BS EN 80001-1:2011 pdf download – Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities
1 Scope
Recognizing that MEDICAL DEVICES are incorporated into IT-NETWORKS to achieve desirable benefits (for example, INTEROPERABILITY), this international standard defines the roles, responsibilities and activities that are necessary for RISK MANAGEMENT of IT-NETWORKS incorporating MEDICAL DEVICES to address SAFETY, EFFECTIVENESS and DATA AND SYSTEMS SECURITY (the KEY PROPERTIES). This international standard does not specify acceptable RISK levels.
NOTE 1 The RISK MANAGEMENT activities described in this standard are derived from those in ISO 14971 [4]. The relationship between ISO 14971 and this standard is described in Annex A.
This standard applies after a MEDICAL DEVICE has been acquired by a RESPONSIBLE ORGANIZATION and is a candidate for incorporation into an IT-NETWORK.
NOTE 2 This standard does not cover pre-market RISK MANAGEMENT.
This standard applies throughout the life cycle of IT-NETWORKS incorporating MEDICAL DEVICES.
NOTE 3 The life cycle management activities described in this standard are very similar to those of ISO/IEC 20000-2 [10]. The relationship between ISO/IEC 20000-2 and this standard is described in Annex D.
This standard applies where there is no single MEDICAL DEVICE manufacturer assuming responsibility for addressing the KEY PROPERTIES of the IT-NETWORK incorporating a MEDICAL DEVICE.
NOTE 4 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, the installation or assembly of the MEDICAL DEVICE according to the manufacturer's ACCOMPANYING DOCUMENTS is not subject to the provisions of this standard regardless of who installs or assembles the MEDICAL DEVICE.
NOTE 5 If a single manufacturer specifies a complete MEDICAL DEVICE that includes a network, additions to that MEDICAL DEVICE or modification of the configuration of that MEDICAL DEVICE, other than as specified by the manufacturer, is subject to the provisions of this standard.
This standard applies to RESPONSIBLE ORGANIZATIONS, MEDICAL DEVICE manufacturers and providers of other information technology for the purpose of RISK MANAGEMENT of an IT-NETWORK incorporating MEDICAL DEVICES as specified by the RESPONSIBLE ORGANIZATION.
This standard does not apply to personal use applications where the patient, OPERATOR and RESPONSIBLE ORGANIZATION are one and the same person.
NOTE 6 In cases where a MEDICAL DEVICE is used at home under the supervision or instruction of the provider, that provider is deemed to be the RESPONSIBLE ORGANIZATION. Personal use where the patient acquires and uses a MEDICAL DEVICE without the supervision or instruction of a provider is out of scope of this standard.
This standard does not address regulatory or legal requirements.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply:
2.1 ACCOMPANYING DOCUMENT
a document accompanying a MEDICAL DEVICE or an accessory and containing information for the RESPONSIBLE ORGANIZATION or OPERATOR, particularly regarding SAFETY
NOTE Adapted from IEC 60601-1:2005, definition 3.4.
2.2 CHANGE-RELEASE MANAGEMENT
PROCESS that ensures that all changes to the IT-NETWORK are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked, leading to release of the change in a controlled manner with appropriate input and output with CONFIGURATION MANAGEMENT
NOTE Adapted from ISO/IEC 20000-1:2005, Subclauses 9.2 (change management) and 10.1 (release management).
2.3 CHANGE PERMIT
an outcome of the RISK MANAGEMENT PROCESS consisting of a document that allows a specified change or type of change without further RISK MANAGEMENT activities subject to specified constraints
2.4 CONFIGURATION MANAGEMENT
a PROCESS that ensures that configuration information of components and the IT-NETWORK are defined and maintained in an accurate and controlled manner, and provides a mechanism for identifying, controlling and tracking versions of the IT-NETWORK
NOTE Adapted from ISO/IEC 20000-1:2005, Subclause 9.1.
2.5 DATA AND SYSTEMS SECURITY
an operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability
NOTE 1 Security, when mentioned in this standard, should be taken to include DATA AND SYSTEMS SECURITY.
NOTE 2 DATA AND SYSTEMS SECURITY is assured through a framework of policy, guidance, infrastructure, and services designed to protect information assets and the systems that acquire, transmit, store, and use information in pursuit of the organization's mission.
2.6 EFFECTIVENESS
ability to produce the intended result for the patient and the RESPONSIBLE ORGANIZATION
2.7 EVENT MANAGEMENT
a PROCESS that ensures that all events that can or might negatively impact the operation of the IT-NETWORK are captured, assessed, and managed in a controlled manner