V. Registration Submission Documentation Requirements

1. Software research documentation
The registration applicant shall submit a separate cybersecurity description document; see Section IV for the specific requirements.

2. Product technical requirements
In the performance indicators of the product technical requirements, the registration applicant shall specify the requirements for data interfaces and for user access control:
(1) Data interfaces: transport protocols / storage formats;
(2) User access control: user authentication methods, user types and their permissions.

3. Instructions for use
The instructions for use shall provide the relevant cybersecurity information, specifying the operating environment (including hardware configuration, software environment and network conditions), security software (such as antivirus software and firewalls), data and device (system) interfaces, the user access control mechanism, and the requirements for updating the software environment (including system software, supporting software and application software) and the security software.

(II) Changes to licensing items

1. Software research documentation
For a change to a medical device's licensing items, research documentation on the impact of the changed parts on product safety and effectiveness shall be submitted according to the nature of the cybersecurity update:
(1) Where a major cybersecurity update is involved: submit a separate cybersecurity description document; see Section IV for the specific requirements;
(2) Where only a minor cybersecurity update has occurred: submit a separate routine security patch description document; see Section IV for the specific requirements;
(3) Where no cybersecurity update has occurred: provide a declaration of authenticity.

2. Product technical requirements
Where applicable, the product technical requirements shall reflect the cybersecurity-related changes.

3. Instructions for use
Where applicable, the instructions for use shall reflect the cybersecurity-related changes.

Where applicable, item (6) of the product analysis report for medical device registration renewal shall include a separately submitted routine security patch description document; see Section IV for the specific requirements.

VI. References

(1) Cybersecurity Law of the People's Republic of China (Order No. 53 of the President of the People's Republic of China)
(2) Guiding Opinions of the General Office of the State Council on Promoting and Regulating the Application and Development of Big Data in Health and Medical Care (Guo Ban Fa [2016] No. 47)
(3) Measures for the Administration of Medical Device Registration (CFDA Order No. 4)
(4) Provisions for the Administration of Medical Device Instructions for Use and Labels (CFDA Order No. 6)
(5) CFDA Announcement on Publishing the Requirements for Medical Device Registration Submission Documentation and the Format of Approval Certificates (CFDA Announcement No. 43 of 2014)
(6) CFDA Notice on Issuing the Guiding Principles for Technical Review of Medical Device Software Registration (CFDA Notice No. 50 of 2015)
(7) Measures for the Administration of Medical Device Recalls (Trial) (Order No. 82 of the former Ministry of Health)
(8) Measures for the Administration of Population Health Information (Trial) (Guo Wei Gui Hua Fa [2014] No. 24)
(9) Opinions of the National Health and Family Planning Commission on Promoting Telemedicine Services by Medical Institutions (Guo Wei Yi Fa [2014] No. 51)
(10) GB/T 20271-2006, Information security technology - Common security techniques requirement for information system
(11) GB/T 20984-2007, Information security technology - Risk assessment specification for information security
(12) GB/T 22080-2016, Information technology - Security techniques - Information security management systems - Requirements
(13) GB/T 22081-2016, Information technology - Security techniques - Code of practice for information security management
(14) GB/T 29246-2012, Information technology - Security techniques - Information security management systems - Overview and vocabulary
(15) GB/Z 24364-2009, Information security technology - Guidelines for information security risk management
(16) YY/T 0287-2003, Medical devices - Quality management systems - Requirements for regulatory purposes
(17) YY/T 0316-2016, Medical devices - Application of risk management to medical devices
(18) YY/T 0664-2008, Medical device software - Software life cycle processes
(19) YY/T 1474-2016, Medical devices - Application of usability engineering to medical devices
(20) FDA, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software, 2005-1-14
(23) FDA, Postmarket Management of Cybersecurity in Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff, 2016-1-22
(24) FDA, Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices - Draft Guidance for Industry and Food and Drug Administration Staff, 2016-1-26
(25) IEC 60601-1 Edition 3.1:2012, Medical electrical equipment - Part 1: General requirements for basic safety and essential performance
(26) IEC 82304-1, Health Software - Part 1: General requirements for product safety
(27) IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices - Part 1: Roles, responsibilities and activities
(28) IEC/TR 80001-2-1:2012, Application of risk management for IT-networks incorporating medical devices - Part 2-1: Step-by-step risk management of medical IT-networks - Practical applications and examples
(29) IEC/TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
(30) IEC/TR 80001-2-3:2012, Application of risk management for IT-networks incorporating medical devices - Part 2-3: Guidance for wireless networks
(31) IEC/TR 80001-2-4:2012, Application of risk management for IT-networks incorporating medical devices - Part 2-4: Application guidance - General implementation guidance for healthcare delivery organizations
(32) IEC/TR 80001-2-5:2014, Application of risk management for IT-networks incorporating medical devices - Part 2-5: Application guidance - Guidance on distributed alarm systems
(33) ISO/TR 80001-2-6:2014, Application of risk management for IT-networks incorporating medical devices - Part 2-6: Application guidance - Guidance for responsibility agreements
(34) ISO/TR 80001-2-7:2015, Application of risk management for IT-networks incorporating medical devices - Application guidance - Part 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1
(35) IEC/TR 80001-2-8:2016, Application of risk management for IT-networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC/TR 80001-2-2
(36) IEC/TR 80001-2-9, Application of risk management for IT-networks incorporating medical devices - Part 2-9: Application guidance - Guidance for use of security assurance cases to demonstrate confidence in IEC/TR 80001-2-2 security capabilities
(37) ISO/DIS 27799, Health informatics - Information security management in health using ISO/IEC 27002
(38) HIMSS/NEMA HN 1-2013, Manufacturer Disclosure Statement for Medical Device Security
(39) NEMA/MITA CSP 1-2016, Cybersecurity for Medical Imaging
(40) IMDRF/SaMD WG/N12FINAL:2014, Software as a Medical Device (SaMD): Possible Framework for Risk Categorization and Corresponding Considerations, 2014-9-18

Notes
[1] In the information security field, "availability" is rendered in Chinese as 可用性, while in the medical device field "usability" is also rendered as 可用性. To avoid ambiguity, this guidance renders "availability" as 可得性.
[2] In the information security field, the ISO/IEC 27000 series of standards specifies the certification requirements for information security management systems (ISMS). This guidance does not require manufacturers to obtain ISMS certification, but recommends that manufacturers refer to the requirements of the relevant standards.
[3] See IEC/TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls.