UL-2900-2-1:2017 pdf free download – STANDARD FOR SAFETY Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems.
12.1.3 Processes for Quality Management (QM) shall reflect:
a) Allocation of adequate security resources to product development;
NOTE: Compliance can be determined by demonstrating compliance with Clauses 13-20 of this standard
b) Establishing policies and criteria for security risk acceptability for the product based on applicable international, national or regional regulations; and
c) Ongoing re-assessment of the continued suitability of the security risk management process at planned intervals, including documentation of decisions and actions taken.
12.2 Risk evaluation
12.2.1 The risk evaluation shall be conducted in accordance with 12.3 and 12.4 in the Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.
12.3 Risk control
12.3.1 The risk controls identified in Sections 7 — 11 of the Standard for Software Cybersecurity for
Network-Connectable Products, Part 1: General Requirements, UL 2900-1, and the security capabilities
of the Application of Risk Management for IT-Networks Incorporating Medical Devices — Part 2-2:
Guidance for the Disclosure and Communication of Medical Device Security Needs, Risks and Controls,
IEC/TR 80001 -2-2, shall be considered for risk management.
12.3.2 Any security measures contraindicated by the risk analysis are to be designated as Not Applicable (NA) with justification(s) in the Risk Management File or explanation of alternative measures.
12.3.3 A security risk management plan shall be constructed and documented to reflect the following processes, including rationale for any qualitative or quantitative measures used:
a) Identification of assets, threats, and vulnerabilities;
b) Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
c) Assessment of the likelihood of a threat and of a vulnerability being exploited;
d) Determination of risk levels and suitable mitigation strategies; and
e) Assessment of residual risk and risk acceptance criteria.
f) Security-relevant data logging when applicable
12.3.4 The vendor shall provide a risk management artifact to reflect hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the product, including:
a) A specific list of all cybersecurity risks that were considered in the design of the product;
b) A specific list and justification for all cybersecurity risk controls that were established for the product;
c) A means of demonstrating traceability that links product cybersecurity risk controls to the cybersecurity risks that were considered;
d) A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the product to continue to assure its safety and effectiveness;
e) A summary describing cybersecurity risk controls that are in place to assure that the product software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that product leaves the control of the vendor; and
f) Product instructions for use and product specifications related to recommended cybersecurity risk controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).