MITA Security & Privacy Documents
Original page can be found at: Mita SPC

White Papers

- Remote Services in Healthcare - Use Cases and Obligations for Customer and Service Organizations (125k), September 2008
  Remote service techniques can improve uptime of medical IT systems and save money, but security and privacy concerns often lead customers to avoid their use. This paper describes the appropriate uses of and benefits from remote service, and the good practices for the technologies and processes to assure security and effectiveness. The use of technologies and practices that are discussed in this paper offers the opportunity for healthcare providers to achieve real benefits for their operations in terms of uptime and cost-effective use of resources. This document presents typical situations in which remote service is used, and describes the respective responsibilities of both the manufacturer and providers in the provision and proper maintenance of equipment. It also discusses some specific policies and practices that support the secure and effective operation of remote service.

- Information Security Risk Management for Healthcare Systems (143k), October 2007
  This white paper helps device manufacturers manage IT security risks in healthcare systems by detailing the steps in security risk assessment in the context of security risk management. The process for managing healthcare systems IT security-related risks is very similar to long-standing device safety processes. This paper recommends that similar methods be applied to security risks to healthcare systems. In detailing security risk management, this paper presents a set of examples which provide insight into healthcare trends and vulnerabilities leading to the relevant steps in how to design for confidentiality, integrity and availability of systems, while maintaining an appropriate level of safety, healthcare effectiveness, privacy for both patient and staff, and interoperability.

- Management of Machine Authentication Certificates (143k), May 2007
  This paper helps healthcare providers and medical device engineering organizations decide how to use digital certificates to secure machine-to-machine communications. There is a focus on privacy and security in healthcare. The breaches in security over the past five years have shown that using a “moat” approach of firewalls without further internal security is not effective. To properly secure a network environment, the machines (e.g., imaging device, PACS archive, laptop, a system implementing an IHE profile, internet kiosk) that are going to receive or transmit sensitive data must be identified. This introduces a need to authenticate both machine identities and person identities. The focus of this paper is machine identity management.

- Impacts of the British Columbia Act 73-2004 (an amendment to the Freedom of Information and Protection of Privacy Act) on Medical Device Support in British Columbia (489k), August 2005
  This paper is aimed at assessing the impacts of the Act on MedIS support, patient care, and business costs to the Canadian Healthcare System, resulting from unanticipated changes to MedIS equipment maintenance practices.

- Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems (238k), December 2004
  This white paper discusses a simple yet effective emergency-access solution, sometimes called "break-glass". The purpose of break-glass is to allow operators emergency access to the system in cases where the normal authentication cannot be successfully completed or is not working properly. The systems include medical data acquisition devices as well as information systems, which are collectively referred to as Medical Information Systems (MedIS).

- Patching Off-the-Shelf Software Used in Medical Information Systems (143k), October 2004
  The purpose of this white paper is to make healthcare providers aware of the special requirements imposed on MedIS vendors and the practical constraints involved in patching COTS software. Medical Information Systems (MedIS) often incorporate commercial-off-the-shelf (COTS) software, e.g. operating systems, browsers, databases. COTS software vendors often issue patches, also called “hotfixes” or “updates,” to fix a variety of security, privacy, or stability problems. Typically, COTS software vendors’ procedures for testing or updating do not address the safety and effectiveness requirements mandated for MedIS. This means that healthcare providers must follow different procedures when patching COTS software incorporated in MedIS.

- Remote Service Interface - Solution (A) - Version 2: IPSec over the Internet Using Digital Certificates (430k), December 2003
  The purpose of this white paper is to define one possible, reasonable, and practical solution for remote servicing of medical equipment, addressing possible security threats to ensure availability, confidentiality, and integrity of the transmitted data. The paper describes in detail how to configure IPSec over the Internet using cryptographic certificates, and how to distribute the certificates out-of-band. It further defines the supporting conditions at the HCF and RSC. With this document, vendors and health care facilities can configure a single access point using off-the-shelf equipment.

- Defending Medical Information Systems Against Malicious Software (218k), December 2003
  This white paper informs both vendors (manufacturers and integrators of Medical Information Systems (MedIS)) and users (for example, hospitals and medical practices) about possible malicious software (malware) attacks. Malicious software (or malware), also referred to as a virus or malicious logic, includes such things as Trojan horses, denial of service attacks, trap doors, time bombs, and worms. The paper suggests ways to protect against such attacks that make use of exploitable MedIS vulnerabilities and offers a list of recommendations for both vendors and users to make the MedIS they produce and operate more secure. Vendors and users must cooperate to meet the challenge of safeguarding the security and privacy of data in healthcare.

HIPAA Business Associate Contract Sample Language
Press Releases
Presentations

*PDF files require the free Adobe Acrobat Reader, downloadable at www.acrobat.com.