Reference number ISO/TR 11633-2:2009(E)

TECHNICAL REPORT ISO/TR 11633-2
First edition 2009-11-15

Health informatics - Information security management for remote maintenance of medical devices and medical information systems
Part 2: Implementation of an information security management system (ISMS)

Contents

Foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviated terms
4 Application of ISMS to remote maintenance services
4.1 Overview
4.2 Compliance scope
4.3 Security policy
4.4 Assessing risks
4.5 Risks to be managed
4.6 Identification of risks that are not described in this part of ISO/TR 11633
4.7 Treating risks
5 Security management measures for remote maintenance services
6 Approving residual risks
7 Security audit
7.1 Security audit of remote maintenance services
7.2 Recommendation of security audit by third parties
Annex A (informative) Example of risk assessment in remote maintenance services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

In exceptional circumstances, when a technical committee has collected data of a different kind from that which is normally published as an International Standard ("state of the art", for example), it may decide by a simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely informative in nature and does not have to be reviewed until the data it provides are considered to be no longer valid or useful.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/TR 11633-2 was prepared by Technical Committee ISO/TC 215, Health informatics.

ISO/TR 11633 consists of the following parts, under the general title Health informatics - Information security management for remote maintenance of medical devices and medical information systems:
- Part 1: Requirements and risk analysis
- Part 2: Implementation of an information security management system (ISMS)

Introduction

Progress and spread of technology in information and communication fields, and the well-arranged infrastructure based on them, have brought various changes into modern society. In the healthcare field, information systems formerly closed within each healthcare facility are now connected by networks, and they are reaching the point of being able to facilitate mutual use of the health information accumulated in each information system. Such information and communication networks are spreading not only amongst healthcare facilities but also between healthcare facilities and vendors of medical devices or healthcare information systems. By practising so-called "remote maintenance services" (RMS), it becomes possible to reduce downtime and lower costs. However, such connections with external organizations have come to bring healthcare facilities and vendors not only benefits but also risks regarding the confidentiality, integrity and availability of information and systems, risks which previously received scant consideration.

Based on the information offered by this part of ISO/TR 11633, healthcare facilities and RMS providers will be able to perform the following activities:
- clarify risks originating from using the RMS, where the environmental conditions of the requesting vendor site (RSC) and the maintenance target healthcare facility site (HCF) can be selected from the catalogue in Annex A;
- grasp the essentials of selecting and implementing both technical and non-technical "controls" to be applied in their own facility against the risks described in this part of ISO/TR 11633;
- request concrete countermeasures from business partners, as this document can identify the relevant security risks;
- clarify the boundary of responsibility between the healthcare facility owner and the RMS provider;
- plan a programme for risk retention or transfer, as residual risks are clarified when selecting the appropriate "controls".

By implementing the risk assessment and employing "controls" with reference to this part of ISO/TR 11633, healthcare facility owners and RMS providers will be able to obtain the following benefits:
- it will only be necessary to do the risk assessment for those organizational areas where this part of ISO/TR 11633 is not applicable; therefore, the risk assessment effort can be significantly reduced;
- it will be easy to show the validity of the RMS security countermeasures to a third party;
- if providing RMS to two or more sites, the provider can apply countermeasures consistently and efficiently.

Health informatics - Information security management for remote maintenance of medical devices and medical information systems
Part 2: Implementation of an information security management system (ISMS)

1 Scope

This part of ISO/TR 11633 provides an example of selected and applied "controls" for RMS security based on the definition in the ISMS, on the basis of the risk analysis result described in ISO/TR 11633-1.

This part of ISO/TR 11633 excludes the handling of communication problems and the use of encryption methods.

This part of ISO/TR 11633 consists of:
- a catalogue of types of security environment in healthcare facilities and RMS providers;
- an example of combinations of threats and vulnerabilities identified under the environment in the "use cases";
- an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1
accountability
property that ensures that the actions of an entity may be traced uniquely to the entity
[ISO/IEC 13335-1:2004, definition 2.1]

2.2
asset
anything that is of value to the organization
NOTE 1 Adapted from ISO/IEC 13335-1.
NOTE 2 In the context of health information security, information assets include:
a) health information;
b) IT services;
c) hardware;
d) software;
e) communication facilities;
f) media;
g) IT facilities;
h) medical devices that record or report data.

