HIMSS/NEMA Standard HN 1-2013 Manufacturer Disclosure
Contents
1. Medical record (e.g., medical record/account/test or treatment date, device identification number). Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics). Open, unstructured text entered by device user/operator. Biometric data. Personal financial information. Maintaining private data: can the device maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? Store private data persistently on local media? Import/export private data with other systems? Maintain private data during power service interruptions? Mechanisms used for the transmitting, importing/exporting of private data: can the device display private data (e.g., video display, etc.)? Generate hardcopy reports or images containing private data? Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.)? Import private data via scanning? Other? Can the device be configured to force reauthorization of logged-in user(s) after a predeterm
2. 2.2.2 Display/presentation of data. GUIDANCE: Does the audit trail track the display, printing, or other means of presenting data? 2.2.3 Creation/modification/deletion of data. GUIDANCE: If yes, indicate in notes which of creation and/or modification and/or deletion of these forms of data manipulation are tracked. 2.2.4 Import/export of data from removable media. GUIDANCE: If yes, indicate in notes which of these forms of data manipulation are tracked. 2.2.5 Receipt/transmission of data from/to external (e.g., network) connection. GUIDANCE: If yes, indicate in notes which of these forms of data manipulation are tracked. 2.2.5.1 Remote service activity. 2.2.6 Other events (describe in the notes section). GUIDANCE: If yes, indicate in notes which other forms of data manipulation are tracked. 2.3 Indicate what information is used to identify individual events recorded in the audit log. 2.3.1 User ID. 2.3.2 Date/time. GUIDANCE: Indicate in the notes how the device time is set; e.g., indicate if the device can synchronize time to a Network Time Server (NTP, SNTP, etc.). 3 AUTHORIZATION (AUTH) The ability of the device to determine the authorization of users. 3.1 Can the device prevent access to unauthorized users through user login requirements or other mechanism? GUIDANCE: If the device can prevent unauthorized access, indicate in the notes what physical or technical safeguards the device uses to prevent access (password, biom
3. Can the device owner/operator technically/physically update virus definitions on manufacturer-installed anti-virus software? ... the recipient of data are known to each other and are authorized to receive transferred information? Does the device support user/operator-specific username(s) and password(s) for at least one user? Does the device support unique user/operator-specific IDs and passwords for multiple users? Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? Can default passwords be changed at/prior to installation? (Table continues on next page.) Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. (Table A-1, continued: MDS question number cross-reference, HN 1-2008 vs HN 1-2013; the question-number columns did not survive extraction.) Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? Are any shared user IDs used in this system? Can the device be configured to enforce creation of user account passwords that meet established complexity rules? Can the device be configured so that acco
4. Indicate what information is used to identify individual events recorded in the audit log: User ID; Date/time. Can the device prevent access to unauthorized users through user login requirements or other mechanism? Can users be assigned different privilege levels within an application based on roles (e.g., guests, regular users, power users, administrators, etc.)? ... system or application via local root or admin account? Can the device owner/operator reconfigure product security capabilities? Can relevant OS and device security patches be applied to the device as they become available? Can security patches or other software be installed remotely? Does the device provide an integral capability to de-identify private data? Does the device have an integral data backup capability (i.e., backup to remote storage or removable media like tape, disk)? Does the device incorporate an emergency access ("break-glass") feature? Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? Does the device support the use of anti-malware software (or other anti-malware mechanism)? Can the user independently re-configure anti-malware settings? Does notification of malware detection occur in the device user interface? Can only manufacturer-authorized persons repair systems when malware has been detected? Can the device owner install or update anti-virus software
5. ...user's ability to modify the list of authorized applications (the "white list"). NODE AUTHENTICATION (NAUT) The ability of the device to authenticate communication partners/nodes. Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? PERSON AUTHENTICATION (PAUT) The ability of the device to authenticate users. Does the device support user/operator-specific username(s) and password(s) for at least one user? GUIDANCE: If the device supports identification beyond username and password, describe it briefly in the notes (e.g., "uses XYZ Secure token mechanism"). Does the device support unique user/operator-specific IDs and passwords for multiple users? Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? GUIDANCE: If yes, please specify which mechanism in the notes section. Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? GUIDANCE: If yes, provide any detail in notes as desired. Can default passwords be changed at/prior to installation? GUIDANCE: If the manufacturer imposes specific restrictions, please explain in the notes. Are any shared user IDs used in this system? GUIDANCE: Answer Yes if by design the device is intended to
6. Device Category; Manufacturer; Document ID; Device Model; Software Revision; Software Release Date. Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. (Answer column: Yes / No / N/A or See Note.) 17 HEALTH DATA STORAGE CONFIDENTIALITY (STCF) The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media. 17.1 Can the device encrypt data at rest? STCF notes. 18 TRANSMISSION CONFIDENTIALITY (TXCF) The ability of the device to ensure the confidentiality of transmitted private data. 18.1 Can private data be transmitted only via a point-to-point dedicated cable? 18.2 Is private data encrypted prior to transmission via a network or removable media? If yes, indicate in the notes which encryption standard is implemented. 18.3 Is private data transmission restricted to a fixed list of network destinations? TXCF notes. 19 TRANSMISSION INTEGRITY (TXIG) The ability of the device to ensure the integrity of transmitted private data. 19.1 Does the device support any mechanism intended to ensure
7. Because security risk assessment spans an entire organization, this document focuses on only those elements of the security risk assessment process associated with medical devices that maintain or transmit private data. A standardized form (1) allows manufacturers to quickly respond to a potentially large volume of information requests from providers regarding the security-related features of the medical devices they manufacture, and (2) facilitates the providers' review of the large volume of security-related information supplied by the manufacturers. The manufacturer-completed MDS should: (1) be useful to healthcare provider organizations worldwide; the information presented should be useful for any healthcare delivery organization that aspires to have an effective information security risk management program; (2) include device-specific information addressing the technical security-related attributes of the individual device model; (3) provide a simple, flexible way of collecting the technical, device-specific elements of the common (typical) information needed by provider organizations (device users/operators) to begin medical device information security (i.e., confidentiality, integrity, availability) risk assessments. HIMSS and NEMA grant permission to make copies and use this form. PLEASE BE ADVISED: The MDS form is not intended to, nor should it be used as, the sole basis for medical device procurement. Writing procurement specificatio
8. ...device deleted/disabled? Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? Are security-related features documented for the device user? Are instructions available for device media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)? Can the device encrypt data at rest? Can private data be transmitted only via a point-to-point dedicated cable? Is private data encrypted prior to transmission via a network or removable media? If yes, indicate in the notes which encryption standard is implemented. Is private data transmission restricted to a fixed list of network destinations? Does the device support any mechanism intended to ensure data is not modified during transmission? If yes, describe in the notes section how this is achieved. Can the device be serviced remotely? Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? Can the device be configured to require the local user to accept or initiate remote access?
9. Section 1 GENERAL. 1.1 SCOPE. Information provided on the MDS form is intended to assist professionals responsible for security risk assessment processes in their management of medical device security issues. The information on the MDS form is not intended, and may be inappropriate, for other purposes. 1.1.1 The Role of Healthcare Providers in the Security Management Process. The provider organization has the ultimate responsibility for providing effective security management. Device manufacturers can assist providers in their security management programs by offering information describing: the type of data maintained/transmitted by the manufacturer's device; how data is maintained/transmitted by the manufacturer's device; any security-related features incorporated in the manufacturer's device. In order to effectively manage medical information security and comply with relevant regulations, healthcare providers must employ administrative, physical, and technical safeguards, most of which are extrinsic to the actual device. 1.1.2 The Role of Medical Device Manufacturers in the Security Management Process. The greatest impact manufacturers can have on medical device security is to incorporate technical safeguards (i.e., security features) in their devices to facilitate healthcare providers e
10. GUIDANCE: This question refers to the typical installation and configuration of the manufacturer's device. Consider internal data storage drives and any other storage media that maintain private data. Answer Yes if any such media can be physically accessed and removed without tools. In this context, a physical key required for access is considered a tool. ROADMAP FOR THIRD PARTY COMPONENTS IN DEVICE LIFE CYCLE (RDMP) Manufacturer's plans for security support of third-party components within the device's life cycle. In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s), including version number(s). Is a list of other third-party applications provided by the manufacturer available? GUIDANCE: In the notes section, list the other third-party applications used by the device and provided by the manufacturer. If components are proprietary, please specify whether this information is available upon request prior to sale. SYSTEM AND APPLICATION HARDENING (SAHD) The device's inherent resistance to cyber attacks and malware. Does the device employ any hardening measures? Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? GUIDANCE: Optionally describe in the notes section the mechanism(s) used to protect changes to the application
11. HIMSS/NEMA Standard HN 1-2013: Manufacturer Disclosure Statement for Medical Device Security. Published by National Electrical Manufacturers Association, 1300 North 17th Street, Suite 900, Rosslyn, Virginia 22209, www.nema.org. Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. All rights, including translation into other languages, reserved under the Universal Copyright Convention, the Berne Convention for the Protection of Literary and Artistic Works, and the International and Pan American Copyright Conventions. NOTICE AND DISCLAIMER: The information in this publication was considered technically sound by the consensus of persons engaged in the development and approval of the document at the time it was developed. Consensus does not necessarily mean that there is unanimous agreement among every person participating in the development of this document. The National Electrical Manufacturers Association (NEMA) standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While NEMA administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not indepe
12. Personal Information Protection and Electronic Documents Act (PIPEDA), Statutes of Canada 2000. Guide for Information Security for Biomedical Technology: A HIPAA Compliance Guide, May 2004, American College of Clinical Engineering (ACCE)/ECRI. 1.3 DEFINITIONS. administrative safeguards: Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect private data, and to manage the conduct of an organization's workforce in relation to the protection of that information. anti-malware: See anti-virus software. anti-virus software: A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. See also virus scanner. audit trail: Data collected and potentially used to facilitate a security audit. biometric data: Identifies a human via a measurement of a physical feature or repeatable action of the individual (e.g., hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, handwritten signature). device: A product/system including hardware, firmware, and/or only software, etc. Unless otherwise clear from the context, in this MDS document "device" refers to the medical device (the manufacturer's product) which is being addressed by the manufacturer in the MDS form. See also medical device. elect
13. DATA BACKUP AND DISASTER RECOVERY (DTBK) The ability to recover after damage or destruction of device data, hardware, or software. Does the device have an integral data backup capability (e.g., backup to remote storage or removable media such as tape, disk)? GUIDANCE: This refers to an integrated feature or option that supports information backup to remote storage or removable media (e.g., optical disk, magnetic disk, tape, etc.). If appropriate, mention in a note any limitations or restrictions on data backup/disaster recovery. EMERGENCY ACCESS (EMRG) The ability of the device user to access private data in case of an emergency situation that requires immediate access to stored private data. Does the device incorporate an emergency access ("break-glass") feature? GUIDANCE: See Definitions section for a description of the term emergency access. If applicable, describe in the notes for section 2 (e.g., question 2.2.6) the device's ability to log instances of emergency access. The manufacturer may also choose to mention in the notes for question 8.1: if/how the device prompts an emergency user for a temporary emergency user name and/or hospital/clinic ID that is then recorded in the audit log; if/how the device identifies or flags data acquired during an emerg
15. ...capabilities categories of IEC 80001-2-2, Guidance for the communication of medical device security needs, risks and controls. The manufacturer shall answer all questions either Yes, No, N/A (not applicable), or See Note, unless the applicable question requires otherwise. If additional information is needed for proper interpretation of these answers, manufacturers are encouraged to provide information in explanatory notes. The following clarifications and suggested guidance are provided to assist the manufacturer in answering the questions. NOTE: the numbers in this subsection below correlate to the question numbers in the MDS form. 1 AUTOMATIC LOGOFF (ALOF) The device's ability to prevent access and misuse by unauthorized users if device is left idle for a period of time. 1.1 Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto logoff, session lock, password-protected screen saver)? GUIDANCE: Does the device, by default or by configuration, always: enforce reauthorization after a specified period of inactivity; activate a password-protected screen saver after a preselected period of inactivity that effectively prevents user access even without logging the user off? The notes section may be used to indicate if/how an auto logoff or screen lock function can be disabled (e.g., per session or globally, with appropriate user security warn
16. D.2 Generate hardcopy reports or images containing private data. D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.). D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.). D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.). D.6 Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.). D.7 Import private data via scanning. D.8 Other. Management of private data notes. Device Category. (Answer column: Yes / No / N/A or See Note.) Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. 1 AUTOMATIC LOGOFF (ALOF) The device's ability to prevent access and misuse by unauthorized users if device is left idle for a period of time. 1.1 Can the device be configured to force re
17. Maintaining private data. Can the device: C.1 Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? C.2 Store private data persistently on local media? C.3 Import/export private data with other systems? C.4 Maintain private data during power service interruptions? D Mechanisms used for the transmitting, importing/exporting of private data. Can the device: D.1 Display private data (e.g., video display, etc.)? D.2 Generate hardcopy reports or images containing private data? D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? D.6 Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.)? D.7 Import private data via scanning? D.8 Other? SECURITY CAPABILITIES Section. The Security Capabilities section of the MDS form contains questions regarding the specific security-related features of the device. The questions are organized into the security cap
18. Types of private data elements that can be maintained by the device: B.1 Demographic (e.g., name, address, location, unique identification number). B.2 Medical record (e.g., medical record/account/test or treatment date, device identification number). B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics). B.4 Open, unstructured text entered by device user/operator. B.5 Biometric data. B.6 Personal financial information. Maintaining private data. Can the device: C.1 Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? C.2 Store private data persistently on local media? C.3 Import/export private data with other systems? C.4 Maintain private data during power service interruptions? Mechanisms used for the transmitting, importing/exporting of private data. Can the device: D.1 Display private data (e.g., video display, etc.)?
19. ...apply OS and device security patches, or has any restrictions on this activity, then the existence of these restrictions should be mentioned in a note. The manufacturer may optionally choose to describe any restrictions directly in the note, or reference external documents where a description of these restrictions can be found, or simply write "Information on manufacturer restrictions/limitations can be provided upon request", for example. Can security patches or other software be installed remotely? GUIDANCE: If the manufacturer does not authorize users to install OS/device security patches or other software remotely, or has any restrictions on this activity, then the existence of these restrictions should be mentioned in a note. The manufacturer may optionally choose to describe any restrictions directly in the note, or reference external documents where a description of these restrictions can be found, or simply write "Information on manufacturer restrictions/limitations can be provided upon request", for example. HEALTH DATA DE-IDENTIFICATION (DIDT) The ability of the device to directly remove information that allows identification of a person. Does the device provide an integral capability to de-identify private data? GUIDANCE: Mention in the notes if the de-identification process references/adheres to any specific de-identification standard/guideline. Also mention if the de-identification procedure is configurable. DATA BACKUP AND DISASTER RECOVERY (DTBK)
20. ...authorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto logoff, session lock, password-protected screen saver)? 1.1.1 Is the length of inactivity time before auto logoff/screen lock user or administrator configurable? Indicate time (fixed or configurable range) in notes. 1.1.2 Can auto logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? ALOF notes. 2 AUDIT CONTROLS (AUDT) The ability to reliably audit activity on the device. 2.1 Can the medical device create an audit trail? 2.2 Indicate which of the following events are recorded in the audit log: ... 2.2.4 Import/export of data from removable media. 2.2.5 Receipt/transmission of data from/to external (e.g., network) connection. 2.2.5.1 Remote service activity. 2.2.6 Other events (describe in the notes section).
21. ...be used with shared IDs. If yes, specify if the shared IDs are for service and/or user mode. Additionally, indicate if the IDs/passwords are common across multiple instances of the same model(s) of the device. This excludes emergency or break-glass accounts. Can the device be configured to enforce creation of user account passwords that meet established (organization-specific) complexity rules? If there are any limitations to password constraints, please list in the notes section. GUIDANCE: Answer Yes if password complexity is configurable. Answer No if password complexity is not configurable, regardless of complexity requirements. Indicate complexity rules and limits in the notes. Can the device be configured so that account passwords expire periodically? GUIDANCE: If yes, provide in the notes the expiration frequency or administration controls available. PHYSICAL LOCKS (PLOK) Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media. Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)?
22. ...care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. intended use: Use for which a product, process, or service is intended according to the specifications, instructions, and information provided by the manufacturer. Source: ISO 14971:2007, Application of risk management to medical devices, definition 2.5. malware: Malicious software. A software program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or of otherwise annoying or disrupting the victim. Source: NIST SP 800-83, Guide to Malware Incident Prevention and Handling. medical device: Any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material, or other similar or related article (a) intended by the manufacturer to be used, alone or i
23. ...access to/from specified devices or users or network locations (e.g., specific IP addresses)? 20.2.1 Can the device be configured to require the local user to accept or initiate remote access? Section 3 MDS FORM. To access and download the current HN 1 MDS Worksheet, type the following into your web browser: http www nema org Standards Complimentary Documents MDS2 Worksheet x s, or double-click on the icon below (MDS2 Worksheet.xls). Manufacturer Disclosure Statement for Medical Device Security (MDS). DEVICE DESCRIPTION: Device Category; Manufacturer; Document ID; Document Release Date; Software Release Date; Manufacturer or Representative Contact Information. (Answer column: Yes / No / N/A or See Note.) Can this device display, transmit, or maintain private data (including electronic Protected Health Information, ePHI)?
24. ...data is not modified during transmission? If yes, describe in the notes section how this is achieved. TXIG notes. 20 OTHER SECURITY CONSIDERATIONS (OTHR) Additional security considerations/notes regarding medical device security. 20.1 Can the device be serviced remotely? 20.2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? 20.2.1 Can the device be configured to require the local user to accept or initiate remote access? OTHR notes. Annex (informative): COMPARISON OF PREVIOUS (2008) AND CURRENT (2013) MDS. Table A-1: MDS question number changes cross-reference, HN 1-2008 vs HN 1-2013 (the question-number columns did not survive extraction). Can this device display, transmit, or maintain private data (including electronic Protected Health Information, ePHI)? Types of private data elements that can be maintained by the device: Demographic (e.g., name, address, location, unique identification number)
...intended use of device in network-connected environment. This allows the manufacturer to describe the intended function and use of the device and, if relevant, how the device is expected to be used if connected to a customer's network environment.

MANAGEMENT OF PRIVATE DATA section

The manufacturer shall answer all questions either Yes, No, N/A (not applicable), or See Note. If additional information is needed for proper interpretation of an answer, manufacturers are encouraged to provide information in explanatory notes. The following clarifications and suggested guidance are provided to assist the manufacturer in answering the questions.

NOTE: The numbers in this subsection below correlate to the question numbers in the MDS form.

A. Can this device display, transmit, or maintain private data (including electronic Protected Health Information, ePHI)?
B. Types of private data elements that can be maintained by the device:
B.1 Demographic (e.g., name, address, location, unique identification number)
B.2 Medical record (e.g., medical record, account, test or treatment date, device identification number)
B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)
B.4 Open, unstructured text entered by device user/operator
B.5 Biometric data
B.6 Personal financial information (e.g., credit card numbers, health insurance information, etc.)
C. Maintaining private data
10.3 Can the device owner/operator technically/physically update virus definitions on manufacturer-installed anti-virus software?
MLDP notes:

11 NODE AUTHENTICATION (NAUT): The ability of the device to authenticate communication partners/nodes.
11.1 Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information?
NAUT notes:

12 PERSON AUTHENTICATION (PAUT): Ability of the device to authenticate users.
12.1 Does the device support user/operator-specific username(s) and password(s) for at least one user?
12.1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users?
12.2 Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)?
12.3 Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts?
12.4 Can default passwords be changed at/prior to installation?
12.5 Are any shared user IDs used in this system?
EMRG notes:

HEALTH DATA INTEGRITY AND AUTHENTICITY (IGAU): How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.
Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology?

Form page header: Device Category, Document ID, Device Model, Software Release Date; answer columns Yes / No / N/A or See Note / Note. Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form.

10 MALWARE DETECTION/PROTECTION (MLDP): The ability of the device to effectively prevent, detect and remove malicious software (malware).
10.1 Does the device support the use of anti-malware software (or other anti-malware mechanism)?
10.1.1 Can the user independently re-configure anti-malware settings?
10.1.2 Does notification of malware detection occur in the device user interface?
10.1.3 Can only manufacturer-authorized persons repair systems when malware has been detected?
10.2 Can the device owner install or update anti-virus software?
28. eeeeeeeeeeeeege 12 6 Can the device be configuredto enforce creation of user account passwordsthat meet established comple niy CUS csc ce crs acces cacao eee ee esr AE aE A A a 12 7 Can the device be configured so that account passwords expire periodically ceeeeeeeeeeeeeeeeeeeeeeeeeeees PAUT notes 13 PHYSICAL LOCKS PLOK Physical locks can prevent unauthorized users with physical accessto the device from compromising the integrity and confidentiality of private data stored on the device oron removable media 13 1 Are all device components maintaining priv ate data other than removable media physically secure i e cannot remove without tools 2 0 ceecee cece eee eeeeceece eee eee eee eseeseeseeseeeeeseseeseeeeseeseeseeseeseeseeseeseeseeseesensenseess PLOK notes Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 21 Document ID Device Category Device Model Software Release Date m m f m ml ml Ml Yes No Refer to Section 2 3 2 of this standard for the proper interpretation of information requested in this form N A or See Note Note 14 ROADMAP FOR THIRD PARTY COMPONENTS IN DEVICE LIFE CYCLE RDMP Manufacturers plansfor security support of 3rd party componentswithin device life cycle 14 1 Inthe notessection list the provided or required separately purchased and or delivered operating syst
2.3 Indicate what information is used to identify individual events recorded in the audit log:
2.3.1 User ID
2.3.2 Date/time
AUDT notes:

3 AUTHORIZATION (AUTH): The ability of the device to determine the authorization of users.
3.1 Can the device prevent access to unauthorized users through user login requirements or other mechanism?
3.2 Can users be assigned different privilege levels within an application based on roles (e.g., guests, regular users, power users, administrators, etc.)?
3.3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)?
AUTH notes:

4 CONFIGURATION OF SECURITY FEATURES (CNFS): The ability to configure/re-configure device security capabilities to meet users' needs.
...including version number(s).
14.2 Is a list of other third party applications provided by the manufacturer available?
RDMP notes:

15 SYSTEM AND APPLICATION HARDENING (SAHD): The device's resistance to cyber attacks and malware.
15.1 Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards.
15.2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update?
15.3 Does the device have external communication capability (e.g., network, modem, etc.)?
15.4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)?
15.5 Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications?
15.6 Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled?
15.7 Are all communication ports which are not required for the intended use of the device closed/disabled?
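Question 15.2 asks whether a release-specific hash, key or checksum ties an installed update to the manufacturer-authorized release. The following is an added example, not part of HN 1-2013 and not any manufacturer's updater, of the simplest form of that check: the manufacturer ships a manifest of per-file SHA-256 values with each release, and the device holds the SHA-256 of the manifest it was built to accept, so neither a single file nor the manifest itself can be replaced unnoticed. The file names, file contents, release label and pinned digest in demo() are constructed for this example.

```python
"""Added example (not part of HN 1-2013, not any manufacturer's updater): a
release-specific manifest check of the kind SAHD question 15.2 asks about.
The device pins the SHA-256 of the manifest for the authorised release; the
manifest lists the SHA-256 of every file in the package. Names, contents and
the pinned value below are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Tuple


def manifest_digest(manifest: bytes) -> str:
    """The release-specific value a device pins (or that a manufacturer would sign)."""
    return hashlib.sha256(manifest).hexdigest()


def build_manifest(release: str, files: Dict[str, bytes]) -> bytes:
    """Manufacturer side: canonical JSON so the digest is reproducible."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    doc = {"release": release, "files": entries}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def verify_update(package: Dict[str, bytes], manifest: bytes,
                  pinned_manifest_sha256: str, expected_release: str) -> Tuple[bool, str]:
    """Device side: accept the package only if it is exactly the authorised release."""
    # 1. The manifest itself must be the one pinned for this release.
    if not hmac.compare_digest(manifest_digest(manifest), pinned_manifest_sha256):
        return False, "manifest digest mismatch"
    try:
        doc = json.loads(manifest)
        expected: Dict[str, str] = doc["files"]
        release = doc["release"]
    except (ValueError, KeyError, TypeError):
        return False, "manifest unreadable"
    if release != expected_release:
        return False, "release mismatch"
    # 2. Exactly the listed files, no extras (an unlisted file is as bad as a changed one).
    if set(package) != set(expected):
        return False, "file set differs from manifest"
    # 3. Every file hashes to its manifest entry.
    for name in sorted(package):
        if not hmac.compare_digest(hashlib.sha256(package[name]).hexdigest(), expected[name]):
            return False, f"hash mismatch: {name}"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed release 'fw-2.1.0' and four attempted installs."""
    files = {"app.bin": b"\x7fELF constructed application image",
             "config.xml": b"<config><autologoff minutes='10'/></config>"}
    manifest = build_manifest("fw-2.1.0", files)
    pinned = manifest_digest(manifest)   # would be fixed in the device at release time

    tampered = dict(files, **{"app.bin": b"\x7fELF modified image"})
    extra = dict(files, **{"helper.bin": b"unlisted file"})
    return {
        "genuine": verify_update(files, manifest, pinned, "fw-2.1.0"),
        "tampered_file": verify_update(tampered, manifest, pinned, "fw-2.1.0"),
        "extra_file": verify_update(extra, manifest, pinned, "fw-2.1.0"),
        # a manifest regenerated to match the modified file: the pinned digest catches it
        "regenerated_manifest": verify_update(tampered, build_manifest("fw-2.1.0", tampered),
                                              pinned, "fw-2.1.0"),
    }
```

Pinning a digest means each device build accepts exactly one update release, which is why shipped devices usually replace the pin with a manufacturer public key and a signature over the manifest; the file-level checks in steps 2 and 3 are unchanged in that design. Either way the answer to 15.2 is Yes, and the notes would name the hash algorithm and, if used, the signature scheme.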
...ency session (e.g., data acquired without an authorized user logged in).

HEALTH DATA INTEGRITY AND AUTHENTICITY (IGAU): How the device ensures that data processed by the device has not been altered or destroyed in a non-authorized manner and is from the originator.
Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology?
GUIDANCE: This question refers only to the integrity of stored data. Information regarding system controls intended to prevent unauthorized changes to the application program or system in general should be provided in the notes to the System and Application Hardening (SAHD) section.

10 MALWARE DETECTION/PROTECTION (MLDP): The ability of the device to effectively prevent, detect and remove malicious software (malware).
10.1 Does the device support the use of anti-malware software (or other anti-malware mechanism)?
GUIDANCE: The manufacturer may optionally choose to describe any restrictions on malware support (purchase, installation, configuration) directly in the note, or reference external documents where a description of these restrictions can be found.
10.1.1 Can the user independently re-configure anti-malware settings?
10.1.2 Does notification of malware detection occur in the device user interface?
GUIDANCE: Optionally, in the notes, describe how the user is notified when malware is detected.
10.1.3 Can only manufacturer-authorized persons repair systems when
...end user.
15.8 Are all services (e.g., telnet, file transfer protocol (FTP), internet information server (IIS), etc.) which are not required for the intended use of the device deleted/disabled?
GUIDANCE: Indicate in the notes if the unneeded services are deleted/disabled by the manufacturer at or prior to the installation of the device or are expected to be disabled by the end user.
15.9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled?
GUIDANCE: Indicate in the notes if the unneeded applications are deleted/disabled by the manufacturer at or prior to the installation of the device or are expected to be disabled by the end user.
15.10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)?
GUIDANCE: Describe in the notes what external media is accepted by the device.
15.11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools?
GUIDANCE: Answer Yes if the device user/owner has the technical ability to install hardware or software. However, if the
Section 2 INSTRUCTIONS FOR OBTAINING, USING AND COMPLETING MDS FORM 5
2.1 OBTAINING THE MDS FORM (PROVIDERS) 5
2.2 USING THE MDS FORM (PROVIDERS) 5
2.2.1 Device Description 5
2.2.2 Explanatory Notes 5
2.2.3 Security Capabilities 5
2.3 COMPLETING THE MDS FORM (MANUFACTURERS) 5
2.3.1 ... 5
2.3.2 MDS Form Completion Guidance 5
Section 3 MDS FORM 15
Annex COMPARISON OF PREVIOUS (2008) AND CURRENT (2013) MDS (Informative) 23

FOREWORD

This document consists of the Manufacturer Disclosure Statement for Medical Device Security (MDS) form and related instructions on how to complete the form. The intent of the MDS form is to supply healthcare providers with important information to assist them in assessing the vulnerability and risks associated with protecting private data transmitted or maintained by medical devices and systems.
...biometrics, keycard, etc.).
3.2 Can users be assigned different privilege levels within an application based on roles (e.g., guests, regular users, power users, administrators, etc.)?
3.3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or administrator account)?
GUIDANCE: Indicate in the notes if the device supports more than one privileged account (e.g., administrator, root). Indicate in the notes if the manufacturer imposes any restrictions on users regarding the use of administrator accounts.

4 CONFIGURATION OF SECURITY FEATURES (CNFS): The ability to configure/re-configure device security capabilities to meet users' needs.
4.1 Can the device owner/operator reconfigure product security capabilities?
GUIDANCE: Indicate in the notes if the manufacturer imposes any restrictions on users regarding the reconfiguring of product security capabilities.

5 CYBER SECURITY PRODUCT UPGRADES (CSUP): The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device's security patches.
5.1 Can relevant OS and device security patches be applied to the device as they become known/available?
GUIDANCE: If the manufacturer does not authorize users to
...efforts in maintaining effective security programs and meeting any relevant regulatory requirements and/or standards. The medical device manufacturing industry is increasingly aware of the importance of having effective security functionality in their devices. Manufacturers are generally including such security-related requirements in the production of new devices based on provider needs and requirements.

1.2 REFERENCES

The following reference documents are included herein as suggested further reading, supportive material, and related publications:
Application of risk management for IT networks incorporating medical devices. Part 1: Roles, responsibilities and activities. IEC 80001-1:2010
Application of risk management. Part 2-1: Step by Step Risk Management of Medical IT Networks; Practical Applications and Examples. IEC 80001-2-1:2012
Application of risk management. Part 2-2: Guidance for the communication of medical device security needs, risks and controls. IEC TR 80001-2-2:2012
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, USA
Health Insurance Reform: Security Standards; Final Rule, 45 CFR pts. 160, 162, 164, USA, 2003
EC Data Protection Directive 95/46/EC, EU 95/46, 1995
Act on the Protection of Personal Information, Act No. 57 of 2003, Japan
...the manufacturer does not authorize users to install hardware or software or has any restrictions on this activity, then the existence of these restrictions should be mentioned in a note.

16 SECURITY GUIDES (SGUD): Availability of security guidance for operator and administrator of the device and manufacturer sales and service.
16.1 Are security-related features documented for the device user?
GUIDANCE: Answer Yes if the manufacturer provides a dedicated security document or security documentation within the user manual, service manual, or other documentation available to users.
16.2 Are instructions available for device media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)?
GUIDANCE: Answer Yes if the manufacturer provides such instructions within any documentation available to users.

17 HEALTH DATA STORAGE CONFIDENTIALITY (STCF): The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media.
17.1 Can the device encrypt data at rest?
GUIDANCE: See also section 18 for specific questions regarding encryption of data prior to network transmission or media export.

18 TRANSMISSION CONFIDENTIALITY (TXCF): The ability of the device to ensure the confidentiality of transmitted private data.
18.1 Can private data be transmitted only via a point-to-point dedicated cable?
GUIDANCE: Clarification:
...software upgrades) while not physically or directly connected to the device (e.g., remote access via modem, network, Internet).
removable media: Electronic media that can be removed from a system without the use of tools.
risk assessment: Conducting an accurate and thorough analysis of the potential risks and vulnerabilities to the integrity, availability and confidentiality of private data.
risk management: (1) The ongoing process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. (2) Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
security capability: The broad category of technical, administrative or organizational controls to manage risks of confidentiality, integrity and availability, and accountability of data and systems.
technical safeguards: The technology, policies and procedures to protect data, including private data, and control access to it.
token: A physical authentication device that the user carries (e.g., smartcard, SecurID, etc.). Often combined with a PIN to provide a two-factor authentication method that is generally thought of as superior to simple password authentication.
user: See operator.
virus: See malware.
virus scanner: A computer program
[Table A.1, continued (pages 23 and 24): the column layout did not survive extraction. The rows cross-reference 2013 question numbers 1.1, 1.1.1, 1.1.2, 2.1, 2.2, 2.2.1 to 2.2.6 (including 2.2.5.1), 2.3, 2.3.1, 2.3.2, 3.1, 3.2, 4.1, 5.1, 5.1.1, 6.1, 7.1, 8.1, 10.1.2, 10.1.3, 10.2 and 10.3 against 2008 numbers 2a, 2b, 2c, 3a, 3b, 3c, 4a to 4g, 14, 15, 15a to 15d and 17. The 2013 question texts legible in the residue are: forced re-authorization after a predetermined length of inactivity (e.g., auto logoff, session lock, password-protected screen saver); whether the inactivity time before auto logoff/screen lock is user or administrator configurable (time, fixed or configurable range, to be indicated in notes); whether auto logoff/screen lock can be manually invoked by the user (e.g., via a shortcut key or proximity sensor); whether the medical device can create an audit trail; the audit log events login/logout, display/presentation of data, creation/modification/deletion of data, import/export of data from removable media, receipt/transmission of data from/to external (e.g., network connection), remote service activity, and other events (describe in the notes section); whether the device owner/operator can obtain unrestricted administrative privileges; and whether the device provides/supports any means of node authentication that assures both the sender and the recipient are known to each other.]
...ings notification
1.1.1 Is the length of inactivity time before auto logoff/screen lock user or administrator configurable? Indicate time (fixed or configurable range) in notes.
GUIDANCE: Can the user or administrator configure the amount of time that must lapse before auto logoff or screen lock occurs? The notes section should be used to indicate whether a device with adjustable auto logoff/screen lock can be configured: to a user-determined time; by specific role (e.g., administrator, user).
1.1.2 Can auto logoff/screen lock be manually invoked (e.g., via a shortcut key) by the user?
GUIDANCE: Can the user/operator manually invoke the auto logoff/screen lock via a shortcut key combination (e.g., CTRL-ALT-DELETE)?

2 AUDIT CONTROLS (AUDT): The ability to reliably audit activity on the device.
2.1 Can the medical device create an audit trail?
GUIDANCE: If the answer is no, then answers to 2.2.1 through 2.3.2 should be N/A; move to question 3.1. Indicate in the notes if the audit trail can differentiate between the creation, display, export, etc. of private data vs. other data. If so, indicate in the notes if the data subject (e.g., patient) is identified for each private data event in the log.
2.2 Indicate which of the following events are recorded in the audit log:
2.2.1 Login/Logout
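Questions 2.1 through 2.3 describe what an audit trail is expected to capture and how each event is identified. The following is an added example, not part of HN 1-2013 and not any manufacturer's code, of a small device audit trail that records the event classes of 2.2.1 through 2.2.6 with the user ID and UTC date/time of 2.3.1 and 2.3.2, flags private-data events together with their data subject (the distinction the 2.1 guidance asks manufacturers to note), and chains records with SHA-256 so that a later edit to any record is detectable. The class names, event class names, time-source label and the constructed session in demo() are assumptions.

```python
"""Added illustration (not part of HN 1-2013 and not any manufacturer's code):
an append-only, hash-chained audit trail that records the event classes of
AUDT questions 2.2.1 through 2.2.6 and identifies each event by user ID and
UTC date/time (2.3.1, 2.3.2). Class and field names are assumptions."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Event classes keyed to the MDS question that asks whether they are logged.
EVENT_CLASSES = {
    "LOGIN_LOGOUT": "2.2.1",
    "DISPLAY": "2.2.2",
    "CREATE_MODIFY_DELETE": "2.2.3",
    "REMOVABLE_MEDIA_IMPORT_EXPORT": "2.2.4",
    "EXTERNAL_RECEIPT_TRANSMISSION": "2.2.5",
    "REMOTE_SERVICE": "2.2.5.1",
    "OTHER": "2.2.6",
}


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str               # 2.3.2: ISO 8601, UTC
    time_source: str             # how the clock is set, e.g. "ntp" (2.3.2 guidance)
    user_id: str                 # 2.3.1
    event_class: str             # key of EVENT_CLASSES
    action: str                  # free-text description of what happened
    private_data: bool           # True when ePHI was involved (2.1 guidance)
    data_subject: Optional[str]  # patient/record identifier for private-data events
    prev_hash: str               # SHA-256 of the previous record (chain link)
    hash: str = ""               # SHA-256 over this record's other fields


def _digest(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(body).hexdigest()


class AuditTrail:
    """Append-only log; editing any stored record afterwards makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self, clock: Optional[Callable[[], datetime]] = None, time_source: str = "ntp"):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._time_source = time_source
        self._events: List[AuditEvent] = []

    def record(self, user_id: str, event_class: str, action: str,
               private_data: bool = False, data_subject: Optional[str] = None) -> AuditEvent:
        if event_class not in EVENT_CLASSES:
            raise ValueError(f"unknown event class {event_class!r}")
        if private_data and not data_subject:
            raise ValueError("private-data events must identify the data subject")
        prev = self._events[-1].hash if self._events else self.GENESIS
        fields = dict(seq=len(self._events),
                      timestamp=self._clock().isoformat(timespec="seconds"),
                      time_source=self._time_source, user_id=user_id,
                      event_class=event_class, action=action,
                      private_data=private_data, data_subject=data_subject,
                      prev_hash=prev)
        ev = AuditEvent(**fields, hash=_digest(fields))
        self._events.append(ev)
        return ev

    def events(self, private_only: bool = False) -> List[AuditEvent]:
        """All records, or only those that touched private data."""
        return [e for e in self._events if e.private_data or not private_only]

    def verify(self) -> bool:
        """Recompute every record hash and chain link; False means the log was altered."""
        prev = self.GENESIS
        for e in self._events:
            fields = asdict(e)
            stored = fields.pop("hash")
            if fields["prev_hash"] != prev or _digest(fields) != stored:
                return False
            prev = stored
        return True

    def export_jsonl(self) -> str:
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self._events)


def demo() -> AuditTrail:
    """Constructed session on a fictional device; fixed clock so output is repeatable."""
    tick = [datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)]

    def clock() -> datetime:
        tick[0] = tick[0].replace(minute=tick[0].minute + 1)
        return tick[0]

    trail = AuditTrail(clock=clock)
    trail.record("tech01", "LOGIN_LOGOUT", "login via keycard")
    trail.record("tech01", "DISPLAY", "viewed study", private_data=True, data_subject="MRN-0001")
    trail.record("tech01", "REMOVABLE_MEDIA_IMPORT_EXPORT", "exported study to USB",
                 private_data=True, data_subject="MRN-0001")
    trail.record("svc-remote", "REMOTE_SERVICE", "log collection over VPN")
    trail.record("tech01", "LOGIN_LOGOUT", "logout")
    return trail
```

With this structure a manufacturer could answer Yes to 2.1, 2.2.1 through 2.2.6, 2.3.1 and 2.3.2, and the notes would state that private-data events are distinguished and carry the data subject, and how the device clock is set (the time_source field). The hash chain only detects tampering; keeping the record reliable also needs the log on storage the operator cannot rewrite, which is a SAHD and PLOK matter rather than an AUDT one.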
...the form(s) and these instructions to the manufacturer's compliance office for completion.

2.2 USING THE MDS FORM (PROVIDERS)

2.2.1 Device Description
The first two sections of the MDS form are used to identify the device (DEVICE DESCRIPTION) and describe the type of data maintained/transmitted by the device and how the data is maintained/transmitted, etc. (MANAGEMENT OF PRIVATE DATA).
PLEASE BE ADVISED: An indication of a device's ability to perform any listed function (i.e., a Yes answer) is not an implicit or explicit endorsement or authorization by the manufacturer to configure the device or cause the device to perform those listed functions. It is important to distinguish between capability and permission. Unless otherwise indicated, the questions contained on the MDS form generally refer to device capability. Permission is typically a contractual matter separate from the MDS form. Making changes to a medical device without explicit manufacturer authorization may have significant contractual, safety, and liability issues.

2.2.2 Explanatory Notes
The MDS form contains space for explanatory notes if the manufacturer needs to explain specific details of the manufacturer's answers to questions.
NOTE: Manufacturers may elect to attach supplementary material if additional space for recommended practices or explanatory notes is necessary.

2.2.3 Security Capabilities
The final section of the MDS (SECURITY CAPABILITIES) contain
...malware has been detected?
GUIDANCE: Optionally, in the notes, describe any restrictions on who is or is not authorized by the manufacturer to repair malware-infected systems, or reference external documents where a description of these restrictions can be found.
10.2 Can the device owner install or update anti-virus software?
GUIDANCE: Answer Yes if the device user/owner has the technical ability to install or update anti-virus software. However, if the manufacturer does not authorize users to install or update anti-virus software or has any restrictions on this activity, then the existence of these restrictions should be mentioned in a note.
10.3 Can the device owner/operator technically/physically update virus definitions on manufacturer-installed anti-virus software?
GUIDANCE: Answer Yes if the system user/owner has the technical ability to update virus definitions (virus signature files). However, if the manufacturer does not authorize users to update these virus signature files or has any restrictions on this activity, then the existence of these restrictions should be mentioned in a note. For whitelisting solutions, indicate in the notes if the device manufacturer restricts the owner
...a point-to-point dedicated cable is a cabling system that is not accessible to the general public (e.g., it is in physically controlled space such as examining rooms or communication closets, or building plenum).
18.2 Is private data encrypted prior to transmission via a network or removable media? If yes, indicate in the notes section to which standard the encryption mechanism adheres.
18.3 Is private data transmission restricted to a fixed list of network destinations?
GUIDANCE: Clarification: a fixed list is an explicit mechanism that limits the connections and nature of connections on a per-device basis.

19 TRANSMISSION INTEGRITY (TXIG): The ability of the device to ensure the integrity of transmitted private data.
19.1 Does the device support any mechanism intended to ensure data is not modified during transmission? If yes, describe in the notes section how this is achieved.

20 OTHER SECURITY CONSIDERATIONS (OTHR): Additional security considerations/notes regarding medical device security.
20.1 Can the device be serviced remotely?
GUIDANCE: Remote service refers to device maintenance activities performed by a service person via network or other remote connection. Describe in the notes any manufacturer restrictions on remote service.
20.2 Can the device restrict remote access
...in combination, for human beings for one or more of the specific purpose(s) of: diagnosis, prevention, monitoring, treatment or alleviation of disease; diagnosis, monitoring, treatment, alleviation of or compensation for an injury; investigation, replacement, modification, or support of the anatomy or of a physiological process; supporting or sustaining life; control of conception; disinfection of medical devices; providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body; (b) which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.
operator: Person handling equipment. The person(s) using a medical device for its intended purpose.
personal identification number (PIN): A number or code assigned to an individual and used to provide verification of identity.
physical safeguards: The physical measures, policies and procedures to protect an organization's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
private data: Any information relating to an identified or identifiable person.
process: A set of inter-related or interacting activities which transforms inputs into outputs.
remote service: A support service (e.g., testing, diagnostics,
...independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. NEMA disclaims liability for any personal injury, property or other damages of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting from the publication, use of, application or reliance on this document. NEMA disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. NEMA does not undertake to guarantee the performance of any individual manufacturer or seller's products or services by virtue of this standard or guide.

In publishing and making this document available, NEMA is not undertaking to render professional or other services for or on behalf of any person or entity, nor is NEMA undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for
...ns requires a deeper and more extensive knowledge of security, including the individual facility's (provider's) situation and the healthcare mission. Using the information provided by the manufacturer in the MDS form, together with information collected about the care delivery environment (e.g., through tools such as the ACCE (American College of Clinical Engineering)/ECRI Guide for Information Security for Biomedical Technology), the provider's multidisciplinary risk assessment team can review assembled information and make informed decisions on implementing a local security management plan.

This form was originally adapted from portions of the ACCE/ECRI Biomedical Equipment Survey Form, a key tool found in Information Security for Biomedical Technology: A HIPAA Compliance Guide (ACCE/ECRI, 2004) (HIPAA: Health Insurance Portability and Accountability Act). This form was published originally in 2004 (MDS v1.0, 2004-11-01) and then as a joint HIMSS/NEMA standard in 2008 (HIMSS/NEMA Standard HN 1-2008).

In 2010, International Electrotechnical Commission standard IEC 80001-1, Application of risk management for IT networks incorporating medical devices, was published. The standard deals with the application of risk management to IT networks incorporating medical devices and provides the roles, responsibilities and activities necessary for risk management. In 2012, a Technical Report (TR) supplement to IEC 80001 was published: IEC TR 80001-2-2, Guidance for
...the communication of medical device security needs, risks and controls. In this supplement, 19 relevant security capabilities of a medical device or IT component are defined. The 19 high-level security capabilities are intended to be the starting point for a security-centric discussion between vendor and purchaser, or among a larger group of stakeholders involved in a Medical Device IT Network project. Since this goal closely matches the primary objective of the MDS initiative, HIMSS and NEMA have undertaken an expansion and re-categorization of the MDS information provided by manufacturers in order to closely align with the 19 IEC TR 80001-2-2 security categories.

HIMSS and NEMA recommend that the information in the MDS form be used as part of each organization's security compliance and risk assessment efforts.

In the preparation of this standards publication, input of users and other interested parties has been sought and evaluated. Inquiries, comments, and proposed or recommended revisions should be submitted to the concerned NEMA product subdivision by contacting the Senior Technical Director, Operations, National Electrical Manufacturers Association, 1300 North 17th Street, Suite 900, Rosslyn, Virginia 22209.
...programs, system configuration and/or device data.
15.3 Does the device have external communication capability (e.g., network, modem, etc.)?
GUIDANCE: If yes, indicate in the notes if the device must initiate the external connection or accepts incoming connections.
15.4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)?
GUIDANCE: Provide a summary in the notes section of the file-level access controls (e.g., user access versus administrator access, remote versus local access, etc.).
15.5 Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications?
GUIDANCE: Indicate in the notes if any accounts are closed/disabled by the manufacturer at or prior to the installation of the device or are expected to be disabled by the end user.
15.6 Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled?
GUIDANCE: Indicate in the notes if any shared resources are closed/disabled by the manufacturer at or prior to the installation of the device or are expected to be disabled by the end user.
15.7 Are all communication ports which are not required for the intended use of the device closed/disabled?
GUIDANCE: Indicate in the notes if the ports are closed/disabled by the manufacturer at or prior to the installation of the device or are expected to be disabled by the
…r additional views or information not covered by this publication. NEITHER THE HEALTHCARE INFORMATION AND MANAGEMENT SYSTEMS SOCIETY (HIMSS) NOR NEMA HAVE POWER, NOR DO THEY UNDERTAKE, TO POLICE OR ENFORCE COMPLIANCE WITH THE CONTENTS OF THIS DOCUMENT. NEITHER HIMSS NOR NEMA CERTIFY, TEST OR INSPECT PRODUCTS, DESIGNS OR INSTALLATIONS FOR SAFETY OR HEALTH PURPOSES. ANY CERTIFICATION OR OTHER STATEMENT OF COMPLIANCE WITH ANY HEALTH OR SAFETY RELATED INFORMATION IN THIS DOCUMENT SHALL NOT BE ATTRIBUTABLE TO HIMSS OR NEMA AND IS SOLELY THE RESPONSIBILITY OF THE CERTIFIER OR MAKER OF THE STATEMENT.

CONTENTS
FOREWORD ... ii
CHANGES FROM PREVIOUS 2008 MDS REVISION ... iv
Section 1 GENERAL ... 1
1.1 SCOPE ... 1
1.1.1 The Role of Healthcare Providers in the Security Management Process ... 1
1.1.2 The Role of Medical Device Manufacturers in the Security Management Process ... 1
1.2 REFERENCES ... 1
1.3 DEFINITIONS ... 2
1.4 ACRONYMS ...
…rogram: anti-virus software that detects a virus, computer program or other kind of malware (e.g., worms and Trojan horses), warns of its presence and attempts to prevent it from affecting the protected computer. Malware often results in undesired side effects generally unanticipated by the user.

vulnerability: A flaw or weakness in device procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the device's security policy.

1.4 ACRONYMS
CD Compact Disk
CF Compact Flash
COTS Commercial Off-The-Shelf
DVD Digital Versatile Disk
IP Internet Protocol
LAN Local Area Network
OS Operating System
ROM Read Only Memory
SD Secure Digital
USB Universal Serial Bus
VPN Virtual Private Network
WAN Wide Area Network
WiFi Wireless Fidelity

Section 2 INSTRUCTIONS FOR OBTAINING, USING AND COMPLETING MDS FORM

2.1 OBTAINING THE MDS FORM (PROVIDERS)
Completed MDS forms for many devices may be available directly from the device manufacturer (e.g., manufacturer website). NOTE: If a manufacturer does not have a completed MDS form for the appropriate device(s), enter manufacturer and model information in the appropriate boxes on the top of a blank MDS form and subm…
…ronic media: (1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory media, such as magnetic tapes or disks, optical disks, or digital memory cards; (2) Transmission media used to exchange information already in electronic storage media, including, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.

electronic protected health information (e-PHI): As defined in U.S. HIPAA legislation (45 CFR 160.103), individually identifiable health information (IIHI) that is (1) transmitted by, or (2) maintained in, electronic media.

emergency access: The process or mechanism by which a device user can quickly and easily access private data in urgent/emergency situations, bypassing the device's established access controls.

individually identifiable health information (IIHI): Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health…
…s information on the specific security-related capabilities of the device. The information is organized into categories aligned with IEC 80001-2-2, Guidance for the communication of medical device security needs, risks and controls.

2.3 COMPLETING THE MDS FORM (MANUFACTURERS)

2.3.1 General
The manufacturer shall provide the information requested in the MDS form to the appropriate requesting organization, including all requested descriptive information on the type of data maintained/transmitted by the device, how the data is maintained/transmitted, and other security-related features incorporated in the device, as appropriate.

2.3.2 MDS Form Completion Guidance

DEVICE DESCRIPTION section

Device Category: This is a free-text field. The manufacturer should use standard terminology that customers would reasonably understand to differentiate key modalities or device functionality.

Device Model: This is a free-text field. The manufacturer should fill in the name of the device under which it is placed on the market.

Document ID: The document ID is the manufacturer's unique tag used internally to track device documentation.

Manufacturer Contact Information: This information identifies how the person or department accountable for the final version of the form can be contacted.

Inten…
…tended use of the device closed/disabled?
15.8 Are all services (e.g., telnet, file transfer protocol (FTP), internet information server (IIS), etc.) which are not required for the intended use of the device deleted/disabled?
15.9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled?
15.10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)?
15.11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools?
SAHD notes

16 SECURITY GUIDANCE (SGUD): The availability of security guidance for operator and administrator of the system and manufacturer sales and service.
16.1 Are security-related features documented for the device user?
16.2 Are instructions available for device media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)?
SGUD notes
…ties to meet users' needs.
4.1 Can the device owner/operator reconfigure product security capabilities?
CNFS notes

5 CYBER SECURITY PRODUCT UPGRADES (CSUP): The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device's security patches.
5.1 Can relevant OS and device security patches be applied to the device as they become available?
5.1.1 Can security patches or other software be installed remotely?

6 HEALTH DATA DE-IDENTIFICATION (DIDT): The ability of the device to directly remove information that allows identification of a person.
6.1 Does the device provide an integral capability to de-identify private data?
DIDT notes

7 DATA BACKUP AND DISASTER RECOVERY (DTBK): The ability to recover after damage or destruction of device data, hardware or software.
7.1 Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape…)?

8 EMERGENCY ACCESS (EMRG): The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.
8.1 Does the device incorporate an emergency access ("break-glass") feature?…
CHANGES FROM PREVIOUS 2008 MDS REVISION

1. Alignment of MDS with International Electrotechnical Commission (IEC) standard 80001-1 supplement IEC TR 80001-2-2, Guidance for the communication of medical device security needs, risks and controls:
a. The order and numbering of the 2008 MDS questions has been changed, and questions are now placed either in the MANAGEMENT OF PRIVATE DATA section or under the appropriate heading in one of the 19 categories in the SECURITY CAPABILITIES section of the MDS form.
b. The amount of MDS data requested of device manufacturers has been increased to more adequately address the 19 security capabilities of IEC TR 80001-2-2.
c. MDS term definitions have been added or updated to be consistent with definitions used in IEC 80001, when applicable.
All of the MDS security-related questions of previous MDS revisions remain in this latest revision, with no or only minor changes. A cross-reference of the 2008 MDS questions vs. 2013 MDS questions is provided in the Annex.

2. De-localization: Several region-specific references and standards have been removed or replaced with more generic, less region-specific references. The term Protected Health Information (PHI), defined in USA HIPAA legislation, has been replaced in this MDS revision by the term "private data" as defined in IEC 80001.
…unt passwords expire periodically?
Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)?
In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s), including version number(s).
Is a list of other third-party applications provided by the manufacturer available?
Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards.
Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update?
Does the device have external communication capability (e.g., network, modem, etc.)?
Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)?
Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications?
Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled?
Are all communication ports which are not required for the intended use of the device closed/disabled?
Are all services (e.g., Telnet, File Transfer Protocol (FTP), Internet Information Server (IIS), etc.) which are not required for the intended use of the…