Help for incorporating medical devices into IT networks
By Karen Delvecchio, June 2011
New guidance shows how the risk-management process fits into the lifecycle of a shared network.
In the last decade, healthcare technologies have become increasingly interconnected and co-dependent. IT networks are supporting medical devices that have historically been segregated, and general IT networks, the backbone of a technology infrastructure, are no longer islands on their own.
In 2005, the FDA encouraged the standards community to help address this looming issue. The International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) responded by forming a joint working group called JWG7. After years of work and analysis, the working group released a new standard, "IEC 80001-1: Application of risk management for IT networks incorporating medical devices."
Released late last year, the new IEC 80001-1 standard is designed to help the healthcare industry minimize risks and facilitate efficiency, patient safety and network security. The standard defines a framework for applying the risk-management process when incorporating medical devices into shared enterprise IT networks.
Below are four key recommendations for hospitals to strengthen their risk-management processes.
Educate yourself and your internal teams
Because IEC 80001-1 is designed to clearly define the positions, functions and activities needed for incorporating medical devices into IT networks, several hospital departments, including clinical engineering, IT, clinical staff and risk management, must understand the standard and each role. That understanding aids the adoption of new technologies and guidelines and facilitates incorporation into existing risk-management practices.
Establish risk management
Risk assessment involves considering all accidents or failures that may occur when operating medical devices on a network, as well as analyzing the probable consequences should such events occur. Performing this analysis with a pre-established set of scales and acceptability guidelines ensures a smoother process and better communication among the risk-team members.
This new standard is based on the risk-management methods in ISO 14971 and requires four main risk-management activities: analyze, evaluate, control and re-analyze. However, 80001-1 goes beyond ISO 14971 in that it shows how the risk-management process fits into the lifecycle of a shared network.
Engage other collaborators
Connecting and working with the medical device manufacturers as well as the non-medical device manufacturers (e.g., server manufacturers, manufacturers and installers of network infrastructure) is vital to the implementation of the standard. Medical IT networks are complex, living super-systems of medical devices and IT equipment. While risk must be shared and ultimately controlled by those who own and maintain the network, it's important to ensure that information flows appropriately among the hospital, the medical device manufacturer and other IT providers so that a thorough risk analysis can be completed.
Take small steps: 80001-1 is currently voluntary
It took years to develop the standard, which could be considered phase one. Now we're moving into phase two, which is early implementation. This is where the standard will be put to the test; 80001-1 can be applied in small steps. Choose a new project, a new portion of the network or a small list of hazards to consider in a network. Hazards can include lost connectivity, incorrect data or a security issue such as unauthorized access. You could also start with a small list of faults. What are the top three or four things that could go wrong? These might be network hardware failures, misconfiguration or the timing of network maintenance. Or ask yourself if the network design is capable of managing the load of devices that you are expecting it to manage.
Also, many of the concepts in 80001-1 may already be implemented in your organization but may not be formalized or documented. Early efforts in compliance can be simply taking credit for things you already do.
Karen Delvecchio is a lead systems designer at GE Healthcare.