2.3
assurance
result of a set of compliance processes through which an organization achieves confidence in the status of its information security management

2.4
availability
property of being accessible and usable upon demand by an authorized entity
[ISO 13335-1:2004, definition 2.4]

2.5
compliance assessment
processes by which an organization confirms that the information security controls put in place remain both operational and effective
NOTE Legal compliance relates specifically to the security controls put in place to deliver the requirements of relevant legislation such as the European Union Directive on the protection of personal data.

2.6
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
[ISO 13335-1:2004, definition 2.6]

2.7
data integrity
property that data have not been altered or destroyed in an unauthorized manner
[ISO/IEC 9797-1:1999, definition 3.1.1]

2.8
information governance
processes by which an organization obtains assurance that the risks to its information, and thereby the operational capabilities and integrity of the organization, are effectively identified and managed

2.9
information security
preservation of confidentiality, integrity and availability of information
NOTE Other properties, particularly accountability of users, but also authenticity, non-repudiation, and reliability, are often mentioned as aspects of information security, but could be considered as derived from the three core properties in the definition.

2.10
risk
combination of the probability of an event and its consequence
[ISO/IEC Guide 73:2002, definition 3.1.1]

2.11
risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002, definition 3.3.1]

2.12
risk management
coordinated activities to direct and control an organization with regard to risk
NOTE Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication.
[ISO/IEC Guide 73:2002, definition 3.1.7]

2.13
risk treatment
process of selection and implementation of measures to modify (typically reduce) risk
NOTE Adapted from ISO/IEC Guide 73:2002.

2.14
system integrity
property that a system performs its intended function in an unimpaired manner, free from deliberate or accidental unauthorized manipulation of the system

2.15
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
NOTE Adapted from ISO/IEC 13335-1.

2.16
vulnerability
weakness of an asset or group of assets that can be exploited by a threat
NOTE Adapted from ISO/IEC 13335-1.

3 Abbreviated terms

HCF Healthcare facility
ISP Information-stealing programme
ISMS Information security management system
PHI Personal health information
RMS Remote maintenance services
RSC Remote maintenance service centre
RSS Remote maintenance service security
VPN Virtual private network

4 Application of ISMS to remote maintenance services

4.1 Overview

The information security management system (ISMS) is a mechanism that operates as a series of plan/do/check/act processes under the security policy. This series of processes means that the organization plans out proper security measures (plan), puts those security measures into practice (do), reviews those security measures (check), and reconsiders them if necessary (act). The ISMS is already standardized internationally as ISO/IEC 27001; it is therefore convenient to construct and operate an ISMS with reference to ISO/IEC 27001. This also helps to persuade patients, medical treatment evaluation organizations, and others of the efficacy of the security measures. The general steps of ISMS construction are shown in Figure 1.

Figure 1 ISMS steps (figure not reproduced; the steps and the inputs and outputs it labels are listed here). The figure groups the following steps into three phases:
STEP 1 Defining the range to which the ISMS applies
STEP 2 Planning ISMS policies
STEP 3 Planning a systematic approach to risk assessment
STEP 4 Identifying risks
STEP 5 Performing risk treatment
STEP 6 Performing risk treatment
STEP 7 Selecting management goals and controls
STEP 8 Approving residual risks
STEP 9 Allowing ISMS to be carried out
STEP 10 Preparing a Statement of Applicability
Inputs and outputs shown in the figure: information assets, threats, vulnerabilities, effects; criteria for carrying out risk management (the organization's approach, method of analysis, and level of assurance required); list of management goals and possible controls; list of additional controls that are not in the ISMS criteria; range to which ISMS applies; policy statement; list of risks, inventory of assets; result report for risk assessment; result report for risk treatment; criteria for measures taken; Statement of Applicability; record of approving residual risks.

Security measures for protecting personal information in the remote maintenance services (RMS) are described below in accordance with the concepts