1 Basic Operation
As per its intended use, the patient monitor operates in the patient vicinity and contains personal and
sensitive patient data. It also includes controls to allow you to adapt the monitor to the patient's care
To ensure the patient's safety and protect their personal health information, you need a security
concept that includes:
• Physical security access measures - access to the monitor must be limited to authorized users.
  It is essential that you consider physical security measures to ensure that unauthorized users
  cannot gain access.
• Operational security measures - for example, ensuring that patients are discharged after
  monitoring in order to remove their data from the monitor.
• Procedural security measures - for example, assigning only staff with a specific role the right to
  use the monitors.
In addition, any security concept must consider the requirements of local country laws and regulations.
Always consider data security aspects of the network topology and configuration when connecting
patient monitors to shared networks. Your medical facility is responsible for the security of the
network, where sensitive patient data from the monitor may be transferred.
When a monitor is returned for repair, disposed of, or removed from your medical facility for other
reasons, always ensure that all patient data is removed from the monitor by ending monitoring for the
last patient (see "Ending Monitoring for a Patient" on page 89).
Log files generated by the monitors and measurement modules are used for system troubleshooting
and do not contain protected health data.
About HIPAA Rules
If applicable, your facility's security strategy should include the standards set forth in the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), introduced by the United States
Department of Health and Human Services. You should consider both the security and the privacy
rules and the HITECH Act when designing policies and procedures. For more information, please
About the EU Directives
If applicable, your facility's security strategy should include the practices set forth in the Directive on
the protection of individuals with regard to the processing of personal data and on the free movement
of such data (Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995). In addition, your facility should take into account any additional, more
stringent standards put forward by individual EU countries, such as Germany and France.
Philips Product Security Policy Statement
Additional security and privacy information can be found on the Philips product security web site at: