iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

IEC 80001-1:2021

(Main)

Application of risk management for IT-networks incorporating medical devices — Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software

Application of risk management for IT-networks incorporating medical devices — Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software

This document specifies general requirements for ORGANIZATIONS in the application of RISK MANAGEMENT before, during and after the connection of a HEALTH IT SYSTEM within a HEALTH IT INFRASTRUCTURE, by addressing the KEY PROPERTIES of SAFETY, EFFECTIVENESS and SECURITY whilst engaging appropriate stakeholders. IEC 80001-1:2021 cancels and replaces the first edition published in 2010. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: a) structure changed to better align with ISO 31000; b) establishment of requirements for an ORGANIZATION in the application of RISK MANAGEMENT; c) communication of the value, intention and purpose of RISK MANAGEMENT through principles that support preservation of the KEY PROPERTIES during the implementation and use of connected HEALTH SOFTWARE and/or HEALTH IT SYSTEMS.

Application de la gestion des risques aux réseaux des technologies de l’information contenant des dispositifs médicaux — Partie 1: Sûreté, efficacité et sécurité dans la mise en oeuvre et l'utilisation des dispositifs médicaux connectés ou des logiciels de santé connectés

Ce document spécifie des exigences générales au profit des ORGANISATIONS pour l’application de la GESTION DES RISQUES avant, pendant et après la connexion d’un SYSTEME TI DE SANTE au sein d’une INFRASTRUCTURE TI DE SANTE. Il traite des PROPRIETES CLES de SECURITE, d’EFFICACITE et de SURETE tout en impliquant les intervenants concernés. L'IEC 80001-1:2021 annule et remplace la première édition parue en 2010. Cette édition constitue une révision technique. Cette édition inclut les modifications techniques majeures suivantes par rapport à l'édition précédente: a) modification de la structure pour mieux s’aligner sur l’ISO 31000; b) établissement d’exigences en faveur d’une ORGANISATION dans l’application de la GESTION DES RISQUES; c) communication de la valeur, de l’objectif et de la finalité de la GESTION DES RISQUES à travers des principes qui favorisent la préservation des PROPRIETES CLES lors de la mise en œuvre et de l’utilisation des LOGICIELS DE SANTE et/ou SYSTEMES TI DE SANTE connectés.

General Information

Status
Published
Publication Date
21-Sep-2021
ICS
11.040.01 - Medical equipment in general
35.240.80 - IT applications in health care technology
Technical Committee
ISO/TC 215 - Health informatics
Drafting Committee
ISO/TC 215/JWG 7 - Joint ISO/TC 215 - IEC/SC 62A WG: Safe, effective and secure health software and health IT systems, including those incorporating medical devices
Parallel Committee
IEC/SC 62A - Common aspects of electrical equipment used in medical practice
Current Stage
6060 - International Standard published
Start Date
22-Sep-2021
Due Date
17-Oct-2020
Completion Date
22-Sep-2021
Ref Project

Relations

Consolidated By
ISO 56008:2024 - Innovation management — Tools and methods for innovation operation measurements — Guidance
Effective Date
06-Jun-2022
Revises
IEC 80001-1:2010 - Application of risk management for IT-networks incorporating medical devices — Part 1: Roles, responsibilities and activities
Effective Date
23-Jul-2016
IEC/FDIS 80001-1 - Safety, effectiveness and security in the implementation and use of connected medical devices or connected health softwareIEC/FDIS 80001-1 - Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software
PreviousNext
Draft
IEC/FDIS 80001-1 - Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software
English language
31 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


FINAL
INTERNATIONAL IEC/FDIS
DRAFT
STANDARD 80001-1
ISO/TC 215
Safety, effectiveness and security
Secretariat: ANSI
in the implementation and use
Voting begins on:
2021-02-12 of connected medical devices or
connected health software —
Voting terminates on:
2021-04-09
Part 1:
Application of risk management
Member bodies are requested to consult relevant national interests in IEC/SC
62A before casting their ballot to the e-Balloting application.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
IEC/FDIS 80001-1:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
©
NATIONAL REGULATIONS. IEC 2021

