Risk Management of Medical Devices Connected to IT Networks
TRANSCRIPT
IEC 80001-1:2010
RISK MANAGEMENT
of Medical IT-NETWORKS
Valdez Ladd, CISSP, CISA, ITIL V3, COBIT
MBA, MS Information Security Management
IEC 80001-1:2010
IEC 80001-1:2010 defines the roles, responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS
incorporating MEDICAL DEVICES
IEC 80001-1:2010
The responsible organization (hospitals and clinics) is tasked to:
1) Address the key properties of Safety, Effectiveness, and Data and
System Security
2) Secondarily, address medical device Interoperability (e.g. PACS, ICD-9)
IEC 80001-1:2010
IEC 80001-1:2010 applies to addressing the KEY PROPERTIES (Risk) of an IT-NETWORK incorporating a MEDICAL DEVICE
when there is no single MEDICAL DEVICE manufacturer assuming
this responsibility.
IEC 80001-1:2010 does not specify acceptable RISK levels.
IEC 80001-1:2010
Application of risk management to information technology (IT)
networks incorporating medical devices:
A framework with defined roles and responsibilities for medical
facilities (called responsible organizations),
Medical Device Manufacturers and IT Suppliers to ensure
safety, effectiveness, and data and system security.
IEC 80001-1:2010
Risk management
Should be applied before installing or connecting medical
device(s) to an IT-network, and throughout the network's entire life-cycle.
Removal, change or modification of equipment, items or
components is addressed in the same way.
IEC 80001-1:2010
A mutual responsibility agreement (Business Associate Agreement) shall be executed establishing clear roles and responsibilities among the parties engaged.
The responsible organization has to appoint resources to specific
roles defined in this standard.
IEC 80001-1:2010
A key resource is the MEDICAL IT-NETWORK RISK MANAGER
The medical IT network risk manager is responsible for ensuring
that risk management is applied to address the key properties.
DATA AND SYSTEM SECURITY – the operational state of a
MEDICAL IT-NETWORK in which information assets (data and
systems) are reasonably protected from degradation of
confidentiality, integrity, and availability.
The End
Valdez Ladd – Contact Me: LinkedIn
CISSP, CISA, ITIL V3 F., COBIT
MBA, MS Information Security Management