
Risk management for IT networks with the BAYOOSOFT Risk Manager

CRITIS-Crux at hospitals

Hospitals with at least 30,000 full-time inpatient treatment cases per year belong to the so-called critical infrastructures (BSI-CritisV Annex 5, table “Facility categories and threshold values”). They are therefore obliged to set up a contact point and must report IT security incidents (§ 8b (3) BSIG). To maintain the required security level and to establish the necessary processes and structures, organizational and technical measures must be taken at an early stage. No transition period is provided for these hospitals.

What does CRITIS mean?

“Critical infrastructures (CRITIS) are organizations and facilities of major importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruption to public safety or other dramatic consequences”.

According to the law, critical infrastructures include energy, information technology and telecommunications, transport and traffic, health, water, food, media and culture, government and administration, and finance and insurance.

Legal requirements for operators of critical infrastructures can be found in the law on the Federal Office for Information Security (BSIG). The law aims to improve the security of information technology systems in Germany. The sectors of state and administration as well as media and culture do not fall under the legal obligations.

[Source]

If a hospital is classified as a critical infrastructure for two years in a row, the operator is obliged to keep a record of the technical and organizational measures taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of the IT systems, components or processes. In addition to audits, certifications or similar proofs can also be considered.

A distinction must be made between two kinds of measures, which may also be combined:

  • measures that increase the reliability of critical IT components

  • replacement measures that maintain critical processes in the event of an IT infrastructure failure

As soon as it becomes critical

When selecting such measures, the Federal Office for Information Security explicitly recommends the use of existing standards and best practice recommendations in its guideline “Critical Infrastructure Protection: Hospital IT Risk Analysis”.

These include international standards as well as the technical standard IEC 80001-1 for the integration of medical devices in IT networks.

The standard IEC 80001-1 describes the state of the art with regard to risk management of IT networks and defines three protection goals:

  • Safety for patients and employees

  • Data and system security

  • Effectiveness (orderly and uninterrupted process flows)

The software module “Risk Management according to IEC 80001-1” of the BAYOOSOFT Risk Manager allows operators of critical infrastructures to fulfill exactly these regulatory requirements and to run risk management that takes the three protection goals into account over the entire life cycle of their IT networks.

Digression: ISO 27002

Another existing standard recommended by the BSI is ISO 27002 as a guideline for information security management. The guidelines contain principles and orientation aids for the initiation, implementation, operation and improvement of information security management within an organization.

A separate chapter is dedicated to the topic of access control. Access control means taking measures that give users controlled physical access (to premises) and/or logical access (to information). Rules and regulations are to be established to ensure that users only get the access they really need for their daily work (need-to-know principle). The allocation of passwords is also to be controlled by a formal management process.

The BAYOOSOFT ACCESS MANAGER can support you in implementing these requirements. The automated software solution for transparent and easy-to-understand permission and identity management improves information security while at the same time significantly reducing the operational effort in the IT department through self-service.

The process-oriented solution helps you to free yourself from the document jungle and lets the software do the documentation work as far as possible. In one central location you record all requirements to be covered, such as those placed on the manufacturers of medical devices and network components, make changes, and monitor the process.

The principle of risk analysis and action management, proven in ISO 14971 compliance, is carried over here to reduce the hazards that can arise from connecting medical devices to IT networks. The structured and field-tested user interface of the BAYOOSOFT Risk Manager supports you in the early detection of risks. The self-learning system dynamically links information in a fine-grained manner and avoids redundant data storage.

Structured risk management

The standard also describes the role of an IT risk manager, who collects the information, documents it in the form of a risk management file and, as the responsible person, reports to top management.

It is precisely here that specialists from IT, risk management and medical technology must work together and pool their respective competencies. Risk management for critical network structures focuses in particular on network reliability, data integrity and a strict assessment of risks. For the responsible risk managers this is often uncharted territory, and there is a danger of losing track of the information and the contact persons involved.

“Thanks to the BAYOOSOFT Risk Manager we were able to avoid the time-consuming manual workload. The software guides us through the process without errors, you can’t deviate, you can’t forget anything and you get a perfect result.”

Knut Lauter

Klinikum rechts der Isar of the Technical University of Munich

Success Story

The proven structure in BAYOOSOFT Risk Manager simplifies and professionalizes this work without compromising the security and proper documentation of IT networks. The software solution provides a fixed order for recording the individual IT components and manufacturers as well as for defining change authorizations and monitoring activities. All requirements for your medical IT networks, as well as for communication and monitoring, are systematically recorded and permanently linked in a traceable manner. Special attention is paid to ensuring the three protection goals of safety, effectiveness, and data and system security.

Summary

As operators of critical infrastructures, clinics incur high personnel and organizational expenses for setting up a contact point, establishing a reporting system for IT security incidents, maintaining an appropriate security level and providing the necessary evidence.

At this point, the BAYOOSOFT Risk Manager supports you as a process accelerator to meet the requirements of IEC 80001-1 in an efficient and accurate way – of course taking into account the protection goals of safety for patients and employees, data and system security as well as effectiveness.

Instead of investing time in the form, you can concentrate on the content.

Learn more about using BAYOOSOFT Risk Manager in critical infrastructures!

Register now for one of our open webinars or an individual product presentation.
