Help for incorporating medical devices into IT networks
New guidance shows how the risk-management process fits into the lifecycle of a shared network.
By Karen Delvecchio
In the last decade, healthcare technologies have become increasingly interconnected and co-dependent. IT networks are supporting medical devices that have historically been segregated, and general IT networks, the backbone of a technology infrastructure, are no longer islands on their own.
In 2005, the FDA encouraged the standards community to help address this looming issue. The International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) responded by forming a joint working group called JWG7. After years of work and analysis, the working group released a new standard called “IEC 80001-1: Application of risk management for IT networks incorporating medical devices.”
Released late last year, the new IEC 80001-1 standard is designed to help the healthcare industry minimize risks and facilitate efficiency, patient safety and network security. The standard defines a framework for applying the risk-management process when incorporating medical devices into shared enterprise IT networks.
Karen Delvecchio is a lead systems designer at GE Healthcare.
For more information on GE Healthcare solutions: www.rsleads.com/106ht-202
Below are four key recommendations for hospitals to strengthen their risk-management processes.
Educate yourself and your internal teams
Because IEC 80001-1 is designed to clearly define the positions, functions and activities needed for incorporating medical devices into IT networks, several hospital departments – including clinical engineering, IT, clinical staff and risk management – must understand the standard and each role, both to aid in the adoption of new technologies and guidelines and to facilitate incorporation into existing risk-management practices.
Establish risk management
Risk assessment involves considering all accidents or failures that may occur that are related to operating medical devices on a network, as well as analyzing probable consequences if such events should occur. Performing this analysis with a pre-established set of scales and acceptability guidelines ensures a smoother process and better communications among the risk-team members.
This new standard is based on the risk-management methods in ISO 14971 and requires four main risk-management activities: analyze, evaluate, control and re-analyze. However, 80001-1 goes beyond ISO 14971 in that it shows how the risk-management process fits into the lifecycle of a shared network.
Engage other collaborators
Connecting and working with the medical device manufacturers as well as the non-medical device manufacturers (e.g., server manufacturers, manufacturers and installers of network infrastructure) is vital to the implementation of the standard. Medical IT networks are complex, living super-systems of medical devices and IT equipment. While risk must be shared and ultimately controlled by those who own and maintain the network, it’s important to ensure that there is appropriate information flow between the hospital, medical device manufacturer and other IT providers so that a thorough risk analysis can be completed.
Take small steps: 80001-1 is currently voluntary
It took years to develop the standard, which could be considered phase one. Now we’re moving into phase two, which is early implementation. This is where the standard will be put to the test; 80001-1 can be applied in small steps. Choose a new project, a new portion of the network or a small list of hazards to consider in a network. Hazards can include lost connectivity, incorrect data or a security issue such as unauthorized access. You could also start with a small list of faults. What are the top three or four things that could go wrong? Maybe network hardware failures, misconfiguration or timing of network maintenance. Or ask yourself if the network design is capable of managing the load of devices that you are expecting it to manage.
Also, many of the concepts in 80001-1 may already be implemented in your organization but may not be formalized or documented. Early efforts in compliance can be as simple as taking credit for things you already do.
HMT HEALTH MANAGEMENT TECHNOLOGY, June 2011, www.healthmgttech.com