IEC/DIS 80001-1

DRAFT INTERNATIONAL STANDARD
IEC/DIS 80001-1
ISO/TC 215 Secretariat: ANSI
Voting begins on: Voting terminates on:
2020-01-23 2020-04-16
Application of risk management for IT-networks
incorporating medical devices —
Part 1:
Roles, responsibilities and activities

Application du management du risque aux réseaux des technologies de l'information contenant les

3 FOREWORD ........................................................................................................................... 4

4 INTRODUCTION ..................................................................................................................... 7

5 1 Scope .............................................................................................................................. 9

6 2 Normative references ...................................................................................................... 9

7 3 Terms and Definitions ...................................................................................................... 9

8 4 Principles ........................................................................................................................ 10

9 5 Framework ...................................................................................................................... 11

10 5.1 General ................................................................................................................. 11

11 5.2 Leadership and commitment ................................................................................. 11

12 5.3 Integrating RISK MANAGEMENT ................................................................................. 11

13 5.4 Design/planning .................................................................................................... 12

14 5.5 Implementation ..................................................................................................... 16

15 5.6 Evaluation ............................................................................................................. 16

16 5.7 Improvement ......................................................................................................... 16

17 6 Risk analysis ................................................................................................................. 17

18 6.1 Generic Requirements .......................................................................................... 17

19 6.2 Lifecycle specific requirements ............................................................................. 23

21 Annex A (informative) Mapping of IEC 80001-1 text to reorganized document (by

22 section) ......................................................................................................................... 28

23 Annex B ................................................................................................................................ 34

24 2 Foreword ....................................................................................................................... 34

25 3 Information System Categorization ................................................................................ 35

26 4 Introduction / Title .......................................................................................................... 35

27 5 Reference Documents ................................................................................................... 35

28 6 System Level Description .............................................................................................. 35

29 6.1 Environment Description ....................................................................................... 35

30 6.2 Network Ports, Protocols and Services .................................................................. 36

31 6.3 Purpose of connection to the health IT infrastructure ............................................ 36

32 6.4 Networking Requirements ..................................................................................... 36

33 6.5 Required IT-network services ................................................................................ 36

34 6.6 Data Flows and Protocols ..................................................................................... 36

35 7 Security and User Access .............................................................................................. 37

36 7.1 Malware / Antivirus / White-Listing ........................................................................ 37

37 7.2 Security exclusions ............................................................................................... 37

38 7.3 System Access ..................................................................................................... 37

39 8 Risk Management .......................................................................................................... 39

40 8.1 Hazardous situations resulting from health IT infrastructure failure ....................... 39

41 Bibliography .......................................................................................................................... 40

43 Figure 1: Lifecycle framework addressing safety, security & effectiveness of health IT

44 software and health IT systems ............................................................................................... 8

45 FIGURE 2 – RISK MANAGEMENT PROCESS ................................................................................... 13

47 Table A.1 – IEC 80001-1 requirements table ......................................................................... 28

62 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising

63 all national electrotechnical committees (IEC National Committees). The object of IEC is to promote

64 international co-operation on all questions concerning standardization in the electrical and electronic fields. To

65 this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,

66 Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC

67 Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested

68 in the subject dealt with may participate in this preparatory work. International, governmental and non-

69 governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely

70 with the International Organization for Standardization (ISO) in accordance with conditions determined by

72 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international

73 consensus of opinion on the relevant subjects since each technical committee has representation from all

75 3) IEC Publications have the form of recommendations for international use and are accepted by IEC National

76 Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC

77 Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any

79 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications

80 transparently to the maximum extent possible in their national and regional publications. Any divergence

81 between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in

83 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity

84 assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any

86 6) All users should ensure that they have the latest edition of this publication.

87 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and

88 members of its technical committees and IEC National Committees for any personal injury, property damage or

89 other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and

90 expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC

92 8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is

94 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of

95 patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

96 International Standard IEC 80001-1 has been prepared by a joint working group of

97 Subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC

98 Technical Committee 62: Electrical equipment in medical practice and ISO Technical

101 This second edition cancels and replaces the first edition published in 2010. This edition

103 This edition includes the following significant technical changes with respect to the previous

106 b) establishment of requirements and guidance for an ORGANIZATION in the application of RISK

108 communication of the value, intention and purpose of RISK MANAGEMENT through principles that

109 support preservation of the KEY PROPERTIES during the implementation and use of connected

113 Full information on the voting for the approval of this International Standard can be found in

115 This document has been drafted in accordance with the ISO/IEC Directives, Part 2.

119 • informative material appearing outside of tables, such as notes, examples and references: in smaller type.

121 Terms defined in Clause 3 of this document or as noted are printed in SMALL CAPITALS.

123 • “clause” means one of the five numbered divisions within the table of contents, inclusive of

125 • “subclause” means a numbered subdivision of a clause (e.g. 5.1, 5.2 and 5.3 are all

127 References to clauses within this document are preceded by the term “Clause” followed by the

128 clause number. References to subclauses within this particular document are by number only.

