DPS
Drejtoria e Përgjithshme e Standardizimit
Tel/Cel: +355 4 222 62 55
E-mail: info@dps.gov.al
Adresa: Rr.: "Reshit Collaku", (pranë ILDKPKI, kati VI), Kutia Postare 98, Tiranë - Shqipëri

ISO/NP 81001-5-2

Health software and health IT systems safety, effectiveness and security — Part 5-2: Security Risk Management for Manufacturers

General information

10.20    2 August 2024

ISO

ISO/TC 215

International Standard

Scope

This document provides requirements and guidance when addressing design, production and post-production security risk management across the lifecycle within the risk management framework defined by ISO 14971.
This document assists manufacturers and other users of the standard with the following:
⎯ identifying threats, vulnerabilities, and assets associated with medical devices and their components and supply chain vendors;
⎯ estimating and evaluating associated security risks;
⎯ determining appropriate security risk controls to reduce security risks;
⎯ verifying and monitoring the effectiveness of the security risk controls;
⎯ establishing an enterprise-wide process to manage security post-production interactions with users and other stakeholders that ensures security of medical devices and systems used to provide medical care;
⎯ creating design features that enable production and post-production management of security risk and effective integration with healthcare delivery organization (HDO) network security policies and technologies, or other operational contexts;
⎯ coordinating communications with HDOs for security risks;
⎯ understanding and communicating the security expectations from manufacturers to those who deploy their medical devices in a user environment;
⎯ implementing processes to manage and monitor fielded medical devices containing either (1) traditional software (including firmware), (2) programmable logic, or (3) hardware for security vulnerabilities;
⎯ implementing security risk management processes to 1) assess security risk in order to decide when action is required and 2) coordinate with safety risk management processes;
⎯ coordinating with HDOs on security risk management activities;
⎯ developing, implementing, and operationalizing a coordinated vulnerability disclosure process;
⎯ implementing processes to manage medical device security patching; and
⎯ planning for medical device retirement.
This document is applicable to the entire life cycle of a medical device including design, production, and post-production phases. End of Support (EOS) and End of Guaranteed Support (EOGS) are milestones in the post-production phase of the medical device and may vary according to differing market and jurisdictional factors.
This document expands on the information provided in Clause 10 “Production and post-production activities” of ISO/TR 24971 by highlighting the need for proactive monitoring to assess threats and detect vulnerabilities. It references the coordinated safety/security risk assessment approach presented in Clause 9 of AAMI TIR57, “Production and post-production information.”

Life cycle

Current stage: In development

ISO/NP 81001-5-2

10.20 New project ballot initiated

2 August 2024
