标准摘要
[中文适用范围]: IEC TS 81001-2-2:2025 提供了一组有关健康软件和健康信息科技(Health IT)系统生命周期中通用的高层次安全相关能力及额外考虑事项的信息性内容,适用于健康软件制造商(包括医疗设备制造商)、医疗服务提供组织(HDOs)及其他利益相关方之间的信息交换。本标准适用于运行在任何平台及环境(如云、本地或混合)上的健康软件。然而,以下内容不在本文件范围内:a)HDO 的安全政策;b)制造商的产品和服务安全政策;c)HDO 或制造商对风险容忍度的判断;d)需要保护个人数据的临床研究。由于健康信息科技系统和健康信息科技基础设施中的任何产品都可能引发安全风险,本文件中的考虑事项也可适用于非健康软件的其他产品。IEC TS 81001-2-2:2025 取代并替代以下文件:– IEC TR 80001-2-2,应用于包含医疗设备的IT网络的风险管理——第2-2部分:医疗设备安全需求、风险和控制的沟通指南;– IEC TR 80001-2-8,应用于包含医疗设备的IT网络的风险管理——第2-8部分:应用指南;– 关于建立IEC TR 80001-2-2中识别的安全能力的标准指南。本文件包括以下重大变更:a)合并并更新了IEC TR 80001-2-2和IEC TR 80001-2-8的内容;b)将适用范围从仅限医疗设备软件扩展至健康软件;c)与ISO 81001-1:2021及更新后的IEC 80001-1中的内容和定义相一致;d)删除了“安全功能配置(CNFS)”能力,因为任何可配置的安全能力都应明确沟通;e)将安全控制映射到多个新标准,如IEC TR 60601-4-5、IEC 62443-4-2、ISO/IEEE 11073-40102以及旧标准的最新版本,如ISO/IEC 27002和NIST 800-53版本5。 [外文原描述]: IEC TS 81001-2-2:2025 presents an informative set of common, high-level security-related capabilities and additional considerations to be used across the life cycle of health software and health IT systems, for the information exchange between the health software manufacturers (including medical device manufacturers), healthcare delivery organizations (HDOs) and other stakeholders. It is applicable to health software running on any platform and in any environment such as cloud, on premise or hybrid. While important security topics, the following are outside the scope of this document: a) the security policies of the HDO, b) the product and services security policies of the manufacturer, c) determinations of risk tolerance by the HDO or manufacturer, and d) clinical studies where there is a need to secure personal data. As security risks can be caused by any product on health IT systems and health IT Infrastructure, considerations in this document can be applied for other products that are not health software. IEC TS 81001-2-2:2025 withdraws and replaces: – IEC TR 80001-2-2, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks and controls – IEC TR 80001-2-8, Application of risk management for IT-networks incorporating medical devices – Part 2-8: Application guidance – Guidance on standards for establishing the security capabilities identified in IEC TR 80001-2-2 This document includes the following significant changes: a) Combines and updates the contents of IEC TR 80001-2-2 and IEC TR 80001-2-8; b) Extends the scope to health software instead to only medical device software; c) Aligns contents and definitions to ISO 81001-1:2021 and the updated IEC 80001-1; d) Removed the Configuration of Security Features (CNFS) capability, as any configurable security capability shall be clearly communicated. e) Provide security control mappings to several new standards, e.g. IEC TR 60601-4-5, IEC 62443-4-2, ISO/IEEE 11073-40102 and the recent versions of previous standards, e.g. ISO/IEC 27002 and NIST 800-53 version 5.
英文名称Health software and health IT systems safety, effectiveness and security - Part 2-2: Coordination - Guidance for the implementation, disclosure and communication of security needs, risks and controls