BS PD IEC TR 80001-2-9-2017 Application of risk management for it-networks incorporating medical devices Application guidance Guidance for use of security assurance cases to demonsp.pdf
《BS PD IEC TR 80001-2-9-2017 Application of risk management for it-networks incorporating medical devices Application guidance Guidance for use of security assurance cases to demonsp.pdf》由会员分享,可在线阅读,更多相关《BS PD IEC TR 80001-2-9-2017 Application of risk management for it-networks incorporating medical devices Application guidance Guidance for use of security assurance cases to demonsp.pdf(40页珍藏版)》请在麦多课文档分享上搜索。
1、Application of risk managementfor it-networks incorporating medical devicesPart 2-9: Application guidance Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilitiesPD IEC/TR 80001-2-9:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.
2、indd 1 15/05/2013 15:06National forewordThis Published Document is the UK implementation of IEC/TR80001-2-9:2017. The UK participation in its preparation was entrusted by TechnicalCommittee CH/62, Electrical Equipment in Medical Practice, toSubcommittee CH/62/1, Common aspects of Electrical Equipmen
3、t used in Medical Practice.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisions ofa contract. Users are responsible for its correct application. The British Standards Institution 201
4、7.Published by BSI Standards Limited 2017ISBN 978 0 580 91661 8ICS 11.040.01; 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 28 February 2017.Amendment
5、s/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENTPD IEC/TR 80001-2-9:2017IEC TR 80001-2-9 Edition 1.0 2017-01 TECHNICAL REPORT Application of risk management for it-networks incorporating medical devices Part 2-9: Application guidance Guidance for use of security assurance ca
6、ses to demonstrate confidence in IEC TR 80001-2-2 security capabilities INTERNATIONAL ELECTROTECHNICAL COMMISSION ICS 11.040.01, 35.240.80 ISBN 978-2-8322-3907-0 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtained this publication from an author
7、ized distributor. PD IEC/TR 80001-2-9:2017 2 IEC TR 80001-2-9:2017 IEC 2017 CONTENTS FOREWORD . 4 INTRODUCTION . 6 1 Scope 8 2 Normative references 8 3 Terms, definitions and abbreviated terms 9 3.1 Terms and definitions 9 3.2 Abbreviated terms . 12 4 ASSURANCE case 12 5 Use of this document . 13 5.
8、1 Intended use . 13 5.2 Intended audience 13 Intended purpose . 13 5.2.1MEDICAL DEVICE MANUFACTURERS (MDM) 13 5.2.2Healthcare delivery organizations (HDO) . 14 5.2.3Other stakeholders 15 5.2.46 General guidelines. 15 6.1 General . 15 6.2 Overview of the SECURITY CASE framework 15 6.3 Notation 16 Com
9、ponents of a SECURITY CASE 16 6.3.1Goal 16 6.3.2Strategy . 17 6.3.3Justification . 17 6.3.4Context 17 6.3.5Solution (EVIDENCE) . 18 6.3.6Stakeholder . 18 6.3.7Notation extensions . 18 6.3.87 Developing the SECURITY CASE . 19 8 SECURITY CASE change management 28 Annex A (informative) Exemplar SECURIT
10、Y PATTERNS 29 A.1 General . 29 A.2 Exemplar SECURITY PATTERN for person authentication (PAUT) SECURITY CAPABILITY PAUT established by MDM for a medical system . 29 A.2.1 Goal G6: Replay attack mitigated. 29 A.2.2 Goal G8: Man-in-the-middle attack mitigated 29 A.2.3 Goal G10: Brute force attack mitig
11、ated 29 A.2.4 Goal G13, G14: Denial of service attacks due to account lockout controls mitigated 30 A.3 Exemplar SECURITY PATTERN for automatic logoff (ALOF) established for a thin client terminal system . 31 A.3.1 Goal: Patient safety RISK with short session timeouts in OR mitigated 31 A.3.2 Goal:
12、Patient safety RISK with restoring sessions in the OR and ICU mitigated . 31 A.4 Exemplar SECURITY PATTERN for audit controls (AUDT) for a system or a device in a HDO facility such as a pharmacy system or an EMR, where multiple people require access to the same data set Goal G6: Keep a correct audit
13、 trail of attending staff in the OR while sessions are kept open 33 PD IEC/TR 80001-2-9:2017IEC TR 80001-2-9:2017 IEC 2017 3 Bibliography 35 Figure 1 Example GOAL (top-level) . 17 Figure 2 Example strategy . 17 Figure 3 Example justification 17 Figure 4 Example context 18 Figure 5 Example solution (
14、EVIDENCE) 18 Figure 6 Example stakeholder 18 Figure 7 Leading components Steps 1 through 9 . 19 Figure 8 SECURITY CAPABILITY pattern . 22 Figure 9 SECURITY CASE structure . 27 Figure A.1 Exemplar SECURITY PATTERN for PAUT 30 Figure A.2 Exemplar SECURITY PATTERN for ALOF 32 Figure A.3 Exemplar SECURI
15、TY PATTERN for AUDT 34 Table 1 Notation extensions . 18 Table 2 SECURiTY CASE steps 1 through 9 . 20 Table 3 SECURITY CASE steps 10 through 26 . 23 PD IEC/TR 80001-2-9:2017 4 IEC TR 80001-2-9:2017 IEC 2017 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ APPLICATION OF RISK MANAGEMENT FOR IT-NETWORKS INC
16、ORPORATING MEDICAL DEVICES Part 2-9: Application guidance Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all na
17、tional electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Techni
18、cal Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work.
19、 International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) T
20、he formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendat
21、ions for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end
22、user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publicati
23、on shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent
24、 certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any person
- 1.请仔细阅读文档,确保文档完整性,对于不预览、不比对内容而直接下载带来的问题本站不予受理。
- 2.下载的文档,不会出现我们的网址水印。
- 3、该文档所得收入(下载+内容+预览)归上传者、原创作者;如果您是本文档原作者,请点此认领!既往收益都归您。
下载文档到电脑,查找使用更方便
10000 积分 0人已下载
下载 | 加入VIP,交流精品资源 |
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- BSPDIECTR80001292017APPLICATIONOFRISKMANAGEMENTFORITNETWORKSINCORPORATINGMEDICALDEVICESAPPLICATIONGUIDANCEGUIDANCEFORUSEOFSECURITYASSURANCECASESTODEMONSPPDF

链接地址:http://www.mydoc123.com/p-588946.html