ISO/TR 80001-2-6:2014

TECHNICAL ISO/TR
REPORT 80001-2-6
First edition
2014-12-01
Application of risk management for
IT-networks incorporating medical
device —
Part 2-6:
Application guidance — Guidance for
responsibility agreements
Application de la gestion des risques pour les réseaux intégrant
appareils médicaux —
Partie 2-6: Application guidage — Orientation des accords de
responsabilité
Reference number
ISO/TR 80001-2-6:2014(E)
ISO 2014
---------------------- Page: 1 ----------------------
ISO/TR 80001-2-6:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any

means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.

Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

Foreword ............................................................................................................................................................ iv

Introduction ......................................................................................................................................................... v

1 Scope ...................................................................................................................................................... 1

1.1 Purpose .................................................................................................................................................. 1

1.2 Prerequisites .......................................................................................................................................... 1

2 Normative references ............................................................................................................................ 1

3 Terms and definitions ........................................................................................................................... 1

4 Key aspects for RESPONSIBILITY AGREEMENTS ........................................................................ 5

4.1 Reasons and rationale .......................................................................................................................... 5

4.2 Participants ............................................................................................................................................ 5

4.3 Proposed types of RESPONSIBILITY AGREEMENTS ....................................................................... 5

4.4 Communication control ........................................................................................................................ 5

4.4.1 Bilateral versus multilateral RESPONSIBILITY AGREEMENTS ........................................................ 5

4.4.2 Non-disclosure agreements ................................................................................................................. 5

4.4.3 Update of information and documentation ......................................................................................... 6

4.5 Responsibility for establishing ............................................................................................................ 6

4.6 Methods for determination and of responsibilities ............................................................................ 6

4.7 Life cycle considerations...................................................................................................................... 6

5 Elements of a RESPONSIBILITY AGREEMENT .................................................................................. 7

Annex A (informative) RACI chart .................................................................................................................... 11

Annex B (informative) Typical documents ........................................................................................................ 12

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies

(ISO member bodies). The work of preparing International Standards is normally carried out through ISO

technical committees. Each member body interested in a subject for which a technical committee has been

established has the right to be represented on that committee. International organizations, governmental and

non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the

International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards

adopted by the technical committees are circulated to the member bodies for voting. Publication as an

International Standard requires approval by at least 75 % of the member bodies casting a vote.

In exceptional circumstances, when a technical committee has collected data of a different kind from that

which is normally published as an International Standard (“state of the art”, for example), it may decide by a

simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely

informative in nature and does not have to be reviewed until the data it provides are considered to be no

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent

rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO TR 80001-2-6 was prepared by Technical Committee ISO/TC 215, Health informatics, jointly with IEC

ISO/IEC TR 80001 consists of the following parts, under the general title Application of risk management for

 Part 2-1: Step-by-step risk management of medical IT-networks – Practical applications and examples

 Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and

 Part 2-4: Application guidance – General implementation guidance for Healthcare Delivery Organizations

 Part 2-5: Application guidance – Guidance on distributed alarm systems (in development)

 Part 2-7: IT-networks incorporating medical devices - Part 2-7: Application Guidance - Guidance for

Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1 (in

 Part 2-8: Application of risk management for IT-networks incorporating medical devices Part 2-8:

Application guidance - Guidance on standards for establishing the security capabilities identified in IEC

IEC 80001-1 was developed to meet the need to managing RISKS associated with the increasing prevalence of

MEDICAL DEVICES being connected to general purpose IT-NETWORKS. The standard introduces the notion of a

RESPONSIBILITY AGREEMENT covering roles and responsibilities of the stakeholders. This Technical Report

provides practical guidance to RESPONSIBLE ORGANIZATIONS on establishing a RESPONSIBILITY AGREEMENT

among all stakeholders involved, namely the RESPONSIBLE ORGANIZATION, the MEDICAL DEVICE manufacturer(s)

Examples of situations where a RESPONSIBILITY AGREEMENT could prove useful when an IT-NETWORK

incorporates MEDICAL DEVICES. The benefits of the RESPONSIBILITY AGREEMENT include:

a) The roles and responsibilities of the stakeholders are identified and communicated in written form.

