 
Interpretation of the "Registered medical device network security technical review guidelines"
 
Author: China Mingxuan, Planning Department  Release Time: 2017-3-4 9:53:55
 
Medical network, March 3 - To implement national network security requirements, strengthen the supervision and guidance of medical device product registration, and safeguard the network security of medical devices, the State Food and Drug Supervision Administration has formulated the "registered medical device network security technology review guidelines" (hereinafter referred to as the "guiding principles"). The "guiding principles" come into force on January 1, 2018.
 
One, background of the "guiding principles"
 
With the development of network technology, more and more medical devices have a network connection function for electronic data interchange or remote control. While this improves the quality and efficiency of medical services, these devices also face the threat of cyber attacks. Medical device network security problems may not only violate patient privacy but may also create the risk of a medical device operating in an unexpected way, leading to injury or death of patients and users. Therefore, the network security of medical devices is an important part of their safety and effectiveness, and is also one part of national cyber security.
 
Medical device network security has many influencing factors, a wide range of involvement, strong diffusibility and high suddenness, so its risk is relatively high. The corresponding regulatory work therefore needs to be strengthened to ensure the safety and effectiveness of medical devices and to ensure that people can use devices safely.
 
The formulation of the "guiding principles" was launched in 2014. In accordance with the Network Security Law of the People's Republic of China, and on the basis of early-stage literature research at home and abroad, enterprise research and expert discussion, combined with the actual situation of our country and opinions from all sides, they were formulated after repeated discussion and revision, published on January 20, 2017, and are to be implemented on January 1, 2018.
 
Two, the main contents of the "guiding principles"
 
(1) scope of application
 
The guidelines apply to the registration filing of class ii and class iii medical device products that have a network connection function for electronic data interchange or remote control, or that use storage media for electronic data interchange (including domestic and imported products). The applicable registration routes include product registration, licensing items change, and continuation of registration.
 
(2) registrant's responsibility
 
The registrant shall ensure the network security of the medical device product itself during the whole life cycle of the medical device (including design, development, production, distribution, deployment, maintenance), so as to ensure its safety and effectiveness.
 
The registrant shall submit the corresponding network security registration filing information with the medical device product registration application, to prove the safety and effectiveness of the medical device product.
 
(3) focus 
 
The protection levels of medical device network security include the product level (i.e., the medical device product itself) and the system level (i.e., the medical information technology network). Guarantee measures include management measures (e.g., specifications), physical measures (e.g., security measures) and technical measures (e.g., encryption technology). The guiding principles take medical device data security as the core and focus on product technical guarantee measures.
 
(4) network security of medical devices
 
Network security of medical devices means maintaining the confidentiality, integrity, and availability of medical device related data.
 
1. Confidentiality: the property that data is not used by or made known to unauthorized individuals or entities, namely that medical device related data can be accessed only by authorized users, at authorized times and in authorized ways;
 
2. Integrity: the property of protecting the accuracy and completeness of data, namely that medical device related data is accurate and complete and has not been tampered with;
 
3. Availability: the property that data can be accessed and used as required by authorized individuals and entities, namely that medical device related data can be accessed and used in the expected way in a timely manner.
 
(5) medical device related data

Medical device related data includes health data and device data.
 
1. Health data: private data indicating physical or mental health (also called personal data or sensitive data, which can be used for personal identification), involving patient privacy information;
 
2. Device data: data describing the running status of the device, used to monitor and control device operation or for device maintenance; it does not itself involve patient privacy information.
 
(6) network security capabilities of medical devices

Medical device network security capabilities include the ability to identify, protect against, detect, respond to and recover from network security threats. A medical device shall have appropriate identification and protection capabilities against network security threats. Given the limitations of intended use and use environment, a medical device's detection, response and recovery capabilities for network security threats should match its product features.
 
(7) network security of off-the-shelf software
 
For off-the-shelf software that is application software, attention should focus on the network security problems of the medical device's clinical application.
 
For off-the-shelf software that is system software or support software, attention should focus on the influence of its security patch updates on the medical device.
 
