Abstract

Healthcare delivery organizations (HDOs, or hospitals) will soon begin to use IEC 80001-1:2010 to assist them in managing risks associated with medical IT networks—IT networks in their facilities that incorporate medical devices. Recent attention has been given to the dangers of, and the poor outcomes occasionally experienced when, in-hospital interconnection of medical devices is performed without due care. Cooper and Eagles related how the new standard will help to provide safer, more effective, and more secure operation of a medical IT network. Of course, the problems of incorporating a medical device onto an IT network are not confined to hospitals. With the global movement toward electronic medical records, it is likely that soon even the single practitioner may have a fairly sophisticated network as an integral part of the practice's infrastructure. Smaller practices are unlikely to have the resources to maintain an aggressive cybervigilance stance, and might welcome having much of the complexity associated with incorporating medical devices into their infrastructure managed by a transparent, open process. One of the first challenges in managing risk is assembling the information essential to the initial assessment of risk. For medical devices, this effort involves obtaining documentation and understanding of the device's intended use, instructions for use, security disclosures, and any other safety or effectiveness disclosures that may be available. Similar documents must be obtained or created for the target IT network, where the information sources may be internal, or may come from both internal service providers and IT vendors.
This paper discusses the nature and use of security risk disclosures under IEC 80001-1, with an emphasis on the use of common terminology to group together and discuss the security capabilities and/or requirements for medical devices that are risk-managed during the entire life cycle of connection to the medical IT network. It neither assumes nor promotes any particular security controls framework for the HDO or medical device manufacturer (MDM). Instead, it simply outlines a grouping of security capabilities of the medical device that are relevant to securing the IT-network-connected device throughout its life cycle. The article is an overview of an upcoming Technical Report from the IEC (publication likely in late 2011) and provides some information that may change before the release of the final report. However, we hope it provides an overview for HDOs, both big and small, to start thinking about organizing their IT network risk management activities to include security.

Managing Security Risks With 80001
