Requirements on the operating environment
These operating environment requirements for information security and privacy (ISP), set in compliance with points 17(4) and 18(8) of Annex I of the EU Medical Device Regulation 2017/745, must be implemented and followed by the Customer (User) when using the Agfa medical device. They are minimum requirements, designed to protect against unauthorised access that could prevent the device from functioning as intended.
Although Agfa has defined these ISP Operating Environment Requirements for implementation by the Customer, Agfa makes no warranties, expressed or implied, regarding those ISP Operating Environment Requirements. Agfa disclaims all liability should a security incident occur despite the implementation of these ISP Operating Environment Requirements by the Customer.
Agfa reserves the right to revise these ISP Operating Environment Requirements and to make changes to them at any time. Revisions of the ISP Operating Environment Requirements will only be available in electronic form, on request, via our website, using the user documentation request form at http://www.agfahealthcare.com/global/en/library/index.jsp.
The information presented herein is sensitive and is company confidential.
Without written authority from Agfa, further distribution outside the
company is not allowed.
• Perimeter firewalls shall be in place and appropriately configured so that communications between medical devices and external resources are either denied or restricted to only those communications that are essential for the medical devices to function properly.
• Network Intrusion Detection/Prevention Systems (NIDS/NIPS) shall be in place at the perimeter and appropriately configured, in order to provide early warning of an attack attempt or of a successful compromise of a medical device, and to attempt to prevent compromise of medical devices.
• A Network Time Protocol (NTP) server shall be configured on the medical devices so that the timestamps in the audit logs are synchronized with the time on the NTP server.
• Medical devices shall be placed on an isolated network segment that restricts communication of the medical devices to the systems that are required for the device to function.
• Internal firewalls shall be put in place to strengthen network segmentation and to further restrict communications of medical devices to the systems (internal and external) that they need to interact with.
• Medical device configurations shall be backed up to a secure, separate device.
• Security controls shall be put in place to ensure that physical access to medical devices is limited to authorized individuals only and that physical theft of the device is prevented.
Dry 2.4M | Introduction | 47 | 2652B EN 20210601 1655