IEC/TR 80001-2-2
Edition 1.0 2012-07
TECHNICAL REPORT

Application of risk management for IT-networks incorporating medical devices
Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls

IEC/TR 80001-2-2:2012(E)

Copyrighted material licensed to BR Demo by Thomson Reuters (Scientific), Inc., downloaded on Nov-28-2014 by James Madison. No further reproduction or distribution is permitted. Uncontrolled when printed.

THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright 2012 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published.

Useful links:

IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.

Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.

INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XA
ICS 11.040.01
ISBN 978-2-83220-202-9

Warning! Make sure that you obtained this publication from an authorized distributor.

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Use of SECURITY CAPABILITIES
  4.1 Structure of a SECURITY CAPABILITY entry
  4.2 Guidance for use of SECURITY CAPABILITIES in the RISK MANAGEMENT PROCESS
  4.3 Relationship of ISO 14971-based RISK MANAGEMENT to IT security RISK MANAGEMENT
5 SECURITY CAPABILITIES
  5.1 Automatic logoff - ALOF
  5.2 Audit controls - AUDT
  5.3 Authorization - AUTH
  5.4 Configuration of security features - CNFS
  5.5 Cyber security product upgrades - CSUP
  5.6 HEALTH DATA de-identification - DIDT
  5.7 Data backup and disaster recovery - DTBK
  5.8 Emergency access - EMRG
  5.9 HEALTH DATA integrity and authenticity - IGAU
  5.10 Malware detection/protection - MLDP
  5.11 Node authentication - NAUT
  5.12 Person authentication - PAUT
  5.13 Physical locks on device - PLOK
  5.14 Third-party components in product lifecycle roadmaps - RDMP
  5.15 System and application hardening - SAHD
  5.16 Security guides - SGUD
  5.17 HEALTH DATA storage confidentiality - STCF
  5.18 Transmission confidentiality - TXCF
  5.19 Transmission integrity - TXIG
6 Example of detailed specification under SECURITY CAPABILITY: Person authentication - PAUT
7 References
8 Other resources
  8.1 General
  8.2 Manufacture disclosure statement for medical device security (MDS2)
  8.3 Application security questionnaire (ASQ)
  8.4 The Certification Commission for Healthcare Information Technology (CCHIT)
  8.5 http://www.cchit.org/get_certified HL7 Functional Electronic Health Record (EHR)
  8.6 Common criteria ISO/IEC 154