YY/T 1843-2022 Basic requirements of cybersecurity for medical electrical equipment
1 *Scope
This document specifies the basic security requirements for medical electrical equipment, medical electrical systems and medical device software.
This document is applicable to medical electrical equipment, medical electrical systems and medical device software with user access, electronic data exchange or remote control functions.
2 Normative references
N/A.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
safety
no unacceptable risk to people, property or environment
[Source: ISO/IEC GUIDE 51:2014, 3.14, modified]
3.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes
[Source: GB/T 29246-2017, 2.12]
3.3
malware
software designed to maliciously disrupt normal functions, collect sensitive data and/or access other connected systems
3.4
firewall
security product that analyzes the passing data flow and realizes the functions of access control and security protection
3.5
risk
combination of the probability of occurrence of harm and the severity of that harm
[Source: YY/T 0316-2016, 2.16]
3.6
risk analysis
systematic use of available information to identify hazards and to estimate the risk
[Source: YY/T 0316-2016, 2.17]
3.7
risk control
process in which decisions are made and measures are implemented, and risks are reduced to, or maintained within, specified levels
[Source: YY/T 0316-2016, 2.19]
3.8
risk management
systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk
[Source: YY/T 0316-2016, 2.22]
3.9
personal sensitive data
personal information which, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damages to personal reputation and physical and mental health or result in discriminatory treatment
Note 1: Personal sensitive data may include ID number, personal biometric identifying information, bank account, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information and personal information of children less than or equal to 14 years old.
Note 2: In GB/T 35273-2020, it is called personal sensitive information. Since this document mainly standardizes data, it is rewritten as data in this document.
Note 3: For the judgment method and type of personal sensitive data, please refer to Annex B of GB/T 35273-2020.
[Source: GB/T 35273-2020, 3.2, modified]
3.10
emergency access
access to health data by clinical users without the use of personal identification or without authorization in case of emergency (e.g., rescue, first aid)
3.11
health data
personal sensitive data that indicates physical or mental health
Note 1: Health data is generally defined in this document as a subset of personal sensitive data.
Note 2: Different privacy compliance laws and regulations are currently stipulated globally. Therefore, for example, in Europe, the requirements might be taken and references changed to “personal data” and “sensitive data”; in the USA, health data might be changed to “protected health information (PHI)”, which requires manufacturers in different countries or regions to further consider the laws or regulations in China.
[Source: IEC/TR 80001-2-2: 2012, 3.7, modified]
3.12
non-repudiation
ability to demonstrate the occurrence of the claimed event or activity and its source
[Source: GB/T 29246-2017, 2.54, modified]
Contents of YY/T 1843-2022
Foreword
Introduction
1 *Scope
2 Normative references
3 Terms and definitions
4 General requirements
5 Test methods
Annex A (Normative) Requirements for security capability test process
Annex B (Informative) Relevance between this document and other documents
Annex C (Informative) Guidelines and rationale for specific clause(s)/subclauses
Annex D (Informative) Considerations regarding personal sensitive data in this document
Bibliography
Standard: YY/T 1843-2022 Basic requirements of cybersecurity for medical electrical equipment (English Version)
Standard No.: YY/T 1843-2022
Status: valid
Language: English
File Format: PDF
Word Count: 12500 words
Implemented on: 2023-6-1