This Med-Info applies to:
medical devices intended to be incorporated into an IT network

Background

Many medical devices are designed to allow the exchange of data with other devices. The manufacturer of relevant medical devices must check whether this data exchange is subject to regulatory (or legal) IT security requirements, and, if so, must make sure that the medical devices comply with these requirements as far as applicable. In the case of medical devices, compliance with IT security requirements covers technical solutions designed into the medical device and descriptive information (as part of the accompanying documentation).

The healthcare delivery organization needs to comply with the IT security requirements of the complete medical IT network system. It therefore needs to get the information on the medical device from the medical device manufacturer and the necessary technical provisions of the medical device to allow for compliance with the overall IT security demands.

When is IT security applicable to a medical device?

Criteria for the applicability of IT security to medical devices:
1) The medical device incorporates a Programmable Electrical Medical System (PEMS); and
2) the PEMS is designed to be connected to an IT-network; and
3) the medical device, together with the IT network, is not under the control of the medical device manufacturer.

Why does a medical device manufacturer need to consider IT security?

Regulatory demands that require medical device manufacturers to consider IT security include:

MDD, Annex I, Section I, General Requirements
- Item 1: The devices must be designed and manufactured in such a way that [...] they will not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons provided that any risks [...] are compatible with a high level of protection of health and safety.
- Item 2: The solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art.

EN ISO 14971:2012, clause 4.3: The manufacturer shall compile documentation on known and foreseeable hazards associated with the medical device in both normal and fault conditions.

IEC 60601-1:2012, clause 14.6.1: NOTE: In addition to the material given in Annex E of ISO 14971:2007, the list of possible causes for hazards associated with PEMS can include: [...] lack of data security, including its effects on data privacy, and particularly vulnerability to tampering, unintended interaction with other programs and viruses.

TÜV SÜD Product Service GmbH, Medical and Health Services, Ridlerstr. 65, 80339 Munich
www.tuev-sued.com/medinfo