AUTO11-P Vol. 26 No. 5 IT Security of In Vitro Diagnostic ...


AUTO11-P

Vol. 26 No. 5

IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard

PLEASE COMMENT

This proposed document is published for wide and thorough review in the new, accelerated Clinical and Laboratory Standards Institute (CLSI) consensus-review process. The document will undergo concurrent consensus review, Board review, and delegate voting (i.e., candidate for advancement) for 90 days. Please send your comments on scope, approach, and technical and editorial content to CLSI.

Comment period ends 18 April 2006

The subcommittee responsible for this document will assess all comments received by the end of the comment period. Based on this assessment, a new version of the document will be issued. Readers are encouraged to send their comments to Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, PA 19087-1898 USA; Fax: +610.688.0700; or to the following e-mail address: [email protected].

This document provides a framework for communication of IT security issues between the IVD system vendor and the healthcare organization. A standard for global application developed through the Clinical and Laboratory Standards Institute consensus process.

This is a preview of "AUTO11-P". Click here to purchase the full version from the ANSI store.

Clinical and Laboratory Standards Institute Providing NCCLS standards and guidelines, ISO/TC 212 standards, and ISO/TC 76 standards The Clinical and Laboratory Standards Institute (CLSI, formerly NCCLS) is an international, interdisciplinary, nonprofit, standards-developing, and educational organization that promotes the development and use of voluntary consensus standards and guidelines within the healthcare community. It is recognized worldwide for the application of its unique consensus process in the development of standards and guidelines for patient testing and related healthcare issues. Our process is based on the principle that consensus is an effective and cost-effective way to improve patient testing and healthcare services.

In addition to developing and promoting the use of voluntary consensus standards and guidelines, we provide an open and unbiased forum to address critical issues affecting the quality of patient testing and health care.

PUBLICATIONS

A document is published as a standard, guideline, or committee report.

Standard A document developed through the consensus process that clearly identifies specific, essential requirements for materials, methods, or practices for use in an unmodified form. A standard may, in addition, contain discretionary elements, which are clearly identified.

Guideline A document developed through the consensus process describing criteria for a general operating practice, procedure, or material for voluntary use. A guideline may be used as written or modified by the user to fit specific needs.

Report A document that has not been subjected to consensus review and is released by the Board of Directors.

CONSENSUS PROCESS

The CLSI voluntary consensus process is a protocol establishing formal criteria for:

• the authorization of a project

• the development and open review of documents

• the revision of documents in response to comments by users

• the acceptance of a document as a consensus standard or guideline.

Most documents are subject to two levels of consensus—“proposed” and “approved.” Depending on the need for field evaluation or data collection, documents may also be made available for review at an intermediate consensus level.

Proposed A consensus document undergoes the first stage of review by the healthcare community as a proposed standard or guideline. The document should receive a wide and thorough technical review, including an overall review of its scope, approach, and utility, and a line-by-line review of its technical and editorial content.

Approved An approved standard or guideline has achieved consensus within the healthcare community. It should be reviewed to assess the utility of the final document, to ensure attainment of consensus (i.e., that comments on earlier versions have been satisfactorily addressed), and to identify the need for additional consensus documents.

Our standards and guidelines represent a consensus opinion on good practices and reflect the substantial agreement by materially affected, competent, and interested parties obtained by following CLSI’s established consensus procedures. Provisions in CLSI standards and guidelines may be more or less stringent than applicable regulations. Consequently, conformance to this voluntary consensus document does not relieve the user of responsibility for compliance with applicable regulations.

COMMENTS

The comments of users are essential to the consensus process. Anyone may submit a comment, and all comments are addressed, according to the consensus process, by the committee that wrote the document. All comments, including those that result in a change to the document when published at the next consensus level and those that do not result in a change, are responded to by the committee in an appendix to the document. Readers are strongly encouraged to comment in any form and at any time on any document. Address comments to Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, PA 19087, USA.

VOLUNTEER PARTICIPATION

Healthcare professionals in all specialties are urged to volunteer for participation in CLSI projects. Please contact us at [email protected] or +610.688.0100 for additional information on committee participation.


AUTO11-P ISBN 1-56238-593-3

Volume 26 Number 5 ISSN 0273-3099

IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard

Andrzej J. Knafel, PhD
David Chou, MD
Bryan Crocker
Randy R. Davis
Eric Olson
Douglas O. Wood
Edwin O. Heierman, PhD

Abstract

Clinical and Laboratory Standards Institute document AUTO11-P—IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard specifies technical and operational requirements, as well as technical implementation procedures related to security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. The intended users for this standard are vendors (IVD system manufacturers), users (e.g., laboratory personnel), and IT management of the healthcare organizations.

Clinical and Laboratory Standards Institute (CLSI). IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard. CLSI document AUTO11-P (ISBN 1-56238-593-3). Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, Pennsylvania 19087-1898 USA, 2006.

The Clinical and Laboratory Standards Institute consensus process, which is the mechanism for moving a document through two or more levels of review by the healthcare community, is an ongoing process. Users should expect revised editions of any given document. Because rapid changes in technology may affect the procedures, methods, and protocols in a standard or guideline, users should replace outdated editions with the current editions of CLSI/NCCLS documents. Current editions are listed in the CLSI catalog, which is distributed to member organizations, and to nonmembers on request. If your organization is not a member and would like to become one, and to request a copy of the catalog, contact us at: Telephone: 610.688.0100; Fax: 610.688.0700; E-Mail: [email protected]; Website: www.clsi.org


Number 5 AUTO11-P

ii

This publication is protected by copyright. No part of it may be reproduced, stored in a retrieval system, transmitted, or made available in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from Clinical and Laboratory Standards Institute, except as stated below. Clinical and Laboratory Standards Institute hereby grants permission to reproduce limited portions of this publication for use in laboratory procedure manuals at a single site, for interlibrary loan, or for use in educational programs provided that multiple copies of such reproduction shall include the following notice, be distributed without charge, and, in no event, contain more than 20% of the document’s text.

Reproduced with permission, from CLSI publication AUTO11-P—IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard (ISBN 1-56238-593-3). Copies of the current edition may be obtained from Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, Pennsylvania 19087-1898, USA.

Permission to reproduce or otherwise use the text of this document to an extent that exceeds the exemptions granted here or under the Copyright Law must be obtained from Clinical and Laboratory Standards Institute by written request. To request such permission, address inquiries to the Executive Vice President, Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, Pennsylvania 19087-1898, USA.

Copyright ©2006. Clinical and Laboratory Standards Institute.

Suggested Citation

(Clinical and Laboratory Standards Institute. IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard. CLSI document AUTO11-P [ISBN 1-56238-593-3]. Clinical and Laboratory Standards Institute, 940 West Valley Road, Suite 1400, Wayne, Pennsylvania 19087-1898 USA, 2006.)

Proposed Standard
January 2006

ISBN 1-56238-593-3
ISSN 0273-3099


Committee Membership

Area Committee on Automation and Informatics

Paul J. Mountain, MSc, MT(ASCP), Chairholder, Flamborough, Ontario, Canada
David Chou, MD, Vice-Chairholder, Univ. of Washington Medical Center, Seattle, Washington
James V. Callaghan, MT(ASCP), FDA Center for Devices and Radiological Health, Rockville, Maryland
Randy R. Davis, Dade Behring Inc., Newark, Delaware
Charles D. Hawker, PhD, MBA, FACB, ARUP Laboratories, Inc., Salt Lake City, Utah
Andrzej J. Knafel, PhD, Roche Instrument Center AG, Rotkreuz, Switzerland
Gary W. Kramer, PhD, National Institute of Standards and Technology, Gaithersburg, Maryland
Rodney S. Markin, MD, PhD, Univ. of Nebraska Medical Center, Omaha, Nebraska

Advisors

Michael G. Bissell, MD, PhD, MPH, Ohio State University, Columbus, Ohio
Mary F. Burritt, PhD, Mayo Clinic, Rochester, Minnesota
Suzanne H. Butch, MA, MT(ASCP), SB, The University of Michigan, Ann Arbor, Michigan
Al DeStefano, Sysmex Corporation, Tucson, Arizona
Robert J. Dominici, Cholestech Corp., Alamo, California
Jeffrey A. DuBois, PhD, NOVA Biomedical Corp., Waltham, Massachusetts
Louis J. Dunka, Jr., PhD, LifeScan, Inc., Milpitas, California
Robert H. Engel, PhD, Engel Associates, Duxbury, Massachusetts
Arden W. Forrey, Jr., PhD, FACB, University of Washington, Seattle, Washington
Masayoshi Hayashi, Sysmex Corporation - Japan, Kobe, Japan
David A. Herold, MD, PhD, VA (San Diego) Medical Center, San Diego, California
Georg E. Hoffmann, MD, Trillium GmbH, Grafrath, Germany
Stephen Howlett, Beckman Coulter, Inc., Miami, Florida
Brian Richard Jackson, MD, ARUP Laboratories, Salt Lake City, Utah
Michael D. McNeely, MD, MDS Metro Laboratory Services, Victoria, British Columbia, Canada
Richard A. McPherson, MD, Medical College of Virginia Hospital, Richmond, Virginia
David O’Bryan, PhD, Hibernia Consulting, Kennett Square, Pennsylvania
Paul J. Orsulak, PhD, VA North Texas Health Care System, Dallas, Texas
Jeff Quint, PhD, Beckman Coulter, Inc., Brea, California
Richard Seaberg, North Shore University Hospital, Manhasset, New York
Hiroshi Sekiya, Olympus America Inc., Irving, Texas
Russell H. Tomar, MD, John H. Stroger, Jr. Hospital of Cook County, Chicago, Illinois


Subcommittee on IT Security of IVD Instruments and Software Systems

Andrzej J. Knafel, PhD, Chairholder, Roche Instrument Center AG, Rotkreuz, Switzerland
Lynn Ballard, Beckman Coulter, Inc., Fullerton, California
David Chou, MD, Univ. of Washington Medical Center, Seattle, Washington
Bryan Crocker, Capital Health, Halifax, Nova Scotia, Canada
Randy R. Davis, Dade Behring Inc., Bear, Delaware
Eric Olson, DPC Instrument Systems Division, Flanders, New Jersey
Douglas O. Wood, FDA Center for Devices and Radiological Health, Rockville, Maryland

Advisors

Ed Heierman, PhD, Abbott Laboratories, Irving, Texas
Jeff Johnson, Diagnostic Products Corporation, Los Angeles, California
Michele Taylor, Sonicwall, Sunnyvale, California

Staff

Clinical and Laboratory Standards Institute, Wayne, Pennsylvania
John J. Zlockie, MBA, Vice President, Standards
David E. Sterry, MT(ASCP), Staff Liaison
Donna M. Wilhelm, Editor
Melissa A. Lewis, Assistant Editor


Contents

Abstract ....................................................................................................................................................i

Committee Membership........................................................................................................................ iii

Foreword.............................................................................................................................................. vii

1 Scope..........................................................................................................................................1

2 Definitions .................................................................................................................................1

2.1 Acronyms......................................................................................................................1

3 Delineation of Vendor and HCO Responsibilities .....................................................................2

4 Technical Design Guidelines Related to Regulatory Requirements ..........................................3

4.1 Preventing Unauthorized Application Usage................................................................3

4.2 Preventing Unauthorized Data Access..........................................................................7

4.3 Protection From Malicious Software ..........................................................................12

4.4 Security Monitoring....................................................................................................15

4.5 Preventing Loss of Data..............................................................................................17

5 Process and Operational Requirements....................................................................................18

5.1 IT Security Requirements Engineering and Management ..........................................19

5.2 IT Security Hazard Analysis and Risk Management ..................................................19

5.3 Vendor System Validation/Verification .....................................................................19

5.4 Vendor Security Audits/Assessments/Tests ...............................................................20

5.5 Documents for HCO ...................................................................................................20

5.6 Preventive Actions (software patches, virus definitions)............................................21

6 Applicability to Device Classes ...............................................................................................22

References.............................................................................................................................................31

Additional References...........................................................................................................................32

The Quality System Approach..............................................................................................................34

Related CLSI/NCCLS Publications ......................................................................................................35


Foreword

The IT security requirements related to various laboratory systems (devices, analytical instruments, data management systems, etc.) are growing, mainly caused by new international regulations applicable to healthcare organizations,1 an increase in the degree of integration of the IVD systems in the IT environment of healthcare institutions, and attacks observed in healthcare organizations from a multitude of sources. The real and potential threats for the systems and the organizations are also growing. Listed below are several examples illustrating how systems could be compromised by malicious software/people:

• change of processed/static data (e.g., test applications, calibration), resulting in the production of incorrect results;

• stealing of Patient Electronic Health Records by querying the LIS/HIS from compromised laboratory systems (e.g., laboratory instrument with CLSI/NCCLS document LIS2—Specification for Transferring Information Between Clinical Laboratory Instruments and Information Systems (formerly ASTM E1394) query protocol);

• stealing or manipulating of patient/sample results from the system;

• damage of the software of the IVD system requiring reinstallation, resulting in down-time for the user and service costs for the vendor;

• misuse of the IVD system as a means for compromising other systems in the IT environment of the healthcare organization; and

• misuse of the IVD system as a means for entering the vendor’s corporate network.

This document provides a framework for communication of IT security issues between the IVD system vendor and the healthcare organization.

Invitation for Participation in the Consensus Process

An important aspect of the development of this and all Clinical and Laboratory Standards Institute (CLSI) documents should be emphasized, which is the consensus process. Within the context and operation of CLSI, the term “consensus” means more than agreement. In the context of document development, “consensus” is a process by which CLSI, its members, and interested parties 1) have the opportunity to review and to comment on any CLSI publication; and 2) are assured that their comments will be given serious, competent consideration. Any CLSI document will evolve as will technology affecting laboratory or healthcare procedures, methods, and protocols, and therefore, is expected to undergo cycles of evaluation and modification.

The Area Committee on Automation and Informatics has attempted to engage the broadest possible worldwide representation in committee deliberations. Consequently, it is reasonable to expect that issues remain unresolved at the time of publication at the proposed level. The review and comment process is the mechanism for resolving such issues. The CLSI voluntary consensus process is dependent upon the expertise of worldwide reviewers whose comments add value to the effort. At the end of a 90-day comment period, each subcommittee is obligated to review all comments and to respond in writing to all which are substantive. Where appropriate, modifications will be made to the document, and all comments along with the subcommittee’s responses will be included as an appendix to the document when it is published at the next consensus level.


Key Words Access control, authentication, authorization, encryption, hardening, IT security


©Clinical and Laboratory Standards Institute. All rights reserved. 1

IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard

1 Scope

This standard specifies technical and operational requirements, as well as technical implementation procedures related to IT security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. This standard also provides guidance to meet and use existing technical standards for medical device IT security and recommendations for identifying the parties responsible for implementing these requirements. The intended users for this standard are vendors (IVD system manufacturers), users (e.g., laboratory personnel), and IT management of healthcare organizations.

This standard is not intended for use as the final written policy for the healthcare organization. For example, local organizations will need to include in their own documentation, the technical and process aspects of medical device security addressed by other standards organizations, such as ISO, IEEE, etc.

The suggested best practices contained in this document are based on the current state of technology at the time of publication. These best practices are distinguished from the requirements by a text box.

2 Definitions

authentication – process of determining that an entity (someone or something) is the one claimed to be.

authorization – process of granting rights or access to systems, applications, or networks; NOTE: Authorization determines who is trusted for a given purpose.

device end user – end user in the HCO familiar with the medical device and its operation.

healthcare organization (HCO) – all components of an organization where the IVD is installed.

IT support – customer support staff with familiarity of computer hardware, operating system software, commercial off-the-shelf (COTS) software components, and networking environment.

validation – confirmation, through the provision of objective evidence that requirements for a specific intended use or application have been fulfilled (ISO 9000).2

verification – confirmation, through the provision of the objective evidence that specified requirements have been fulfilled (ISO 9000).2

2.1 Acronyms

BIOS basic input/output system
COTS commercial off-the-shelf
CRC cyclical redundancy check
DBMS database management system
DMZ demilitarized zone
EOL end of life
FTP file transfer protocol
HIPAA Health Insurance Portability and Accountability Act
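The Section 2 definitions separate authentication (is the entity the one it claims to be?) from authorization (is that entity trusted for a given purpose?). The following Python example is added here to show the two checks as distinct steps; it is not code from the CLSI document and the standard prescribes no particular mechanism. The principals, their roles (the standard's "device end user" and "IT support"), the action names, the passwords and the salted PBKDF2 storage scheme are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential store. Secrets are kept only as salted PBKDF2
# hashes; the plaintext passwords appear here solely to build the sample.
def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)

_SALT_TECH = os.urandom(16)
_SALT_IT = os.urandom(16)
PRINCIPALS = {
    # role names follow the standard's definitions; user ids are hypothetical
    "tech01": {"role": "device end user", "salt": _SALT_TECH,
               "hash": _hash_secret("run-assays-2006", _SALT_TECH)},
    "itadmin": {"role": "IT support", "salt": _SALT_IT,
                "hash": _hash_secret("patch-tuesday!", _SALT_IT)},
}

# Authorization policy (hypothetical actions): which role is trusted for which
# purpose. Authentication alone grants none of these.
PERMISSIONS = {
    "device end user": {"run_test", "view_results"},
    "IT support": {"apply_patch", "update_virus_definitions", "view_audit_log"},
}


def authenticate(user_id: str, secret: str) -> bool:
    """Authentication: determine that the entity is the one it claims to be."""
    rec = PRINCIPALS.get(user_id)
    if rec is None:
        # Do the same amount of work for an unknown id so that a missing user
        # is not distinguishable from a wrong password by response time.
        _hash_secret(secret, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash_secret(secret, rec["salt"]))


def authorize(user_id: str, action: str) -> bool:
    """Authorization: is this (already authenticated) entity trusted for the action?"""
    rec = PRINCIPALS.get(user_id)
    return rec is not None and action in PERMISSIONS.get(rec["role"], set())


def request_action(user_id: str, secret: str, action: str) -> str:
    """Run both checks in order and report which one, if any, refused the request.

    Returns "denied:authn", "denied:authz" or "ok".
    """
    if not authenticate(user_id, secret):
        return "denied:authn"
    if not authorize(user_id, action):
        return "denied:authz"
    return "ok"


if __name__ == "__main__":
    # A correctly authenticated device end user is still not authorized to patch.
    print(request_action("tech01", "run-assays-2006", "run_test"))      # ok
    print(request_action("tech01", "run-assays-2006", "apply_patch"))   # denied:authz
    print(request_action("itadmin", "patch-tuesday!", "apply_patch"))   # ok
    print(request_action("itadmin", "wrong-password", "apply_patch"))   # denied:authn
```

The point of keeping the two functions separate is the one the NOTE under "authorization" makes: proving identity and deciding what that identity may do are different questions, and a system that answers only the first (any logged-in account can apply patches or read the audit log) has no authorization at all.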
