This content is only available to Standards Navigator subscribers. See our Subscribe page for information on subscriptions.
SoftwareCPR Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, SoftwareCPR Standards Navigator keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.
Recent standards and regulatory activity
Medical device software
- IEC 62304 Edition 2 did not achieve consensus during the 1st circulation as a Draft International Standard. The project team of IEC/SC 62A – ISO/TC 215/JWG 7 revised the document and this was circulated as a Committee Draft. The project team met to resolve comments received on the Committee Draft and a second Draft International Standard of IEC 62304 Ed. 2 has been circulated for vote. This vote will complete at the end of 2019.
Medical devices
- IEC/TC 62 and ISO/TC 210 plan to establish a Joint Advisory Group on Life Cycle Aspects for Medical Devices. The primary focus of the proposed Joint Advisory Group will be on improving access to and availability of safe and effective medical devices for all citizens in support of their health. The secondary focus will be on environmental considerations, including reuse of medical devices and device parts and other circular economy aspects. The Joint Advisory Group will examine and report on gaps between the current state and an ideal future state, along with options or suggestions for closing those gaps, and the need for possible standardization activities on medical device life cycle aspects. The Joint Advisory Group is to produce a final report by 12 months after starting. The scope of the Joint Advisory Group will be all aspects of the medical device life cycle, including:
- development, manufacturing, installation, maintenance, repair, on-site testing, refurbishment, upgrade, remanufacturing of medical devices;
- repair with used parts, possibly after refurbishment or remanufacturing;
- reuse of parts for new medical devices;
- reuse of medical devices intended for single use or short-term use;
- end-of-life aspects such as (final) decommissioning and recycling;
- decommissioning to a next user (change of ownership of the device), including cross-border donation to other facilities or users;
- environmental aspects;
- security aspects, including handling and removal of stored data;
Security
- AAMI TIR97, Principles for medical device security – Post-market security management for device manufacturers, has been approved by the AAMI Standards Board and is now published in the AAMI store.
- A committee draft of IEC 80001-5-1 Security Activities in the Product Lifecycle has been circulated for comment. This document specifies activities that the manufacturer of health software shall perform towards the information security of the health software product. These activities extend the processes required by IEC 62304. This new standard draws heavily on the practices in IEC 62443-4-1:2018 Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements. After it has been completed and adopted, it is expected to be used in regulatory activities.
- A draft technical report for part 2 of ISO 11633 Information Security management for remote maintenance of medical devices and medical information systems has been issued. This part covers Implementation of an information security management system (ISMS). It stipulates the risk assessment necessary to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, and jurisdictional legal requirements and privacy protections. It provides practical examples of risk analysis that support healthcare facilities and remote maintenance service providers implementing risk assessment.
- A draft technical report, ISO 22696 Guidance for identification and authentication for connectable Personal Health Devices (PHDs) has been circulated for comment. This document is applicable to identification and authentication between the bidirectionally connected PHDs and gateway by providing possible use cases and the associated threats and vulnerabilities. Since some smart devices with mobile healthcare apps and software may connect to the healthcare service network, these devices are considered connectable PHDs in this document.
- A draft technical report, ISO 21332 Cloud computing considerations for health information systems security and privacy has been circulated for comment. This technical report provides an overview of security and privacy requirements for Electronic Health Records (EHR) in a cloud computing service. It identifies core EHR security and privacy requirements where cloud computing services are considered possible.
- NIST has released a related report on Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Although not specific to health care, the report provides insights to inform organizations’ risk management processes to improve the quality of its risk assessments for IoT devices. It recognizes that risks of safety, reliability and resiliency need to be managed simultaneously with cybersecurity and privacy risks because of the effects addressing one type of risk can have on others, but focuses on cybersecurity and privacy risks. Three high level risk mitigation goals are identified:
- Protect device security
- Protect data security
- Protect individuals’ privacy
Recommendations are provided for addressing cybersecurity and privacy risk mitigation challenges for IoT devices.
Drafts referenced in this post listed below for temporary review and feedback. All comments or feedback on these drafts or on this post should be directed to seagles@softwarecpr.com
11633-2_Information_security_management_for_remote_maint
DTR-21332_security_for_cloud_EHR
DTR_22696_identification_and_authentication_for_connectable_PHDs
80001-5-1_security-in-life-cycle