Risk Management of Medical Devices Connected To IT Networks


Risk Management of Medical Devices Connected To IT Networks per ANSI / IEC 80001

Published in 2011 for informational awareness, on a non-profit, non-consulting basis, from publicly available resources.


This document is made available at this web site for educational and informational purposes only. It is not intended to provide legal or regulatory advice, as ISO 80001 was in draft form in 2011 when this document was originally published.

You should contact your attorney and corporate security / risk management officer(s) to obtain advice with respect to any particular security risk issue or problem. No obligations, rights or indemnification are given or implied by the public sharing of this document. Use of and access to this document on this Web site, or to any of the e-mail links, materials, etc. contained within the document, does not create an attorney-client or consulting relationship with the author(s), nor does it constitute legal and / or medical risk management advice in any context between the author(s) and the user or browser.

The opinions expressed at or through this site are the opinions of the individual author, to the best of public knowledge in 2011 only. They therefore do not reflect the opinions of any firm, ISO 80001 committee or any individual attorney, nor any legally binding statute, regulation, etc.


Risk Management of Medical Devices Connected To IT Networks

  1. IEC 80001-1:2010 RISK MANAGEMENT of Medical IT-NETWORKS. Valdez Ladd, CISSP, CISA, ITIL V3, COBIT, MBA, MS Information Security Management.
  2. IEC 80001-1:2010 defines the roles, responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS incorporating MEDICAL DEVICES.
  3. IEC 80001-1:2010: The responsible organization (hospitals and clinics) is tasked to 1) address the key properties of Safety, Effectiveness, and Data and System Security, and 2) secondarily, medical device Interoperability (i.e. PACS, ICD-9).
  4. IEC 80001-1:2010 is applicable to addressing the KEY PROPERTIES (Risk) of the IT-NETWORK incorporating a MEDICAL DEVICE when there is no single MEDICAL DEVICE manufacturer assuming this responsibility. IEC 80001-1:2010 does not specify acceptable RISK levels.
  5. IEC 80001-1:2010, Application of risk management to information technology (IT) networks incorporating medical devices: a framework with defined roles and responsibilities for medical facilities (called responsible organizations), Medical Device Manufacturers and IT Suppliers to ensure safety, effectiveness, and data and system security.
  6. IEC 80001-1:2010 Risk management should be applied before installing or connecting medical device(s) to an IT-network and throughout the network's entire life-cycle. Removal, change or modification of equipment, items or components is addressed in the same way.
  7. IEC 80001-1:2010: A mutual responsibility agreement (Business Associate Agreement) shall be executed establishing clear roles and responsibilities among the parties engaged. The responsible organization has to appoint resources to the specific roles defined in this standard.
  8. IEC 80001-1:2010: A key resource is the MEDICAL IT-NETWORK RISK MANAGER. The medical IT-network risk manager is responsible for ensuring that risk management is applied to address the key properties. DATA AND SYSTEM SECURITY – the operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability.
  9. IEC 80001-1:2010
  10. IEC 80001-1:2010
  11. IEC 80001-1:2010: The End. Valdez Ladd. Contact Me: LinkedIn. CISSP, CISA, ITIL V3 F., COBIT, MBA, MS Information Security Management.