IEC 80001-1: Risk management in hospitals – how safe are you?

Are you sure that your critical infrastructure (CRITIS) is secure? The question is closely tied to IEC 80001-1, the standard that describes risk management for the operation of IT networks incorporating medical devices in critical infrastructures such as hospitals, over the entire life cycle of the network.

Hacker attacks, sabotage or operator errors when interconnecting medical devices and IT networks can all cause harm to people. That is why IEC 80001-1 specifies protection goals and defines roles. What are they? And who decides what? We have summarised it for you.

A case study from the VDE: in a large hospital, a ventilator was connected to the intensive care unit's patient data management system (PDMS) so that data could be transmitted easily. After an unspecified period of time the ventilator suddenly switched off, without any prior error message or alarm signal. What had happened?

The PDMS device driver repeated the same data request at regular intervals. Each request spawned a new process in the ventilator without the memory of the previous one being released. Over time the ventilator's memory was exhausted: the memory area essential for its operation was overwritten and the operating software crashed completely.

An error that can have fatal consequences. To avoid such cases, IEC 80001-1 defines objectives for protecting patients, users and third parties.

Source:

Position paper of the DGBMT (German Society for Biomedical Engineering) in the VDE (German Association for Electrical, Electronic & Information Technologies), November 2012.
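The failure mode in the case study, reduced to a small simulation (an added example, not code from the page, the VDE or BAYOOSOFT; the device internals, memory figures and request format are assumptions chosen for illustration). The leaky device mirrors the ventilator: every data request spawns a handler whose memory is never released, so a polling client exhausts the budget and the device fails with no alarm. The hardened variant releases memory with each request, caps the number of in-flight handlers well below the budget, and raises an alarm before the cap is reached instead of crashing silently, which is the behaviour a Med-IT risk manager would want to see before connecting such a device to the network.

```python
"""Constructed simulation of the ventilator/PDMS failure mode.

Added example, not from the original page or from any vendor. All
memory figures and the request protocol are assumptions for illustration.
"""
from dataclasses import dataclass, field


class DeviceCrashed(Exception):
    """Raised when the simulated device runs out of working memory."""


@dataclass
class LeakyDevice:
    """Models the ventilator in the case study: each data request spawns a
    handler whose memory is never released, even after the request is served."""
    memory_budget: int = 256          # assumed working memory, arbitrary units
    cost_per_handler: int = 16        # assumed memory per spawned handler
    handlers: dict = field(default_factory=dict)   # request id -> handler state
    alarms: list = field(default_factory=list)

    def open_request(self, rid: str) -> str:
        self.handlers[rid] = "running"
        used = len(self.handlers) * self.cost_per_handler
        if used > self.memory_budget:
            # Control-critical memory is overwritten: silent, total failure,
            # exactly the "no error message, no alarm" outcome of the case study.
            raise DeviceCrashed(f"out of memory after {len(self.handlers)} handlers")
        return rid

    def close_request(self, rid: str) -> None:
        # The defect under illustration: the handler is marked done but never freed.
        self.handlers[rid] = "done"


@dataclass
class BoundedDevice:
    """Hardened variant: memory is released when a request closes, in-flight
    handlers are capped well below the budget, and an alarm is raised while
    there is still headroom rather than failing silently."""
    memory_budget: int = 256
    cost_per_handler: int = 16
    max_in_flight: int = 8            # 8 * 16 = 128, half the assumed budget
    alarm_at: int = 6                 # warn before the cap is reached
    handlers: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def open_request(self, rid: str) -> str:
        if len(self.handlers) >= self.max_in_flight:
            # Fail closed for the data interface, keep ventilating, and say so.
            self.alarms.append(f"rejected {rid}: {len(self.handlers)} requests in flight")
            return "busy"
        self.handlers[rid] = "running"
        if len(self.handlers) >= self.alarm_at:
            self.alarms.append(f"high load: {len(self.handlers)} in flight")
        return rid

    def close_request(self, rid: str) -> None:
        self.handlers.pop(rid, None)  # memory is released with the request


def poll_like_pdms(device, polls: int, stall: bool = False) -> dict:
    """Drive a device the way the PDMS driver did: repeat one data request.
    With stall=True the client never closes its requests (a hung or buggy
    driver), which is the worst case for the device's resource handling."""
    served = rejected = 0
    crashed_at = None
    for i in range(1, polls + 1):
        rid = f"req-{i}"
        try:
            result = device.open_request(rid)
        except DeviceCrashed:
            crashed_at = i
            break
        if result == "busy":
            rejected += 1
            continue
        served += 1
        if not stall:
            device.close_request(rid)
    return {"served": served, "rejected": rejected,
            "crashed_at": crashed_at, "alarms": len(device.alarms)}


if __name__ == "__main__":
    print("leaky, well-behaved client:", poll_like_pdms(LeakyDevice(), 100))
    print("bounded, well-behaved client:", poll_like_pdms(BoundedDevice(), 1000))
    print("bounded, stalled client:", poll_like_pdms(BoundedDevice(), 20, stall=True))
```

With a polling client that closes every request, the leaky device still crashes on the 17th poll with zero alarms, because closing never frees anything; the bounded device serves a thousand polls without accumulating state. Against a stalled client the bounded device serves eight requests, rejects the rest with "busy" and logs alarms from the sixth request onward, so the operator is warned while the device is still working.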

What are the protection goals of the IEC 80001-1 standard?

IEC 80001-1 specifies three protection goals, which the standard calls key properties:

  • Safety for patients

  • Effectiveness

  • Data and system security

Like the risk management for IT networks incorporating medical devices, the protection goals apply across the entire life cycle. The three goals cannot be considered in isolation, because they are interdependent: a security control that blocks traffic can impair effectiveness, and a device that is unavailable or behaves unexpectedly can compromise patient safety.

So how do you ensure that no one compromises the IT system? How do you integrate a new medical device securely into the CRITIS network so that day-to-day operations in the hospital run effectively? To answer questions like these, and so to meet the protection goals, the standard specifies processes and defines responsibilities.

What processes does the standard mention? And who is responsible?

To achieve an acceptable level of safety for patients, users and third parties, IEC 80001-1 specifies requirements and processes and assigns them to responsible parties.

Responsible organisation

According to IEC 80001-1, the responsible organisation has overall responsibility for the risk management of the medical IT network. This covers the entire process, from planning, design and installation of medical devices through connection, configuration, safe use and maintenance to decommissioning. The responsible organisation thereby assumes the liability risk, as it is accountable for the proper operation of the devices.

Top management

As top management, you set policies, provide and coordinate resources (including appointing a Med-IT risk manager) and monitor the risk management process. Risk management follows a 10-point plan whose main topics are:

  • Risk analysis
  • Risk evaluation
  • Risk control
  • Residual risk evaluation and reporting

Med-IT risk manager

As the designated risk manager, you organise and implement the risk management process with a view to the defined protection goals. You report to top management, and internal and external communication (for example with the manufacturer) is also part of the role. Even if tasks such as carrying out the risk management process are delegated, the responsibility remains with the Med-IT risk manager.

Medical device manufacturer

What needs to be considered if the medical device is not used standalone but integrated into the IT network? Questions like these are answered by the medical device manufacturer. As the manufacturer, you must provide information about the product and its intended use, together with the requirements for integrating the device into the IT network of the CRITIS, such as technical specifications.

Good to know:

The responsible organisation is required by IEC 80001-1 to create and maintain a risk management file for the medical IT network. Information about the associated configuration management must also be included, either as a document or by reference.

Who decides what?

With responsibility, of course, comes decision-making power. We have shown above who holds which responsibilities under IEC 80001-1. Delegating tasks in order to fulfil the requirements does not, of course, remove responsibility. And this responsibility, for the overall process of compliance with risk management, lies with top management.

How can the goals of IEC 80001-1 be reached and processes fully documented?

Hospital operators must ensure that the medical IT network operates reliably and fail-safe, and must identify potential risks at an early stage. Risk management documentation that is always traceable and focuses on the dependencies between critical processes contributes significantly to patient safety. Software solutions built around traceable and complete documentation support this process.
