New guidance shows how the risk-management process fits into the lifecycle of a shared network.
In the last decade, healthcare technologies have become increasingly interconnected and co-dependent. IT networks are supporting medical devices that have historically been segregated, and general IT networks, the backbone of a technology infrastructure, are no longer islands on their own.
While the ever-increasing capability and availability of communications technology has enabled this shift, the underlying drivers of the trend are more fundamental and important. Clinicians, patients and payers are all interested in more capable and connected systems that can drive better care and outcomes. IT, biomedical engineering and other “operational” departments within healthcare institutions are interested in achieving efficiencies by leveraging their investments in enterprise IT infrastructure. Finally, medical device manufacturers, IT equipment vendors, other software and application developers, and communications service providers all seek to offer more capable, innovative and competitive solutions by leveraging and interoperating with each other's devices, applications, services and other technologies.
But with all these benefits also come new risks that need to be managed in a new way.
In 2005, the FDA encouraged the standards community to help address this looming issue. The International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) responded by forming a joint working group called JWG7. After years of work and analysis, the working group released a new standard called the “IEC 80001-1: Application of risk management for IT-networks incorporating medical devices.”
Released late last year, the new IEC 80001-1 standard is designed to help the healthcare industry minimize risks and facilitate efficiency, patient safety and network security. The standard defines a framework for applying the risk-management process when incorporating medical devices into shared enterprise IT networks.
Below are four key recommendations for hospitals to strengthen their risk-management processes.
- Educate yourself and your internal teams about the standard. Consider the standard an aid in strengthening your hospital's current risk-management processes. Understanding the provisions of the standard is the first step. Because IEC 80001-1 is designed to clearly define positions, functions and activities needed for incorporating medical devices into IT networks, several hospital departments — including clinical engineering, IT, clinical staff and risk management — must understand the standard and each role in order to aid in the adoption of new technologies and guidelines as well as facilitate incorporation into existing risk-management practices.
- Establish risk management. IEC 80001-1 encourages hospitals to establish a clear set of policies and procedures for risk management. Risk assessment involves considering all accidents or failures that may occur that are related to operating medical devices on a network, as well as analyzing probable consequences if such events should occur. Performing this analysis with a pre-established set of scales and acceptability guidelines ensures a smoother process and better communications among the risk-team members.
This new standard is based on the risk-management methods in ISO 14971 and requires four main risk-management activities: analyze, evaluate, control and re-analyze. However, 80001-1 goes beyond ISO 14971 in that it shows how the risk-management process fits into the lifecycle of a shared network.
- Engage other collaborators. Connecting and working with the medical device manufacturers as well as the non-medical device manufacturers (e.g. server manufacturers, manufacturers and installers of network infrastructure) is vital to the implementation of the standard. Medical IT networks are complex, living super-systems of medical devices and IT equipment. While risk must be shared and ultimately controlled by those who own and maintain the network, it's important to ensure that there is appropriate information flow between the hospital, medical device manufacturer and other IT providers such that thorough risk analysis can be completed.
- Take small steps. 80001-1 is currently a voluntary standard. It took years to develop the standard, which could be considered phase one. Now we're moving into phase two, which is early implementation. This is where the standard will be put to the test. All stakeholders (hospitals, medical device manufacturers and IT suppliers) will take time to manage their compliance efforts as we proceed. 80001-1 can be applied in small steps. Choose a new project, a new portion of the network or a small list of hazards to consider in a network. Hazards can include lost connectivity, incorrect data or a security failure such as unauthorized access. You could also start with a small list of faults. What are the top three or four things that could go wrong? Maybe network hardware failures, misconfiguration or timing of network maintenance. Or ask yourself if the network design is capable of managing the load of devices that you are expecting it to manage.
Also, many of the concepts in 80001-1 may already be implemented in your organization, but may not be formalized or documented. Early efforts in compliance can be simply taking credit for things you already do.
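The four activities described above (analyze, evaluate, control, re-analyze) run against a pre-established scale and acceptability guideline, applied to the short hazard list the article suggests starting with. This is an added illustration, not code from the standard, GE Healthcare or the author; the 1..5 scales, the threshold of 10, the hazards and the control measures are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Pre-established scales (assumed 1..5) and acceptability guideline (assumed):
# severity * probability of 10 or more is unacceptable and must be controlled.
UNACCEPTABLE = 10

@dataclass
class Hazard:
    name: str
    severity: int                 # 1 negligible .. 5 catastrophic
    probability: int              # 1 improbable .. 5 frequent
    controls: list = field(default_factory=list)
    def risk_index(self):
        return self.severity * self.probability

def analyze(hazards):
    """Analyze: estimate a risk index for every hazard on the same scale."""
    return {h.name: h.risk_index() for h in hazards}

def evaluate(hazards):
    """Evaluate: return the hazards that fail the acceptability guideline."""
    return [h for h in hazards if h.risk_index() >= UNACCEPTABLE]

def control(hazard, measure, new_probability):
    """Control: record the measure and its estimated effect on probability."""
    hazard.controls.append(measure)
    hazard.probability = new_probability

def run_cycle(hazards, plan):
    """Analyze, evaluate, apply planned controls, then re-analyze.
    plan maps hazard name -> (measure, probability after the measure).
    Returns (risk before, risk after, names still unacceptable)."""
    before = analyze(hazards)
    for h in evaluate(hazards):
        if h.name in plan:
            control(h, *plan[h.name])
    after = analyze(hazards)
    return before, after, [h.name for h in evaluate(hazards)]

# Constructed hazard list using the kinds of hazards the article names.
HAZARDS = [
    Hazard("lost connectivity", severity=4, probability=3),
    Hazard("incorrect data", severity=5, probability=2),
    Hazard("unauthorized access", severity=4, probability=3),
    Hazard("network maintenance timing", severity=3, probability=2),
]
PLAN = {   # constructed control plan; "incorrect data" is deliberately left uncontrolled
    "lost connectivity": ("redundant uplinks for the device VLAN", 1),
    "unauthorized access": ("segment device ports and require authentication", 2),
}
```

The residual list returned by `run_cycle(HAZARDS, PLAN)` is what the re-analyze step feeds back into the next iteration: any hazard still above the guideline needs either a further control or a documented acceptance decision.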
About the author
Karen Delvecchio is a lead systems designer at GE Healthcare. She is a member of the committee that drafted the 80001-1 standard and is an expert in risk management and assessment. Karen can be reached at Karen.Delvecchio@med.ge.com.
For more information on GE Healthcare: https://www2.gehealthcare.com/portal/site/usen/.