
IEC TR 80001-2-8
Edition 1.0 2016-05

TECHNICAL REPORT

Application of risk management for IT-networks incorporating medical devices –
Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2

IEC TR 80001-2-8:2016-05(en)
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2016 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC

The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications

The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
I E C TR 80001 -2-8

Edition 1 .0 201 6-05

TECH N I CAL

R E POR T

Appl i cati on of ri sk m an ag em en t fo r I T-n etworks i n corpo rati n g m ed i cal d evi ces –

Part 2-8: Appl i cati o n g u i d an ce – G u i d an ce o n stan d ard s for establ i sh i n g th e

secu ri ty capabi l i ti es i d en ti fi ed i n I E C TR 80001 -2-2

INTERNATIONAL ELECTROTECHNICAL COMMISSION

ICS 11.040.01    ISBN 978-2-8322-3412-9

Warning! Make sure that you obtained this publication from an authorized distributor.
IEC TR 80001-2-8:2016 © IEC 2016

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Guidance for establishing SECURITY CAPABILITIES
4.1 General
4.2 Automatic log off – ALOF
4.3 Audit controls – AUDT
4.4 Authorization – AUTH
4.5 Configuration of security features – CNFS
4.6 Cyber security product upgrades – CSUP
4.7 HEALTH DATA de-identification – DIDT
4.8 Data backup and disaster recovery – DTBK
4.9 Emergency access – EMRG
4.10 HEALTH DATA integrity and authenticity – IGAU
4.11 Malware detection/protection – MLDP
4.12 Node authentication – NAUT
4.13 Person authentication – PAUT
4.14 Physical locks on device – PLOK
4.15 Third-party components in product lifecycle roadmaps – RDMP
4.16 System and application hardening – SAHD
4.17 Security guides – SGUD
4.18 HEALTH DATA storage confidentiality – STCF
4.19 Transmission confidentiality – TXCF
4.20 Transmission integrity – TXIG
Bibliography

Table 1 – ALOF controls
Table 2 – AUDT controls
Table 3 – AUTH controls
Table 4 – CNFS controls
Table 5 – CSUP controls
Table 6 – DIDT controls
Table 7 – DTBK controls
Table 8 – EMRG controls
Table 9 – IGAU controls
Table 10 – MLDP controls
Table 11 – NAUT controls
Table 12 – PAUT controls
Table 13 – PLOK controls
Table 14 – RDMP controls
Table 15 – SAHD controls
Table 16 – SGUD controls
Table 17 – STCF controls
Table 18 – TXCF controls
Table 19 – TXIG controls

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INCORPORATING MEDICAL DEVICES –
Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC 80001-2-8, which is a technical report, has been prepared by subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice, and ISO technical committee 215: Health informatics. 1)

___________
1) This document contains original material that is © 2013, Dundalk Institute of Technology, Ireland. Permission is granted to ISO and IEC to reproduce and circulate this material, this being without prejudice to the rights of Dundalk Institute of Technology to exploit the original text elsewhere.

It is published as a double logo technical report.

The text of this technical report is based on the following documents of IEC:

Enquiry draft: 62A/1018/DTR
Report on voting: 62A/1043A/RVC

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table. In ISO, the standard has been approved by 14 P-members out of 31 having cast a vote.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

Terms used throughout this technical report that have been defined in Clause 3 appear in SMALL CAPITALS.

A list of all parts of the IEC 80001 series, published under the general title Application of risk management for IT-networks incorporating medical devices, can be found on the IEC website.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

A bilingual version of this publication may be issued at a later date.

INTRODUCTION

The IEC 80001-1 standard, the Application of risk management for IT-networks incorporating medical devices, provides the roles, responsibilities and activities necessary for RISK MANAGEMENT. IEC TR 80001-2-2, the Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls, is a technical report that provides additional guidance in relation to how SECURITY CAPABILITIES might be referenced (disclosed and discussed) in both the RISK MANAGEMENT PROCESS and stakeholder communications and agreements. This technical report provides guidance for the establishment of each of the SECURITY CAPABILITIES presented in IEC TR 80001-2-2.

IEC TR 80001-2-2 contains an informative set of common, descriptive SECURITY CAPABILITIES intended to be the starting point for a security-centric discussion between the vendor and purchaser or among a larger group of stakeholders involved in a MEDICAL DEVICE IT-NETWORK project. Scalability is possible across a range of different sizes of RESPONSIBLE ORGANIZATIONS (henceforth called healthcare delivery organizations – HDOs) as each evaluates RISK using the SECURITY CAPABILITIES and decides what to include or not to include according to their RISK tolerance and available resources. This documentation can be used by HDOs as input to their IEC 80001 PROCESS or to form the basis of RESPONSIBILITY AGREEMENTS among stakeholders. Other IEC 80001 technical reports will provide step-by-step guidance in the RISK MANAGEMENT PROCESS. IEC TR 80001-2-2 SECURITY CAPABILITIES encourage the disclosure of more detailed SECURITY CONTROLS. This technical report identifies SECURITY CONTROLS from key security standards which aim to provide guidance to a RESPONSIBLE ORGANIZATION when adapting the framework outlined in IEC TR 80001-2-2.

The framework outlined in IEC TR 80001-2-2 requires shared responsibility between HDOs and MEDICAL DEVICE manufacturers (MDMs). Similarly, this guidance applies to both stakeholders, as a shared responsibility, to ensure safe MEDICAL DEVICE IT networks. In order to build a secure MEDICAL DEVICE IT network a joint effort from both stakeholders is required.

A SECURITY CAPABILITY, as defined in IEC TR 80001-2-2, represents a broad category of technical, administrative and/or organizational SECURITY CONTROLS 2) required to manage RISKS to confidentiality, integrity, availability and accountability of data and systems. This document presents these categories of SECURITY CONTROLS prescribed for a system and the operational environment to establish SECURITY CAPABILITIES to protect the confidentiality, integrity, availability and accountability of data and systems. The SECURITY CONTROLS support the maintenance of confidentiality and the protection from malicious intrusion that might lead to compromises in integrity or system/data availability. The SECURITY CONTROLS for each SECURITY CAPABILITY can be added to as the need arises 3). Controls are intended to protect both data and systems but special attention is given to the protection of both PRIVATE DATA and its subset called HEALTH DATA.

In addition to providing a basis for discussing RISK and respective roles and responsibilities toward RISK MANAGEMENT, this report is intended to supply:
a) Health Delivery Organizations (HDOs) with a catalogue of management, operational and administrative SECURITY CONTROLS to maintain the EFFECTIVENESS of a SECURITY CAPABILITY for a MEDICAL DEVICE on a MEDICAL DEVICE IT-NETWORK;
b) MEDICAL DEVICE manufacturers (MDMs) with a catalogue of technical SECURITY CONTROLS for the establishment of each of the 19 SECURITY CAPABILITIES.

___________
2) For the purpose of consistency throughout this report, the term SECURITY CONTROLS refers to the technical, administrative and organizational controls/safeguards prescribed to establish SECURITY CAPABILITIES.
3) The selection of SECURITY CAPABILITIES and SECURITY CONTROLS will vary due to the diversity of MEDICAL DEVICE products and context in relation to environment and INTENDED USE. Therefore, this technical report is not intended as a "one size fits all" solution.

This report presents the 19 SECURITY CAPABILITIES, their respective "requirement goal" and "user need" (identical to those in IEC TR 80001-2-2) with a corresponding list of SECURITY CONTROLS from a number of security standards. The security standards used for mapping SECURITY CONTROLS to SECURITY CAPABILITIES include 4):

• NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53 covers the steps in the RISK MANAGEMENT Framework that address SECURITY CONTROL selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline SECURITY CONTROLS based on a FIPS 199 worst-case impact analysis, tailoring the baseline SECURITY CONTROLS, and supplementing the SECURITY CONTROLS based on an organizational assessment of RISK. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.

• ISO/IEC 15408-2:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components
This standard defines the content and presentation of the security functional requirements to be assessed in a security evaluation using ISO/IEC 15408. It contains a comprehensive catalogue of predefined security functional components that will fulfil the most common security needs of the marketplace. These are organized using a hierarchical structure of classes, families and components, and supported by comprehensive user notes.
This standard also provides guidance on the specification of customized security requirements where no suitable predefined security functional components exist.

• ISO/IEC 15408-3:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components
This standard defines the assurance requirements of the evaluation criteria. It includes the evaluation assurance levels that define a scale for measuring assurance for component targets of evaluation (TOEs), the composed assurance packages that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of protection profiles and security targets.
This standard defines the content and presentation of the assurance requirements in the form of assurance classes, families and components and provides guidance on the organization of new assurance requirements. The assurance components within the assurance families are presented in a hierarchical order.

• IEC 62443-3-3:2013, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
This standard provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC TS 62443-1-1, including defining the requirements for control system capability security levels, SL-C (control system). These requirements would be used by various members of the industrial automation and control system (IACS) community along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T (control system), for a specific asset.

• ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls
This standard outlines guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security RISK environment(s). It is designed to be used by organizations that intend to:
1) select controls within the PROCESS of implementing a MEDICAL DEVICE system based on ISO/IEC 27001;
2) implement commonly accepted information SECURITY CONTROLS;
3) develop their own information security management guidelines.

• ISO 27799:— 5), Health informatics – Information security management in health using ISO/IEC 27002
This standard defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard.
It specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, HDOs and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information.

___________
4) The selection of security standards used in this technical report does not represent an exhaustive list of all potentially useful standards.
5) To be published.

APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS


INCORPORATING MEDICAL DEVICES –
Part 2-8: Application guidance – Guidance on standards for
establishing the security capabilities identified in IEC TR 80001 -2-2

1 Scope

This part of IEC 80001, which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and MEDICAL DEVICE manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2. Managing the RISK in connecting MEDICAL DEVICES to IT-NETWORKS requires the disclosure of security-related capabilities and RISKS. IEC TR 80001-2-2 presents a framework for this disclosure and the security dialog that surrounds the IEC 80001-1 RISK MANAGEMENT of IT-NETWORKS. IEC TR 80001-2-2 presents an informative set of common, descriptive security-related capabilities that are useful in terms of gaining an understanding of user needs. This report addresses each of the SECURITY CAPABILITIES and identifies SECURITY CONTROLS for consideration by HDOs and MDMs during RISK MANAGEMENT activities, supplier selection, device selection, device implementation, operation etc.

It is not intended that the security standards referenced herein are exhaustive of all useful standards; rather, the purpose of this technical report is to identify SECURITY CONTROLS, which exist in these particular security standards (listed in the introduction of this technical report), that apply to each of the SECURITY CAPABILITIES.

This report provides guidance to HDOs and MDMs for the selection and implementation of management, operational, administrative and technical SECURITY CONTROLS to protect the confidentiality, integrity, availability and accountability of data and systems during development, operation and disposal.

Not all 19 SECURITY CAPABILITIES are required in every case, and the identified SECURITY CAPABILITIES included in this report should not be considered exhaustive in nature. The selection of SECURITY CAPABILITIES and SECURITY CONTROLS should be based on the RISK EVALUATION and the RISK tolerance, with consideration for protection of patient SAFETY, life and health. INTENDED USE, operational environment, network structure and local factors should also determine which SECURITY CAPABILITIES are necessary and which SECURITY CONTROLS most suitably assist in establishing that SECURITY CAPABILITY.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities

IEC TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks and controls 6)

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
DATA AND SYSTEMS SECURITY
operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability

[SOURCE: IEC 80001-1:2010, 2.5]

3.2
EFFECTIVENESS
ability to produce the intended result for the patient and the RESPONSIBLE ORGANIZATION

[SOURCE: IEC 80001-1:2010, 2.6]

3.3
HARM
physical injury or damage to the health of people, or damage to property or the environment, or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEMS SECURITY

[SOURCE: IEC 80001-1:2010, 2.8]

3.4
HAZARD
potential source of HARM

[SOURCE: IEC 80001-1:2010, 2.9]

3.5
HEALTH DATA
PRIVATE DATA that indicates physical or mental health

Note 1 to entry: This term generically defines PRIVATE DATA and its subset, HEALTH DATA, within this report to permit users of this report to adapt it easily to different privacy compliance laws and regulations. For example, in Europe, the requirements might be taken and references changed to "Personal Data" and "Sensitive Data"; in the USA, HEALTH DATA might be changed to "Protected Health Information (PHI)" while making adjustments to text as necessary.

3.6
INTENDED USE
INTENDED PURPOSE
use for which a product, PROCESS or service is intended according to the specifications, instructions and information provided by the manufacturer

[SOURCE: IEC 80001-1:2010, 2.10]

___________
6) IEC TR 80001-2-2 contains many additional standards, policies and reference materials which are also indispensable for the application of this Technical Report.

3.7
IT-NETWORK
INFORMATION TECHNOLOGY NETWORK
system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes

[SOURCE: IEC 80001-1:2010, 2.12]

3.8
MEDICAL DEVICE
means any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article:
a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of:
– diagnosis, prevention, monitoring, treatment or alleviation of disease,
– diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
– investigation, replacement, modification, or support of the anatomy or of a physiological PROCESS,
– supporting or sustaining life,
– control of conception,
– disinfection of MEDICAL DEVICES,
– providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; and
b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.

Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample collection and storage devices, control materials, and related instruments or apparatus. The information provided by such an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in vitro diagnostic devices, including reagents and the like, may be covered by separate regulations.

Note 2 to entry: Products which may be considered to be MEDICAL DEVICES in some jurisdictions but for which there is not yet a harmonized approach, are:
– aids for disabled/handicapped people;
– devices for the treatment/diagnosis of diseases and injuries in animals;
– accessories for MEDICAL DEVICES (see Note 3 to entry);
– disinfection substances;
– devices incorporating animal and human tissues which may meet the requirements of the above definition but are subject to different controls.

Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a 'parent' MEDICAL DEVICE to enable that MEDICAL DEVICE to achieve its INTENDED PURPOSE should be subject to the same GHTF procedures as apply to the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This may result in the accessory having a different classification than the 'parent' device.

Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer's quality management system and the conformity assessment procedures for the device. In some jurisdictions, components are included in the definition of a 'medical device'.

[SOURCE: IEC 80001-1:2010, 2.14]

3.9
MEDICAL IT-NETWORK
IT-NETWORK that incorporates at least one MEDICAL DEVICE

[SOURCE: IEC 80001-1:2010, 2.16]

3.10
OPERATOR
person handling equipment

[SOURCE: IEC 80001-1:2010, 2.18]

3.11
PRIVATE DATA
any information relating to an identified or identifiable person

3.12
PROCESS
set of interrelated or interacting activities which transforms inputs into outputs

[SOURCE: IEC 80001-1:2010, 2.19]

3.13
RESPONSIBILITY AGREEMENT
one or more documents that together fully define the responsibilities of all relevant stakeholders

[SOURCE: IEC 80001-1:2010, 2.21, modified – The note has been deleted.]

3.14
RESPONSIBLE ORGANIZATION
entity accountable for the use and maintenance of a MEDICAL IT-NETWORK

[SOURCE: IEC 80001-1:2010, 2.22, modified – The notes have been deleted.]

3.15
RISK
combination of the probability of occurrence of HARM and the severity of that HARM

[SOURCE: IEC 80001-1:2010, 2.23]

3.16
RISK ANALYSIS
systematic use of available information to identify HAZARDS and to estimate the RISK

[SOURCE: IEC 80001-1:2010, 2.24]

3.17
RISK ASSESSMENT
overall PROCESS comprising a RISK ANALYSIS and a RISK EVALUATION

[SOURCE: IEC 80001-1:2010, 2.25]

3.18
RISK EVALUATION
PROCESS of comparing the estimated RISK against given RISK criteria to determine the acceptability of the RISK

[SOURCE: IEC 80001-1:2010, 2.27]


3.19
RISK MANAGEMENT
systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling, and monitoring RISK

[SOURCE: IEC 80001-1:2010, 2.28]

3.20
SAFETY
freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or the environment

[SOURCE: IEC 80001-1:2010, 2.30]

3.21
SECURITY CAPABILITY
broad category of technical, administrative or organizational controls to manage RISKS to confidentiality, integrity, availability and accountability of data and systems

3.22
SECURITY CONTROL
management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information

[SOURCE: NIST IR 7298]

3.23
VERIFICATION
confirmation through provision of objective evidence that specified requirements have been fulfilled

[SOURCE: IEC 80001-1:2010, 2.32]

4 Guidance for establishing SECURITY CAPABILITIES

4.1 General

This clause presents each of the SECURITY CAPABILITIES, as outlined in IEC TR 80001-2-2, with corresponding tables (Tables 1 to 19) of recommended SECURITY CONTROLS from the following standards:

Technical SECURITY CONTROLS:

• NIST SP 800-53;
• ISO/IEC 15408-2;
• ISO/IEC 15408-3;
• IEC 62443-3-3;

Operational/administrative SECURITY CONTROLS:

• ISO/IEC 27002;
• ISO 27799.

For infrastructure and MEDICAL IT-NETWORK SECURITY CONTROLS, ISO/IEC 27002 and ISO 27799 are grouped together in the tables below as the standards are fully aligned.

ISO/IEC 27002 specifies a set of detailed controls for managing information security. ISO 27799 specifies additional guidance specifically for health information security and provides health information security best practice guidelines.

4.2 Automatic logoff – ALOF

Requirement goal: Reduce the RISK of unauthorized access to HEALTH DATA from an unattended workspot. Prevent misuse by other users if a system or workspot is left idle for a period of time.

User need: Unauthorized users are not able to access HEALTH DATA at an unattended workspot.
Authorized user sessions need to automatically terminate or lock after a pre-set period of time. This reduces the RISK of unauthorized access to HEALTH DATA when an authorized user has left the workspot without logging off or locking the display or room.
Automatic logoff needs to include a clearing of HEALTH DATA from all displays as appropriate.
The local authorized IT administrator needs to be able to disable the function and set the expiration time (including screen saver).
A screen saver with a short inactivity time, or one manually enabled by a shortcut key, might be an additional feature. This HEALTH DATA display clearing could be invoked when no key is pressed for some short period (e.g. 15 s to several minutes). This would not log out the user but would reduce the RISK of casual viewing of information.
It is desirable that clinical users should not lose uncommitted work due to automatic logoff. Consider detailing characteristics under ALOF that distinguish between (a) logoff and (b) screen locking with resumption of session.
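The three idle behaviours described above (display clearing, screen lock with session resumption, and full logoff) as an added example, not code from IEC TR 80001-2-8 or any product; the state names, timeouts and the auto-save of uncommitted work at logoff are constructed assumptions:

```python
"""Idle-session state machine for the ALOF capability (added example; state names,
timeouts and the draft auto-save are constructed, not from the standard).

Three idle thresholds are distinguished, as the User need text suggests:
  blank_after  - short inactivity: clear HEALTH DATA from the display only
  lock_after   - lock the screen; uncommitted work is kept and the session
                 resumes after re-authentication of the same user
  logoff_after - terminate the session; displays are cleared and any
                 uncommitted work is auto-saved so the clinician does not lose it
The local IT administrator can change the thresholds or disable the function.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AlofPolicy:
    enabled: bool = True
    blank_after: float = 30.0      # seconds, screen-saver style display clearing
    lock_after: float = 300.0      # seconds, lock with session resumption
    logoff_after: float = 1800.0   # seconds, full logoff

    def validate(self) -> None:
        if not self.blank_after <= self.lock_after <= self.logoff_after:
            raise ValueError("thresholds must be ordered blank <= lock <= logoff")


@dataclass
class Session:
    user: str
    policy: AlofPolicy
    last_activity: float            # monotonic seconds of the last user input
    state: str = "active"           # active | blanked | locked | logged_off
    display_shows_health_data: bool = False
    uncommitted_work: Optional[str] = None
    saved_drafts: List[str] = field(default_factory=list)

    def activity(self, now: float) -> None:
        """User input refreshes only an active or blanked session; a locked session
        needs unlock() and a logged-off session needs a fresh login."""
        if self.state in ("active", "blanked"):
            self.state = "active"
            self.last_activity = now

    def tick(self, now: float) -> str:
        """Evaluate idle time at `now`, apply the policy and return the new state."""
        if not self.policy.enabled or self.state == "logged_off":
            return self.state
        idle = now - self.last_activity
        if idle >= self.policy.logoff_after:
            self.state = "logged_off"
            self.display_shows_health_data = False
            if self.uncommitted_work is not None:      # do not lose clinical work
                self.saved_drafts.append(self.uncommitted_work)
                self.uncommitted_work = None
        elif idle >= self.policy.lock_after and self.state != "locked":
            self.state = "locked"                      # work is retained for resumption
            self.display_shows_health_data = False
        elif idle >= self.policy.blank_after and self.state == "active":
            self.state = "blanked"                     # casual-viewing protection only
            self.display_shows_health_data = False
        return self.state

    def unlock(self, authenticated_user: str, now: float) -> bool:
        """Resume a locked session; only the same re-authenticated user may do so."""
        if self.state != "locked" or authenticated_user != self.user:
            return False
        self.state = "active"
        self.last_activity = now
        return True
```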

Table 1 – ALOF controls

Standard           Reference    Control
SP 800-53          AC-1         Access control policy and management
                   AC-2         Account management
                   AC-7         Unsuccessful logon attempts
                   AC-11        Session lock
                   AC-12        Session termination
                   AC-23        Data mining protection
                   AC-24        Access control decisions
                   CM-4         Security impact analysis
                   IA-4         Identifier management
                   IA-11        Re-authentication
ISO/IEC 15408-2    FTA_SSL      Session locking and termination
                   FMT_SAE      Security attribute expiration
                   FIA_UAU      User authentication
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS

IEC 62443-3-3      SR 2.5       Session lock
                   SR 2.6       Remote session termination
ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   9.1.1        Access control policy
                   9.4.2        Secure logon procedures
                   11.2.8       Unattended user equipment
                   11.2.9       Clear desk and clear screen policy
                   18.2.2       Compliance with security policies and standards

4.3 Audit controls – AUDT

Requirement goal: Define a harmonized approach towards reliably auditing who is doing what with HEALTH DATA, allowing HDO IT to monitor this using public frameworks, standards and technology.
Our industry has agreed upon, and HDO IT strongly prefers, Integrating the Healthcare Enterprise (IHE) audit trail profile support.
Audit goal (from IHE): To allow a security officer in an institution to audit activities, to assess compliance with a secure domain's policies, to detect instances of non-compliant behaviour, and to facilitate detection of improper creation, access, modification and deletion of Protected Health Information (PHI).

User need: Capability to record and examine system activity by creating audit trails on a device to track system and HEALTH DATA access, modification, or deletion.
Support for use either as a stand-alone repository (logging audit files in its own file system) or, when configured as such, sending logged information to a separate, HDO-managed central repository.
Audit creation and maintenance supported by appropriate audit review tools.
Securing of audit data as appropriate (especially if they contain personal data themselves).
Audit data that cannot be edited or deleted.
Audit data likely contains personal data and/or HEALTH DATA, and all processing (e.g. access, storage and transfer) should have appropriate controls.
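An audit trail that records who did what to which HEALTH DATA and cannot be edited or deleted without detection, as an added example that is not part of IEC TR 80001-2-8 or of the IHE profile; the record fields, the SHA-256 hash chain and the constructed sample events are assumptions:

```python
"""Tamper-evident audit trail for the AUDT capability (added example; the record
fields and the SHA-256 hash chain are constructed assumptions, not the IHE ATNA
audit message format)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditRecord:
    seq: int            # position in the trail
    timestamp: str      # ISO 8601 from a synchronised clock (AU-8, 12.4.4)
    user_id: str        # who
    action: str         # what: create | read | update | delete | export
    resource: str       # which HEALTH DATA, e.g. "patient/12345/study/7"
    outcome: str        # success | failure
    source: str         # device or node that generated the event
    prev_hash: str      # hash of the preceding record
    this_hash: str      # hash over every field above


def _digest(fields: Dict[str, object]) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: editing or deleting any record breaks the chain."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, timestamp: str, user_id: str, action: str,
               resource: str, outcome: str, source: str) -> AuditRecord:
        prev = self._records[-1].this_hash if self._records else GENESIS_HASH
        body = dict(seq=len(self._records), timestamp=timestamp, user_id=user_id,
                    action=action, resource=resource, outcome=outcome,
                    source=source, prev_hash=prev)
        record = AuditRecord(**body, this_hash=_digest(body))
        self._records.append(record)
        return record

    def records(self) -> List[AuditRecord]:
        return list(self._records)

    def export_lines(self) -> List[str]:
        """JSON lines for forwarding to an HDO-managed central repository."""
        return [json.dumps(asdict(r), sort_keys=True) for r in self._records]


def verify_chain(records: List[AuditRecord]) -> int:
    """Return -1 when the chain is intact, otherwise the index of the first record
    whose content, sequence number or link to its predecessor does not verify."""
    prev = GENESIS_HASH
    for i, r in enumerate(records):
        body = asdict(r)
        claimed = body.pop("this_hash")
        if r.seq != i or r.prev_hash != prev or _digest(body) != claimed:
            return i
        prev = r.this_hash
    return -1


def access_history(records: List[AuditRecord],
                   resource: str) -> List[Tuple[str, str, str, str]]:
    """Audit review helper: (timestamp, user, action, outcome) for one resource."""
    return [(r.timestamp, r.user_id, r.action, r.outcome)
            for r in records if r.resource == resource]
```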

Table 2 – AUDT controls

Standard           Reference    Control
SP 800-53          AC-21        Information sharing
                   AC-23        Data mining protection
                   AU-1         Audit and accountability policy and procedures
                   AU-2         Audit events
                   AU-3         Content of audit records
                   AU-4         Audit storage capacity
                   AU-5         Response to audit processing failures
                   AU-6         Audit review, analysis and reporting
                   AU-7         Audit reduction and report generation
                   AU-8         Time stamps
                   AU-9         Protection of audit information
                   AU-10        Non-repudiation
                   AU-11        Audit record retention
                   AU-12        Audit generation
                   AU-13        Monitoring for information disclosure
                   AU-14        Session audit
                   AU-15        Alternate audit capacity
                   AU-16        Cross-organizational auditing
ISO/IEC 15408-2    FAU_ARP      Security audit automatic response
                   FAU_GEN      Security audit data generation
                   FAU_SAA      Security audit analysis
                   FAU_SAR      Security audit review
                   FAU_SEL      Security audit event selection
                   FAU_STG      Security audit event storage
                   FCO_NRO      Non-repudiation of origin
                   FCO_NRR      Non-repudiation of receipt
                   FMT_SAE      Security attribute expiration
                   FPT_STM      Time stamps
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS
IEC 62443-3-3      SR 2.8       Auditable events
                   SR 2.9       Audit storage capacity
                   SR 2.10      Response to audit processing failures
                   SR 2.11      Timestamps
                   SR 2.12      Non-repudiation
                   SR 3.9       Protection of audit information
                   SR 6.1       Audit reduction and report generation
                   SR 6.2       Continuous monitoring

ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   6.1.2        Segregation of duties
                   6.2.2        Teleworking
                   12.4.1       Event logging
                   12.4.2       Protection of log information
                   12.4.3       Administrator and OPERATOR logs
                   12.4.4       Clock synchronisation
                   12.7.1       Information systems audit controls
                   16.1.7       Collection of evidence
                   18.1.3       Protection of records
                   18.1.4       Privacy and protection of personally identifiable information

4.4 Authorization – AUTH

Requirement goal: Following the principle of data minimization, provide control of access to HEALTH DATA and functions only as necessary to perform the tasks required by the HDO consistent with the INTENDED USE.

User need: Avoiding unauthorized access to data and functions in order to (1) preserve system and data confidentiality, integrity and availability and (2) remain within permitted uses of data and systems.
As defined by HDO IT policy and based on the authenticated individual user's identification, the authorization capability allows each user to only access approved data and only perform approved functions on the device.
Authorized users include HDO and service staff as defined by that policy.
• MEDICAL DEVICES typically support a permissions-based system providing access to system functions and data appropriate to the role(s) of the individual in the HDO (role-based access control, RBAC). For example: OPERATORS can perform their assigned tasks using all appropriate device functions (e.g. monitor or scan patients).
• Quality staff (e.g. medical physicist) can engage in all appropriate quality and assurance testing activities.
• Service staff can access the system in a manner that supports their preventive maintenance, problem investigation, and problem elimination activities.
Authorization permits the RISK to effectively deliver healthcare while (1) maintaining system and data security and (2) following the principle of appropriate data access minimization. Authorization can be managed locally or enterprise-wide (e.g. via centralized directory).
Where INTENDED USE does not permit the time necessary for logging on to and off of a device (e.g. high-throughput use), the local IT Policy can permit reduced authorization controls presuming adequacy of controlled and restricted physical access.
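A role-based authorization check covering the OPERATOR, quality and service roles above, the default-deny rule, the reduced-authorization mode for high-throughput INTENDED USE, and a segregation-of-duties check, as an added example that is not code from IEC TR 80001-2-8 or any product; the role names, function names and data classes are constructed assumptions:

```python
"""Role-based authorization check for the AUTH capability (added example; the
roles, device functions and data classes below are constructed, not from any
product or from the standard)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed role -> permitted device functions (HDO IT policy would define these).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "operator": {"acquire_image", "view_patient", "annotate_study"},
    "quality":  {"run_qa_phantom", "view_calibration", "export_qa_report"},
    "service":  {"view_service_log", "run_diagnostics", "update_firmware"},
    "admin":    {"configure_security", "manage_accounts"},
}
# Constructed role -> data classes each role may read. Service staff get no
# HEALTH DATA by default (data minimization).
ROLE_DATA: Dict[str, Set[str]] = {
    "operator": {"health_data"},
    "quality":  {"qa_data"},
    "service":  {"service_log"},
    "admin":    {"security_config"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    authenticated: bool = True


@dataclass
class AuthorizationPolicy:
    functions: Dict[str, Set[str]]
    data: Dict[str, Set[str]]
    # Reduced-authorization mode for high-throughput INTENDED USE. It only takes
    # effect when the HDO has confirmed controlled, restricted physical access.
    reduced_auth_mode: bool = False
    physical_access_controlled: bool = False

    def _effective_roles(self, p: Principal) -> Set[str]:
        if p.authenticated:
            return set(p.roles)
        if self.reduced_auth_mode and self.physical_access_controlled:
            return {"operator"}          # unauthenticated use limited to OPERATOR tasks
        return set()                     # default deny

    @staticmethod
    def _union(table: Dict[str, Set[str]], roles: Iterable[str]) -> Set[str]:
        allowed: Set[str] = set()
        for role in roles:
            allowed |= table.get(role, set())   # unknown roles grant nothing
        return allowed

    def can_invoke(self, p: Principal, function: str) -> bool:
        return function in self._union(self.functions, self._effective_roles(p))

    def can_read(self, p: Principal, data_class: str) -> bool:
        return data_class in self._union(self.data, self._effective_roles(p))

    def separation_of_duties_violations(
            self, conflicts: Iterable[Tuple[str, str]]) -> List[str]:
        """Roles holding both functions of a conflicting pair (AC-5 / 6.1.2)."""
        bad: Set[str] = set()
        for role, fns in self.functions.items():
            for a, b in conflicts:
                if a in fns and b in fns:
                    bad.add(role)
        return sorted(bad)
```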

Table 3 – AUTH controls

Standard           Reference    Control
SP 800-53          AC-1         Access control policy and management
                   AC-2         Account management
                   AC-3         Access enforcement
                   AC-5         Separation of duties
                   AC-6         Least privilege
                   AC-7         Unsuccessful logon attempts
                   AC-17        Remote access
                   AC-18        Wireless access
                   AC-19        Access control for mobile devices
                   AC-21        Information sharing
                   AC-23        Data mining protection
                   AC-24        Access control decisions
                   PL-4         Rules of behavior
ISO/IEC 15408-2    FDP_ACC      Access control policy
                   FIA_ATD      User attribute definition
                   FMT_MOF      Management of functions in TSF
                   FMT_MSA      Management of security attributes
                   FMT_MTD      Management of TSF data
                   FMT_REV      Revocation
                   FMT_SAE      Security attribute expiration
                   FMT_SMR      Security management roles
                   FTA_LSA      Limitation on scope of selectable attributes
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS
IEC 62443-3-3      SR 1.3       Account management
                   SR 2.1       Authorization enforcement
ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   6.1.1        Information security roles and responsibilities
                   6.1.2        Segregation of duties
                   7.2.1        Management responsibilities
                   8.1.3        Acceptable use of assets
                   8.2.3        Handling of assets
                   9.1.1        Access control policy
                   9.1.2        Access to networks and network services
                   9.2.1        User registration and de-registration
                   9.2.2        User access provisioning
                   9.2.3        Management of privileged access rights
                   9.2.4        Management of secret authentication information of users
                   9.4.1        Information access restriction
                   9.4.4        Use of privileged utility programs
                   9.4.5        Access control to program source code

                   12.1.1       Documented operating procedures
                   13.1.3       Segregation in networks
                   13.2.4       Confidentiality or non-disclosure agreements

4.5 Configuration of security features – CNFS

Requirement goal: To allow the HDO to determine how to utilize the product SECURITY CAPABILITIES to meet their needs for policy and/or workflow.

User need: The local authorized IT administrator needs to be able to choose whether or not to use the product SECURITY CAPABILITIES. This can include aspects of privilege management interacting with SECURITY CAPABILITY control.

Table 4 – CNFS controls

Standard           Reference    Control
SP 800-53          AC-2         Account management
                   AC-5         Separation of duties
                   AC-6         Least privilege
                   CM-1         Configuration management policy and procedures
                   CM-2         Baseline configuration
                   CM-3         Configuration change control
                   CM-4         Security impact analysis
                   CM-5         Access restrictions for change
                   CM-6         Configuration settings
                   CM-7         Least functionality
                   CM-9         Configuration management plan
                   SA-10        Developer configuration management
ISO/IEC 15408-2    FIA_ATD      User attribute definition
                   FMT_MOF      Management of functions in TSF
                   FMT_MSA      Management of security attributes
                   FMT_MTD      Management of TSF data
                   FMT_REV      Revocation
                   FMT_SMF      Specification of management functions
                   FMT_SMR      Security management roles
                   FTA_LSA      Limitation on scope of selectable attributes
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS
IEC 62443-3-3      SR 1.3       Account management
                   SR 7.6       Network and security configuration settings
ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   6.1.1        Information security roles and responsibilities
                   6.1.2        Segregation of duties
                   9.1.1        Access control policy

                   9.2.3        Management of privileged access rights
                   9.2.4        Management of secret authentication information of users
                   9.4.1        Information access restriction
                   9.4.4        Use of privileged utility programs
                   12.1.1       Documented operating procedures
                   12.1.2       Change management
                   12.2.1       Controls against malware
                   14.2.2       System change control procedures
                   14.2.3       Technical review of applications after operating platform changes
                   14.2.4       Restrictions on changes to software packages
                   14.2.9       System acceptance testing
                   18.1.5       Regulation of cryptographic controls

4.6 Cyber security product upgrades – CSUP

Requirement goal: Create a unified way of working. Installation/upgrade of product security patches by on-site service staff, remote service staff, and possibly authorized HDO staff (downloadable patches).

User need: Installation of third party security patches on medical products as soon as possible in accordance with regulations requiring:
• Highest priority is given to patches that address high-RISK vulnerabilities as judged by objective, authoritative, documented MDM vulnerability RISK EVALUATION.
• The medical product vendor and the healthcare provider are required to assure continued safe and effective clinical functionality of their products. Understanding of local MEDICAL DEVICE regulation (in general, MEDICAL DEVICES should not be patched or modified without explicit written instructions from the MDM).
• Adequate testing has to be done to discover any unanticipated side effects of the patch on the medical product (performance or functionality) that might endanger a PATIENT.
Users, especially HDO IT staff and HDO service, require proactive information on assessed/validated patches.

Table 5 – CSUP controls

Standard           Reference    Control
SP 800-53          AC-17        Remote access
                   CM-2         Baseline configuration
                   CM-3         Configuration change control
                   CM-4         Security impact analysis
                   CM-5         Access restrictions for change
                   IA-1         Identification and authentication policy and procedures

                   IA-9         Service identification and authentication
                   MA-1         System maintenance policy and procedures
                   MA-2         Controlled maintenance
                   MA-3         Maintenance tools
                   MA-4         Nonlocal maintenance
                   MA-5         Maintenance personnel
                   MA-6         Timely maintenance
                   MP-1         Media protection policy and procedures
                   SA-8         Security engineering principles
                   SA-11        Developer security testing and evaluation
                   SA-14        Criticality analysis
                   SI-11        Error handling
ISO/IEC 15408-2                 No applicable SECURITY CONTROLS
ISO/IEC 15408-3    ALC_FLR      Flaw remediation
                   ATE_COV      Coverage
                   ATE_DPT      Depth
                   ATE_FUN      Functional tests
                   ATE_IND      Independent tests
                   AVA_VAN      Vulnerability analysis
IEC 62443-3-3                   No applicable SECURITY CONTROLS
ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   6.2.1        Mobile device policy
                   12.1.2       Change management
                   12.2.1       Controls against malware
                   12.5.1       Installation of software on operational systems
                   12.6.1       Management of technical vulnerabilities
                   12.6.2       Restrictions on software installation
                   14.1.1       Information security requirements analysis and specification
                   14.2.2       System change control procedures
                   14.2.3       Technical review of applications after operating platform changes
                   14.2.4       Restrictions on changes to software packages
                   14.2.5       Secure system engineering principles
                   14.2.8       System security testing
                   14.2.9       System acceptance testing
                   18.2.2       Compliance with security policies and standards

4.7 HEALTH DATA de-identification – DIDT

Requirement goal: Ability of equipment (application software or additional tooling) to directly remove information that allows identification of the patient. Data scrubbing prior to shipping back to factory; architecting to allow remote service without HEALTH DATA access/exposure; in-factory quarantine, labelling, and training.

User need: Clinical users, service engineers and marketing need to be able to de-identify HEALTH DATA for various purposes not requiring PATIENT identity.
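An allow-list de-identifier for a device record, such as a study shipped to the factory for service analysis, as an added example that is not code from IEC TR 80001-2-8 or any product; the field names, the keyed pseudonym for the medical record number, the ten-year age band and the sample record are constructed assumptions, not a regulatory de-identification standard:

```python
"""Allow-list de-identification of a HEALTH DATA record for the DIDT capability
(added example; field names, the age-band rule and the pseudonym scheme are
constructed assumptions)."""
import hashlib
import hmac
from datetime import date
from typing import Any, Dict, Set, Tuple

# Only these fields pass through unchanged: clinical and technical content a
# service engineer or quality reviewer needs without knowing who the patient is.
CLINICAL_ALLOW_LIST: Set[str] = {
    "modality", "study_date", "body_part", "kvp", "exposure_mas",
    "device_serial", "error_codes",
}
# Direct identifiers are always removed. The MRN is replaced by a keyed
# pseudonym so that studies of one patient stay linkable under the same key.
DIRECT_IDENTIFIERS: Set[str] = {
    "name", "mrn", "address", "phone", "email", "national_id",
}


def pseudonym(mrn: str, key: bytes) -> str:
    """HMAC-SHA256 of the MRN under a key held only by the HDO; without the key
    the value cannot be mapped back to the patient."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, reference_iso: str) -> str:
    """Generalise a date of birth (ISO 8601) to a ten-year band; ages of 90 and
    over collapse into a single band because they are rare enough to identify."""
    dob = date.fromisoformat(dob_iso)
    ref = date.fromisoformat(reference_iso)
    age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: Dict[str, Any], key: bytes,
               reference_iso: str) -> Tuple[Dict[str, Any], Set[str]]:
    """Return (de-identified record, names of fields removed or transformed).
    Anything not explicitly allowed is dropped, so a newly added free-text field
    cannot leak by default."""
    out: Dict[str, Any] = {}
    removed: Set[str] = set()
    for field_name, value in record.items():
        if field_name == "mrn":
            out["subject_id"] = pseudonym(str(value), key)
            removed.add(field_name)
        elif field_name == "date_of_birth":
            out["age_band"] = age_band(str(value), reference_iso)
            removed.add(field_name)
        elif field_name in CLINICAL_ALLOW_LIST:
            out[field_name] = value
        else:
            removed.add(field_name)   # direct identifiers and unknown fields alike
    return out, removed


def is_deidentified(record: Dict[str, Any]) -> bool:
    """Gate to run before data leaves the HDO: no direct identifier or raw DOB."""
    return not (set(record) & (DIRECT_IDENTIFIERS | {"date_of_birth"}))
```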

Table 6 – DIDT controls

Standard           Reference    Control
SP 800-53          AC-8         System use notification
                   AC-21        Information sharing
                   AC-23        Data mining protection
                   AR-7         Privacy-enhanced system design and development
                   AT-1         Security assurance and training policy and protection
                   AU-3         Content of audit records
                   AU-9         Protection of audit information
                   AU-11        Audit record retention
                   DM-1         Minimization of personally identifiable information
                   DM-2         Data retention and disposal
ISO/IEC 15408-2                 No applicable SECURITY CONTROLS
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS
IEC 62443-3-3      SR 4.2       Information persistence
ISO/IEC 27002      5.1.1        Policies for information security
ISO 27799          5.1.2        Review of the information security policy
                   7.2.2        Information security awareness, education and training
                   8.1.3        Acceptable use of assets
                   8.1.4        Return of assets
                   8.2.1        Classification of information
                   8.2.2        Labelling of information
                   8.2.3        Handling of assets
                   8.3.1        Management of removable media
                   8.3.2        Disposal of media
                   11.2.4       Equipment maintenance
                   11.2.6       Security of equipment and assets off-premises
                   11.2.7       Secure disposal or re-use of equipment
                   12.1.4       Separation of development, testing and operational environments
                   14.3.1       Protection of test data
                   18.1.4       Privacy and protection of personally identifiable information
                   18.2.2       Compliance with security policies and standards

4.8 Data backup and disaster recovery – DTBK

Requirement goal: Assure that the healthcare provider can continue business after damage or destruction of data, hardware, or software.

User need: Reasonable assurance that persistent system settings and persistent HEALTH DATA stored on products can be restored after a system failure or compromise so that business can be continued.

NOTE This requirement might not be appropriate for smaller, low-cost devices and can, in practice, rely on the ability to collect new, relevant data in the next acquisition cycle (e.g. short-duration heart rate data lost due to occasional wireless signal loss).

Table 7 – DTBK controls

Standard           Reference    Control
SP 800-53          AU-9         Protection of audit information
                   CM-1         Configuration management policy and procedure
                   CM-2         Baseline configuration
                   CM-3         Configuration change control
                   CM-5         Access restrictions for changes
                   CM-6         Configuration settings
                   CP-1         Contingency planning policy and procedures
                   CP-2         Contingency plan
                   CP-3         Contingency training
                   CP-4         Contingency plan testing
                   CP-6         Alternate storage site
                   CP-7         Alternate processing site
                   CP-8         Telecommunications services
                   CP-9         Information system backup
                   CP-10        Information system recovery and reconstitution
                   CP-13        Alternative security mechanisms
                   IR-1         Incident response policy and procedures
                   IR-2         Incident response training
                   IR-3         Incident response testing
                   IR-4         Incident handling
                   IR-5         Incident monitoring
                   IR-6         Incident reporting
                   IR-7         Incident response assistance
                   IR-8         Incident response plan
                   IR-9         Information spillage response
                   IR-10        Integrated information security analysis team
                   SI-1         System and information integrity policy and procedures
                   PM-9         RISK MANAGEMENT strategy
ISO/IEC 15408-2    FDP_ROL      Rollback
                   FPT_ITA      Availability of exported TSF data
                   FPT_RCV      Trusted recovery
                   FRU_FLT      Fault tolerance
ISO/IEC 15408-3                 No applicable SECURITY CONTROLS
I EC TR 80001 -2-8:201 6 © I EC 201 6 – 27 –

Table 7 (continued)
Standard Reference Control
I EC 62443-3-3 SR 2. 8 Au d i tabl e even ts
SR 3. 6 Determ i n i sti c ou tpu t
SR 7. 3 Con trol system backu p
SR 7. 4 Con trol system recovery an d recon sti tu ti on
I SO I EC 27002 5. 1 . 1 Pol i ci es for i n form ati on secu ri ty
I SO 27799 5. 1 . 2 Revi ew of th e i n form ati on secu ri ty pol i cy
6. 1 . 1 I n form ati on secu ri ty rol es an d respon si bi l i ti es
6. 1 . 3 Con tact wi th au th ori ti es
1 1 .1 .4 Protecti n g ag ai n st extern al an d en vi ron m en tal th reats
1 2. 1 . 1 Docu m en ted operati n g proced u res
1 2. 3. 1 I n form ati on backu p
1 6. 1 . 1 Respon si bi l i ti es an d proced u res
1 6. 1 . 2 Reporti n g i n form ati on secu ri ty even ts
1 6. 1 . 5 Respon se to i n form ati on secu ri ty i n ci den ts
1 6. 1 . 6 Learn i n g from i n form ati on secu ri ty i n ci d en ts
1 6. 1 . 7 Col l ecti on of evi d en ce
1 7. 1 . 1 Pl an n i n g i n form ati on secu ri ty con ti n u i ty
1 7. 1 . 2 I m pl em en ti n g i n form ati on secu ri ty con ti n u i ty
1 7. 1 . 3 Veri fy, revi ew an d eval u ate i n form ati on secu ri ty con ti n u i ty
1 8. 1 . 3 Protecti on of records
1 8. 1 . 4 Pri vacy an d protecti on of person al l y i d en ti fi abl e i n form ati on

4.9 Emergency access – EMRG

Requirement goal: Ensure that access to protected HEALTH DATA is possible in case of an emergency situation requiring immediate access to stored HEALTH DATA.

User need: During emergency situations, the clinical user needs to be able to access HEALTH DATA without personal user id and authentication (break-glass functionality).

Emergency access is to be detected, recorded and reported, ideally including some manner of immediate notification to the system administrator or medical staff (in addition to the audit record).

Emergency access needs to require and record self-attested user identification as entered (without authentication).

An HDO can solve this through a procedural approach using a specific user account or function of the system.

The administrator needs to be able to enable/disable any emergency functions provided by the product, depending on whether technical or procedural controls are required.
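The break-glass behaviour described above, as an added example (not code from IEC TR 80001-2-8 or from any product): an administrator-controlled emergency function that requires and records a self-attested identity without authenticating it, writes an audit record for every event, and pushes an immediate notification on each grant, denial or expiry. The class and method names, the dedicated `emergency` account and the 30-minute session lifetime are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Assumed: the HDO's designated break-glass account (procedural approach); never a personal user id.
EMERGENCY_ACCOUNT = "emergency"


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    event: str              # EMERGENCY_ACCESS_GRANTED / _DENIED / _EXPIRED, HEALTH_DATA_READ, ...
    self_attested_id: str   # identity exactly as the clinical user entered it; never verified
    detail: str


@dataclass
class EmergencySession:
    self_attested_id: str
    reason: str
    account: str
    expires_at: datetime


class BreakGlassController:
    """Emergency access to HEALTH DATA: no authentication, but every use is recorded and reported."""

    def __init__(self, notify: Callable[[AuditRecord], None], session_minutes: int = 30) -> None:
        self.enabled = False                             # administrator must enable the function first
        self._notify = notify                            # immediate notification hook (pager, SIEM, ...)
        self._ttl = timedelta(minutes=session_minutes)   # assumed lifetime of one break-glass session
        self.audit_log: List[AuditRecord] = []

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def _report(self, event: str, who: str, detail: str,
                now: Optional[datetime], notify: bool = True) -> AuditRecord:
        rec = AuditRecord(self._now(now), event, who, detail)
        self.audit_log.append(rec)      # the audit record is always written ...
        if notify:
            self._notify(rec)           # ... and emergency events are additionally pushed out at once
        return rec

    def set_enabled(self, admin_id: str, enabled: bool, now: Optional[datetime] = None) -> None:
        """Administrator enables or disables the emergency function; the change itself is audited."""
        self.enabled = enabled
        self._report("EMERGENCY_FUNCTION_" + ("ENABLED" if enabled else "DISABLED"),
                     admin_id, "", now, notify=False)

    def request_emergency_access(self, self_attested_id: str, reason: str,
                                 now: Optional[datetime] = None) -> Optional[EmergencySession]:
        """Break-glass entry point: no password is asked for, but a self-attested identity is mandatory."""
        who = self_attested_id.strip()
        if not who:
            self._report("EMERGENCY_ACCESS_DENIED", who, "self-attested identification not provided", now)
            return None
        if not self.enabled:
            self._report("EMERGENCY_ACCESS_DENIED", who, "emergency function disabled by administrator", now)
            return None
        session = EmergencySession(who, reason, EMERGENCY_ACCOUNT, self._now(now) + self._ttl)
        self._report("EMERGENCY_ACCESS_GRANTED", who, f"reason={reason!r} account={EMERGENCY_ACCOUNT}", now)
        return session

    def read_health_data(self, session: EmergencySession, record_id: str,
                         now: Optional[datetime] = None) -> bool:
        """Every HEALTH DATA access under break-glass is tied to the self-attested identity in the audit trail."""
        if self._now(now) >= session.expires_at:
            self._report("EMERGENCY_ACCESS_EXPIRED", session.self_attested_id, f"record={record_id}", now)
            return False
        self._report("HEALTH_DATA_READ", session.self_attested_id,
                     f"record={record_id} account={session.account}", now, notify=False)
        return True
```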

Table 8 – EMRG controls

Standard          Reference Control
SP 800-53         AC-1      Access control policy and management
                  AC-2      Account management
                  AC-14     Permitted actions without identification or authentication
                  IA-1      Identification and authentication policy and procedures
                  RA-5      Vulnerability scanning
ISO/IEC 15408-2   FDP_ACC   Access control policy
                  FDP_ACF   Access control functions
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 1.4    Identifier management
                  SR 1.5    Authenticator management
                  SR 2.8    Auditable events
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.1.1     Information security roles and responsibilities
                  7.2.2     Information security awareness, education and training
                  9.1.1     Access control policy
                  9.1.2     Access to networks and network services
                  9.2.2     User access provisioning
                  9.2.3     Management of privileged access rights
                  9.2.5     Review of user access rights
                  9.4.1     Information access restriction
                  9.4.4     Use of privileged utility programs
                  12.1.1    Documented operating procedures
                  12.4.1    Event logging
                  17.1.1    Planning information security continuity
                  17.1.2    Implementing information security continuity
                  17.1.3    Verify, review and evaluate information security continuity

4.10 HEALTH DATA integrity and authenticity – IGAU

Requirement goal: Assure that HEALTH DATA has not been altered or destroyed in a non-authorized manner and is from the originator. Assure integrity of HEALTH DATA.

User need: The user wants the assurance that HEALTH DATA is reliable and not tampered with.

Solutions are to include both fixed and also removable media.

Table 9 – IGAU controls

Standard          Reference Control
SP 800-53         SA-13     Trustworthiness
                  SC-12     Cryptographic key establishment and management
                  SC-13     Cryptographic protection
                  SC-17     Public key infrastructure certificates
                  SC-28     Protection of information at rest
                  SI-1      System and information integrity policy and procedures
                  SI-3      Malicious code protection
                  SI-7      Software and information integrity
                  SI-10     Information input validation
ISO/IEC 15408-2   FAU_ARP   Security audit automatic response
                  FDP_DAU   Data authentication
                  FDP_ITT   Internal TOE transfer
                  FDP_SDI   Stored data integrity
                  FDP_UIT   Inter-TSF user data integrity transfer protection
                  FPT_ITT   Internal TOE TSF data transfer
                  FPT_TRC   Internal TOE TSF data replication consistency
                  FPT_TST   Self test
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 3.1    Communication integrity
                  SR 3.3    Security functionality VERIFICATION
                  SR 3.4    Software and information integrity
                  SR 3.5    Input validation
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  8.1.1     Inventory of assets
                  8.1.2     Ownership of assets
                  8.1.3     Acceptable use of assets
                  8.2.2     Labelling of information
                  8.2.3     Handling of assets
                  9.1.1     Access control policy
                  10.1.1    Policy on the use of cryptographic controls
                  10.1.2    Key management
                  12.4.1    Event logging
                  13.2.1    Information transfer policies and procedures
                  18.1.3    Protection of records
                  18.1.4    Privacy and protection of personally identifiable information
                  18.1.5    Regulation of cryptographic controls
                  18.2.2    Compliance with security policies and standards

4.11 Malware detection/protection – MLDP

Requirement goal: The product supports regulatory, HDO and user needs in ensuring effective and uniform support for the prevention, detection and removal of malware. This is an essential step in a proper defence in depth approach to security.

Malware application software is updated, malware pattern data files are kept current, and operating systems and applications are patched in a timely fashion. Post-updating VERIFICATION testing of device operation for both continued INTENDED USE and SAFETY is often necessary to meet regulatory quality requirements.

User need: HDOs need to detect traditional malware as well as unauthorized software that could interfere with proper operation of the device/system.

Table 10 – MLDP controls

Standard          Reference Control
SP 800-53         CM-3      Configuration change control
                  IR-1      Incident response policy and procedures
                  IR-2      Incident response training
                  IR-3      Incident response testing
                  IR-4      Incident handling
                  IR-5      Incident monitoring
                  IR-6      Incident reporting
                  IR-7      Incident response assistance
                  IR-8      Incident response plan
                  MA-3      Maintenance tools
                  MP-2      Media access
                  RA-5      Vulnerability scanning
                  SA-4      Acquisition PROCESS
                  SA-8      Security engineering principles
                  SA-12     Supply chain protection
                  SA-13     Trustworthiness
                  SC-7      Boundary protection
                  SC-26     Honeypots
                  SC-28     Protection of information at rest
                  SC-30     Concealment and misdirection
                  SC-34     Non-modifiable executable programs
                  SC-35     Honeyclients
                  SC-37     Out-of-band channels
                  SC-44     Detonation chambers
                  SI-2      Flaw remediation
                  SI-3      Malicious code protection
                  SI-4      Information system monitoring
                  SI-7      Software and information integrity
                  SI-15     Information output filtering
ISO/IEC 15408-2   FPT_TST   Self test
                  FAU_ARP   Security audit automatic response
                  FAU_SAA   Security audit analysis
                  FDP_IFF   Information flow control functions
                  FDP_ITT   Internal TOE transfer
                  FDP_SDI   Stored data integrity
                  FDP_UIT   Inter-TSF user data integrity transfer protection
                  FPT_FLS   Fail secure
                  FPT_ITI   Integrity of exported TSF data
                  FPT_RPL   Replay detection
                  FPT_TRC   Internal TOE TSF data replication consistency
ISO/IEC 15408-3   ADV_IMP   Implementation representation
                  ADV_INT   TSF internals
                  ADV_TDS   TOE design
                  ALC_DVS   Development security
                  ALC_FLR   Flaw remediation
IEC 62443-3-3     SR 1.2    Software PROCESS and device identification and authentication
                  SR 2.3    Use control for portable and mobile devices
                  SR 3.2    Malicious code protection
                  SR 3.3    Security functionality VERIFICATION
                  SR 5.3    General purpose person-to-person communication restrictions
                  SR 6.2    Continuous monitoring
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.1.4     Contact with special interest groups
                  6.2.1     Mobile device policy
                  7.2.2     Information security awareness, education and training
                  9.1.2     Access to networks and network services
                  10.1.1    Policy on the use of cryptographic controls
                  11.2.4    Equipment maintenance
                  12.1.2    Change management
                  12.2.1    Controls against malware
                  12.4.1    Event logging
                  12.4.2    Protection of log information
                  12.4.3    Administrator and OPERATOR logs
                  12.4.4    Clock synchronisation
                  12.5.1    Installation of software on operational systems
                  12.6.1    Management of technical vulnerabilities
                  12.6.2    Restrictions on software installation
                  12.7.1    Information systems audit controls
                  13.1.1    Network controls
                  13.1.2    Security of network services
                  13.1.3    Segregation in networks
                  13.2.1    Information transfer policies and procedures
                  13.2.3    Electronic messaging
                  14.2.2    System change control procedures
                  14.2.3    Technical review of applications after operating platform changes
                  14.2.4    Restrictions on changes to software packages
                  14.2.7    Outsourced development
                  14.2.8    System security testing
                  14.2.9    System acceptance testing
                  16.1.2    Reporting information security events
                  16.1.7    Collection of evidence
                  18.2.2    Compliance with security policies and standards

4.12 Node authentication – NAUT

Requirement goal: Authentication policies need to be flexible to adapt to local HDO IT policy. As necessary, use node authentication when communicating HEALTH DATA.

User need: Capability of managing cross-machine accounts on a modality to protect HEALTH DATA access.

Support for stand-alone and central administration.

Support for node authentication according to industry standards.

To detect and prevent entity falsification (provide non-repudiation).

Table 11 – NAUT controls

Standard          Reference Control
SP 800-53         AC-2      Account management
                  AC-7      Unsuccessful logon attempts
                  AC-14     Permitted actions without identification or authentication
                  AC-17     Remote access
                  AC-18     Wireless access
                  AC-19     Access control for mobile devices
                  AU-2      Audit events
                  AU-10     Non-repudiation
                  CM-1      Configuration management policy and procedures
                  CM-3      Configuration change control
                  CM-6      Configuration settings
                  IA-1      Identification and authentication policy and procedures
                  IA-2      Identification and authentication (organizational users)
                  IA-3      Device identification and authentication
                  IA-4      Identifier management
                  IA-5      Authenticator management
                  IA-7      Cryptographic module authentication
                  IA-8      Identification and authentication (non-organizational users)
                  IA-10     Adaptive identification and authentication
                  IA-11     Re-authentication
                  MA-1      System maintenance policy and procedures
                  MA-4      Nonlocal maintenance
                  SC-12     Cryptographic key establishment and management
                  SC-13     Cryptographic protection
ISO/IEC 15408-2   FAU_GEN   Security audit data generation
                  FAU_SAA   Security audit analysis
                  FCO_NRO   Non-repudiation of origin
                  FCO_NRR   Non-repudiation of receipt
                  FCS_CKM   Cryptographic key management
                  FCS_COP   Cryptographic operation
                  FIA_AFL   Authentication failures
                  FIA_ATD   User attribute definition
                  FIA_SOS   Specification of secrets
                  FIA_UAU   User authentication
                  FIA_UID   User identification
                  FMT_MSA   Management of security attributes
                  FPT_RPL   Replay detection
                  FTA_LSA   Limitation on scope of selectable attributes
                  FTA_TSE   TOE session establishment
                  FTP_ITC   Inter-TSF trusted channel
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 1.2    Software PROCESS and device identification and authentication
                  SR 1.3    Account management
                  SR 1.4    Identifier management
                  SR 1.5    Authenticator management
                  SR 1.6    Wireless access management
                  SR 1.8    Public key infrastructure (PKI) certificates
                  SR 1.9    Strength of public key authentication
                  SR 1.10   Authenticator feedback
                  SR 1.11   Unsuccessful login attempts
                  SR 1.13   Access via untrusted networks
                  SR 4.3    Use of cryptography
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.2.1     Mobile device policy
                  6.2.2     Teleworking
                  9.2.4     Management of secret authentication information of users
                  9.4.1     Information access restriction
                  9.4.2     Secure log-on procedures
                  10.1.1    Policy on the use of cryptographic controls
                  10.1.2    Key management
                  11.2.1    Equipment siting and protection
                  11.2.4    Equipment maintenance
                  11.2.6    Security of equipment and assets off-premises
                  12.1.1    Documented operating procedures
                  12.1.2    Change management
                  12.4.1    Event logging
                  12.4.3    Administrator and OPERATOR logs
                  12.7.1    Information systems audit controls
                  14.2.2    System change control procedures
                  18.1.1    Identification of applicable legislation and contractual requirements
                  18.1.5    Regulation of cryptographic controls
                  18.2.2    Compliance with security policies and standards

4.13 Person authentication – PAUT

Requirement goal: Authentication policies need to be flexible to adapt to HDO IT policy. This requirement is a logical place to require person authentication when providing access to HEALTH DATA.

To control access to devices, network resources and HEALTH DATA and to generate non-repudiatable audit trails. This feature should be able to identify unambiguously and with certainty the individual who is accessing the network, device or resource.

NOTE This requirement is relaxed during “break-glass” operation. See capability “Emergency access.”

User need: Capability of managing accounts on a modality to protect HEALTH DATA access.

Desirable to link to personal settings/preferences.

Support for stand-alone and central administration.

Single sign-on and the same password on all workspots.

To detect and prevent person falsification (provide non-repudiation).

Role based access control (RBAC) capability desirable.

Table 12 – PAUT controls

Standard          Reference Control
SP 800-53         AC-2      Account management
                  AC-7      Unsuccessful logon attempts
                  AC-14     Permitted actions without identification or authentication
                  AC-17     Remote access
                  AC-18     Wireless access
                  AU-2      Audit events
                  AU-10     Non-repudiation
                  CM-1      Configuration management policy and procedures
                  IA-1      Identification and authentication policy and procedures
                  IA-2      Identification and authentication (organizational users)
                  IA-4      Identifier management
                  IA-5      Authenticator management
                  IA-7      Cryptographic module authentication
                  IA-8      Identification and authentication (non-organizational users)
                  IA-10     Adaptive identification and authentication
                  IA-11     Re-authentication
                  SC-12     Cryptographic key establishment and management
ISO/IEC 15408-2   FAU_GEN   Security audit data generation
                  FAU_SAA   Security audit analysis
                  FCO_NRO   Non-repudiation of origin
                  FCO_NRR   Non-repudiation of receipt
                  FCS_CKM   Cryptographic key management
                  FCS_COP   Cryptographic operation
                  FIA_AFL   Authentication failures
                  FIA_ATD   User attribute definition
                  FIA_SOS   Specification of secrets
                  FIA_UAU   User authentication
                  FIA_UID   User identification
                  FMT_MSA   Management of security attributes
                  FMT_SMR   Security management roles
                  FPT_RPL   Replay detection
                  FTA_LSA   Limitation on scope of selectable attributes
                  FTA_TSE   TOE session establishment
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 1.1    Human user identification and authentication
                  SR 1.3    Account management
                  SR 1.4    Identifier management
                  SR 1.5    Authenticator management
                  SR 1.6    Wireless access management
                  SR 1.7    Strength of password-based authentication
                  SR 1.8    Public Key Infrastructure (PKI) certificates
                  SR 1.9    Strength of public key authentication
                  SR 1.10   Authenticator feedback
                  SR 1.11   Unsuccessful login attempts
                  SR 1.13   Access via untrusted networks
                  SR 2.3    Use control for portable and mobile devices
                  SR 2.8    Auditable events
                  SR 2.11   Timestamps
                  SR 2.12   Non-repudiation
                  SR 4.1    Information confidentiality
                  SR 4.3    Use of cryptography
                  SR 6.2    Continuous monitoring
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.2.1     Mobile device policy
                  6.2.2     Teleworking
                  9.2.1     User registration and de-registration
                  9.2.4     Management of secret authentication information of users
                  9.4.2     Secure log-on procedures
                  10.1.1    Policy on the use of cryptographic controls
                  10.1.2    Key management
                  12.1.1    Documented operating procedures
                  12.1.2    Change management
                  12.4.1    Event logging
                  12.4.3    Administrator and OPERATOR logs
                  12.7.1    Information systems audit controls
                  18.1.1    Identification of applicable legislation and contractual requirements
                  18.1.5    Regulation of cryptographic controls
                  18.2.2    Compliance with security policies and standards

4.14 Physical locks on device – PLOK

Requirement goal: Assure that unauthorized access does not compromise the system or data confidentiality, integrity and availability.

User need: Reasonable assurance that HEALTH DATA stored on products or media is and stays secure in a manner proportionate to the sensitivity and volume of data records on the device.

Systems are reasonably free from tampering or component removal that might compromise integrity, confidentiality or availability. Tampering (including device removal) is detectable.

Table 13 – PLOK controls

Standard          Reference Control
SP 800-53         AC-1      Access control
                  AU-2      Audit events
                  CA-7      Continuous monitoring
                  CP-6      Alternate storage site
                  MP-2      Media access
                  MP-4      Media
                  MP-7      Media use
                  PE-1      Physical and environmental protection policy and procedures
                  PE-2      Physical access authorizations
                  PE-3      Physical access control
                  PE-4      Access control for transmission medium
                  PE-5      Access control for output devices
                  PE-6      Monitoring physical access
                  PE-9      Power equipment and power cabling
                  PE-18     Location of information system components
                  PL-2      System security plan
                  RA-5      Vulnerability scanning
                  SC-8      Transmission confidentiality and integrity
ISO/IEC 15408-2   FPT_PHP   TSF physical protection
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 1.1    Human user identification and authentication
                  SR 1.3    Account management
                  SR 1.5    Authenticator management
                  SR 4.1    Information confidentiality
                  SR 7.7    Least functionality
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.2.1     Mobile device policy
                  8.3.1     Management of removable media
                  11.1.1    Physical security perimeter
                  11.1.2    Physical entry controls
                  11.1.3    Securing offices, rooms and facilities
                  11.1.5    Working in secure areas
                  11.1.6    Delivery and loading areas
                  11.2.1    Equipment siting and protection
                  11.2.2    Supporting utilities
                  11.2.3    Cabling security
                  11.2.4    Equipment maintenance
                  12.1.1    Documented operating procedures
                  12.4.1    Event logging
                  12.6.1    Management of technical vulnerabilities
                  12.7.1    Information systems audit controls
                  16.1.2    Reporting information security events
                  18.2.2    Compliance with security policies and standards

4.15 Third-party components in product lifecycle roadmaps – RDMP

Requirement goal: HDOs want an understanding of security throughout the full life cycle of a MEDICAL DEVICE.

The MDM plans such that products are sustainable throughout their life cycle according to internal quality systems and external regulations. Products are provided with a clear statement of expected life span.

The goal is to proactively manage the impact of the life cycle of components throughout a product’s full life cycle. This commercial off-the-shelf or 3rd party software includes operating systems, database systems, report generators, medical imaging processing components etc. (the assumption is that existing product creation processes already manage hardware component obsolescence). Third party here also includes internal suppliers of security vulnerable components with their own life cycle and support programs.

User need: HDO contracts, policy and regulations require that vendors maintain/support the system during product life.

Updates and upgrades are expected when platform components become obsolete.

HDOs and service providers show extreme care in irreversibly erasing HEALTH DATA prior to storage devices being decommissioned (discarded, reused, resold or recycled). Such activities should be logged and audited.

Sales and service are well informed about the security support offered per product during its life cycle.

Table 14 – RDMP controls

Standard          Reference Control
SP 800-53         MA-1      System maintenance policy and procedures
                  MA-2      Controlled maintenance
                  MA-3      Maintenance tools
                  MA-6      Timely maintenance
                  MP-1      Media protection policy and procedures
                  MP-8      Media downgrading
                  SA-1      System and services acquisition policy and procedures
                  SA-3      System development life cycle
                  SA-4      Acquisition PROCESS
                  SA-5      Information system documentation
                  SA-8      Security engineering principles
                  SA-9      External information system services
                  SA-10     Developer configuration management
                  SA-11     Developer security testing and evaluation
                  SA-12     Supply chain protection
                  SA-15     Development PROCESS, standards and tools
                  SA-16     Developer-provided training
                  SA-17     Developer security architecture and design
                  SA-21     Developer screening
ISO/IEC 15408-2   FMT_MOF   Management of functions in TSF
                  FMT_MSA   Management of security attributes
ISO/IEC 15408-3             No applicable SECURITY CONTROLS
IEC 62443-3-3     SR 4.2    Information persistence
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  6.2.1     Mobile device policy
                  12.1.1    Documented operating procedures
                  12.1.2    Change management
                  14.1.1    Information security requirements analysis and specification
                  14.2.1    Secure development policy
                  14.2.2    System change control procedures
                  14.2.3    Technical review of applications after operating platform changes
                  14.2.4    Restrictions on changes to software packages
                  14.2.5    Secure system engineering principles
                  14.2.6    Secure development environment
                  14.2.7    Outsourced development
                  14.2.8    System security testing
                  14.2.9    System acceptance testing
                  18.1.1    Identification of applicable legislation and contractual requirements
                  18.1.2    Intellectual property rights
                  18.2.1    Independent review of information security
                  18.2.2    Compliance with security policies and standards
                  18.2.3    Technical compliance review

4.16 System and application hardening – SAHD

Requirement goal: Adjust SECURITY CONTROLS on the MEDICAL DEVICE and/or software applications such that security is maximized (“hardened”) while maintaining INTENDED USE. Minimize attack vectors and overall attack surface area via port closing, service removal, etc.

User need: The user requires a system that is stable and provides just those services specified and required according to its INTENDED USE with a minimum of maintenance activities.

HDO IT requires systems connected to their network to be secure on delivery and hardened against misuse and attacks.

It is desirable for the user to inform the MDM of suspected security breaches and perceived weaknesses in user equipment.

Table 15 – SAHD controls

Standard          Reference Control
SP 800-53         AC-19     Access control for mobile devices
                  CM-6      Configuration settings
                  CM-7      Least functionality
                  SA-14     Criticality analysis
                  SA-17     Developer security architecture and design
                  SA-18     Tamper resistance and detection
                  SC-25     Thin nodes
                  SC-28     Protection of information at rest
                  SC-29     Heterogeneity
                  SC-30     Concealment and misdirection
                  SC-31     Covert channel analysis
                  SC-35     Honeyclients
                  SC-40     Wireless link protection
                  SC-41     Port and I/O device access
                  SC-42     Sensor capability and data
                  SC-43     Usage restrictions
                  SI-11     Error handling
ISO/IEC 15408-2   FMT_MSA   Management of security attributes
                  FPT_PHP   TSF physical protection
ISO/IEC 15408-3   ASE_TSS   TOE summary specification
                  ADV_ARC   Security architecture
                  ADV_TDS   TOE design
                  ALC_DEL   Delivery
                  ACO_COR   Composition rationale
                  ACO_REL   Reliance of independent component
IEC 62443-3-3     SR 2.1    Authorization enforcement
                  SR 2.2    Wireless use control
                  SR 2.3    Use control for portable and mobile devices
                  SR 3.4    Software and information integrity
                  SR 5.1    Network segmentation
                  SR 5.2    Zone boundary protection
                  SR 5.3    General purpose person-to-person communication restrictions
                  SR 5.4    Application partitioning
                  SR 7.7    Least functionality
ISO/IEC 27002     5.1.1     Policies for information security
ISO 27799         5.1.2     Review of the information security policy
                  12.4.2    Protection of log information
                  12.5.1    Installation of software on operational systems
                  12.6.2    Restrictions on software installation
                  13.1.1    Network controls
                  13.1.2    Security of network services
                  13.1.3    Segregation in networks
                  14.2.1    Secure development policy
                  14.2.4    Restrictions on changes to software packages
                  14.2.8    System security testing
                  18.2.2    Compliance with security policies and standards

4.17 Security guides – SGUD

Requirement goal: Ensure that security guidance for OPERATORS and administrators of the system is available. Separate manuals for OPERATORS and administrators (including MDM sales and service) are desirable, as they allow understanding of the full administrative functions to be kept only by administrators.

User need: The OPERATOR should be clearly informed about his responsibilities and the secure way of working with the system.

The administrator needs information about managing, customizing and monitoring the system (i.e. access control lists, audit logs, etc.).

The administrator needs a clear understanding of SECURITY CAPABILITIES to allow HEALTH DATA RISK ASSESSMENT per the appropriate regulatory requirement.

Sales and service also need information about the system’s SECURITY CAPABILITIES and secure way of working.

It is desirable for the user to know how and when to inform the MDM of suspected security breaches and perceived weaknesses in user equipment.

Table 1 6 – SGUD controls


Standard Reference Control
SP 800-53 AC-1 Access con trol pol i cy an d m an ag em en t
AC-2 Accou n t m an ag em en t
AT-1 Secu ri ty awaren ess an d trai n i n g pol i cy an d proced u res
AT-2 Secu ri ty awaren ess trai n i n g
AT-3 Secu ri ty trai n i n g
CP-1 Con ti n g en cy pl an n i n g pol i cy an d proced u res
CP-2 Con ti n g en cy pl an
CP-3 Con ti n g en cy trai n i n g
I R-1 I n ci d en t respon se pol i cy an d proced u res
I R-2 I n ci d en t respon se trai n i n g
I R-7 I n ci d en t respon se assi stan ce
I R-8 I n ci d en t respon se pl an
PL-1 Secu ri ty pl an n i n g pol i cy an d proced u res
PL-2 System secu ri ty pl an
PL-4 Ru l es of beh avi ou r
PL-7 Secu ri ty con cept of operati on s
– 46 – I EC TR 80001 -2-8:201 6 © I EC 201 6

Table 1 6 (continued)
Standard Reference Control
SP 800-53 PL-8 I n form ati on secu ri ty arch i tectu re
PS-1 Person n el secu ri ty pol i cy an d proced u res
SA-4 Acq u i si ti on P ROCE S S
SA-5 I n form ati on system d ocu m en tati on
SA-1 6 Devel oper-provi d ed trai n i n g
SC-1 System an d com m u ni cati on s protecti on pol i cy an d proced u res
SI -1 System an d i n form ati on i n teg ri ty pol i cy an d proced u res
SI -2 Fl aw rem ed i ati on
SI -3 M al i ci ou s cod e protecti on
SI -4 I n form ati on system m on i tori n g
SI -5 Secu ri ty al erts, ad vi sori es, an d d i recti ves
SI -6 Secu ri ty fu n cti on al i ty VER I FI C ATI ON
SI -7 Software an d i n form ati on i n teg ri ty
SI -8 Spam protecti on
SI -1 0 I n form ati on i n pu t val i d ati on
SI -1 1 Error h an dl i n g
SI -1 2 I n form ati on h an d l i n g an d reten ti on
SI -1 7 Fai l -safe proced u res
PM -1 I n form ati on secu ri ty prog ram pl an
PM -9 R I S K M AN AG E M E N T strateg y
PM -1 2 I n si d er th reat prog ram
PM -1 4 Testi n g , trai n i n g an d m on i tori n g
PM -1 5 Con tacts wi th secu ri ty g rou ps an d associ ati on s
PM -1 6 Th reat awaren ess prog ram
I SO I EC 1 5408-2 FAU _G EN Secu ri ty au di t d ata g en erati on
FAU _SAR Secu ri ty au di t revi ew
FDP_ACC Access con trol pol i cy
FDP_ACF Access con trol fu n cti on s
I SO I EC 1 5408-3 APE_REQ Secu ri ty req u i rem en ts
ASE_I N T ST i n trod u cti on
ASE_CCL Con form an ce cl ai ms
ASE_SPD Secu ri ty probl em defi n i ti on
ASE_OBJ Secu ri ty obj ecti ves
ASE_TSS TOE su m m ary speci fi cati on
ADV_FSP Fu n cti on al speci fi cati on
AG D_OPE Operati on al u ser g u i d an ce
I EC 62443-3-3 No applicable SEC U R I TY CON TROLS

I SO I EC 27002 5. 1 . 1 Pol i ci es for i n form ati on secu ri ty


I SO 27799 5. 1 . 2 Revi ew of th e i n form ati on secu ri ty pol i cy
6. 1 . 2 Seg reg ati on of du ti es
I SO I EC 27002 6. 1 . 3 Con tact wi th au th ori ti es
I EC TR 80001 -2-8:201 6 © I EC 201 6 – 47 –

Table 1 6 (continued)
Standard Reference Control
I SO 27799 6. 2. 1 M obi l e d evi ce pol i cy
6. 2. 2 Tel eworki n g
7. 2. 2 I n form ati on secu ri ty awaren ess, ed u cati on an d trai n i n g
9. 4. 2 Secu re l og on proced u res
1 2. 1 . 1 Docu m en ted operati n g proced u res
1 3. 2. 1 I n form ati on tran sfer pol i ci es an d proced u res
1 4. 1 . 1 I n form ati on secu ri ty req u i rem en ts an al ysi s an d speci fi cati on
1 4. 2. 1 Secu re d evel opm en t pol i cy
1 4. 2. 2 System ch an g e con trol proced u res
Tech n i cal revi ew of appl i cati on s after operati n g pl atform
1 4. 2. 3
ch an g es
1 5. 1 . 1 I n form ati on secu ri ty pol i cy for su ppl i er rel ati on sh i ps
1 6. 1 . 1 Respon si bi l i ti es an d proced u res
1 6. 1 . 5 Respon se to i n form ati on secu ri ty i n ci den ts
I d en ti fi cati on of appl i cabl e l eg i sl ati on an d con tractu al
1 8. 1 . 1
req u i rem en ts
1 8. 1 . 5 Reg u l ati on of cryptog raph i c con trol s
1 8. 2. 2 Com pl i an ce wi th secu ri ty pol i ci es an d stan d ard s
1 8. 2. 3 Tech n i cal com pl i an ce revi ew

4.18 HEALTH DATA storage confidentiality – STCF

Requirement goal: The MDM establishes technical controls to mitigate the potential for compromise of the integrity and confidentiality of HEALTH DATA stored on products or on removable media.

User need: Reasonable assurance that HEALTH DATA stored on products or media is and stays secure.
Encryption has to be considered for HEALTH DATA stored on MEDICAL DEVICES, based on RISK ANALYSIS.
For HEALTH DATA stored on removable media, encryption can protect confidentiality and integrity not only for clinical users but also when MDM service and application engineers collect clinical data.
A mechanism for encryption key management that is consistent with conventional use, service access and emergency ("break-glass") access.
The encryption method and strength take into consideration the volume (extent of record collection/aggregation) and the sensitivity of the data.
Table 17 – STCF controls

Standard                      Reference  Control
SP 800-53                     SC-12      Cryptographic key establishment and management
                              SC-13      Cryptographic protection
                              SC-17      Public key infrastructure certificates
                              SC-28      Protection of information at rest
ISO/IEC 15408-2               FCS_CKM    Cryptographic key management
                              FCS_COP    Cryptographic operation
ISO/IEC 15408-3                          No applicable SECURITY CONTROLS
IEC 62443-3-3                 SR 4.1     Information confidentiality
                              SR 4.3     Use of cryptography
ISO/IEC 27002                 5.1.1      Policies for information security
ISO 27799                     5.1.2      Review of the information security policy
                              6.2.1      Mobile device policy
                              6.2.2      Teleworking
                              8.2.2      Labelling of information
                              8.2.3      Handling of assets
                              8.3.1      Management of removable media
                              9.1.1      Access control policy
                              9.1.2      Access to networks and network services
                              9.4.1      Information access restriction
                              10.1.1     Policy on the use of cryptographic controls
                              10.1.2     Key management
                              12.1.4     Separation of development, testing and operational environments
                              12.3.1     Information backup
                              14.3.1     Protection of test data
                              18.1.3     Protection of records
                              18.1.4     Privacy and protection of personally identifiable information
                              18.1.5     Regulation of cryptographic controls
                              18.2.2     Compliance with security policies and standards
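The STCF requirement above asks for encryption of stored HEALTH DATA together with a key-management mechanism that serves conventional clinical use, service access and emergency ("break-glass") access, and it names integrity alongside confidentiality. The Go program below is an added example written for this page; it is not code from IEC TR 80001-2-8 or from any MDM's product. It implements envelope encryption: each record is encrypted under its own data-encryption key (DEK) with AES-256-GCM, whose authentication tag supplies the integrity protection that unauthenticated encryption alone would not, and the DEK is wrapped separately under one key-encryption key (KEK) per role, so the same record can be opened by a clinician, by a service engineer or through the audited emergency path without any role holding another role's KEK. The role names, the record identifier, the constructed sample record, the in-memory random KEKs (which a product would keep in a hardware-backed key store) and the AuditEntry structure are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Record is one stored HEALTH DATA item: the AES-256-GCM ciphertext plus the DEK wrapped once per role.
type Record struct {
	Ciphertext []byte            // nonce || ciphertext || tag; AAD = record ID
	Wrapped    map[string][]byte // role -> nonce || wrapped DEK || tag; AAD = record ID + "/" + role
}

// AuditEntry records one emergency (break-glass) access attempt.
type AuditEntry struct{ When time.Time; Actor, RecordID, Reason string }

// NewKey returns n random bytes. Assumption: a product keeps its KEKs in a hardware-backed key store instead.
func NewKey(n int) []byte {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := NewKey(gcm.NonceSize()) // fresh per call: a nonce must never repeat under one key
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// open reverses seal and fails if the ciphertext, the tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("open: bad key or truncated data: %v", err)
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt stores health under a fresh DEK and wraps that DEK for every role in keks.
func Encrypt(recordID string, health []byte, keks map[string][]byte) (*Record, error) {
	dek := NewKey(32)
	ct, err := seal(dek, health, []byte(recordID))
	if err != nil {
		return nil, err
	}
	rec := &Record{Ciphertext: ct, Wrapped: make(map[string][]byte, len(keks))}
	for role, kek := range keks { // record ID and role in the AAD pin each wrapped DEK to this record and role
		if rec.Wrapped[role], err = seal(kek, dek, []byte(recordID+"/"+role)); err != nil {
			return nil, err
		}
	}
	return rec, nil
}

// Decrypt unwraps the DEK with the role's KEK and opens the record; a wrong key, role, record ID or byte fails.
func Decrypt(rec *Record, recordID, role string, kek []byte) ([]byte, error) {
	w, ok := rec.Wrapped[role]
	if !ok {
		return nil, fmt.Errorf("no DEK wrapped for role %q", role)
	}
	dek, err := open(kek, w, []byte(recordID+"/"+role))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for role %q: %w", role, err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// BreakGlass is the emergency path: a dedicated KEK, and an audit entry written before the attempt is made.
func BreakGlass(rec *Record, recordID string, emergencyKEK []byte, actor, reason string, audit *[]AuditEntry) ([]byte, error) {
	if reason == "" {
		return nil, errors.New("break-glass access requires a documented reason")
	}
	*audit = append(*audit, AuditEntry{time.Now(), actor, recordID, reason})
	return Decrypt(rec, recordID, "break-glass", emergencyKEK)
}

func main() {
	keks := map[string][]byte{"clinical": NewKey(32), "service": NewKey(32), "break-glass": NewKey(32)}
	rec, _ := Encrypt("rec-0042", []byte("constructed sample: patient 123, HR 72"), keks)
	pt, err := Decrypt(rec, "rec-0042", "clinical", keks["clinical"])
	fmt.Printf("clinical: %q err=%v\n", pt, err)
}
```

Because the record identifier and the role are bound into the additional authenticated data, a wrapped DEK copied from one record to another, or presented under a different role, fails to unwrap, and a flipped byte in the stored ciphertext fails the tag check in the same way. Rotating a role's KEK means re-wrapping the DEKs of the affected records, not re-encrypting the records themselves, which is what makes per-role key management affordable on a device with limited resources.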

4.19 Transmission confidentiality – TXCF

Requirement goal: The device meets local laws, regulations and standards (e.g. USA HIPAA, national laws derived from EU Directive 95/46/EC), according to HDO needs, to ensure the confidentiality of transmitted HEALTH DATA.

User need: Assurance that HEALTH DATA confidentiality is maintained during transmission between authenticated nodes. This allows transport of HEALTH DATA over relatively open networks, or in environments where strong HDO IT policies for HEALTH DATA integrity and confidentiality are in use.
See IEC TR 80001-2-3:2012 for more information on RISK MANAGEMENT for wireless network systems.
Table 18 – TXCF controls

Standard                      Reference  Control
SP 800-53                     PE-4       Access control for transmission medium
                              SC-1       System and communications protection policy and procedures
                              SC-8       Transmission confidentiality and integrity
                              SC-12      Cryptographic key establishment and management
                              SC-13      Cryptographic protection
ISO/IEC 15408-2               FCS_CKM    Cryptographic key management
                              FCS_COP    Cryptographic operation
                              FDP_ITT    Internal TOE transfer
                              FDP_UCT    Inter-TSF user data confidentiality transfer protection
                              FPT_ITT    Internal TOE TSF data transfer
                              FTP_ITC    Inter-TSF trusted channel
ISO/IEC 15408-3                          No applicable SECURITY CONTROLS
IEC 62443-3-3                 SR 1.8     Public key infrastructure (PKI) certificates
                              SR 4.1     Information confidentiality
                              SR 4.3     Use of cryptography
ISO/IEC 27002                 5.1.1      Policies for information security
ISO 27799                     5.1.2      Review of the information security policy
                              6.2.1      Mobile device policy
                              6.2.2      Teleworking
                              10.1.1     Policy on the use of cryptographic controls
                              10.1.2     Key management
                              12.2.1     Controls against malware
                              12.3.1     Information backup
                              13.1.1     Network controls
                              13.1.2     Security of network services
                              13.1.3     Segregation in networks
                              13.2.1     Information transfer policies and procedures
                              13.2.2     Agreements on information transfer
                              13.2.3     Electronic messaging
                              13.2.4     Confidentiality or non-disclosure agreements
                              14.1.2     Securing application services on public networks
                              14.1.3     Protecting application services transactions
                              18.1.1     Identification of applicable legislation and contractual requirements
                              18.1.3     Protection of records
                              18.1.4     Privacy and protection of personally identifiable information
                              18.1.5     Regulation of cryptographic controls
                              18.2.2     Compliance with security policies and standards
4.20 Transmission integrity – TXIG

Requirement goal: The device protects the integrity of transmitted HEALTH DATA.

User need: Assurance that the integrity of HEALTH DATA is maintained during transmission. This allows transmission of HEALTH DATA over relatively open networks, or in environments where strong policies for HEALTH DATA integrity are in use.

Table 19 – TXIG controls

Standard                      Reference  Control
SP 800-53                     PE-4       Access control for transmission medium
                              SC-1       System and communications protection policy and procedures
                              SC-8       Transmission confidentiality and integrity
                              SI-1       System and information integrity policy and procedures
                              SI-3       Malicious code protection
ISO/IEC 15408-2               FDP_ITT    Internal TOE transfer
                              FDP_UIT    Inter-TSF user data integrity transfer protection
                              FPT_ITI    Integrity of exported TSF data
                              FPT_ITT    Internal TOE TSF data transfer
                              FTP_ITC    Inter-TSF trusted channel
ISO/IEC 15408-3                          No applicable SECURITY CONTROLS
IEC 62443-3-3                 SR 3.1     Communication integrity
                              SR 3.8     Session integrity
ISO/IEC 27002                 5.1.1      Policies for information security
ISO 27799                     5.1.2      Review of the information security policy
                              12.2.1     Controls against malware
                              12.3.1     Information backup
                              13.1.1     Network controls
                              13.1.2     Security of network services
                              13.1.3     Segregation in networks
                              13.2.1     Information transfer policies and procedures
                              13.2.2     Agreements on information transfer
                              13.2.3     Electronic messaging
                              18.2.2     Compliance with security policies and standards
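Sections 4.19 and 4.20 (TXCF and TXIG) are usually met by one mechanism: a mutually authenticated TLS channel gives confidentiality (SR 4.1, SR 4.3), per-record integrity (SR 3.1, SR 3.8, SC-8) and authentication of both nodes through PKI certificates (SR 1.8, SC-17, FTP_ITC). The Go program below is an added example serving both sections; it is not code from the technical report or from any product. It runs a TLS 1.3 exchange between a "device" and a "gateway" over the loopback interface: the gateway accepts only client certificates on its trust list, the device accepts only the gateway's certificate for the gateway's name, and a node outside the trust list is refused during the handshake, so Exchange returns an error instead of data. The node names, the constructed sample message and the self-signed certificates (standing in for certificates issued by the HDO's PKI) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Node is one network node: its TLS key pair and the certificate other nodes may put on a trust list.
type Node struct {
	TLS  tls.Certificate
	Cert *x509.Certificate
}

// NewNode makes a self-signed certificate for name. Assumption: in a deployment the HDO's PKI issues these.
func NewNode(name string) (Node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Node{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // peers verify the name against this SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Node{}, err
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return Node{TLS: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, Cert: cert}, nil
}

// Exchange sends msg from dev to gw over a mutually authenticated TLS 1.3 session on loopback: gw accepts
// only client certificates listed in trusted, dev accepts only gw's own certificate for gw's name.
// It returns what gw received and the peer identity gw verified, or the error of the side that refused.
func Exchange(dev, gw Node, msg []byte, trusted ...*x509.Certificate) ([]byte, string, error) {
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		clientCAs.AddCert(c)
	}
	rootCAs.AddCert(gw.Cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gw.TLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // an unauthenticated node is refused during the handshake
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, "", err
	}
	defer ln.Close()
	type recv struct{ data []byte; peer string; err error }
	got := make(chan recv, 1)
	go func() { // gateway side
		conn, err := ln.Accept()
		if err != nil {
			got <- recv{err: err}
			return
		}
		defer conn.Close()
		buf := make([]byte, 4096)
		n, err := conn.Read(buf) // the first Read completes the handshake, including client-certificate verification
		if err != nil {
			got <- recv{err: fmt.Errorf("gateway refused: %w", err)}
			return
		}
		got <- recv{data: buf[:n], peer: conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // device side
		Certificates: []tls.Certificate{dev.TLS},
		RootCAs:      rootCAs,
		ServerName:   gw.Cert.Subject.CommonName,
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, "", fmt.Errorf("device refused: %w", err)
	}
	defer conn.Close()
	conn.Write(msg) // a write error can only follow a gateway-side refusal, which the gateway result reports
	r := <-got
	return r.data, r.peer, r.err
}

func main() {
	dev, _ := NewNode("infusion-pump-01")
	gw, _ := NewNode("gateway.hdo.example")
	data, peer, err := Exchange(dev, gw, []byte("constructed sample: patient 123, HR 72"), dev.Cert)
	fmt.Printf("peer=%q data=%q err=%v\n", peer, data, err)
}
```

Exchange returns the bytes the gateway received together with the identity it verified from the client certificate, so the receiving application can attribute the HEALTH DATA to an authenticated node rather than to an IP address; a node presenting a certificate that is not on the trust list gets a gateway-side error and never delivers data. The same configuration, with the self-signed certificates replaced by HDO-issued ones and certificate revocation handled by the PKI, is what a device and gateway would use in the field.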
Bibliography

[1] IEC TS 62443-1-1, Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models

[2] IEC 62443-3-3:2013, Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels

[3] IEC TR 80001-2-3:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-3: Guidance for wireless networks

[4] ISO/IEC 15408-2:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components

[5] ISO/IEC 15408-3:2008, Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components

[6] ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements

[7] ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls

[8] ISO 27799:— 7), Health informatics – Information security management in health using ISO/IEC 27002

[9] HIMSS/NEMA Standard HN 1-2013, Manufacturer Disclosure Statement for Medical Device Security

[10] NIST IR 7298 Revision 2, Glossary of Key Information Security Terms, Richard Kissel, Editor, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, May 2013

[11] NIST SP 800-53 Revision 4:2013, Security and Privacy Controls for Federal Information Systems and Organizations, http://dx.doi.org/10.6028/NIST.SP.800-53r4

___________
7) To be published.