Adapted from Information Security for Biomedical Technology: A HIPAA Compliance Guide, ACCE/ECRI, 2004.
ACCE: the American College of Clinical Engineering; ECRI: formerly the Emergency Care Research Institute.
MDS² v 1.0 (2004-11-01) Side 1
© 2004, HIMSS. All rights reserved.
Manufacturer Disclosure Statement for Medical Device Security - MDS²
Device Category
Manufacturer
Document ID
Document Release Date
Device Model
Software Revision
Software Release Date
Manufacturer or Representative Contact Information:
Name
Title
Department
Company Name
Telephone #
e-mail
MANAGEMENT OF ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI)
(As defined by HIPAA Security Rule, 45 CFR Part 164)
Yes No N/A Note #
1. Can this device transmit or maintain electronic Protected Health Information (ePHI)? ............................................. _____ ______
2. Types of ePHI data elements that can be maintained by the device:
a. Demographic (e.g., name, address, location, unique identification number)? .................................................... _____ ______
b. Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? ........... _____ ______
c. Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? . _____ ______
d. Open, unstructured text entered by device user/operator? ............................................................................. _____ ______
3. Maintaining ePHI: Can the device
a. Maintain ePHI temporarily in volatile memory (i.e., until cleared by power-off or reset)? ................................ _____ ______
b. Store ePHI persistently on local media? ........................................................................................................ _____ ______
c. Import/export ePHI with other systems? ...................................................................................................... _____ ______
4. Mechanisms used for the transmitting, importing/exporting of ePHI: Can the device
a. Display ePHI (e.g., video display)? ............................................................................................................. _____ ______
b. Generate hardcopy reports or images containing ePHI? ................................................................................. _____ ______
c. Retrieve ePHI from or record ePHI to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick)? . _____ ______
d. Transmit/receive or import/export ePHI via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire)? ... _____ ______
e. Transmit/receive ePHI via a network connection (e.g., LAN, WAN, VPN, intranet, Internet)? ............................... _____ ______
f. Transmit/receive ePHI via an integrated wireless connection (e.g., WiFi, Bluetooth, infrared)? ........................... _____ ______
g. Other ____________________________________ ? .......................... _____ ______
ADMINISTRATIVE SAFEGUARDS
Yes No N/A Note #
5. Does manufacturer offer operator and technical support training or documentation on device security features?........... _____ ______
6. What underlying operating system(s) (including version number) are used by the device? _____ ______
PHYSICAL SAFEGUARDS
Yes No N/A Note #
7. Are all device components maintaining ePHI (other than removable media) physically secure (i.e., cannot remove without tools)? ____ ______
8. Does the device have an integral data backup capability (i.e., backup onto removable media such as tape, disk)? ................. _____ ______
9. Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? _____ ______
TECHNICAL SAFEGUARDS
Yes No N/A Note #
10. Can software or hardware not authorized by the device manufacturer be installed on the device? ............................... _____ ______
11. Can the device be serviced remotely (i.e., maintenance activities performed by service person via network or remote connection)? . _____ ______
a. Can the device restrict remote access to specific devices or network locations (e.g., specific IP addresses)? ........ _____ ______
b. Can the device log provide an audit trail of remote-service activity? ............................................................... _____ ______
c. Can security patches or other software be installed remotely?......................................................................... _____ ______
12. Level of owner/operator service access to device operating system: Can the device owner/operator
a. Apply device manufacturer-validated security patches? .................................................................................. _____ ______
b. Install or update antivirus software? ............................................................................................................ _____ ______
c. Update virus definitions on manufacturer-installed antivirus software? ............................................................. _____ ______
d. Obtain administrative privileges (e.g., access operating system or application via local root or admin account)? .. _____ ______
13. Does the device support user/operator specific ID and password? .......................................................................... _____ ______
14. Are access sessions terminated after a predetermined length of inactivity (e.g., auto logoff)? ................................... _____ ______
15. Events recorded in device audit log (e.g., user, date/time, action taken): Can the audit log record
a. Login and logout by users/operators? ......................................................................................................... _____ ______
b. Viewing
of ePHI? ...................................................................................................................................... _____ ______
c. Creation,
modification
or deletion of ePHI? .................................................................................................. _____ ______
d. Import/export or transmittal/receipt of ePHI? .............................................................................................. _____ ______
16. Does the device incorporate an emergency access (break-glass) feature that logs each instance of use? .................. _____ ______
17. Can the device maintain ePHI (e.g., by internal battery) during power service interruptions? .................................... _____ ______
18. Controls when exchanging ePHI with other devices:
a. Transmitted only via a physically secure connection (e.g., dedicated cable)? .................................................... _____ ______
b. Encrypted prior to transmission via a network or removable media? ............................................................... _____ ______
c. Restricted to a fixed list of network addresses (i.e., host-based access control list)? ......................................... _____ ______
19. Does the device ensure the integrity of the ePHI data with implicit or explicit error detection/correction technology? .... _____ ______
Recommend use of ECRI's Universal Medical Device Nomenclature System (UMDNS).
RECOMMENDED SECURITY PRACTICES
EXPLANATORY NOTES (from questions 1-19):
IMPORTANT: Refer to Instructions for the Manufacturer's Disclosure Statement for Medical Device Security for the proper interpretation of information provided in this form.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
Instructions for the Manufacturer Disclosure Statement for Medical Device Security - MDS²
Version 1.0
Introduction
In light of increased focus on medical device security and the upcoming April 21, 2005 deadline for compliance with the
HIPAA Security Rule, the HIMSS Medical Device Security Workgroup has created a standard Manufacturer Disclosure
Statement for Medical Device Security (MDS²). The intent of the MDS² is to supply healthcare providers with important
information that can assist them in assessing the vulnerability and risks associated with electronic Protected Health
Information (ePHI)¹ transmitted or maintained by medical devices. Because security risk assessment is a broad,
organization-wide effort, this document focuses on only those elements of the risk assessment process associated with
medical devices and systems that maintain or transmit ePHI. A standardized form allows manufacturers