IEEE/UL Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS--Trust, Identity, Privacy, Protection, Safety, and Security (Approved Draft), 2024
- IEEE Std 2933/UL 2933:2024 Front Cover
- Titlepage
- Important Notices and Disclaimers
- Participants
- Introduction
- Contents
- 1. Overview
- 1.1 Scope
- 1.2 Purpose
- 1.3 Word usage
- 2. Normative references
- 3. Definitions, acronyms, and abbreviations
- 3.1 Definitions
- 3.1.1 IoT definitions
- 3.1.2 Clinical-related definitions
- 3.1.3 Clinical IoT (CIoT) related definitions
- 3.1.4 General definitions
- 3.2 Acronyms and abbreviations
- 4. Trust and identity
- 4.1 Introduction
- 4.2 Overview
- 4.3 Micro view
- 4.3.1 Discrete components
- 4.3.1.1 Practices and processes
- 4.3.1.1.1 Component inspection
- 4.3.1.1.2 Component testing
- 4.3.1.1.3 Component certification
- 4.3.1.1.4 Component traceability
- 4.3.2 Subassembly
- 4.3.2.1 Practices and processes
- 4.3.2.1.1 Component traceability
- 4.3.2.1.2 Component identifiers
- 4.3.2.1.3 Process traceability
- 4.3.3 Device software
- 4.3.3.1 Practices and processes
- 4.3.3.1.1 Designing for security
- 4.3.3.1.2 Ability to update device software
- 4.3.3.1.3 Software Bill of Materials (SBOM)
- 4.3.4 Final product
- 4.3.5 Manufacturer device registry
- 4.3.5.1 Practices and processes
- 4.3.5.1.1 Device identifiers (device ID)
- 4.3.5.1.2 Properties of the device
- 4.3.5.1.3 Generalized requirements for a medical device registry
- 4.3.5.1.4 Functions of the device ID
- 4.3.5.1.5 Functions not suitable for device ID
- 4.3.6 Decommissioning
- 4.3.6.1 Practices and processes
- 4.3.6.1.1 Recycling/repurposing
- 4.4 Macro view—Inter-device and systems
- 4.4.1 User-managed software
- 4.4.1.1 Practices and processes
- 4.4.1.1.1 Software updates
- 4.4.1.1.2 Software as a Medical Device (SaMD)
- 4.4.2 Authentication
- 4.4.3 Identity
- 4.4.4 Context
- 4.4.5 Authorization
- 4.4.6 Accounting/Audit
- 4.4.7 Device onboarding
- 4.4.7.1 Practices and processes
- 4.4.7.2 Device identities
- 4.4.7.3 Secret material protection
- 4.4.7.3.1 Provisioning
- 4.4.7.3.2 Protecting secure material on the device
- 4.4.7.3.3 Confidentiality/Privacy
- 4.4.7.4 System management
- 4.4.7.4.1 Code signing
- 4.4.7.4.2 Secure boot
- 4.4.7.4.3 Trust anchors
- 4.4.7.5 Tokens
- 4.4.8 Provisioning
- 4.4.8.1 Practices and processes
- 4.4.8.1.1 Device usage
- 4.4.8.2 Practices and processes
- 4.4.9 Deprovisioning
- 5. Privacy
- 5.1 Overview
- 5.2 Privacy requirements identification
- 5.2.1 Privacy requirements
- 5.2.2 Privacy requirements for Clinical IoT data and device interoperability
- 5.3 Privacy Impact Assessment
- 5.4 Premarket and postmarket privacy requirements
- 5.4.1 Premarket privacy requirements
- 5.4.2 Postmarket privacy requirements
- 5.5 Summary
- 6. Protection
- 6.1 Protection overview
- 6.2 Device pairing
- 6.3 Authentication
- 6.4 Access control
- 6.5 Communication between components
- 6.5.1 Communications between device and sensor
- 6.5.2 Communications between device and aggregator/gateway
- 6.5.3 Communications between aggregator/gateway and backend
- 6.5.4 End-to-end encryption
- 6.6 Updates
- 6.6.1 Third-party and open-source components
- 6.6.2 Sensor
- 6.6.3 Smart device application
- 6.6.4 Backend/Gateway
- 6.6.5 Requirement for update independence
- 6.7 Backup
- 6.8 Requirements for replacements
- 6.9 Tamper-proofing and integrity
- 6.10 Resilience and fail-safe mode
- 6.10.1 Updates and alerts to trouble
- 6.10.2 Signal jamming and interference
- 6.10.2.1 Signal jamming
- 6.10.2.2 Signal interference
- 6.10.3 Backup and restore capabilities
- 6.10.4 Data integrity and quality
- 6.11 Documentation and labeling
- 6.12 Decommissioning