It is essential to have a clear understanding of the clinical dependencies on the network and to identify

the roles and responsibilities of the stakeholders, including clinical staff and the MEDICAL DEVICE

The organization or department responsible for configurations control and maintenance of the IT-

NETWORK should have, or establish if necessary, change control procedures to manage the RISKS to

services supported by the network arising from the implementation of changes to network (e.g. software

EXAMPLE 1 Common examples include software upgrades for antivirus software or bug fixes in networking

switches and routers. Before upgrading hard/soft/firmware on infrastructure supporting MEDICAL DEVICES and medical

systems, it is important that MEDICAL DEVICES that can be impacted are identified through an impact assessment. To

undertake such an assessment requires either detailed engineering knowledge of each component and its

dependencies or for example, the co-operation of the respective manufacturer. Whichever party takes responsibility

for this should then review and validate their systems on the new hard/soft/firmware. It is also important to ensure

that whenever practicable, there is a back-out/regression plan which has also been tested. In this scenario, the

RESPONSIBILITY AGREEMENT would set out the responsibilities of each party, e.g., How such activities would be initiated,

who would notify whom, when, with what information and how would they be expected to respond. There have

already been documented instances where MEDICAL DEVICES have been adversely affected from such changes and

this was one reason for US FDA's "Guidance for Industry - Cybersecurity for Networked Medical Devices Containing

http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm

b) A clinical user of a MEDICAL DEVICE can desire to connect the MEDICAL DEVICE to a general purpose IT-

NETWORK. Having a PROCESS in place to inform and involve relevant stakeholders early in the planning

stage (i.e., prior to go live) could help avert uninformed decision making and implementation that could

EXAMPLE 2 Demand already exists for this capability, e.g., delivery of MEDICAL DEVICE alarms via wireless

communications devices carried by PATIENT care staff, automated/remote programming of infusion therapy pumps

and Admit/Discharge/Transfer data feeds to medical monitoring systems. When doing so requires multiple otherwise

independent stakeholders to be responsible for aspects of the system’s development, implementation and operation,

and maintenance, it is imperative that all stakeholders are explicitly aware and accepting of their responsibilities. A

In addition to the languages of subclause 4.3.4 describing the RESPONSIBILITY AGREEMENT, subclauses 3.5 and

3.6 require information to be made available to the RESPONSIBLE ORGANIZATION by MEDICAL DEVICE

manufacturers and IT supplier, respectively. Both subclauses acknowledge the possibility that the information

identified may be insufficient to address the RESPONSIBLE ORGANIZATION’S RISK MANAGEMENT needs by

NOTE 1 Where the content made available does not meet the RESPONSIBLE ORGANIZATION'S RISK MANAGEMENT need,

NOTE 2 A RESPONSIBILITY AGREEMENT between the RESPONSIBLE ORGANIZATION and a MEDICAL DEVICE manufacturer can

This Technical Report provides guidance on implementing RESPONSIBILITY AGREEMENTS, which are described

in IEC 80001-1 as used to establish the roles and responsibilities among the stakeholders engaged in the

incorporation of a MEDICAL DEVICE into an IT-NETWORK in order to support compliance to IEC 80001-1.

Stakeholders may include RESPONSIBLE ORGANIZATIONS, IT suppliers, MEDICAL DEVICE manufacturers and

others. The goal of the RESPONSIBILITY AGREEMENT is that these roles and responsibilities should cover the

The RESPONSIBLE ORGANIZATION’S (ROs) TOP MANAGEMENT has accepted responsibility for the successful

implementation of IEC 80001-1. As required by IEC 80001-1, the RO has created and approved policies for

the RISK MANAGEMENT PROCESS and RISK acceptability criteria while balancing the three KEY PROPERTIES with

the mission of the RO. The RO has identified and provisioned adequate resources and assigned qualified

personnel to perform tasks related to the standard. The RO has appointed a MEDICAL IT-NETWORK RISK

The following document, in whole or in part, is normatively referenced in this document and is indispensable

IEC 80001-1:2010, Application of risk management for IT -networks incorporating medical devices – Part 1:

outcome of the RISK MANAGEMENT PROCESS consisting of a document that allows a specified change or type of

change without further RISK MANAGEMENT activities subject to specified constraints

operational state of a MEDICAL IT-NETWORK in which information assets (data and systems) are reasonably

ability to produce the intended result for the subject of care and the RESPONSIBLE ORGANIZATION

