scope:

This standard specifies technical and operational requirements and technical implementation procedures related to information technology (IT) security of in vitro diagnostic (IVD) systems (devices, analytical instruments, data management systems, etc.) installed at a health care organization (HCO). This standard also provides guidance to meet and use existing technical standards for medical device IT security and recommendations for identifying the parties responsible for implementing these requirements.

The intended users for this standard are vendors (IVD system manufacturers), users (eg, laboratory personnel), and IT management of HCOs.

This standard is not intended for use as the final written policy for the HCO. For example, local organizations will need to include in their own documentation the technical and process aspects of medical device security addressed by other standards organizations, such as the International Organization for Standardization (ISO) and IEEE. In addition, this standard may not apply to certain devices used in health care (see Chapter 4.8).

The suggested best practices contained in this document are based on the state of technology at the time of publication. These best practices are distinguished from the requirements through their inclusion in a text box.

Some requirements, procedures, and guidelines specified by this standard may not be necessary or desired for IVD systems during clinical trials. The HCO and vendor should clearly state in the corresponding contract how the standard would be applied during clinical trials. In addition, some requirements, procedures, and guidelines specified by this standard may not be practical technically or financially for legacy IVD systems or HCO IT departments to implement. In these situations, the vendor and HCO will need to use their best judgment to decide what to implement. It will be important for the vendor and HCO to clearly document any deviations from the standard.