- 6.12.1 Decommissioning legal and regulatory background
- 6.12.2 Decommissioning processes and practices
- 7. Safety
- 7.1 Safety overview
- 7.2 Mitigating safety risks
- 7.3 Quality assurance processes
- 7.4 Other safety risk considerations
- 8. Security
- 8.1 Security overview
- 8.2 Organizational cybersecurity foundation
- 8.2.1 Cybersecurity governance
- 8.2.2 Security as part of the quality management system
- 8.2.3 Secure Software Development Lifecycle
- 8.2.4 Risk-based approach
- 8.2.5 Establishing security requirements
- 8.2.6 Identified security requirements
- 8.3 Basic security principles
- 8.3.1 Developing a security baseline
- 8.3.2 Meeting a security baseline
- 8.3.2.1 People
- 8.3.2.2 Process
- 8.3.2.3 Technology
- 8.3.3 Maintaining a security baseline
- 8.3.4 Software Bill of Materials (SBOM)
- 8.4 Communication security
- 8.4.1 Interoperability and security
- 8.4.2 Communicate securely
- 8.4.3 Communicate about security
- 8.4.4 Communication as a security risk
- 8.5 Processes, practices, principles, and controls
- 8.5.1 CIA triad
- 8.5.2 Confidentiality
- 8.5.3 Integrity
- 8.5.4 Availability
- 8.5.5 Preservation of authenticity
- 8.6 Security assurance
- 8.7 Risk management and security
- 8.7.1 Risk management overview
- 8.7.2 Asset classification
- 8.7.3 Data classification
- 8.7.4 Vulnerabilities
- 8.7.5 Threats
- 8.7.6 Risk management cycle
- 9. Human factors and usability
- 9.1 Overview
- 9.2 Summary process for Usability Engineering
- 9.2.1 Prepare the technical use specification
- 9.2.2 Prepare hazard analysis related to technical user interface use cases and scenarios
- 9.2.3 Establish a technical user interface specification
- 9.2.4 Establish a technical user interface verification plan
- 9.2.5 Establish a technical user interface validation plan
- 9.2.6 Perform a technical user interface design, implementation, verification, and formative validation
- 9.2.7 Perform technical user interface summative evaluation/validation
- 9.3 Requirements for the technical aspects of the Clinical IoT device user interface
- 9.3.1 General—Human factors requirements
- 9.3.2 Accompanying documentation—Human factors requirements
- 9.3.3 Trust—Human factors requirements
- 9.3.4 Identity—Human factors requirements
- 9.3.5 Privacy—Human factors requirements
- 9.3.6 Safety—Human factors requirements
- 9.3.6.1 General safety requirements
- 9.3.6.2 Technical log safety requirements
- 9.3.7 Security—Human factors requirements
- 9.3.8 Interoperability—Human factors requirements
- 9.3.9 Verification and validation—Human factors requirements
- 10. Integrated systems design (ISD)
- 10.1 ISD attributes and characteristics requirements
- 10.2 Documentation requirements
- 10.3 Research and development (R&D) and pre-production requirements
- 10.4 Postmarket requirements
- 11. CIoT reference architecture (RA)
- 11.1 Context Layer requirements
- 11.2 Technology Layer requirements
- 11.2.1 System software requirements
- 11.2.2 Technology Layer general requirements
- 11.2.3 Requirements associated with CIoT system hardware and firmware
- 11.2.3.1 Default password requirements
- 11.2.3.2 Medical device marking and labeling requirements
- 11.2.3.3 Personal data requirements
- 11.2.3.4 Remote server requirements
- 11.3 Application Services Layer requirements
- 11.4 Healthcare Workflow Services (HWS) Layer requirements
- 11.5 End-User Services (EUS) Layer requirements
- 11.5.1 Patient
- 11.5.2 Home healthcare team
- 11.5.3 Healthcare provider
- 11.5.4 End User Services (EUS) Manager
- 11.5.4.1 End-User Services (EUS) Manager requirements
- 11.5.4.2 End-User Services requirements
