Pre-Emptive Medical Device Network Security
Standard issued by the Clinical Laboratory Standards Institute (CLSI), document ID “Auto-11P”. One of several recent attempts to specify standards for IT security in medical devices. Covers network security, separation of privileges, development best practices, as well as review techniques. Many of its elements are very basic (e.g. explanations of encryption and authentication technology, what a firewall is, etc.) and rely on common sense, but then again the medical and IVD fields are about 10 years behind the technology curve as far as security is concerned.
The doc is targeted at 3 sensible groups: vendors (i.e. R&D and support staff), end-users and customer IT managers. There is provision made for the idea of protecting against data theft, although the prime issue in this area is data corruption by malware and other attacks. As you are probably aware, the main problem facing medical device manufacturers is the inability to consistently patch systems to respond to newly discovered threats and vulnerabilities; every “change” to the nature of a system requires a complex and expensive re-validation process.
Naturally, the solution to this is “don’t develop purely oriented towards functionality”. In plain English, don’t scrounge around for technology that just happens to be available, such as Windows XP, without proper design criteria and a fundamental evaluation and risk assessment process (what will the long-term cost be due to the fact that we used crappy technology to start out with…). I’m hoping that the suggestions and requirements in this doc will narrow down the solutions chosen for development platforms such as diagnostic data stations to technologies considered secure and reliable by other industries, which have more experience in secure development.
Unfortunately, as it’s a commercial document I can’t post the text here, but it is available at http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=57 and via CD-ROM subscription from CLSI.
From the press release at http://www.clsi.org:
“Newly proposed Clinical and Laboratory Standards Institute (CLSI, formerly NCCLS) document IT Security of In Vitro Diagnostic Instruments and Software Systems; Proposed Standard (AUTO11-P) specifies technical and operational requirements, as well as technical implementation procedures related to security of IVD systems (devices, analytical instruments, data management systems, etc.) installed at a healthcare organization. This document provides a framework for communication of IT security issues between the IVD system vendor and the healthcare organization.”
The health IT security wiki is a community portal with links to and information about standardization groups, laws, and other interesting bits related to healthcare and medical IT security. It’s a pretty good starting resource and incorporates pointers to a lot of the compliance-relevant and technical standards in this field, which is pretty far behind financial services and other areas in terms of having a firm grasp on information security.
Many of the topics are ones I have worked on in recent projects, and as such I will be posting more links to related groups, as well as descriptions of what they do (I got to write a little tiny bit of the CLSI Standard for IVD IT Security, whee!)
http://www.healthitsecurity.net/wiki/index.php?title=Main_Page
