Risk Management of Medical Devices Connected To IT Networks per ANSI / IEC 8001 Published 2011 for informational awareness, non-profit, non-consulting purposes of publicly available resources. Disclaimer This document is made available at this web site for educational informational purposes only. It is not intended for the purpose of providing legal advice or regulatory advise as ISO 8001 was in draft form in 2011 when this document was originally published. You should contact your attorney and corporate security / risk management officer(s) to obtain advice with respect to any particular security risk issue or problem. No obligations, rights or indemnification is given or implied by the public sharing of this document. Use of and access to this document on this Web site or any of the e-mail links, materials, etc., contained within the document do not create an attorney-client relationship, consulting between the author(s), legal and / or medical risk management advice in any context between the user or browser. The opinions expressed at or through this site are the opinions of the individual author to the best of public knowledge in 2011 only. Therefore it does not reflect the opinions of any firm, ISO 8001 committee or any individual attorney or legally binding statue, regulation,etc.

1. IEC 80001-1:2010
RISK MANAGEMENT
of Medical IT-NETWORKS
Valdez Ladd
CISSP, CISA, ITIL V3, COBIT
MBA, MS Information Security Management

2. IEC 80001-1:2010
IEC 80001-1:2010 defines the roles, responsibilities and activities
that are necessary for RISK MANAGEMENT of IT-NETWORKS
incorporating MEDICAL DEVICES

3. IEC 80001-1:2010
The responsible organization (hospitals and clinics) are
tasked
1) Address key properties of Safety, Effectiveness, Data and
System Security
2) Secondarily medical device Interoperability (i.e. PACS, ICD-9)

4. IEC 80001-1:2010
IEC 80001-1:2010 is applicable to address the KEY PROPERTIES
(Risk) of the IT-NETWORK incorporating a MEDICAL DEVICE
when there is no single MEDICAL DEVICE manufacturer assuming
this responsibility.
IEC 80001-1:2010 does not specify acceptable RISK levels.

5. IEC 80001-1:2010
Application of risk management to information technology (IT)
networks incorporating medical devices
A framework with defined roles and responsibilities for medical
facilities (called: responsible organizations),
Medical Device Manufacturers and IT Suppliers to ensure the
safety, effectiveness of data and system security.

6. IEC 80001-1:2010
Risk management
Should be used before installing or connecting medical
device(s) into an IT-network during its entire life-cycle
Removal, change or modification of equipment, items or
components are addressed in the same way.

7. IEC 80001-1:2010
A mutual responsibility agreement (Business Associate
Agreement) shall be executed establishing clear roles and
responsibilities among the parties engaged.
The responsible organization has to appoint resources to specific
roles defined in this standard.

8. EC 80001-1:2010
A key resource is the MEDICAL IT-NETWORK RISK MANAGER
The medical IT network risk manager is responsible for ensuring
that risk management is applied to address the key properties.
DATA AND SYSTEM SECURITY – the operational state of a
MEDICAL IT-NETWORK in which information assets (data and
systems) are reasonably protected from degradation of
confidentiality, integrity, and availability.

9. IEC 80001-1:2010

10. EC 80001-1:2010

11. IEC 80001-1:2010
The End
Valdez Ladd Contact Me: Linkedin
CISSP, CISA, ITIL V3 F., COBIT
MBA, MS Information Security Management