(8) medical device network security updates

Medical device network security updates can be divided into major network security updates and minor network security updates.
 
1. Major network security update: a network security update that affects the safety or effectiveness of the medical device;
 
2. Minor network security update: a network security update that does not affect the safety and effectiveness of the medical device, such as a conventional security patch.
 
Major network security updates of medical devices should go through licensing items change, while minor network security updates are controlled through the quality management system and do not need licensing items change; the corresponding registration filing information is submitted at the next registration.
 
(9) relationship with other guidelines

The "guiding principles" are for use with the "medical device software registration technical review guidelines" (hereinafter referred to as "software guidelines"); they should be used on the basis of the relevant requirements of the software guidelines.
 
Three, implementation requirements of the "guiding principles"
 
(1) transitional period for implementation
 
To balance the relationship between medical device network security regulation and the healthy development of the industry, and to ensure the smooth implementation of the "guiding principles", a transition period is set, and the "guiding principles" will come into force as of January 1, 2018.
 
During the transition period, the registrant shall make preparations in line with the requirements of the "guiding principles", and may decide whether to submit medical device network security registration filing information according to those requirements. From the date of implementation, the registrant shall submit medical device network security registration filing information.
 
(2) registration filing requirements
 
1. Product registration: the registrant shall submit a separate network security description document, specify the data interface and user access control requirements in the product technical requirements, and state the network security requirements in the specification.
 
2. Licensing items change: the registrant shall, according to the network security update situation, submit a network security description document, a regular security patches description document, or a statement of authenticity that there is no change; if applicable, the changed network security content should be reflected in the product technical requirements and the specification.
 
3. Continuation of registration: if applicable, the registrant shall separately submit a conventional security patches description document.
 
(3) medical device network security documents 
 
Medical device network security documents include the network security description document and the conventional security patches description document.
 
1. Network security description document: includes basic information, risk management, validation and verification, and maintenance plan; it applies to product registration and major network security updates;
 
2. Regular security patches description document: includes a description of the situation, test plans and reports, and known remaining defects; it applies to minor network security updates.
 
(4) implementation requirements for the registrant
 
The registrant shall, in combination with the requirements of its own quality management system and the characteristics of its medical device products, ensure their network security, including pre-market and post-market requirements. Good engineering practice from the information security domain can also be used by the registrant to improve the network security management of medical devices.
 
The registrant shall determine the network security features of the medical device in light of its intended use, use environment, core function and connected devices, and shall adopt a risk-management-based method to ensure network security.
 
The registrant shall consider the network security problems of medical device products in light of the type, function, purpose, exchange method and requirements of medical device related data. For health data, the registrant shall follow the provisions of laws and regulations related to patient privacy. For device data, the registrant shall ensure its effective separation from health data.
 
The registrant shall consider network security capability requirements according to the features of the medical device, and may refer to IEC/TR 80001-2-2 in building its network security capabilities, so that medical device products have the required identification and protection capabilities and appropriate detection, response and recovery capabilities against network security threats.
 
The registrant should pay close attention to the network security problems of off-the-shelf software and, in combination with the quality management system and the type of off-the-shelf software, adopt a risk management method to ensure the network security of off-the-shelf software.
 
The registrant shall distinguish between types of medical device network security update, carry out the corresponding quality assurance work in combination with the quality management system according to the degree of influence of the update on the medical device product, and submit the corresponding registration filing information according to the requirements of the guiding principles. The content of network security updates should be taken into account when defining the software version number.
 
The registrant shall abide by the relevant national laws and regulations and the rules of the relevant network security departments, such as the Network Security Law of the People's Republic of China, the Population Health Information Management Measures (Trial), and the National Health and Family Planning Commission's opinions on advancing remote medical services of medical institutions.
 
The registrant may refer to the network security requirements of international standards and technical reports to guarantee the network security of medical device products and to improve the network security part of the quality management system, such as the IEC 80001 series standards and technical reports, IEC 60601-1 third edition, IEC 82304-1, the IEC 27000 series standards and technical reports, ISO/DIS 27799, etc.

 