U.S. Department of Health and Human Services

Recognized Consensus Standards: Medical Devices

Part B: Supplementary Information Sheet (SIS)
FR Recognition List Number 032
Date of Entry 08/06/2013
FR Recognition Number 13-42
IEC TR 80001-2-2 Edition 1.0 2012-07
Application of risk management for IT Networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
Identical Adoption
ANSI AAMI IEC TIR 80001-2-2:2012
Application of risk management for IT Networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
This part of IEC 80001 creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls. Intended use and local factors determine which exact capabilities will be useful in the dialog about risk.

The capability descriptions in this report are intended to supply:
a) health delivery organizations (HDOs),
b) medical device manufacturers (MDMs), and
c) IT vendors
with a basis for discussing risk and their respective roles and responsibilities toward its management. This discussion among the risk partners serves as the basis for one or more responsibility agreements as specified in IEC 80001-1.

The present report provides broad descriptions of the security-related capabilities with the intent that any particular device or use of a device will have to have at least one additional level of specification detail under each capability. This will often be site and application-specific and may invoke risk and security controls standards as applicable.

At this introductory stage of IEC 80001-1 standardization, the security capabilities in this report provide a common, simple classification of security controls particularly suited to medical IT networks and the incorporated devices. The list is not intended to constitute or to support rigorous IT security standards-based controls and associated programs of certification and assurance such as might be found in other ISO standards (e.g., ISO/IEC 15408 with its Common Criteria for Information Technology Security Evaluation). The present report does not contain sufficient detail for exact specification of requirements in a request for proposal or product security disclosure sheet. However, the classification and structure can be used to organize such requirements with underlying detail sufficient for communication during the purchase and integration process for a medical device or IT equipment component. Again, this report is intended to act as a basis for discussion and agreement sufficient to initial integration project risk management. Additionally, security only exists in the context of the organizational security policies. Both:
a) the security policies of the healthcare delivery organization (HDO), and
b) the product and services security policies of the medical device manufacturer (MDM)
are outside of the scope of this report. In addition, the Technical Report does not address clinical studies where there is a need for securing the selective disclosure of private data or health data.
Extent of Recognition
Complete standard
Rationale for Recognition
This standard is relevant to medical devices and is recognized on its scientific and technical merit and/or because it supports existing regulatory policies.
Public Law, CFR Citation(s) and Procode(s)*
Any procode which describes a networkable medical device
Relevant FDA Guidance and/or Supportive Publications*
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018.
FDA Technical Contact
CDRH Division of Medical Device Cybersecurity
Standards Development Organization
IEC International Electrotechnical Commission http://www.iec.ch/
FDA Specialty Task Group (STG)
*These are provided as examples and others may be applicable.