129 In this document, the conjunctive “or” is used as an “inclusive or” so a statement is true if any

131 The verbal forms used in this document conform to usage described in ISO/IEC Directives,

133 • “shall” means that compliance with a requirement or a test is mandatory for compliance

135 • “should” means that compliance with a requirement or a test is recommended but is not

137 • “may” is used to describe permission (e.g. a permissible way to achieve compliance with a

140 • “must” is used to express an external constraint that is not a requirement of the document;

143 A list of all parts of the IEC 80001 series, published under the general title Safety,

144 effectiveness and security in the implementation and use of connected health IT systems or

146 The committee has decided that the contents of this document will remain unchanged until the

147 stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to

154 The National Committees are requested to note that for this document the stability date

156 THIS TEXT IS INCLUDED FOR THE INFORMATION OF THE NATIONAL COMMITTEES AND WILL BE

160 HEALTHCARE DELIVERY ORGANIZATIONS rely on safe, effective and secure systems as business-

161 critical factors. However, ineffective management of the implementation and use of connected

163 Connected systems that deliver health services, generally involve multiple software

164 applications, various medical devices and complex HEALTH IT SYSTEMS that rely upon shared

165 infrastructure including wired or wireless networks, point to point connections, application

166 servers and data storage, interface engines, security and performance management software,

167 etc. These HEALTH IT INFRASTRUCTURES are often used for both clinical (e.g. patient monitoring

168 systems) and non-clinical organizational functions (e.g. accounting, scheduling, social

169 networking, multimedia, file sharing). These connected systems can involve small

170 departmental networks to large integrated infrastructures spanning multiple locations as well

171 as cloud-based services operated by third parties. The requirements and guidance in this

172 document are intended for multiple stakeholders involved in the application of RISK

173 MANAGEMENT to systems that include HEALTH IT SYSTEMS and / or HEALTH IT INFRASTRUCTURE.

174 Within the context of ISO 81001-1, this document covers the generic lifecycle phase

178 Figure 1: Lifecycle framework addressing safety, security & effectiveness of health IT

180 This document facilitates ORGANIZATIONS in using or adapting existing work practices and

181 processes, personnel and tools wherever practicable to address the requirements of this

182 document. For example, if an organization has an existing RISK MANAGEMENT PROCESS, this can be

183 used or adapted to support the three KEY PROPERTIES of SAFETY, EFFECTIVENESS, and SECURITY.

184 Requirements are defined such that they can be evaluated and as such support an ORGANIZATION

186 The RISK MANAGEMENT requirements of this document are based upon existing concepts adapted

187 and extended for use by all stakeholders supporting implementation and clinical use of connected

196 This document specifies a framework of general requirements, guidance, for ORGANIZATIONS in

197 the application of RISK MANAGEMENT before, during and after the connection of a HEALTH IT

198 SYSTEM within a HEALTH IT INFRASTRUCTURE, by addressing the KEY PROPERTIES of SAFETY,

201 ISO 81001-1 ED2, Health informatics – Health software and health IT systems safety,

202 effectiveness and security – Part 1: Foundational principles, concepts and terms.

204 With the exception of the terms and definitions listed in this section all terms and definitions

206 ISO and IEC maintain terminological databases for use in standardization at the following

214 Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect

216 Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.

217 Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.

220 care activities, services, management or supplies related to the health of an individual

222 Note 1 to entry: This includes more than performing procedures for subjects of care. It includes, for example, the

223 management of information about patients, health status and relations within the healthcare delivery framework and

228 The RISK derived during risk estimation taking into consideration any retained RISK control

236 Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something

237 happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and

238 described using general terms or mathematically (such as a probability or a frequency over a given time period).

239 Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the

240 equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as

241 a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should

242 have the same broad interpretation as the term “probability” has in many languages other than English.

245 set of interrelated or interacting activities which transforms inputs into outputs

254 A description of how the elements and resources of the risk management process will be

259 The following principles provide the basis for RISK MANAGEMENT. They communicate the value,

260 intention and purpose of RISK MANAGEMENT and their application supports the preservation of

261 the KEY PROPERTIES during the implementation and use of HEALTH IT SYSTEMS within a HEALTH IT

263 - RISK MANAGEMENT is an integral part of an ORGANIZATION’S activities at all stages of the

265 - Accountability for the RISK MANAGEMENT PROCESS remains with the HEALTHCARE DELIVERY

267 - A HEALTHCARE DELIVERY ORGANIZATION may assign responsibility for RISK MANAGEMENT of the

268 HEALTH IT SYSTEM and or HEALTH IT INFRASTRUCTURE to a different ORGANIZATION such as

269 providers of HEALTH IT SYSTEMS, HEALTH IT INFRASTRUCTURE or a collaboration of

272 or/and improvement of SAFETY, EFFECTIVENESS and SECURITY in the implementation and use of