PROCESS that ensures that all events that can or might negatively impact the operation of the IT-NETWORK are

physical injury or damage to the health of people, or damage to property or the environment, or reduction in

branch of engineering that deals with the use of computers and telecommunications to retrieve, store, and

electronic data transmission facility which can comprise of just a point-to-point wire link between two devices,

three RISK managed characteristics (SAFETY, EFFECTIVENESS, and DATA AND SYSTEMS SECURITY) of MEDICAL IT-

Means any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator,

a) intended by the manufacturer to be used, alone or in combination, for human beings for one or more of

 diagnosis, monitoring, treatment, alleviation of or compensation for an injury,

 investigation, replacement, modification, or support of the anatomy or of a physiological process,

 providing information for medical or diagnostic purposes by means of in vitro examination of

b) which does not achieve its primary intended action in or on the human body by pharmacological,

immunological or metabolic means, but which may be assisted in its intended function by such means.

Note 1 to entry: The definition of a device for in vitro examination includes, for example, reagents, calibrators, sample

collection and storage devices, control materials, and related instruments or apparatus. The information provided by such

an in vitro diagnostic device may be for diagnostic, monitoring or compatibility purposes. In some jurisdictions, some in

vitro diagnostic devices, including reagents and the like, may be covered by separate regulations

Note 2 to entry: Products which may be considered to be MEDICAL DEVICES in some jurisdictions but for which there

 devices incorporating animal and human tissues which may meet the requirements of the above definition

Note 3 to entry: Accessories intended specifically by manufacturers to be used together with a ‘parent’ MEDICAL DEVICE

to enable that MEDICAL DEVICE to achieve its intended purpose should be subject to the same GHTF procedures as apply to

the MEDICAL DEVICE itself. For example, an accessory will be classified as though it is a MEDICAL DEVICE in its own right. This

may result in the accessory having a different classification than the ‘parent’ device.

Note 4 to entry: Components to MEDICAL DEVICES are generally controlled through the manufacturer’s quality

management system and the conformity assessment procedures for the device. In some jurisdictions, components are

[SOURCE: IEC 80001-1:2010, 2.14, modified — NOTES changed to "notes to entry" format.]

on-going review of all RISK MANAGEMENT activities and RISK control options that were put in place to achieve

set of interrelated or interacting activities which transforms inputs into outputs in a computer program

one or more documents that together fully define the responsibilities of all relevant stakeholders

combination of the probability of occurrence of HARM and the severity of that HARM

systematic use of available information to identify HAZARDS and to estimate the RISK

PROCESS of comparing the estimated RISK against given RISK criteria to determine the acceptability of the RISK

systematic application of management policies, procedures and practices to the tasks of analysing, evaluating,

freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or

person or group of people e who direct(s) and control(s) the RESPONSIBLE ORGANIZATION accountable for

Among the important aspects of implementing and maintaining a MEDICAL IT-NETWORK is distributing

responsibilities for its RISK MANAGEMENT activities. Clear allocation of these responsibilities is indispensable for

achieving the targets of the three KEY PROPERTIES as defined by the RESPONSIBLE ORGANIZATION.

RESPONSIBILITY AGREEMENTS are a means to document the roles and responsibilities relating to RISK

MANAGEMENT, of the various stakeholders involved in the activities associated with procurement,

implementation or through-life /in-service management of MEDICAL IT-NETWORK. Each project/ network will be

different and it is possible that some may already have some roles and responsibilities defined and in such

cases the RESPONSIBILITY AGREEMENT will simply help with identifying any gaps. In other projects however, the

RESPONSIBLE ORGANIZATION may find that it becomes a key PROCESS for establishing the management

PROCESSES that will be required to adequately manage RISKS relating to the three KEY PROPERTIES.

RESPONSIBILITY AGREEMENTS may not only be needed between the RO, MEDICAL DEVICE manufacturers, and IT

suppliers but may also be helpful between different stakeholders within the RESPONSIBLE ORGANIZATION like the

Depending upon the context for which it is to be used, a RESPONSIBILITY AGREEMENT can span the spectrum

from informal to formal. A RESPONSIBILITY AGREEMENT can take the form of a Memorandum of Understanding

(MoU) e.g., 1) Planning and & Design Phase, 2) Installation and Go Live Phase, and 3) Maintenance Phase.

