Standards and Guides for Implementing Security and Privacy for Health Information Technology

In this chapter, the authors survey security standards and guides applicable to healthcare industry including control objective for information and related technologies (COBIT), ISO/IEC 27001:2005 (which has been revised by ISO/IEC 27001:2013), ISO/IEC 27002:2005 (which has been revised by ISO/IEC 27002:2013), ISO 27799:2008 (which has been revised by ISO 27799:2016), ISO 17090:2008 (which has been revised by ISO 17090:2015), ISO/TS 25237:2008, HITRUST common security framework (CSF), NIST Special Publication 800-53, NIST SP 1800, NIST SP 1800-8, and building code for medical device software security. This survey informs the audience of currently available standards that can guide the implementation of information security programs in healthcare organizations, and provides a starting point for IT management in healthcare organizations to select a standard suitable for their organizations.

Medical Device Apps: An Introduction to Regulatory Affairs for Developers

The Poly Implant Prothèse (PIP) scandal in France prompted a revision of the regulations regarding the marketing of medical devices. The new Medical Device Regulation (MDR [EU]) 2017/745 was developed and entered into force on May 25, 2017. After a transition period of 3 years, the regulations must be implemented in all EU and European Economic Area member states. The implementation of this regulation bears many changes for medical device development and marketing, including medical device software and mobile apps. Medical device development and marketing is a complex process by which manufacturers must keep many regulatory requirements and obligations in mind. The objective of this paper is to provide an introduction and overview of regulatory affairs for manufacturers that are new to the field of medical device software and apps with a specific focus on the new MDR, accompanying harmonized standards, and guidance documents from the European Commission. This work provides a concise overview of the qualification and classification of medical device software and apps, conformity assessment routes, technical documentation, clinical evaluation, the involvement of notified bodies, and the unique device identifier. Compared to the previous Medical Device Directive (MDD) 93/42/EEC, the MDR provides greater detail about the requirements for software qualification and classification. In particular, rule 11 sets specific rules for the classification of medical device software and will be described in this paper. In comparison to the previous MDD, the MDR is more stringent, especially regarding the classification of health apps and software. The implementation of the MDR in May 2020 and its interpretation by the authorities will demonstrate how app and software manufacturers as well as patients will be affected by the regulation.