IEC/FDIS 80001-1:2021(E)
ii © IEC 2021 – All rights reserved

– 2 – IEC FDIS 80001-1 © IEC 2021
CONTENTS
FOREWORD . 4
INTRODUCTION . 7
1 Scope . 9
2 Normative references . 9
3 Terms and definitions . 9
4 Principles . 11
5 Framework . 12
5.1 General . 12
5.2 Leadership and commitment . 12
5.3 Integrating RISK MANAGEMENT . 12
5.4 Design/planning . 12
5.4.1 General . 12
5.4.2 RISK MANAGEMENT FILE . 13
5.4.3 Understanding the organization and the SOCIOTECHNICAL ECOSYSTEM . 13
5.4.4 Articulating RISK MANAGEMENT commitment . 14
5.4.5 Assigning organizational roles, authorities, responsibilities and
accountabilities . 14
5.4.6 Allocating resources . 15
5.4.7 Establishing communication and consultation . 15
5.5 Implementation . 15
5.6 Evaluation . 16
5.7 Improvement . 16
6 RISK MANAGEMENT PROCESS . 16
6.1 Generic requirements. 16
6.1.1 General . 16
6.1.2 RISK ANALYSIS . 17
6.1.3 RISK EVALUATION . 19
6.1.4 RISK CONTROL . 19
6.2 Lifecycle specific requirements . 22
6.2.1 General . 22
6.2.2 Acquisition . 22
6.2.3 Installation, customization and configuration . 22
6.2.4 Integration, data migration, transition and validation . 23
6.2.5 Implementation, workflow optimization and training . 23
6.2.6 Operation and maintenance . 23
6.2.7 Decommission . 25
Annex A (informative) IEC 80001-1 requirements mapping table . 26
Annex B (informative) Guidance for accompanying document Information . 33
B.1 Foreword . 33
B.2 Information system categorization . 34
B.3 Overview. 34
B.4 Reference documents . 34
B.5 System level description . 34
B.5.1 Environment description . 34
B.5.2 Network ports, protocols and services . 35

IEC FDIS 80001-1 © IEC 2021 – 3 –
B.5.3 Purpose of connection to the health IT infrastructure . 35
B.5.4 Networking requirements . 35
B.5.5 Required IT-network services . 35
B.5.6 Data flows and protocols . 35
B.6 Security and user access . 36
B.6.1 General . 36
B.6.2 Malware / antivirus / whitelisting . 36
B.6.3 Security exclusions . 36
B.6.4 System access . 36
B.7 RISK MANAGEMENT . 38
Bibliography . 39

Figure 1 – Lifecycle framework addressing safety, effectiveness and security of health

IT software and health IT systems. 8
Figure 2 – RISK MANAGEMENT PROCESS . 13

Table A.1 – IEC 80001-1 requirements table . 26
Table B.1 – Organization name and location . 33
Table B.2 – Cybersecurity device characterization level . 34
Table B.3 – Ports, protocols and services . 35
Table B.4 – Information system name and title . 36
Table B.5 – Roles and privileges . 37

– 4 – IEC FDIS 80001-1 © IEC 2021
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SAFETY, EFFECTIVENESS AND SECURITY IN THE IMPLEMENTATION
AND USE OF CONNECTED MEDICAL DEVICES
OR CONNECTED HEALTH SOFTWARE –

Part 1: Application of risk management

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent
rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 80001-1 has been prepared by a Joint Working Group of
Subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC
Technical Committee 62: Electrical equipment in medical practice, and of ISO Technical
Committee 215: Health informatics.
It is published as a double logo standard.
This second edition cancels and replaces the first edition published in 2010. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) structure changed to better align with ISO 31000;
b) establishment of requirements for an ORGANIZATION in the application of RISK MANAGEMENT;

IEC FDIS 80001-1 © IEC 2021 – 5 –
c) communication of the value, intention and purpose of RISK MANAGEMENT through principles
that support preservation of the KEY PROPERTIES during the implementation and use of
connected HEALTH SOFTWARE and/or HEALTH IT SYSTEMS.
The text of this document is based on the following documents:
FDIS Report on voting
62A/XX/FDIS 62A/XX/RVD
Full information on the voting for the approval of this document can be found in the report on
voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
In this document, the following print types are used:
• requirements and definitions: roman type;
• test specifications: italic type;
• informative material appearing outside of tables, such as notes, examples and references: in smaller type.
Normative text of tables is also in a smaller type;
• TERMS DEFINED IN CLAUSE 3 OF THIS DOCUMENT OR AS NOTED ARE PRINTED IN SMALL CAPITALS.
In referring to the structure of this document, the term
• “clause” means one of the five numbered divisions within the table of contents, inclusive of
all subdivisions (e.g. Clause 5 includes subclauses 5.1, 5.2, etc.);
• “subclause” means a numbered subdivision of a clause (e.g. 5.1, 5.2 and 5.3 are all
subclauses of Clause 5).
References to clauses within this document are preceded by the term “Clause” followed by the
clause number. References to subclauses within this particular standard are by number only.
In this document, the conjunctive “or” is used as an “inclusive or” so a statement is true if any
combination of the conditions is true.
The verbal forms used i
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
IEC/TR 80001-2-9:2017(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-9: Application guidance — Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities

