| Part B: Supplementary Information Sheet (SIS) |
|
FR Recognition List Number
|
048
|
Date of Entry 12/04/2017
|
|
FR Recognition Number
|
13-102
|
| Standard | |
IEC TR 80001-2-8 Edition 1.0 2016-05
Application of risk management for IT-networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2 |
|
Scope/AbstractThis part of IEC 80001, which is a Technical Report, provides guidance to Health Delivery Organizations (HDOs) and medical device manufacturers (MDMs) for the application of the framework outlined in IEC TR 80001-2-2. Managing the risk in connecting medical devices to IT-networks requires the disclosure of security-related capabilities and risks. IEC TR 80001-2-2 presents a framework for this disclosure and the security dialog that surrounds the IEC 80001-1 risk management of IT-networks. IEC TR 80001-2-2 presents an informative set of common, descriptive security-related capabilities that are useful in terms of gaining an understanding of user needs. This report addresses each of the security capabilities and identifies security controls for consideration by HDOs and MDMs during risk management activities, supplier selection, device selection, device implementation, operation etc.
It is not intended that the security standards referenced herein are exhaustive of all useful standards; rather, the purpose of this technical report is to identify security controls, which exist in these particular security standards (listed in the introduction of this technical report), that apply to each of the security capabilities.
This report provides guidance to HDOs and MDMs for the selection and implementation of management, operational, administrative and technical security controls to protect the confidentiality, integrity, availability and accountability of data and systems during development, operation and disposal.
All 19 security capabilities are not required in every case and the identified security capabilities included in this report should not be considered exhaustive in nature. The selection of security capabilities and security controls should be based on the risk evaluation and the risk tolerance with consideration for protection of patient safety, life and health. Intended use, operational environment, network structure and local factors should also determine which security capabilities are necessary and which security controls most suitably assist in establishing that security capability. |
|
| Extent of Recognition
|
Rationale for Recognition
| This standard is relevant to medical devices and is recognized on its scientific and technical merit and/or because it supports existing regulatory policies. |
|
|
Public Law, CFR Citation(s) and Procode(s)*
|
Relevant FDA Guidance and/or Supportive Publications*
-Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, Oct 2, 2014.
-Postmarket Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff, Dec. 28, 2016.
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices - Guidance for Industry and Food and Drug Administration Staff, issued September 2018. |
|
| FDA Technical Contact
|
| Standards Development Organization
|
| FDA Specialty Task Group (STG)
|
| *These are provided as examples and others may be applicable. |
