NEMA HN 1-2008 Manufacturer Disclosure Statement for Medical Device Security1.pdf

HIMSS/NEMA Standard HN 1-2008 Manufacturer Disclosure Statement for Medical Device Security Published by National Electrical Manufacturers Association 1300 North 17th Street, Suite 1752 Rosslyn, Virginia 22209 www.nema.org © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. All rights including translation into other languages, reserved under the Universal Copyright Convention, the Berne Convention for the Protection of Literary and Artistic Works, and the International and Pan American Copyright Conventions. NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of persons engaged in the development and approval of the document at the time it was developed. Consensus does not necessarily mean that there is unanimous agreement among every person participating in the development of this document. The National Electrical Manufacturers Association (NEMA) standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While NEMA administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. NEMA disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. NEMA disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. NEMA does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making this document available, NEMA is not undertaking to render professional or other services for or on behalf of any person or entity, nor is NEMA undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. NEITHER HEALTHCARE INFORMATION MANAGEMENT SYSTEMS SOCIETY (HIMSS) NOR NEMA HAVE POWER, NOR DO THEY UNDERTAKE TO POLICE OR ENFORCE COMPLIANCE WITH THE CONTENTS OF THIS DOCUMENT. NEITHER HIMSS NOR NEMA CERTIFY, TEST, OR INSPECT PRODUCTS, DESIGNS, OR INSTALLATIONS FOR SAFETY OR HEALTH PURPOSES. ANY CERTIFICATION OR OTHER STATEMENT OF COMPLIANCE WITH ANY HEALTH OR SAFETY RELATED INFORMATION IN THIS DOCUMENT SHALL NOT BE ATTRIBUTABLE TO HIMSS OR NEMA AND IS SOLELY THE RESPONSIBILITY OF THE CERTIFIER OR MAKER OF THE STATEMENT. HN 1-2008 Page i CONTENTS Page Foreword ii Section 1GENERAL.1 1.1Scope.1 1.1.1The Role of Healthcare Providers in the Security Management Process 1 1.1.2The Role of Medical Device Manufacturers in the Security Management Process1 1.2References 1 1.3Definitions2 1.4Acronyms.3 Section 2INSTRUCTIONS FOR OBTAINING, USING AND COMPLETING MDS2 FORM4 2.1Obtaining the MDS2 Form (Providers).4 2.2Using the MDS2Form (Providers).4 2.2.1Section 1 Questions 1-19.4 2.2.2Section 2 Explanatory notes 4 2.3Completing the MDS2 Form (Manufacturers)4 2.3.1General4 2.3.2MDS2Form Completion Guidance4 Section 3MDS2FORM8 © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page ii Foreword This document consists of the Manufacturer Disclosure Statement for Medical Device Security (MDS2 form) and related instructions how to complete the form. The intent of the MDS2 form is to supply healthcare providers with important information to assist them in assessing the VULNERABILITY and risks associated with protecting ELECTRONIC PROTECTEDHEALTHINFORMATION (ePHI) transmitted or maintained by medical devices. Because security risk assessment spans an entire organization, this document focuses on only those elements of the security risk assessment process associated with medical devices and systems that maintain or transmit ePHI. A standardized form 1) allows manufacturers to quickly respond to a potentially large volume of information requests from providers regarding the security- related features of the medical devices they manufacture; and 2) facilitates the providers review of the large volume of security-related information supplied by the manufacturers. The manufacturer-completed MDS2 form should: (1) Be useful to healthcare provider organizations worldwide. While the form does supply information important to providers who must comply with HIPAA privacy and security rules, the information presented may be useful for any healthcare provider who aspires to have an effective information security RISK MANAGEMENT program. Outside the US, providers would therefore find the MDS2 form an effective tool to address regional regulations such as EU 95/46 (Europe), Act on the Protection of Personal Information (Act No. 57 of 2003, Japan), and PIPEDA (Canada). (2) Include device specific information addressing the technical security-related attributes of the individual device model. (3) Provide a simple, flexible way of collecting the technical, device-specific elements of the common/typical information needed by provider organizations (device users/operators) to begin medical device information security (i.e., confidentiality, integrity, availability) risk assessments. (4) HIMSS and NEMA grant permission to make copies and use this form. PLEASE BE ADVISEDThe MDS2 form is not intended to nor should it be used as the sole basis for medical device procurement. Writing procurement specifications requires a deeper and more extensive knowledge of security (including the individual facilitys/providers situation) and the healthcare mission. Using the information provided by the manufacturer in the MDS2 form together with information collected about the care delivery environment (e.g., through tools like ACCE / ECRIs Guide for Information Security for Biomedical Technology), the providers multidisciplinary risk assessment team can review assembled information and make informed decisions on implementing a local security management plan. This form was originally adapted from portions of the ACCE / ECRI Biomedical Equipment Survey Form, a key tool found in Information Security for Biomedical Technology: A HIPAA Compliance Guide (ACCE / ECRI, 2004). The initial form was published in 2004, “MDS2 v. 1.0 (2004-11-01)“ and is now published for the first time as a joint HIMSS/NEMA