
AAMI IEC 80001-2-8 pdf free download

Application of risk management for IT networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2.
1 Scope
This part of IEC 80001, which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and MEDICAL DEVICE manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2. Managing the RISK of connecting MEDICAL DEVICES to IT-NETWORKS requires the disclosure of security-related capabilities and RISKS. IEC TR 80001-2-2 presents a framework for this disclosure and the security dialog that surrounds the IEC 80001-1 RISK MANAGEMENT of IT-NETWORKS. IEC TR 80001-2-2 presents an informative set of common, descriptive security-related capabilities that are useful for gaining an understanding of user needs. This report addresses each of the SECURITY CAPABILITIES and identifies SECURITY CONTROLS for consideration by HDOs and MDMs during RISK MANAGEMENT activities, supplier selection, device selection, device implementation, operation, etc.
It is not intended that the security standards referenced herein are exhaustive of all useful standards; rather, the purpose of this technical report is to identify SECURITY CONTROLS, which exist in these particular security standards (listed in the introduction of this technical report), that apply to each of the SECURITY CAPABILITIES.
This report provides guidance to HDOs and MDMs for the selection and implementation of management, operational, administrative and technical SECURITY CONTROLS to protect the confidentiality, integrity, availability and accountability of data and systems during development, operation and disposal.
Not all 19 SECURITY CAPABILITIES are required in every case, and the SECURITY CAPABILITIES identified in this report should not be considered exhaustive in nature. The selection of SECURITY CAPABILITIES and SECURITY CONTROLS should be based on the RISK EVALUATION and the RISK tolerance, with consideration for protection of patient SAFETY, life and health. INTENDED USE, operational environment, network structure and local factors should also determine which SECURITY CAPABILITIES are necessary and which SECURITY CONTROLS most suitably assist in establishing that SECURITY CAPABILITY.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices — Part 1: Roles, responsibilities and activities
IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
DATA AND SYSTEMS SECURITY
operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
[SOURCE: IEC 80001-1:2010, 2.5]
3.2
EFFECTIVENESS
ability to produce the intended result for the patient and the RESPONSIBLE ORGANIZATION
[SOURCE: IEC 80001-1:2010, 2.6]
3.3
HARM
physical injury or damage to the health of people, or damage to property or the environment, or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEMS SECURITY
[SOURCE: IEC 80001-1:2010, 2.8]
3.4
HAZARD
potential source of HARM
[SOURCE: IEC 80001-1:2010, 2.9]
3.5
HEALTH DATA
PRIVATE DATA that indicates physical or mental health
Note 1 to entry: This term generically defines PRIVATE DATA and its subset, HEALTH DATA, within this report to permit users of this report to adapt it easily to different privacy compliance laws and regulations. For example, in Europe, the requirements might be taken and references changed to "Personal Data" and "Sensitive Data"; in the USA, HEALTH DATA might be changed to "Protected Health Information (PHI)" while making adjustments to text as necessary.
