Oct . 2 nd 2012, San Francisco .
Openingthediscussion …• Why is it so important to manage Risk in health IT solutions?• How can we optimally protect the privacy and integrity of patients' records?• How can hospitals and medical device manufacturers benefit from latest safety standards?
Dipl.-Ing. Oliver P. Christ
CEO Prosystem AG / Prosystem USA LLC
Software Development, Verification, and Validation
On-Site Trainings and Workshops , Seminars
On-Site Trainings and Workshops , Seminars in the US
Source: Julian Goldman
American Institute of Medicine (IOM) Report, Published late 2011, 220 pages
How does Risk Management focus on Patients?The Intended Use of a medical device can be depicted using an idealized functional input/output diagram:
In an environment of 1,5 maround an (accommodated) Patient …
… increased requirements for Medical Electrical Equipment do apply including their connection to (medical) IT networks.
14.13. PEMS intended to be connected to an IT-Network
If the pems is intended to be incorporated into an it-network that is not validated by the pemsmanufacturer, the manufacturershall make available instructions for implementing such connection including the following:
a) the purpose of the pems’s connection to an it-network;
b) the required characteristics of the it-network incorporating the pems;
c) the required configuration of the it-network incorporating the pems;
d) the technical specifications of the network connection of the pems including security specifications;
and ESSENTIAL PERFORMANCE (see also Clause H.6 and IEC 80001-1:2010).
f) a list of the hazardous situations resulting from a failure of the it-network to provide the characteristics required to meet the purpose of the pems connection to the it-network.
Compliance is checked by inspection of the instructions.
In the accompanying documents the manufacturer shall instruct the responsible organisationthat:– connection of the pems to an it-network that includes other equipment could result in previously unidentified risks to patient, operators or third parties;– the responsible organisation should identify, analyze, evaluate and control these risks;– subsequent changes to the it-network could introduce new risks and require additional analysis; and– changes to the it-network include: • changes in the IT-network configuration;• connection of additional items to the it-network;• disconnecting items from the it-network;• update of equipment connected to the it-network; • upgrade of equipment connected to the it-network.
NOTE 3: IEC 80001-1 provides guidance for the RESPONSIBLE ORGANIZATION to address these risks.
Compliance is checked by inspection of the accompanying documents.
The Issues are
Data- & System Security
Medical Devices Manufacturer
Part 1: Roles, ResponsibilitiesandActivities
IEC 80001-XReferences to otherIT Standards / Spec
ISO/IEC 20000-1:2005IEC 62304:2006IEEE 11073-ffHL7, DICOM
Y = 1: Step-byStep RMY = 2: SecurityY = 3: WirelessY = 4: HDO Guidance
On July 19, 2012 threenew Technical Reports hasbeenpublished:
IEC 80001-2-1 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-1: Step by step risk management of medical IT-networks - Practical applications and examples IEC 80001-2-2 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controlsIEC 80001-2-3 TR Ed.1.0 - Application of risk management for IT-networks incorporating medical devices - Part 2-3: Guidance for wireless networks