YY/T 1843-2022 English PDF (YYT1843-2022)
Regular price
$380.00 USD
YY/T 1843-2022: Basic requirements of cybersecurity for medical electrical equipment
YY/T 1843-2022
YY
PHARMACEUTICAL INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 11.040.01
CCS C 30
Basic requirements of cybersecurity for medical electrical
equipment
ISSUED ON: MAY 18, 2022
IMPLEMENTED ON: JUNE 01, 2023
Issued by: National Medical Products Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
5 Test methods
Appendix A (Normative) Requirements for the security capability testing process
Appendix B (Informative) Relevance between this document and other documents
Appendix C (Informative) Guidance and rationale for specific clauses
Appendix D (Informative) Considerations regarding personal sensitive data in this document
References
Basic requirements of cyber security for medical electrical
equipment
1 Scope
This document specifies the basic cyber security requirements for medical
electrical equipment, medical electrical systems and medical device software.
This document applies to medical electrical equipment, medical electrical systems
and medical device software with user access, electronic data exchange or remote
control functions.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
The following terms and definitions are applicable to this document.
3.1 Safety
The state of not posing an unacceptable risk to persons, property or the environment.
[Source: ISO/IEC GUIDE 51:2014, 3.14, modified]
3.2 Confidentiality
The characteristic that information is not available or disclosed to unauthorized
persons, entities or processes.
[Source: GB/T 29246-2017, 2.12]
3.3 Malware
Software designed to maliciously disrupt normal functionality, collect sensitive data,
and/or access other connected systems.
3.4 Firewall
A network security product that analyzes the passing data stream and realizes access
control and security protection functions.
3.5 Risk
The combination of the probability of occurrence of an injury and the severity of that
injury.
[Source: YY/T 0316-2016, 2.16]
3.6 Risk analysis
The process of systematically using available information to identify hazards
(sources) and estimate risks.
[Source: YY/T 0316-2016, 2.17]
3.7 Risk control
The process of making decisions and implementing measures to reduce risk or
maintain risk at a specified level.
[Source: YY/T 0316-2016, 2.19]
3.8 Risk management
The systematic application of management policies, procedures and practices for risk
analysis, evaluation, control and monitoring.
[Source: YY/T 0316-2016, 2.22]
3.9 Personal sensitive data
Personal information which, once leaked, illegally provided or misused, may
endanger personal information and property safety, and may easily lead to damage to
personal reputation or physical and mental health, or to discriminatory treatment.
Note 1: Personal sensitive data may include ID number, personal bioinformation,
bank account number, communication records and content, property
information, credit information, whereabouts, accommodation information,
health and physiological information, transaction information, and personal
information of children aged 14 or under.
Note 2: In GB/T 35273-2020, it is called personal sensitive information. Since this
document mainly regulates data, it is rewritten as data in this document.
Note 3: For the determination method and type of personal sensitive data, refer to
Appendix B in GB/T 35273-2020.
[Source: GB/T 35273-2020, 3.2, modified]
3.10 Emergency access
Through the technical processing of personal sensitive data, the subject of personal
sensitive data cannot be identified or associated, and the processed information
cannot be restored.
[Source: GB/T 35273-2020, 3.14, modified]
3.17 De-identification
Through the technical processing of personal sensitive data, the subject of personal
sensitive data cannot be identified or associated without additional information.
Note: De-identification is based on individuals, retaining the individual granularity,
and using technical means such as pseudonyms, encryption, and hash
functions to replace the identification of personal sensitive data.
[Source: GB/T 35273-2020, 3.15, modified]
3.18 Equipment data
Data describing the operating status of the equipment, which is used to monitor and
control the operation of the equipment or for the maintenance of the equipment, and
does not involve personal sensitive data itself.
3.19 Audit logging
Data about information security events, which is collected for review and analysis,
as well as ongoing monitoring.
[Source: GB/T 25068.1-2020, 3.4]
3.20 Security capability
Technical measures – based on risk management – enabling product data and/or
functions to have acceptable levels of confidentiality, integrity, availability and other
cyber security features.
Note: In this document, in order to distinguish the Chinese characters of security and
safety, security is called cyber security, and safety is called safety.
[Source: IEC/TR 80001-2-2:2012, 3.27, modified]
3.21 Security capability description
The document – clarifying the security capability of the product – whose main
purpose is to serve as a basis for the tester to test the product.
Note: The form of security capability description – which is not specified in this
document – can be a document, a set of documents, or a part of a document.
3.22 Integrity
The attribute that data has not been altered in an unauthorized manner since it was
created, transmitted or stored.
[Source: ISO/IEC 29167-19:2016, 3.40]
3.23 IT-network
One or more systems consisting of communication nodes and transmission links, to
provide a physical link or wireless transmission between two or more designated
communication nodes.
[Source: IEC/TR 80001-2-2:2012, 3.10]
3.24 Medical device software
A developed software system included in a medical device, or a software system
developed for use as a medical device itself.
[Source: YY/T 0664-2020, 3.11]
3.25 Medical electrical equipment
ME equipment
Electrical equipment that has an applied part, or transfers energy to or from the
patient, or detects such energy transfer to or from the patient. Such electrical equipment:
a) has no more than one connection to a specified power supply mains; and
b) its manufacturer intends to use it for:
1) diagnosis, treatment or monitoring of patients; or
2) eliminating or reducing disease, damage or disability.
[Source: GB 9706.1-2020, 3.63]
3.26 Medical electrical system
ME system
A combination of several devices, as specified by the manufacturer, that are
functionally connected or connected to each other by a multi-position socket. At
least one device in the combination is ME equipment.
[Source: GB 9706.1-2020, 3.64]
3.27 Medical IT-network
4.1.1.3 The security capability description shall clarify the security capability
according to the application of the product, in accordance with the requirements of
4.1.4 ~ 4.1.20.
4.1.1.4 The cyber security characteristics stated in the security capability description
shall be testable or verifiable.
4.1.2 *Classification
4.1.2.1 According to the type of network they are expected to access, products can
be divided into those expected to access a private network and those expected to
access a public network.
4.1.2....