IEC TR 80001-2-9:2017(E) establishes a security case framework and provides guidance to health care delivery organizations (HDO) and medical device manufacturers (MDM) for identifying, developing, interpreting, updating and maintaining security cases for networked medical devices. Use of this part of 80001 is intended to be one of the possible means to bridge the gap between MDMs and HDOs in providing adequate information to support the HDOs risk management of IT-networks. This document leverages the requirements set out in ISO/IEC 15026-2 for the development of assurance cases. It is not intended that this security case framework will replace a risk management strategy, rather, the intention is to complement risk management and in turn provide a greater level of assurance for a medical device by: - mapping specific risk management steps to each of the IEC TR 80001-2-2 security capabilities, identifying associated threats and vulnerabilities and presenting them in the format of a security case with the inclusion of a re-useable security pattern; - providing guidance for the selection of appropriate security controls to establish security capabilities and presenting them as part of the security case pattern (IEC TR 80001-2-8 provides examples of such security controls); - providing evidence to support the implementation of a security control, hence providing confidence in the establishment of each of the security capabilities. The purpose of developing the security case is to demonstrate confidence in the establishment of IEC TR 80001-2-2 security capabilities. The quality of artifacts gathered and documented during the development of the security case is agreed and documented as part of a responsibility agreement between the relevant stakeholders. This document provides guidance for one such methodology, through the use of a specific security pattern, to develop and interpret security cases in a systematic manner.

  • Technical report
    28 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-8:2016(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-8: Application guidance — Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2

IEC TR 80001-2-8:2016(E), which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2.

  • Technical report
    43 pages
    English language
    sale 15% off
ISO
ISO/TR 80001-2-7:2015(Main)
Application of risk management for IT-networks incorporating medical devices — Application guidance — Part 2-7: Guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC 80001-1

ISO/TR 80001-2-7:2015 is to provide guidance to HDOs on self-assessment of their conformance against IEC 80001‑1.

  • Technical report
    102 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-5:2014(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-5: Application guidance — Guidance for distributed alarm systems

IEC TR 80001-2-5:2014(E) which is a technical report, gives guidance and practical techniques for responsible organizations, medical device manufacturers and providers of other information technology in the application of IEC 80001-1:2010 for the risk management of distributed alarm systems. This technical report applies to the transmission of alarm conditions between sources, integrator and communicators where at least one source is a medical device and at least one communication path utilizes a medical IT-network. This technical report provides recommendations for the integration, communication of responses and redirection (to another operator) of alarm conditions from one or more sources to ensure safety and effectiveness. Data and systems security is an important consideration for the risk management of distributed alarm systems.

  • Technical report
    33 pages
    English language
    sale 15% off
ISO
ISO/TR 80001-2-6:2014(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-6: Application guidance — Guidance for responsibility agreements

ISO/TR 80001-2-6:2014 provides guidance on implementing RESPONSIBILITY AGREEMENTS, which are described in IEC 80001-1 as used to establish the roles and responsibilities among the stakeholders engaged in the incorporation of a MEDICAL DEVICE into an IT-NETWORK in order to support compliance to IEC 80001-1. Stakeholders may include RESPONSIBLE ORGANIZATIONS, IT suppliers, MEDICAL DEVICE manufacturers and others. The goal of the RESPONSIBILITY AGREEMENT is that these roles and responsibilities should cover the complete lifecycle of the resulting MEDICAL IT-NETWORK.