274 - A structured and comprehensive approach to RISK MANAGEMENT contributes to consistent

278 - Appropriate and timely involvement of stakeholders leads to improved awareness and

280 - RISKS can emerge, change or disappear as new HEALTHCARE tools and methodologies are

281 developed. Proactive RISK MANAGEMENT anticipates, detects, acknowledges and responds

283 - The inputs to RISK MANAGEMENT are based on historical and current information, as well as

284 future expectations. RISK MANAGEMENT explicitly considers any limitations and uncertainties

285 associated with such information and expectations. Information needs to be timely, clear

287 - The sOCIOTECHNICAL ECOSYSTEM significantly influences all aspects of RISK MANAGEMENT at

288 each level within the HEALTHCARE DELIVERY ORGANIZATION and at each lifecycle stage; and

289 - RISK MANAGEMENT is a continuous activity, improved through learning and experience. RISK

290 MANAGEMENT strengthens ORGANIZATION resilience and supports the ORGANIZATION’S

296 The purpose of the RISK MANAGEMENT framework is to assist the ORGANIZATION in integrating

297 RISK MANAGEMENT with other significant activities and functions. Effective RISK MANAGEMENT

298 depends on its integration with the governance of the ORGANIZATION, including decision-

299 making. This requires support from all stakeholders, particularly TOP MANAGEMENT.

300 Requirements in this document apply to HEALTHCARE DELIVERY ORGANIZATIONS and other

301 ORGANIZATIONS seeking conformance with this RISK MANAGEMENT framework. Those

302 requirements that apply to HEALTHCARE DELIVERY ORGANIZATIONS only are clearly identified.

304 It is the responsibility of the TOP MANAGEMENT of the ORGANIZATION to ensure that RISK

305 MANAGEMENT is implemented throughout the HEALTH IT SYSTEM lifecycle, and that its

311 Effective integration of RISK MANAGEMENT relies on an understanding of the ORGANIZATION’S

312 structures and context. Structures differ depending on the ORGANIZATION’S purpose, goals and

313 complexity. RISK is managed in every part of the ORGANIZATION’S structure. Everyone in an

315 Integrating RISK MANAGEMENT is a dynamic and iterative process that can be customised to the

316 ORGANIZATION’S culture and objectives. RISK MANAGEMENT should be part of, and not separate

317 from, organizational purpose, governance, leadership, commitment, strategy, objectives and

321 The safe acquisition, installation, integration, implementation, clinical use, maintenance and

322 decommissioning of a HEALTH IT SYSTEM is dependent on effective RISK MANAGEMENT planning.

323 Planning activities apply to new implementations and modifications to existing HEALTH IT

325 The purpose of the HEALTH IT SYSTEM RISK MANAGEMENT PLAN is to document and schedule the

326 RISK MANAGEMENT activities throughout all lifecycle phases of the HEALTH IT SYSTEM and

327 describe how a specific HEALTH IT SYSTEM project will adhere to the RISK MANAGEMENT PLAN.

328 The RISK MANAGEMENT PROCESS which establishes the requirements of this document is

329 depicted at Figure 2 and applies throughout the lifecycle of the HEALTH IT SYSTEM.

333 The extent of the RISK MANAGEMENT plan needs to be flexible and commensurate with the scale

334 and scope of functionality of the HEALTH IT SYSTEM whilst addressing the RISK MANAGEMENT

335 requirements specified within this document. Contents of the RISK MANAGEMENT PLAN should

345 a) establish, at the start of a project, a HEALTH IT SYSTEM RISK MANAGEMENT FILE;

346 b) maintain the RISK MANAGEMENT FILE throughout the lifecycle of the HEALTH IT SYSTEM; and

347 c) ensure that the RISK MANAGEMENT FILE is recoverable in the event of failure.

348 The HEALTH IT SYSTEM RISK MANAGEMENT FILE provides a physical or logical repository of all

349 records which relate to the RISK MANAGEMENT PROCESS and any decisions that influence RISK

350 MANAGEMENT. It has to be maintained during the HEALTH IT SYSTEM lifecycle and be

353 Before starting the design and implementation of the RISK MANAGEMENT PROCESS it is important

354 to evaluate and understand the internal and external SOCIOTECHNICAL ECOSYSTEM as this will

357 a) establish and maintain a defined list of ASSETS that interface with or constitute part of a

359 Factors which can affect the external SOCIOTECHNICAL ECOSYSTEM include but are not limited

360 to: key drivers and trends which affect the ORGANIZATION’S objectives; contractual relationships

361 and commitments; the complexity of networks and dependencies and any local regulatory

363 Factors which can affect the internal SOCIOTECHNICAL ECOSYSTEM include but are not limited

364 to: the vision, mission and values of the ORGANIZATION; the governance, structure and

365 accountabilities of the ORGANIZATION; any guidance and standards adopted by the

368 It is the responsibility of the ORGANIZATION’S TOP MANAGEMENT to demonstrate and articulate