Websites & Documents

Organizations

• Health Information and Management Systems Society (HIMSS) - a non-profit organization
  HIMSS (Healthcare Information and Management Systems Society) is the healthcare industry's membership organization exclusively focused on providing leadership for the optimal use of healthcare information technology and management systems for the betterment of human health. Founded in 1961 with offices in Chicago, Washington DC, and other locations across the country, HIMSS represents more than 14,000 individual members and some 220 member corporations that employ more than 1 million people. HIMSS frames and leads healthcare public policy and industry practices through its advocacy, educational and professional development initiatives to promote information and management systems' contributions to ensuring quality patient care.

  • HIMSS Medical Device Security Workgroup

    • Manufacturers Disclosure Statement for Medical Device Security (MDS²)

  • HIMSS Integrating the Healthcare Enterprise (IHE)

• American College of Clinical Engineering (ACCE) - a non-profit organization
  Founded in 1990, ACCE is committed to enhancing the profession of clinical engineering. With members in the United States and around the world, ACCE is the only professional society for clinical engineers with international recognition. ACCE’s mission is to establish a standard of competence and to promote excellence in clinical engineering practice, to promote safe and effective application of science and technology in patient care, to define the body of knowledge on which the profession is based, and to represent the professional interests of clinical engineers

• ECRI - a non-profit organization
  For more than 35 years, ECRI, a health services research agency, has provided objective, independent guidance on patient safety, as well as healthcare risk and quality management. ECRI is a Collaborating Center of the World Health Organization for patient safety, risk management, and health technology and has been designated an Evidence-based Practice Center by the US Agency for Healthcare Research and Quality.  ECRI also produced and maintains the Universal Medical Device Nomenclature System (UMDNS) that is in international use

  • ACCE ECRI Information Security for Biomedical Technology:  A HIPAA Compliance Guide

    • Guide Table of Contents

    • Order Form

• University HealthSystem Consortium (UHC)

  • Medical Device Security (whitepaper, January 2005)

• Center for Devices and Radiological Health (CDRH) Food and Drug Administration (FDA)

  • Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software (January 14, 2005)

  • FAQ: Information for Healthcare Organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software"

• Joint NEMA/COCIR/JIRA Security and Privacy Committee

  • Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems (December 2004)

  • Patching Off-the-Shelf Software Used in Medical Information Systems (October 2004)

  • Remote Service Interface - Solution (A) - Version 2: IPSec over the Internet Using Digital Certificates (December 2003)

  • Defending Medical Information Systems Against Malicious Software (December 2003)

  • Identification and Allocation of Basic Security Rules In Healthcare Imaging Systems

  • Security and Privacy Requirements for Remote Servicing

  • Security And Privacy Auditing In Health Care Information Technology

  • Security and Privacy: An Introduction to HIPAA

• National Institute of Standards and Technology (NIST)

  • P 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

  • SP 800-61: Computer Security Incident Handling Guide (Jan 2004)

  • DRAFT SP 800-53: Recommended Security Controls for Federal Information Systems

  • SP 800-55: Security Metrics Guide for Information Technology Systems (July 2003)

  • SP 800-50: Building an Information Technology Security Awareness and Training Program (October 2003)

  • SP 800-42: Guideline on Network Security Testing (October 2003)

  • SP 800-35: Guide to Information Technology Security Services (October 2003)

  • SP 800-34: Contingency Planning Guide for Information Technology Systems (June 2002)

  • SP 800-30: Risk Management Guide for Information Technology Systems, (July 2002)

  • SP 800-27 Rev. A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A, (June 2004)

  • SP 800-26: Security Self-Assessment Guide for Information Technology Systems, (November 2001)

• US Department Health and Human Services (HHS)

  • Security Standards; Final Rule, Federal Register Vol. 68, No. 34; February 20, 2003, 45 CFR Parts 160, 162, and 164

• US Department of Defense (DoD)

  • U.S. Department of Defense Directorate of Medical Material—Medical Device Security

• US Department of Veterans Affairs (VA)

  • VA Medical Device Isolation Architecture Guide