Wednesday, November 24, 2010

IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network

The history of IEC 80001 is best summarized by Nick Mankovich, Sr. Dir. Product Security and Privacy, Philips Healthcare, in a white paper he wrote for "Information Security Magazine". I have worked side by side with Nick on this standard and want to give him every credit I can for being the lead on the integration of Security Risks. He was recognized as one of the Information Security magazine Security 7 Award winners.
Less than five years ago, Brian Fitzgerald of the U.S. Food and Drug Administration called together a diverse mix of health care folks to talk about the harm that was being done from poor networking of medical devices in hospitals. His agency had reports of injury and death as a result of improperly connected networked devices. In that first brainstorming meeting of December 2005, there were biomedical engineers, IT professionals, regulatory specialists, medical device risk management specialists, security professionals, and medical device engineering staff. Brian urged us to organize and do something to help the world avoid this harm. To avoid international mismatches and "not invented here" issues in government regulatory authorities, he suggested this be pursued as a global standard. Five years later, we are very close to the final vote on the first international standard to address the Application of Risk Management to IT-networks Incorporating Medical Devices (IEC-80001-1).
It was approved September 24th. Nick continues:
This standard lifts security and privacy risk out of the afterthought category into the mainstream of health care delivery. It does this by building around the principle that decisions in any new device integration project in health care need to be built around some simple concepts. In the parlance of IEC-80001-1, medical IT-network risk management proceeds with a careful examination and understanding of three key properties: (1) safety, (2) effectiveness and (3) data and systems security. By considering all three, we can first "do no harm" while effectively delivering on the organization's health care mission. This is done with careful and explicit treatment of the appropriate level of confidentiality, integrity, and availability.
Of course, today's IT staff and biomedical engineers are skillful at keeping the highest levels of safety and effectiveness. However, with IEC-80001's explicit inclusion of data and systems security breach into its definition of harm, we have paved the way for an open and honest discussion of the C-I-A [Risks to Confidentiality, Integrity, and Availability] impacts of an interconnection project or a network change. It allows a consideration of the harm brought to individuals when confidentiality is threatened and, for the first time, consideration of the harm of privacy compromise is an essential part of the IT, biomedical engineer, caregiver, and compliance discussions.
There are specific requirements on Medical Device vendors that Nick explained in an email to the NEMA workgroup:

For medical device manufacturers, it includes requirements for risk disclosure to the Health Delivery Organization that are word-for-word consistent with the 60601 3rd edition. For the most part, this may evolve into a collection called a “80001 risk disclosure statement” that, for safety and effectiveness, would likely be culled from other places in existing manuals/instructions-for-use. Security risk disclosure may evolve into a “next generation MDS2” consistent with something like that described in the Security TR (see below). The establishment of an 80001-consistent “next generation MDS2” is the subject of a MITA/HIMSS working group that is actively discussing the content.

Further, there are some annexes that are being written right now. Contact your ISO or IEC representative to get copies and to comment on these. The next meeting is in March at Best, Netherlands, immediately adjacent to the JWG3 meetings.

  1. 62A/719/NP Step by step risk management of medical IT-networks; practical applications and examples (Karen Delvecchio of GE Medical)
  2. 62A/720/NP Guidance for the communication of medical device security needs, risks and controls (Nick Mankovich and Brian Fitzgerald of FDA)
  3. 62A/721/NP Guidance for wireless networks (Rick Hampton of Partners Med, Boston)