Later in the life cycle and given that there may be commitments to provide specific services in certain

situations, a RESPONSIBILITY AGREEMENT for a system being placed in active clinical service may need to take

In the case that more than two parties are required to be included in RESPONSIBILITY AGREEMENTS the MEDICAL

IT-NETWORK RISK MANAGER should consider whether separate bilateral agreements or a common

RESPONSIBILITY AGREEMENT should be set up. The difference between these solutions is the extent of

information sharing. While a high degree of information sharing is often valuable, it needs to be weighed

In the event any stakeholder has concerns related to disclosing proprietary information a confidentiality or

Non-Disclosure Agreement (NDAs) can be established with the RESPONSIBLE ORGANIZATION. This will ensure

that the proprietary information is kept confidential between one or more stakeholders and the RESPONSIBLE

In many cases technical data provided by the MEDICAL DEVICE manufacturer and IT suppliers which are

essential for RISK MANAGEMENT of the MEDICAL IT-NETWORK are sensitive to confidentiality. A means to support

this confidentiality is to limit the intended audience of this information (see also bilateral vs. multilateral) or to

Technical information as well as personnel responsible for specified activities may change over time. It is

important that these changes are communicated to the stakeholders in a timely manner. This should be done

by update of the documentation which contains this information. Furthermore, this requires assigning revision

identifiers to the documents. An appropriate mechanism should be described in the RESPONSIBILITY

AGREEMENT(S) and should cover possible updates of the RESPONSIBILITIES AGREEMENTS themselves.

The overall responsibility for establishing RESPONSIBILITY AGREEMENTS rests with the MEDICAL IT-NETWORK RISK

The starting point for determination of responsibilities is the preparation of the overall plan for incorporation of

MEDICAL DEVICES into the network. In addition, IEC 80001-1:2010, 4.3.5 b) requires for the RISK MANAGEMENT

plan a description of activities, roles and responsibilities for all parties involved in operating/maintaining the

Subclauses 3.4 through 3.6 of the standard define responsibilities for the usually involved parties, e.g. for the

Setting up this plan requires the participation of the involved MEDICAL DEVICE manufacturers and IT suppliers.

Usually, this planning comprises high level meetings with all MEDICAL DEVICE manufacturers and IT suppliers

as well as meetings on a very detailed level with experts from at least two involved parties.

The MEDICAL IT-NETWORK RISK MANAGER should determine which level of detail needs to be defined in the RISK

MANAGEMENT plan and which level of detail can be left up to the internal plans of the involved parties. The

Analysis tools can be used to support identification, clarification, and understanding of stakeholder roles in any

task of any phase. An example is the Responsible, Accountable, Consulted, Informed (RACI) chart, where the

When establishing RESPONSIBILITY AGREEMENTS it should be taken into account that different phases of the

lifecycle necessitate different activities and different responsibilities. This should be considered from the very

beginning of the project. For our purpose here, the lifecycle of a network can be considered as divided into the

Planning and Design, Installation and Go Live, Maintenance phases. The design phase includes the planning

phase where the network is designed to meet the needs of the specific healthcare delivery organization, as

well as any phase where, for example, the architecture, topology or hardware used within an existing network

is modified. The maintenance phase includes times where the network is operational and changes are

completed while the network is in operation. Changes to the network during the maintenance phase are

restricted to replacement of defective parts. Modification of the network according to CHANGE PERMITS as

Reference information supporting these phases is available from various sources. For example:

The purpose of this clause is to elaborate upon the requirements of subclause 4.3.4 of the IEC 80001-1:2010.

Boxed text [items a) – h)] is copied from 80001-1:2010 to identify the subclauses for which guidance is

NOTE 1 If in the following more than two parties are mentioned this does not impose that multilateral RESPONSIBILITY

AGREEMENTS are required or preferable compared to bilateral RESPONSIBILITY AGREEMENTS.

a) the name of the person responsible for RISK MANAGEMENT for the activities covered by the

IEC 80001-1:2010, 4.3.4 a) requires provision of the name of the responsible person for the RISK MANAGEMENT

project at each of the legal entities, e.g., RESPONSIBLE AGREEMENT between different stakeholders by the

NOTE Documentation of this information in a separate attachment allows for a more efficient search and

2) This person should have the authority to perform or initiate and control the tasks covered by the

3) For the RESPONSIBLE ORGANIZATION this person is usually the MEDICAL IT-NETWORK RISK MANAGER.