Health informatics -- Information security management for remote maintenance of medical devices and medical information systems

This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices or health information systems in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner. This document consists of: — application of ISMS to RMS; — security management measures for RMS; — an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

General Information
Status: Published
Publication Date: 12-Feb-2021
Current Stage: 5060 - Close of voting / Proof returned by Secretariat (start 09-Dec-2020, completion 09-Dec-2020)

Editions
Technical report: ISO/TR 11633-2:2021 - Health informatics -- Information security management for remote maintenance of medical devices and medical information systems (English, 70 pages)
Draft: ISO/PRF TR 11633-2, version 21-Nov-2020 - Health informatics -- Information security management for remote maintenance of medical devices and medical information systems (English, 68 pages)
Standards Content (sample)

TECHNICAL REPORT ISO/TR 11633-2
Second edition, 2021-02

Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 2: Implementation of an information security management system (ISMS)

Reference number: ISO/TR 11633-2:2021(E)
© ISO 2021

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Application of ISMS to remote maintenance services
4.1 Overview
4.2 Compliance scope
4.3 Security policy
4.4 Assessing risks
4.5 Risks to be managed
4.6 Identification of risks that are not described in this document
4.7 Treating risks
5 Security management measures for remote maintenance services
6 Approving residual risks
7 Security audit
7.1 Security audit of remote maintenance services
7.2 Recommendation of security audit by third parties
Annex A (informative) Example of risk assessment in remote maintenance services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 215, Health informatics.

This second edition cancels and replaces the first edition (ISO/TR 11633-2:2009), which has been technically revised. The main changes compared to the previous edition are as follows:
— complete revision of the bibliography;
— update of Figure 1;
— update of Annex A.

A list of all parts in the ISO 11633 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

The advancement and spread of information and communication technology, and the infrastructure based on it, have brought many changes in how technology and networks are used in modern society. Similarly in healthcare, information systems that were once closed systems within each healthcare facility (HCF) are now connected by networks, and are progressing to the point of facilitating mutual use of the health information accumulated in these systems. Such information and communication networks are spreading not only between HCFs but also between HCFs and the vendors of medical devices and healthcare information systems. Maintenance of such systems is paramount to keeping them up to date, and so-called remote maintenance services (RMS) make it possible to reduce downtime and lower the cost of this maintenance activity.

Whilst there are benefits to remote maintenance, such remote connections with external organizations also expose HCFs and vendors to risks regarding the confidentiality, integrity and availability of information and systems; risks which previously received scant consideration.

This document stipulates the risk assessment needed to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, applicable requirements and privacy protection. Although normal remote maintenance is generally done on a contract basis, in the case of medical devices a risk assessment is commonly a legal prerequisite. Appropriate risk assessment should therefore be implemented wherever remote maintenance is provided in a healthcare context. The risk assessment examples provided in this document support HCFs and RMS providers in implementing risk assessment effectively.

By implementing the risk assessment process and employing the controls referenced in this document, HCF owners and RMS providers can obtain the following benefits:
— Risk assessment can become more efficient. If a risk assessment document created with the help of this document does not fully match a particular case, it can still be used in part for the risk assessment of the non-matching area, reducing the risk assessment effort required.
— Documented evidence of the validity of the RMS security countermeasures in place will be available to third parties.
— A provider supplying RMS to two or more sites can apply countermeasures consistently and effectively.

1 Scope

This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs), as provided by vendors of medical devices or health information systems, in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner.

This document consists of:
— application of ISMS to RMS;
— security management measures for RMS;
— an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/TS 11633-1, Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 1: Requirements and risk analysis

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/TS 11633-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

4 Application of ISMS to remote maintenance services

4.1 Overview

The information security management system (ISMS) is a mechanism that operates as a series of plan/do/check/act processes under the security policy: the organization plans proper security measures (plan), puts those measures into practice (do), reviews them (check), and reconsiders them where necessary (act). The ISMS is already standardized internationally as ISO/IEC 27001, so it is convenient to construct and operate an ISMS with reference to ISO/IEC 27001. This also helps to persuade patients, medical treatment evaluation organizations and others of the efficacy of the security measures.

General steps of ISMS construction are shown in Figure 1.

Figure 1 — ISMS steps

Security measures for protecting personal information in remote maintenance services (RMS) are described below in accordance with the concepts of the ISMS.

Both the healthcare organization and the RMS provider should construct an appropriate ISMS. Additionally, the healthcare organization should ideally coordinate information security management among all of its RMS providers to protect personal information. The RMS connects the network of the RMS provider and the network of the healthcare organization, and once these networks are connected there is a risk that new security holes are created. Problems also arise that do not occur when a system is built within a single organization, because the RMS operates between the healthcare organization and the remote maintenance service centre (RSC), two organizations that are independent of each other. It will therefore be a burden on both the healthcare organization and the RSC if security measures are not treated as an integral part of the RMS from the outset. In this regard, using the ISMS, a well-evaluated technique, can be considered the better way to implement RMS security efficiently.

Under the personal information protection laws of many jurisdictions, the healthcare organization assumes the obligations and responsibilities of custodian of the personal information. In the RMS, the healthcare organization should therefore request appropriate measures for protecting personal information from the RMS provider, because the provider will access the target device installed in the healthcare facility from the RSC over the network. The healthcare organization must independently coordinate the information security management systems of all the RMS providers that provide it with RMS, and confirm that no security holes have been created. Additionally, the healthcare organization should confirm that each RMS provider's security level is kept appropriate.

The following items should be documented and established in the ISMS:
— security policy;
— security measures standard;
— mapping of security policy;
— selection of solutions;
— operation execution rule;
— security auditing standards;
— security audit and audit trail.

The healthcare organization should write into the maintenance contract or agreement with the RMS provider the items that the RSC has to implement, so that appropriate measures are ensured in the RSC. In this way the healthcare organization assigns to the RMS provider, through the contract and agreement, the obligations and responsibility for protecting personal information during maintenance work. The healthcare organization should construct an appropriate ISMS and, at the same time, set out in writing in the maintenance contract or the business consignment (outsourcing) contract the RMS provider's obligation to provide supervision, the healthcare organization remaining the final authority in charge of personal information management.

The risk analysis and measures in this document are illustrated by the ISMS method. Constructing remote maintenance service security (RSS) on this basis is therefore expected to bring advantages to both the healthcare organization and the RSC. Where the risk assessment in this document is not complete for a given case, additional risk assessment need only be done on the parts that are missing.

4.2 Compliance scope

The coverage of the ISMS in the operational model described in ISO/TS 11633-1:2019, Annex A is as follows:
— target device for maintenance in the healthcare facility (HCF);
— internal network of the healthcare organization;
— route from the RMS access point in the healthcare organization to the RSC;
— internal network of the RSC;
— equipment management in the RSC.

Because the following risks exist independently of the presence of the RMS, they are excluded from the coverage of the ISMS of this clause:
— threats related to the availability of equipment and software that handles protected health information (PHI);
— threats related to computer viruses;
— threats related to staff, i.e. recruitment, education and training.
4.3 Security policy

The desired content of a basic policy is described in ISO/IEC 27002:2013, 5.1.1. When these considerations are applied to RSS, the policy should secure the availability of the system and the integrity, readability and preservation of patients' personal information. The technical, organizational, human-resource and physical safety measures of the RSS should be specified in a basic security policy of the RSS.

The following explanations assume a large-scale integrated HCF. Since the systems that receive RMS may be located in two or more departments of a large-scale HCF, a unified management policy is needed. When the scale and operating form of the HCF differ from a large-scale integrated HCF, it is important to implement the policy in conformity with the actual situation.
4.4 Assessing risks

In risk assessment, information assets are analysed with regard to the following:
— What threats exist?
— How likely is each threat and how frequently does it occur?
— When the threat materializes, how great is its impact?

The analysis techniques are broadly classified into the following four approaches.

a) Baseline approach
This technique analyses risk on the basis of the standards and guidelines required in the target field; security is measured against a standard risk assessment already done in the industry. It is advantageous in time and cost because the organization need not evaluate the risks itself, but the applicability of the standardized risks to the risks of a specific organization can be problematic.

b) Detailed risk analysis
A detailed risk assessment includes a detailed risk analysis and an appropriate set of controls (management plan) for management to select. A sizable budget of cost and time is needed for the risk assessment, including securing the necessary human resources.

c) Combined approach
This approach combines the baseline approach with detailed risk analysis and has the advantages of each.

d) Informal approach
This approach performs the risk analysis by exploiting the knowledge and experience of the organization's staff. Because the method is not structured, it is difficult for a third party to evaluate the resulting risk analysis.

The RMS involves both the healthcare organization and the RSC, so the risk analysis should be one that both can agree upon. In this document the typical use case is modelled and the risk assessment for this model is carried out. Risk analysis by the baseline approach a) or the combined approach c) is enabled by using this risk assessment result. See Table A.1 for the result of the risk assessment. Table A.1 contains the selection of appropriate control objectives and controls from ISO/IEC 27001 based on the result of the risk analysis in ISO/TS 11633-1. Table A.1 follows ISO/IEC 27001 and is composed of 14 control domains ("management fields") and 114 controls ("management plans").

The measures prescribed here specify the minimum procedures to be observed when performing RMS. The healthcare organization, which is also the administrator of the personal information, should evaluate whether the RSC conforms to this document and should request that appropriate measures be taken if it does not. Moreover, if the healthcare organization's own security level is below the level specified in this document, appropriate measures should be put in place. Each RMS provider is expected to implement appropriate measures in order to achieve the requirements described in ISO/TS 11633-1.

4.5 Risks to be managed

This subclause gives some examples, from the viewpoint of personal information protection, of risks that deserve particular attention in an RMS. It is important to implement sufficient measures against these risks. The risks discussed here are only examples; the management of other risks is also important.

a) When the RSC handling personal information is managed by the healthcare organization.
In this case, the point that needs particular attention is leakage of information to third parties. Consideration needs to be given to information displayed on computer screens in the work environment and information printed on paper, as well as to the threat of hacking into the system. The main risks are as follows:
— viewing of screens by persons other than those concerned in the RSC;
— leakage through third-party entrustment (subcontracting);
— leakage from logs generated when data is analysed, from printed paper, from cache memory, etc.;
— leakage on the network.

b) When the RSC accesses equipment of the healthcare organization for maintenance with administrative privileges.
In this case, the points that need particular attention are operator error and inappropriate access to the computer (operations beyond those permitted). The main risks are as follows:
— destruction of data in the target device due to an operator mistake;
— destruction of data in the target device due to malicious or subversive activities;
— leakage and destruction of more important information due to intrusion into the internal network via the maintenance device.

c) When the RSC updates the software.
In this case, care is required not to install malicious software, computer viruses, etc., on the target devices. The main risks are as follows:
— leakage and destruction of data in the target device due to malicious software;
— leakage and destruction of important information via internal intrusion due to a computer virus.
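The risks under b) and c) are the ones an HCF-side gateway can enforce technically rather than only contractually. The following is an added example, not text or code from ISO/TR 11633-2, of such a gateway in Python: each RSC operator is bound to a contract scope that allowlists the operations they may submit on a given target device, everything else is denied (risk b)); every decision is written to a hash-chained audit trail that a later security audit can check for deleted or altered entries (the "security audit and audit trail" item in 4.1); and a software update is applied only after the package digest matches a manifest whose authenticity has been verified (risk c)). The operator and device names, the contract scope, the HMAC-authenticated manifest and the sample session are all constructed for this example; the shared HMAC key stands in for the vendor's code-signing key, and a real deployment would verify the vendor's signed update format instead.

```python
import hashlib
import hmac
import json
import time

# Constructed contract scope (an assumption, not from the standard): the
# operations each RSC operator may submit on each target device. Deny by default.
CONTRACT_SCOPE = {
    "rsc-operator-01": {
        "mri-01": {"read_logs", "read_config", "apply_update"},
        "lis-srv": {"read_logs"},
    },
}

# Constructed shared key that authenticates update manifests. It stands in for
# the vendor's code-signing key; a real deployment verifies a vendor signature.
MANIFEST_KEY = b"example-shared-manifest-key"


class AuditTrail:
    """Append-only audit trail: each entry commits to the hash of the previous
    entry, so a later security audit can detect altered or deleted entries."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, **event):
        event.setdefault("ts", time.time())
        event["prev"] = self._prev
        body = json.dumps(event, sort_keys=True).encode()
        event["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(event)
        self._prev = event["hash"]

    def verify(self):
        """Recompute the chain; True only if no entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def manifest_tag(manifest):
    """HMAC-SHA256 over the canonical manifest (stand-in for a vendor signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def verify_package(package, manifest, tag):
    """Accept the update only if the manifest is authentic and the package
    matches the digest it lists; both comparisons are constant-time."""
    if not hmac.compare_digest(manifest_tag(manifest), tag):
        return False
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), manifest["sha256"])


class RmsGateway:
    """HCF-side broker that every RSC operation must pass through."""

    def __init__(self, scope, trail):
        self.scope = scope
        self.trail = trail

    def submit(self, operator, device, operation, package=None, manifest=None, tag=None):
        allowed = operation in self.scope.get(operator, {}).get(device, set())
        reason = "in contract scope" if allowed else "outside contract scope"
        if allowed and operation == "apply_update":
            allowed = (package is not None and manifest is not None and tag is not None
                       and verify_package(package, manifest, tag))
            reason = "update verified" if allowed else "update rejected: manifest or digest mismatch"
        self.trail.record(operator=operator, device=device, operation=operation,
                          decision="allow" if allowed else "deny", reason=reason)
        return allowed


def demo():
    """Constructed maintenance session; returns the decisions and the audit trail."""
    trail = AuditTrail()
    gw = RmsGateway(CONTRACT_SCOPE, trail)
    good_pkg = b"constructed firmware image v2.1"
    manifest = {"device": "mri-01", "version": "2.1",
                "sha256": hashlib.sha256(good_pkg).hexdigest()}
    tag = manifest_tag(manifest)
    decisions = [
        gw.submit("rsc-operator-01", "mri-01", "read_logs"),                                # allow
        gw.submit("rsc-operator-01", "lis-srv", "read_config"),                             # deny: not in scope on this device
        gw.submit("rsc-operator-01", "mri-01", "drop_patient_db"),                          # deny: never permitted
        gw.submit("rsc-operator-01", "mri-01", "apply_update", good_pkg, manifest, tag),    # allow: digest matches
        gw.submit("rsc-operator-01", "mri-01", "apply_update", b"tampered", manifest, tag), # deny: digest mismatch
        gw.submit("rsc-operator-02", "mri-01", "read_logs"),                                # deny: unknown operator
    ]
    return decisions, trail


if __name__ == "__main__":
    decisions, trail = demo()
    for e in trail.entries:
        print(e["decision"], e["operator"], e["device"], e["operation"], "-", e["reason"])
    print("audit trail intact:", trail.verify())
```

The deny-by-default scope is what turns the contract items of 4.1 into something the gateway can enforce; the hash chain gives the auditor in Clause 7 a way to confirm that the trail itself was not edited after the fact; and refusing the update on a digest mismatch is the control against c), with the caveat that an HMAC shared with the vendor lets the vendor forge manifests, which is why a production system should verify an asymmetric vendor signature instead.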

4.6 Identification of risks that are not described in this document

In this document, risk assessment is performed in accordance with the typical model, so other use cases are outside its scope. If a business model differs from the model that this document assumes, the risk assessment results of this document cannot simply be reused as they stand. There is also the possibility that not all cases can be covered. When coverage of all cases is not possible, the combined approach should be used: a detailed risk analysis, which this document does not describe, is conducted for the parts that the baseline does not cover.

The risk assessment method for the detailed risk analysis is explained in ISO/TS 11633-1. By adopting the methods of ISO/TS 11633-1, the results of a risk assessment guided by a different business model can be easily integrated with the results of a risk assessment guided by this document.

4.7 Treating risks

Risk treatment is the treatment of the assumed risk in accordance with the results of risk assessment. The risk treatment choices are shown in Table 1. These choices are combined and implemented where necessary.

In the usual risk management process, a combination of these measures is selected by making an overall judgment of the severity of the risk and the ease of implementing the measures. It is especially important to adopt the risk control(s) specified by information privacy protection laws and regulations. In this case the risk should be controlled, because risk retention or risk transfer are not typically adequate to meet these privacy protection laws; the only alternative is risk avoidance, i.e. not handling any data that falls within the scope of the privacy protection laws and regulations.

In this document, it is recommended that risk control be performed positively based on the ISMS. Concrete measures are explained in detail in Annex A.

Table 1 — Risk treatment

Risk control: measures (a management plan) are adopted to positively reduce damage.
— Risk prevention — measures to reduce threats and vulnerabilities are implemented.
— Minimization of damage — measures to reduce the damage when the risk materializes are implemented.

Risk transfer: measures to transfer the risk to third parties by contract, etc.
— Insurance — damage insurance and other types of insurance are used so that the risk is transferred.
— Outsourcing — information assets and information security measures are entrusted to an outside party.

Risk retention: approach that accepts the risk as belonging to the organization.
— Financing — this corresponds to accumulating a reserve, etc.
— Nothing is done.

Risk avoidance: approach taken when appropriate measures cannot be found.
— Abolition of business — the business is stopped.
— Destruction of information assets — the object to be managed no longer exists.
5 Security management measures for remote maintenance services

The possibility of leakage of personal information such as patient information through the RMS requires the healthcare organization to obtain the help of the RSC to achieve RMS security. In order to take appropriate security measures for realizing the safety of the RMS, the healthcare organization and the RSC should select controls based upon the result of the risk assessment. Regardless of whether or not the RSC is supervised by the healthcare organization, the RSC should ensure that the RMS meets the security requirements.

Annex A illustrates concretely how to proceed with the safety management measures during RMS for the healthcare organization and the RSC. Referring to Table 1 is expected to reduce risk assessment time when preparing the RMS. Even if the RMS is already operational, an audit using Table 1 is recommended to make sure that the risk assessment is adequate.
6 Approving residual risks

Residual risk means the following among the risks identified by risk assessment:
— risk for which sufficient measures are intentionally not taken;
— risk that is difficult to identify;
— risk for which complete measures would be too expensive.

When risks remain even after the HCF performs risk control, risk retention or risk transfer, management should judge whether or not these residual risks are approved from a management point of view. When the HCF management approves these residual risks, it means that the HCF accepts the RMS as constituted by the risk assessment based on the ISMS.

The HCF approves the residual risks in the contract for the RMS as a whole, and the RSC operates the RMS while paying attention to the residual risks. According to the result of the risk analysis of the RMS illustrated in Annex A, there is still the possibility of leakage of personal information such as PHI, particularly in the RSC. The HCF should recognize these dangers, take into account guidelines issued by government, and audit the security measures actually taken in the RMS.
7 Security audit

7.1 Security audit of remote maintenance services

The purpose of the security audit is to confirm whether the risk management related to security is effectively implemented and whether appropriate controls based on the risk assessment are in place. The security audit comprehensively assesses conformity with the information security management standard, but it is also possible to focus the audit on the RMS itself. In the security audit of the RMS, the auditor verifies and, where appropriate, evaluates whether the controls based on the risk assessment are maintained and operated.

Moreover, it is an effective measure for both the HCF and the RSC to evaluate the safety standards of the security by means of the security audit, because the results of such audits are effective evaluative material for improving the solidity of the RMS.

7.2 Recommendation of security audit by third parties

Conducting information security audits as internal audits has the following problems:
— it is hard to notice that risks to be assessed are missing;
— objectivity and independence are not satisfied;
— it takes time to train auditors because specialized knowledge is required;
— it is difficult to produce an audit report suitable for disclosure.

For these reasons, the HCF should be audited by an external organization and by an auditor with a high degree of technical knowledge, in order to evaluate the RMS objectively. Performing an external audit based on an appropriate audit procedure facilitates information security certification such as the ISMS. Finally, the HCF can enhance its societa
...

TECHNICAL ISO/TR
REPORT 11633-2
Second edition
Health informatics — Information
security management for remote
maintenance of medical devices and
medical information systems —
Part 2:
Implementation of an information
security management system (ISMS)
Informatique de santé — Management de la sécurité de l'information
pour la maintenance à distance des dispositifs médicaux et des
systèmes d'information médicale —
Partie 2: Mise en oeuvre d'un système de management de la sécurité
de l'information (ISMS)
PROOF/ÉPREUVE
Reference number
ISO/TR 11633-2:2020(E)
ISO 2020
ISO/TR 11633-2:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO 2020 – All rights reserved
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Application of ISMS to remote maintenance services
4.1 Overview
4.2 Compliance scope
4.3 Security policy
4.4 Assessing risks
4.5 Risks to be managed
4.6 Identification of risks that are not described in this document
4.7 Treating risks
5 Security management measures for remote maintenance services
6 Approving residual risks
7 Security audit
7.1 Security audit of remote maintenance services
7.2 Recommendation of security audit by third parties
Annex A (informative) Example of risk assessment in remote maintenance services
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 215, Health informatics.

This second edition cancels and replaces the first edition (ISO/TR 11633-2:2009), which has been technically revised.

The main changes compared to the previous edition are as follows:
— complete revision of the bibliography;
— update of Figure 1;
— update of Annex A.

A list of all parts in the ISO 11633 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

The advancement and spread of technology in the information and communication technology field, and the infrastructure based on it, have brought many changes in how technology and networks are used in modern society. Similarly, in healthcare, information systems that were once closed systems within each healthcare facility (HCF) are now connected by networks, and are progressing to the point of enabling mutual use of the health information accumulated in these systems. Such information and communication networks are spreading not only between HCFs but also between HCFs and vendors of medical devices and healthcare information systems. Maintenance of such systems is paramount to keeping them up to date. By practising so-called "remote maintenance services" (RMS), it becomes possible to reduce downtime and lower the cost of this maintenance activity.

Whilst there are benefits to remote maintenance, such remote connections with external organizations also expose HCFs and vendors to risks regarding the confidentiality, integrity and availability of information and systems; risks which previously received scant consideration.

This document describes the risk assessment needed to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field such as patient safety, applicable requirements and privacy protection. Although remote maintenance is generally done on a contract basis, in the case of medical devices a risk assessment is commonly a legal prerequisite. Therefore, an appropriate risk assessment should be implemented wherever remote maintenance is provided in a healthcare context. The risk assessment examples provided in this document support HCFs and RMS providers in implementing risk assessment effectively.

By implementing the risk assessment process and employing the controls referenced in this document, HCF owners and RMS providers will be able to obtain the following benefits:

— Risk assessment can become more efficient. If a risk assessment document created using this document does not fully match a given situation, it may still be used in part for the risk assessment of the non-matching area, thus reducing the risk assessment effort required.

— Documented validity of the RMS security countermeasures in place will be available to third parties.

— If providing RMS to two or more sites, the provider can apply countermeasures consistently and effectively.
1 Scope

This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs), as provided by vendors of medical devices or health information systems, in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner.

This document consists of:
— application of ISMS to RMS;
— security management measures for RMS;
— an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/TS 11633-1, Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 1: Requirements and risk analysis

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/TS 11633-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Application of ISMS to remote maintenance services

4.1 Overview

The information security management system (ISMS) is a mechanism that operates as a series of plan/do/check/act processes under the security policy. This series of processes means that the organization plans proper security measures (plan), puts those security measures into practice (do), reviews those security measures (check), and reconsiders them if necessary (act). The ISMS is already standardized internationally as ISO/IEC 27001; it is therefore convenient to construct and operate an ISMS with reference to ISO/IEC 27001. This also helps to persuade patients, medical treatment evaluation organizations and others of the efficacy of the security measures.

General steps of ISMS construction are shown in Figure 1.

Figure 1 — ISMS steps

Security measures for protecting personal information in the remote maintenance services (RMS) are described below in accordance with the concepts of the ISMS.

Both the healthcare organization and the RMS provider should construct an appropriate ISMS. Additionally, the healthcare organization should ideally coordinate information security management among all its RMS providers in order to protect personal information. The RMS connects the network of the RMS provider and the network of the healthcare organization, and connecting these networks carries the risk of creating new security holes. The RMS also raises problems that do not arise in system construction within a single organization, because it operates between the healthcare organization and the remote maintenance service centre (RSC), two organizations that are independent of each other. It will therefore be a burden on both the healthcare organization and the RSC if security measures are not treated as an integral part of the RMS from the outset. In this regard, using the ISMS (a well-evaluated technique) can be considered a better way to implement RMS security efficiently.

Under the personal information protection laws of many jurisdictions, the healthcare organization assumes the obligations and responsibilities of custodian of the personal information. In the RMS, the healthcare organization should request appropriate measures for protecting personal information from the RMS provider, because the provider will access the target device installed in the healthcare facility from the RSC through the network. The healthcare organization must independently coordinate the information security management systems of all RMS providers that provide the RMS, and confirm that security holes have not been created. Additionally, the healthcare organization should confirm that each RMS provider's security level remains appropriate.

The following items should be documented and established in the ISMS:
— security policy;
— security measures standard;
— mapping of security policy;
— selection of solutions;
— operation execution rules;
— security auditing standards;
— security audit and audit trail.

A healthcare organization should write into the maintenance contract or agreement between the healthcare organization and the RMS provider the items that the RSC implements, in order to ensure appropriate measures in the RSC. As a result, the healthcare organization distributes, through the contract and agreement, the obligation and responsibility for protecting personal information during maintenance work to the RMS provider. The healthcare organization should construct an appropriate ISMS and, at the same time, should put into writing in the maintenance contract or the business consignment contract the obligation on the part of the RMS provider to accept supervision by the healthcare organization as the final authority in charge of personal information management.

The risk analysis and measures are illustrated in this document by the ISMS method. Constructing remote maintenance service security (RSS) with this content is therefore expected to bring advantages to both the healthcare organization and the RSC. When the content of this risk assessment is not complete, additional risk assessment need only be done on the parts that are missing.
4.2 Compliance scope

The coverage of the ISMS in the operational model described in ISO/TS 11633-1:2019, Annex A, is as follows:
— target device for maintenance in the healthcare facility (HCF);
— internal network of the healthcare organization;
— route from the RMS access point in the healthcare organization to the RSC;
— internal network of the RSC;
— equipment management in the RSC.

Because the following risks exist independently of the presence of the RMS, they are excluded from the coverage of the ISMS in this clause:
— threats related to the availability of equipment and software that handle protected health information (PHI);
— threats related to computer viruses;
— threats related to staff, pertaining to recruitment, education and training.

4.3 Security policy

The desired content of a basic policy is described in ISO/IEC 27002:2013, 5.1.1. When these considerations are applied to RSS, the policy should be able to secure the availability of the system, and to secure the integrity, readability and preservation of patients' personal information.

The technical, organizational, human-resource and physical safety measures of the RSS should be specified in a basic security policy of the RSS.

The following explanations assume a large-scale integrated HCF. Since two or more departments of a large-scale HCF may receive RMS, a unified management policy is needed. When the scale of the HCF and its form of operation differ from a large-scale integrated HCF, it is important to implement the policy in conformity with the actual situation.
4.4 Assessing risks

In risk assessment, information assets are analysed with regard to the following.

— What threats exist?

— How possible is each threat, and what is its frequency of occurrence?

— When the threat materializes, how much impact does it have?

The techniques of analysis are broadly classified into the following four approaches.

a) Baseline approach

This technique analyses risk based on the standards and guidelines that are required in the target field. Security is measured against a standard risk assessment done beforehand in the industry.

Although it is advantageous in terms of time and cost, because the organization need not evaluate the risks itself, the applicability of the standardized risks to the risks of a specific organization can be problematic.

b) Detailed risk analysis

Carrying out a detailed risk assessment includes a detailed risk analysis and an appropriate management plan from which management can select. A sizable budget in cost and time is needed for the risk assessment, including securing the necessary human resources.

c) Combined approach

This approach combines the baseline approach with detailed risk analysis, and has the advantages of each.

d) Informal approach

This approach carries out risk analysis by exploiting the knowledge and experience of the organization's staff. It is difficult for a third party to evaluate the resulting risk analysis because the method is not structured.

The RMS involves both the healthcare organization and the RSC, so the risk analysis should be one that both can agree upon. In this document, the typical use case is modelled and the risk assessment for this model is carried out. Risk analysis by the baseline approach a) and by the combined approach c) is enabled by using this risk assessment result. See Table A.1 for the result of the risk assessment. Table A.1 contains the selection of appropriate control objectives and controls from ISO/IEC 27001 based on the result of the risk analysis in ISO/TS 11633-1. Table A.1 conforms to ISO/IEC 27001 and is composed of 14 control clauses and 114 controls.

The measures prescribed here specify the procedures which should be observed, at a minimum, in performing RMS. The healthcare organization, which is also the administrator of the personal information, should evaluate whether the RSC conforms to this document, and should request that appropriate measures be taken if it does not. Moreover, if the healthcare organization's own security level is below the level specified in this document, appropriate measures should be put in place. Each RMS provider is expected to implement appropriate measures in order to achieve the requirements described in ISO/TS 11633-1.

4.5 Risks to be managed

This subclause gives some examples, from the viewpoint of personal information protection, of risks which should be especially noted in an RMS. It is important to implement sufficient measures against these risks. The risks discussed here are only examples; the management of other risks is also important.

a) When the RSC handling personal information is managed by the healthcare organization.

In this case, the point that needs particular attention is leakage of information to third parties. Consideration needs to be given to information displayed on computer screens in the work environment and to information printed on paper, as well as to the threat of intrusion into the system. The main risks are as follows:
— viewing of screens by persons other than those concerned in the RSC;
— leakage through a third party entrusted with the work;
— leakage from logs generated when data is analysed, from printed paper, from cache memory, etc.;
— leakage on the network.

b) When the RSC accesses equipment of the healthcare organization for maintenance with administrative authority.

In this case, the points that need particular attention are operator error and inappropriate access to the computer (operations beyond those permitted). The main risks are as follows:
— destruction of data on the target device due to an operator mistake;
— destruction of data on the target device due to malicious or subversive activity;
— leakage and destruction of more important information due to intrusion into the internal network via the maintenance device.

c) When the RSC updates the software.

In this case, care is required not to install malicious software, computer viruses, etc., on the target devices. The main risks are as follows:
— leakage and destruction of data on the target device due to malicious software;
— leakage and destruction of important information via intrusion into the internal network due to a computer virus.
4.6 Identification of risks that are not described in this document

In this document, risk assessment is performed on the typical model, so other use cases are outside its scope. If a business model differs from the model that this document assumes, the risk assessment results of this document can still be adapted to it. There is also a possibility that not all cases can be covered. When coverage of all cases is not possible, a detailed risk analysis should be conducted using the combined risk assessment approach, which this document does not describe.

The risk assessment method for detailed risk analysis is explained in ISO/TS 11633-1. By adopting the methods of ISO/TS 11633-1, the results of a risk assessment based on a different business model can be easily integrated with the results of a risk assessment based on this document.

4.7 Treating risks

Risk treatment is defined as the treatment of an identified risk in accordance with the results of the risk assessment. Risk treatment choices are shown in Table 1. These choices are combined and implemented where necessary.

In the usual risk management process, a combination of these measures is selected by making an overall judgment of the severity of the risk and the ease of implementing the measures. It is especially important to adopt the risk control(s) specified by information privacy protection laws and regulations. In this case the risk should be controlled, because risk retention or risk transfer are not typically adequate to meet these privacy protection laws; the only alternative is risk avoidance, which means not handling any data that falls within the scope of privacy protection laws and regulations.

In this document, it is recommended that risk control be actively performed based on the ISMS. Concrete measures are explained in detail in Annex A.

Table 1 — Risk treatment

Risk control:
Measures (controls) are adopted to actively reduce damage.
— Risk prevention — measures to reduce threats and vulnerabilities are implemented.
— Minimization of damage — measures to reduce the damage when the risk materializes are implemented.

Risk transfer:
Measures to transfer the risk to third parties by contract, etc.
— Insurance — damage insurance and other types of insurance are used so that the risk is transferred.
— Outsourcing — information assets and information security measures are entrusted to an outside party.

Risk retention:
Approach that accepts the risk as belonging to the organization.
— Financing — corresponds to accumulating a reserve, etc.
— Nothing is done.

Risk avoidance:
Approach taken when appropriate measures cannot be found.
— Abolition of business — the business activity is stopped.
— Destruction of information assets — the object of management is removed.
5 Security management measures for remote maintenance services

The possibility of leakage of personal information, such as patient information, from the RMS requires the healthcare organization to obtain the cooperation of the RSC in order to achieve RMS security.

In order to take appropriate security measures to realize the safety of the RMS, the healthcare organization and the RSC should select controls based upon the result of the risk assessment. Regardless of whether or not the RSC is supervised by the healthcare organization, the RSC should ensure that the RMS meets the security requirements.

Annex A illustrates concretely how the healthcare organization and the RSC should proceed with safety management measures during RMS. Referring to Table 1 is expected to reduce risk assessment time when preparing the RMS.

Even if the RMS is already operational, auditing using Table 1 is recommended to make sure that the risk assessment is adequate.

6 Approving residual risks

Residual risk means the following among the risks identified by the risk assessment:
— risks for which sufficient measures are intentionally not taken;
— risks that are difficult to identify;
— risks for which complete measures would be too expensive.

When risks remain even after the HCF performs risk control, risk retention or risk transfer, management should judge whether or not these residual risks are approved from a management point of view. When HCF management approves these residual risks, it means that the HCF accepts the RMS as constituted by the risk assessment based on the ISMS.

The HCF approves the residual risks in the overall contract for the RMS, and the RSC operates the RMS while paying attention to the residual risks. According to the result of the risk analysis of the RMS illustrated in Annex A, the possibility of leakage of personal information such as PHI still remains, particularly in the RSC. The HCF should recognize these dangers, take into account guidelines issued by government, and audit the security measures actually taken in the RMS.
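The analysis questions of 4.4 (threat, likelihood, impact), the treatment options of Table 1, the rule in 4.7 that risks to data covered by privacy law are controlled or avoided rather than retained or transferred, and the residual-risk approval step of Clause 6 can be written down as a small risk register. The Python script below is an added example for this page; it is not part of ISO/TR 11633-2 and is not Table A.1. The threats, scores, control references (written in the style of ISO/IEC 27001:2013 Annex A identifiers), the likelihood reduction attributed to each control set and the acceptance threshold are all constructed assumptions for illustration.

```python
"""Risk register for a remote maintenance service (RMS).

Added example, not part of ISO/TR 11633-2. Threats, scores, control
references and the acceptance threshold are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four options of Table 1."""
    CONTROL = "risk control"
    TRANSFER = "risk transfer"
    RETENTION = "risk retention"
    AVOIDANCE = "risk avoidance"


# Assumption: management accepts a residual score of 6 or less without escalation.
ACCEPT_THRESHOLD = 6


@dataclass
class Risk:
    id: str
    threat: str            # 4.4: what threat exists?
    asset: str
    likelihood: int        # 4.4: frequency of occurrence, 1 (rare) .. 5 (frequent)
    impact: int            # 4.4: influence when it materializes, 1 (minor) .. 5 (severe)
    personal_data: bool    # 4.7: falls within the scope of privacy protection law
    controls: list[str] = field(default_factory=list)  # selected controls (assumed ids)
    control_effect: int = 0  # assumed reduction of likelihood once controls are operated

    def inherent(self) -> int:
        """Score before treatment: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score left after the selected controls are operated."""
        return max(1, self.likelihood - self.control_effect) * self.impact


def select_treatment(risk: Risk) -> Treatment:
    """Choose a Table 1 option.

    4.7: for personal data, retention and transfer do not satisfy privacy law,
    so the risk is controlled, or the activity avoided when no control exists.
    Other risks follow the usual severity/effort judgement.
    """
    if risk.personal_data:
        return Treatment.CONTROL if risk.controls else Treatment.AVOIDANCE
    if risk.inherent() <= ACCEPT_THRESHOLD:
        return Treatment.RETENTION
    if risk.controls:
        return Treatment.CONTROL
    return Treatment.TRANSFER


def treatment_plan(register: list[Risk]) -> dict[str, str]:
    """Map each risk id to the name of the chosen treatment."""
    return {r.id: select_treatment(r).value for r in register}


def residual_risks_for_approval(register: list[Risk]) -> list[tuple[str, str, int]]:
    """Clause 6: risks still above the threshold after treatment go to HCF
    management for explicit approval. Avoided risks drop out because the
    activity that carried them is stopped; transferred or retained risks keep
    their inherent score since no control reduces them."""
    pending = []
    for r in register:
        t = select_treatment(r)
        if t is Treatment.AVOIDANCE:
            continue
        score = r.residual() if t is Treatment.CONTROL else r.inherent()
        if score > ACCEPT_THRESHOLD:
            pending.append((r.id, t.value, score))
    return pending


# Constructed sample register mirroring the situations in 4.5 a), b) and c).
REGISTER = [
    Risk("R1", "screen viewed by persons not concerned in the RSC", "patient data",
         likelihood=3, impact=4, personal_data=True,
         controls=["A.11.2.9 clear desk and clear screen", "A.11.1.2 physical entry controls"],
         control_effect=2),
    Risk("R2", "operator mistake destroys data on the target device", "target device",
         likelihood=2, impact=5, personal_data=False,
         controls=["A.12.3.1 information backup", "A.9.4.1 information access restriction"],
         control_effect=1),
    Risk("R3", "malicious software installed with a software update", "target device",
         likelihood=3, impact=5, personal_data=True,
         controls=["A.12.2.1 controls against malware", "A.14.2.9 system acceptance testing"],
         control_effect=1),
    Risk("R4", "analysis log containing PHI left in RSC cache", "patient data",
         likelihood=3, impact=3, personal_data=True),   # no control identified
    Risk("R5", "RSC network outage delays maintenance", "availability",
         likelihood=4, impact=1, personal_data=False),
    Risk("R6", "fire destroys maintenance equipment in the RSC", "RSC equipment",
         likelihood=2, impact=5, personal_data=False),  # no control identified
]

if __name__ == "__main__":
    for rid, treatment in treatment_plan(REGISTER).items():
        print(f"{rid}: {treatment}")
    print("for management approval:", residual_risks_for_approval(REGISTER))
```

Running the script shows the two points the text makes but does not work through: R4 cannot be retained or insured because it is personal data, so with no control available the only option left is avoidance, and R3 remains on the approval list even though it is controlled, because the assumed controls do not bring it under the threshold. That list is exactly what Clause 6 asks HCF management to sign off on in the RMS contract.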
...
