Application of risk management for IT networks incorporating medical devices-Part 2-8: Application guidance-Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2
Publication Date: 1 January 2016
This part of IEC 80001, which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and MEDICAL DEVICE manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2. Managing the RISK in connecting MEDICAL DEVICES to IT-NETWORKS requires the disclosure of security-related capabilities and RISKS. IEC TR 80001-2-2 presents a framework for this disclosure and for the security dialog that surrounds the IEC 80001-1 RISK MANAGEMENT of IT-NETWORKS. IEC TR 80001-2-2 presents an informative set of common, descriptive security-related capabilities that are useful for gaining an understanding of user needs. This report addresses each of the SECURITY CAPABILITIES and identifies SECURITY CONTROLS for consideration by HDOs and MDMs during RISK MANAGEMENT activities, supplier selection, device selection, device implementation, operation, etc.
The security standards referenced herein are not intended to be an exhaustive list of all useful standards; rather, the purpose of this technical report is to identify the SECURITY CONTROLS, found in these particular security standards (listed in the introduction of this technical report), that apply to each of the SECURITY CAPABILITIES.
This report provides guidance to HDOs and MDMs for the selection and implementation of management, operational, administrative and technical SECURITY CONTROLS to protect the confidentiality, integrity, availability and accountability of data and systems during development, operation and disposal.
Not all 19 SECURITY CAPABILITIES are required in every case, and the SECURITY CAPABILITIES identified in this report should not be considered exhaustive. The selection of SECURITY CAPABILITIES and SECURITY CONTROLS should be based on the RISK EVALUATION and the RISK tolerance, with consideration for the protection of patient SAFETY, life and health. INTENDED USE, operational environment, network structure and local factors should also determine which SECURITY CAPABILITIES are necessary and which SECURITY CONTROLS most suitably assist in establishing each SECURITY CAPABILITY.