  • Technical report
    15 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-4:2012(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-4: General implementation guidance for Healthcare Delivery Organizations

IEC/TR 80001-2-4:2012(E), which is a technical report, provides guidance to help a healthcare delivery organization fulfilling its obligations as a responsible organization in the application of IEC 80001-1. A healthcare delivery organization includes hospitals, doctors' offices, community care homes and clinics. Specifically, this guide helps the healthcare delivery organization assess the impact of IEC 80001-1 on the organization and establish a series of business as usual processes to manage RISK in the creation, maintenance and upkeep of its medical IT-networks. This technical report will be useful to those responsible for establishing an IEC 80001-1 compliant risk management framework within a healthcare delivery organization that is expecting to establish one or more medical IT-networks. It provides help through the key decisions and steps required to establish a risk management framework, before the organization embarks on a detailed risk assessment of an individual instance of a medical IT-network. The steps are supported by a series of decision points to steer the responsible organization through the process of understanding the medical IT-network context and identifying any organizational changes required to execute the responsibilities of top management.

  • Technical report
    18 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-2:2012(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls

IEC/TR 80001-2-2:2012(E), which is a technical report, creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls. Intended use and local factors determine which exact capabilities will be useful in the dialog about risk. The capability descriptions in this report are intended to supply health delivery organizations (HDOs), medical device manufacturers (MDMs), and IT vendors with a basis for discussing risk and their respective roles and responsibilities toward its management. This discussion among the risk partners serves as the basis for one or more responsibility agreements as specified in IEC 80001-1.

  • Technical report
    48 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-3:2012(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-3: Guidance for wireless networks

IEC/TR 80001-2-3:2012(E), which is a technical report, supports the Healthcare Delivery Organizations (HDO) in the risk management of medical IT-networks that incorporate one or more wireless links. The report, as part of IEC 80001, considers the use of wirelessly networked medical devices on a medical IT-network and offers practical techniques to address the unique risk management requirements of operating wirelessly enabled medical devices in a safe, secure and effective manner. The targeted audience for this technical report is the HDO IT department, biomedical and clinical engineering departments, risk managers, and the people responsible for design and operation of the wireless IT network.

  • Technical report
    41 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-1:2012(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical Applications and Examples

IEC/TR 80001-2-1:2012(E), which is a technical report, is a step-by-step guide to help in the application of risk management when creating or changing a medical IT-network. It provides easy to apply steps, examples, and information helping in the identification and control of risks. All relevant requirements in IEC 80001-1:2010 are addressed and links to other clauses and subclauses of IEC 80001-1 are addressed where appropriate (e.g. handover to release management and monitoring). This technical report focuses on practical risk management. It is not intended to provide a full outline or explanation of all requirements that are satisfactorily covered by IEC 80001-1. This step-by-step guidance follows a 10-step process that follows subclause 4.4 of IEC 80001-1:2010, which specifically addresses risk analysis, risk evaluation and risk control. These activities are embedded within the full life cycle risk management process. They can never be the first step, as risk management follows the general process model which sets planning before any action.

  • Technical report
    59 pages
    English language
    sale 15% off
ISO
IEC/TR 80001-2-9:2017(Main)
Application of risk management for IT-networks incorporating medical devices — Part 2-9: Application guidance — Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities

IEC TR 80001-2-9:2017(E) establishes a security case framework and provides guidance to health care delivery organizations (HDO) and medical device manufacturers (MDM) for identifying, developing, interpreting, updating and maintaining security cases for networked medical devices. Use of this part of 80001 is intended to be one of the possible means to bridge the gap between MDMs and HDOs in providing adequate information to support the HDOs risk management of IT-networks. This document leverages the requirements set out in ISO/IEC 15026-2 for the development of assurance cases. It is not intended that this security case framework will replace a risk management strategy, rather, the intention is to complement risk management and in turn provide a greater level of assurance for a medical device by: - mapping specific risk management steps to each of the IEC TR 80001-2-2 security capabilities, identifying associated threats and vulnerabilities and presenting them in the format of a security case with the inclusion of a re-useable security pattern; - providing guidance for the selection of appropriate security controls to establish security capabilities and presenting them as part of the security case pattern (IEC TR 80001-2-8 provides examples of such security controls); - providing evidence to support the implementation of a security control, hence providing confidence in the establishment of each of the security capabilities. The purpose of developing the security case is to demonstrate confidence in the establishment of IEC TR 80001-2-2 security capabilities. The quality of artifacts gathered and documented during the development of the security case is agreed and documented as part of a responsibility agreement between the relevant stakeholders. This document provides guidance for one such methodology, through the use of a specific security pattern, to develop and interpret security cases in a systematic manner.

  • Technical report
    28 pages
    English language
    sale 15% off