scope:

This standard specifies technical and operational requirements, as well as technical implementation procedures related to IT security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. This standard also provides guidance to meet and use existing technical standards for medical device IT security and recommendations for identifying the parties responsible for implementing these requirements.

The intended users for this standard are vendors (IVD system manufacturers), users (e.g., laboratory personnel), and IT management of healthcare organizations.

This standard is not intended for use as the final written policy for the healthcare organization. For example, local organizations will need to include in their own documentation the technical and process aspects of medical device security addressed by other standards organizations, such as ISO, IEEE, etc.

The suggested best practices contained in this document are based on the current state of technology at the time of publication. These best practices are distinguished from the requirements by a text box.

Some requirements, procedures, and guidelines specified by this standard may not be necessary or desired for IVD systems during clinical trials. The healthcare organization and vendor should clearly state in the corresponding contract how the standard would be applied during clinical trials.