirements of the Standard for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1, Section 11, except as noted in the clauses below.

PRODUCT ASSESSMENT

12 Safety-Related Security Risk Management

12.1 Risk analysis
12.1.1 The product shall comply with the applicable requirements of the Standard for Medical Devices – Application of Risk Management to Medical Devices, ISO 14971, or the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, Section 12, Vendor Product Risk Management Process.
NOTE: Information Technology network risks per the Standard for Application of Risk Management for IT-Networks Incorporating Medical Devices – Part 1: Roles, Responsibilities and Activities, IEC 80001-1, should be considered as part of product risk management.
12.1.2 A risk management file shall be constructed in accordance with the Standard for Medical Devices – Application of Risk Management to Medical Devices, ISO 14971, risk management process, and it shall specifically include the following elements with regard to security:
a) Security risk analysis;
NOTE: The security risk analysis should consider defense-in-depth, also known as layer of protection analysis (LOPA) [1].
b) Security risk evaluation;
c) Security risk control;
NOTE: Security risk controls should consider a defense-in-depth strategy to minimize impact of a breach.
d) Production and post-production security information;
e) Verification and validation of security risk controls; and
NOTE: Validation demonstrates an implementation that satisfies system requirements.
f) Analysis of the acceptability of residual security risk.
[1] See the IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector standards.
12.1.3 Processes for Quality Management (QM) shall reflect:
a) Allocation of adequate security resources to product development;
NOTE: Compliance can be determined by demonstrating compliance with Clauses 13-20 of this standard.
b) Establishing policies and criteria for security risk acceptability for the product based on applicable international, national or regional regulations; and
c) Ongoing re-assessment of the continued suitability of the security risk management process at planned intervals, including documentation of decisions and actions taken.
12.2 Risk evaluation
12.2.1 The risk evaluation shall be conducted in accordance with 12.3 and 12.4 in the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.
12.3 Risk control
12.3.1 The risk controls identified in Sections 7 – 11 of the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, and the security capabilities of the Application of Risk Management for IT-Networks Incorporating Medical Devices – Part 2-2: Guidance for the Disclosure and Communication of Medical Device Security Needs, Risks and Controls, IEC/TR 80001-2-2, shall be considered for risk management.
12.3.2 Any security measures contraindicated by the risk analysis are to be designated as Not Applicable (NA) with justification(s) in the Risk Management File or explanation of alternative measures.
12.3.3 A security risk management plan shall be constructed and documented to reflect the following processes, including rationale for any qualitative or quantitative measures used:
a) Identification of assets, threats, and vulnerabilities;
b) Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
c) Assessment of the likelihood of a threat and of a vulnerability being exploited;
d) Determination of risk levels and suitable mitigation strategies; and
e) Assessment of residual risk and risk acceptance criteria.
f) Security-relevant data logging when applicable
12.3.4 The vendor shall provide a risk management artifact to reflect hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the product, including:
a) A specific list of all cybersecurity risks that were considered in the design of the product;
b) A specific list and justification