standard. HIMSS and NEMA recommend that the information in the MDS2 form be used to help complete the ACCE / ECRI form and associated processes as part of each organizations HIPAA security compliance efforts. In the preparation of this standards publication, input of users and other interested parties has been sought and evaluated. © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page iii Inquiries, comments, and proposed or recommended revisions should be submitted to the concerned NEMA product sub-division by contacting the: Vice President, Engineering National Electrical Manufacturers Association 1300 North 17th Street, Suite 1752 Rosslyn, Virginia 22209 © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page iv © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page 1 Section 1 GENERAL 1.1 SCOPE Information provided on the MDS2 form is intended to assist professionals responsible for security risk assessment processes in their management of medical device security issues. The information on the MDS2 form is not intended, and may be inappropriate for, other purposes. 1.1.1 The Role of Healthcare Providers in the Security Management Process The provider organization has the ultimate responsibility for providing effective security management. Device manufacturers can assist providers in their security management programs by offering information describing: ! the type of data maintained/transmitted by the manufacturers device or system; ! how data is maintained/transmitted by the manufacturers device or system; ! any security-related features incorporated in the manufacturers device or system. In order to effectively manage medical information security and comply with relevant regulations, healthcare providers must employ ADMINISTRATIVE,PHYSICAL, and TECHNICAL SAFEGUARDSmost of which are extrinsic to the actual device. 1.1.2 The Role of Medical Device Manufacturers in the Security Management Process The greatest impact manufacturers can have on medical device security is to incorporate TECHNICAL SAFEGUARDS (i.e., security features) in their devices to facilitate healthcare providers efforts in maintaining effective security programs and meeting any relevant regulatory requirements and/or standards. The medical device manufacturing industry is increasingly aware of the importance of having effective security functionality in their devices and systems. Manufacturers are generally including such security-related requirements in the production of new devices and systems based on provider needs and requirements. 1.2 REFERENCES The following reference documents are included herein as suggested further reading, supportive material, and related publications. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191. Health Insurance Reform: Security Standards; Final Rule, 45 CFR pts.160, 162, 164 (2003). EC Data Protection Directive, 95/46/EC (EU 95/46), 1995. Act on the Protection of Personal Information (Act No. 57 of 2003, Japan). Personal Information Protection and Electronic Documents Act (PIPEDA), Statutes of Canada, 2000. Guide for Information Security for Biomedical Technology: A HIPAA Compliance Guide, May 2004, American College of Clinical Engineering (ACCE) / ECRI. © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page 2 1.3 DEFINITIONS administrative safeguards: Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ELECTRONIC PROTECTED HEALTHINFORMATION and to manage the conduct of the covered entitys workforce in relation to the protection of that information. 45 CFR Part 164 anti-virus software: See VIRUS SCANNER audit trail: Data collected and potentially used to facilitate a security audit 45 CFR Part 142 biometric ID: A biometric identification system identifies a human from a measurement of a physical feature or repeatable action of the individual (e.g., hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, handwritten signature). 45 CFR Part 142 electronic media: (1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory media, such as magnetic tapes or disks, optical disks, or digital memory cards. (2) Transmission media used to exchange information already in electronic storage media, including, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, and private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via ELECTRONIC MEDIA because the information being exchanged did not exist in electronic form before the transmission. 45 CFR Part 160.103 electronic protected health information (ePHI):INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION(IIHI) that is (1) transmitted by or (2) maintained in ELECTRONIC MEDIA. 45 CFR Part 160.103 individually identifiable health information (IIHI): INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 CFR Part 160.103. personal identification number (PIN): A number or code assigned to an individual and used to provide verification of identity. 45 CFR Part 142 physical safeguards: The physical measures, policies, and procedures to protect a covered entitys electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. 45 CFR Part 164 remote service: A support service (e.g., testing, diagnostics, software upgrades) while not physically or directly connected to the device (e.g., remote access via modem, network, Internet). removable media: See ELECTRONIC MEDIA risk analysis: Conducting an accurate and thorough assessment of the potential risks and VULNERABILITIES to the integrity, availability, and confidentiality of ELECTRONIC PROTECTED HEALTH INFORMATION. 45 CFR Part 164 risk management: (1) The ongoing process of assessing risk, taking steps to reduce risk to an © Copyright 2008 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society. ? HN 1-2008 Page 3 acceptable level, and maintaining that level of risk. NIST SP 800-26