CLSI AUTO11
Information Technology Security of In Vitro Diagnostic Instruments and Software Systems
Strengthen the security of in vitro diagnostic (IVD) systems with CLSI document AUTO11. This guideline provides technical and operational requirements for safeguarding IVD devices, analytical instruments, and data management systems within health care delivery organizations (HDOs). AUTO11 offers practical implementation procedures to help IVD manufacturers, laboratory personnel, and IT professionals ensure secure data communication, mitigate cybersecurity risks, and maintain regulatory compliance in clinical settings.
Clinical and Laboratory Standards Institute AUTO11—Information Technology Security of In Vitro Diagnostic Instruments and Software Systems specifies technical and operational requirements and technical implementation procedures related to security of in vitro diagnostic (IVD) systems (devices, analytical instruments, data management systems, etc.) installed at a health care delivery organization (HDO). The intended users for CLSI AUTO11 are medical device and IVD system manufacturers, users (eg, laboratory personnel), and information technology management of HDOs.
CLSI AUTO11-Ed3 replaces CLSI AUTO11-A2, published in 2014. Several changes were made in this edition. Compared with CLSI AUTO11-A2, all the existing requirements have been reviewed. For these, the requirement numbers have been kept as they were. However, some requirements have been moved to new subchapters. Additionally, new requirements have been added, starting with [Req-1001].
The types of changes to the previously existing requirements can be categorized as:
• Adaption to new terminology, such as from “vendor” to “MDM,” from “HCO” to “HDO” (eg, Req-0251), and from “antivirus and antispyware” to “antimalware” (ie, Req-0321)
• Clarification by text addition, such as from “system” to “IVD system” (ie, Req-0111, Req-0141, Req-0531), or by being more specific (ie, “risks to an acceptable level as defined by the HDO” in Req-0212, “system by MDMs and HDOs” in Req-0621, “instrument and system” in Req-0162)
• Clarification by rewording (ie, Req-0112, Req-0121, Req-0131, Req-0171, Req-0231, Req-0511)
• Removal of requirement (eg, Req-0742 because of the addition of Req-1061, which provides a broader requirement to follow national regulations and laws)
CLSI AUTO11 specifies technical and operational requirements and technical implementation procedures related to information technology (IT) security of in vitro diagnostic (IVD) systems (devices, analytical instruments, data management systems, etc.) installed at a health care delivery organization (HDO).
CLSI AUTO11 also provides guidance on meeting and using existing technical standards for medical device IT security and recommendations on identifying the parties responsible for implementing these requirements.
CLSI AUTO11 is primarily meant to be used by manufacturers (ie, medical device manufacturers [MDMs], IVD system manufacturers) and HDOs. Regulatory agencies may also find useful information in CLSI AUTO11. CLSI AUTO11 is not intended for use as the final written policy for the HDO. For example, local organizations need to include in their own documentation the technical and process aspects of medical device security addressed by other standards organizations, such as the International Organization for Standardization (ISO) and Institute of Electrical and Electronics Engineers (IEEE). In addition, CLSI AUTO11 may not apply to certain devices used in health care (see Subchapter 3.10).
The suggested best practices contained in CLSI AUTO11 are based on the state of technology at the time of publication. These best practices are distinguished from the requirements through their inclusion in a text box.
Some requirements, procedures, and guidelines specified by CLSI AUTO11 may not be necessary or desired for IVD systems during clinical trials. The HDO and manufacturer should clearly state in the corresponding contract how CLSI AUTO11 would be applied during clinical trials. In addition, some requirements, procedures, and guidelines specified by CLSI AUTO11 may not be practical, technically or financially, for legacy IVD systems or HDO IT departments to implement. In these situations, the manufacturer and HDO should use their best judgment to decide what to implement. It is important for the manufacturer and HDO to clearly document any deviations from CLSI AUTO11.
This document is available in electronic format only.