- 11.6 Services quality and integration/reconciliation of TIPPSS (SQIRT) Layer requirements
- 11.6.1 SQIRT Manager requirements
- 11.6.2 Availability Manager requirements
- 11.6.3 TIPPSS Managers
- 11.6.3.1 Trust Manager requirements
- 11.6.3.2 Identity Manager requirements
- 11.6.4 Privacy Manager requirements
- 11.6.5 Protection and Safety Manager requirements
- 11.6.6 Security Manager requirements
- 11.7 Information Architecture Layer requirements
- 11.8 Governance & Policies (G & P) Layer requirements
- 11.8.1 Requirements associated with interoperability and integration plans
- 11.8.2 Requirements associated with TIPPSS policies and plans
- 11.8.3 Requirements associated with system logs
- 11.9 Lifecycle design and management
- 11.9.1 CIoT device manufacturer lifecycle
- 11.9.2 CIoT device supply chain management
- 11.9.3 CIoT device maintenance lifecycle
- 11.9.4 CIoT device deployment organization lifecycle
- Annex A (informative) Bibliography
- Annex B (informative) Detailed sample use cases and derived functional needs
- B.1 Introduction
- B.2 Overview of the sample use cases
- B.2.1 Connected monitoring device—Use Case 1
- B.2.2 Connected therapy device—Use Case 2
- B.2.3 Hospital @Home use case—Use Case 3
- B.2.4 Home-to-Hospital use case—Use Case 4
- B.3 Use case process
- B.4 TIPPSS stakeholder roles
- B.5 Use Case 1—Connected monitoring device
- B.5.1 Use case description
- B.5.2 Use case narrative
- B.5.3 Use case actions
- B.5.4 Actors and stakeholders
- B.5.5 Use Case 1—Details
- B.5.5.1 Use Case 1—Action #1
- B.5.5.2 Use Case 1—Action #2
- B.5.5.3 Use Case 1—Action #3
- B.5.5.4 Use Case 1—Action #4
- B.5.5.5 Use Case 1—Action #5
- B.6 Use Case 2—Connected therapy device
- B.6.1 Use Case 2a—Connected automated implanted cardioverter defibrillator (AICD)
- B.6.1.1 Use Case 2a description
- B.6.1.2 Use Case 2a narrative
- B.6.2 Use Case 2b—Connected automated insulin delivery (AID) system
- B.6.2.1 Use Case 2b description
- B.6.2.2 Use Case 2b narrative
- B.6.3 Use case actions
- B.6.4 Actors and stakeholders
- B.6.5 Use Case 2—Details
- B.6.5.1 Use Case 2—Action #1
- B.6.5.2 Use Case 2—Action #2
- B.6.5.3 Use Case 2—Action #3
- B.6.5.4 Use Case 2—Action #4
- B.6.5.5 Use Case 2—Action #5
- B.6.5.6 Use Case 2—Action #6
- B.6.5.7 Use Case 2—Action #7
- B.6.5.8 Use Case 2—Action #8
- B.7 Use Case 3—Hospital @Home
- B.7.1 Use case description
- B.7.2 Use case narrative
- B.7.3 Pre-conditions
- B.7.4 Use case actions
- B.7.5 Actors and stakeholders
- B.7.6 Use Case 3—Details
- B.7.6.1 Use Case 3—Action #1
- B.7.6.2 Use Case 3—Action #2
- B.7.6.3 Use Case 3—Action #3
- B.7.6.4 Use Case 3—Action #4
- B.7.6.5 Use Case 3—Action #5
- B.7.6.6 Use Case 3—Action #6
- B.7.6.7 Use Case 3—Action #7
- B.8 Use Case 4—Home-to-Hospital
- B.8.1 Use case description
- B.8.2 Use case narrative
- B.8.3 Pre-conditions
- B.8.4 Use case actions
- B.8.5 Actors and stakeholders
- B.8.6 Use Case 4—Details
- B.8.6.1 Use Case 4—Action #1
- B.8.6.2 Use Case 4—Action #2
- B.8.6.3 Use Case 4—Action #3
- B.8.6.4 Use Case 4—Action #4
- B.8.6.5 Use Case 4—Action #5
- B.8.6.6 Use Case 4—Action #6
- B.9 Other CIoT use cases
- B.9.1 Use cases from AAMI 2700-1:2019 ICE (Integrated Clinical Environment)
- B.9.2 Use cases from NITRD
- B.9.3 Use cases from ONC/AHIC common device connectivity
- B.9.4 Remote surveillance (minutes to treat)
- B.9.5 Remote monitoring (seconds to treat)
- B.9.6 Automated documentation of CIoT data
- B.9.7 Other use cases
- Annex C (informative) Lead/Support/Consult (L/S/C) table
- Annex D (informative) Integrated systems design and the conceptual reference architecture
- D.1 Introduction
- D.2 Context for integrated systems design for Clinical IoT with TIPPSS
- D.3 Purpose and goal of integrated systems design
- D.4 Extensible and inclusive integrated systems design
- D.5 Overview of the reference architecture (RA)
- D.6 Application of the RA to the Hospital@Home example use case
- Annex E (informative) Overview of privacy frameworks
- E.1 OECD—Fair Information Practices (FIPs)
- E.2 EU—General Data Protection Regulation (GDPR) Privacy Principles
- E.3 U.S. NIST—Privacy Framework
- E.4 U.S. HIPAA—Privacy Rule
- E.5 U.S. California—Consumer Privacy Act (CCPA) privacy principles
- E.6 Australia—Privacy Principles (APP)
- E.7 Canada—Personal Information Protection and Electronic Documents Act (PIPEDA)
- E.8 International—ISO/IEC 29100 Privacy Principles
- E.9 OECD—Council of Europe Convention, EU Data Protection Directive, and the Asia-Pacific Economic Cooperation (APEC)
- Annex F (informative) Comparison of privacy regulations/guidance
- Annex G (informative) Direct and indirect patient safety impact
- G.1 Direct safety impact
- G.1.1 Disruption of the clinical data flow
- G.1.2 Disruption of patient engagement
- G.1.3 Inability to use the clinical devices
- G.1.3.1 Hospital-based CIoT with TIPPSS devices
- G.1.3.2 Wearable devices and sensors (portable, attachable, implantable/embedded, ingestible)
- G.1.3.3 Types of wearable devices as defined by the National Library of Medicine
- G.1.3.4 Inability to receive data from the CIoT with TIPPSS devices and sensors
- G.1.3.5 Integrity of the patient identification
- G.1.3.6 Preventable severe adverse events
- G.1.4 Regulated devices
- G.2 Indirect safety impact
- G.2.1 Device monitoring systems (environmental)
- G.2.2 Device monitoring systems (clinical)
- G.2.3 DICOM data flows and interpretation
- G.2.4 Clinical orders and e-prescribing
- G.2.5 Device lifecycle management
- G.3 Operational and business impact
- G.3.1 Environmental monitoring
- G.3.2 Disruption to workflow automation
- G.3.2.1 Business disruption
- G.3.2.2 Loss of intellectual property
- G.3.2.3 Loss of sensitive data
- G.3.2.4 Compromise of user or network credentials
- Annex H (informative) Examples and rationale for ISD-derived requirements
- H.1 Overview
- H.2 Documentation requirements
- H.3 Research and development (R&D) and pre-production requirements
- H.4 Postmarket requirements
- H.5 Context Layer requirements
- H.6 Technology Layer requirements
- H.6.1 System software requirements
- H.6.2 Technology Layer general requirements
- H.6.3 Requirements associated with CIoT system hardware and firmware
- H.6.3.1 Default password requirements
- H.6.3.2 Medical device marking and labeling requirements
- H.6.3.3 Personal data requirements
- H.6.3.4 Remote server requirements
- H.7 Application Services Layer requirements
- H.8 Healthcare Workflow Services (HWS) Layer requirements
- H.9 End-User Services (EUS) Layer requirements
- H.9.1 End-User Services (EUS) Manager requirements
- H.9.2 End-User Services requirements
- H.10 Services Quality and Integration/Reconciliation of TIPPSS (SQIRT) Layer requirements
- H.10.1 SQIRT Manager requirements
- H.10.2 Availability Manager requirements
- H.10.3 TIPPSS Managers
- H.10.3.1 Trust Manager requirements
- H.10.3.2 Identity Manager requirements
- H.10.4 Privacy Manager requirements
- H.10.5 Protection and Safety Manager requirements
- H.10.6 Security Manager requirements
- H.11 Information Architecture Layer requirements
- H.12 Governance & Policies (G & P) Layer requirements
- H.12.1 Requirements associated with interoperability and integration plans
- H.12.2 Requirements associated with TIPPSS policies and plans
- H.12.3 Requirements associated with system logs
- Back Cover