As more and more medical devices are connected to hospital networks, the risks and challenges are increasing. Problems involving device interfaces, upgrades, and security measures are only some of the issues that can impact patient safety and hospital operations. The IEC 80001-1 standard is designed to help hospitals cope. What should you know about it?
The world of networked medical devices is changing. Historically, healthcare facilities have placed medical devices (e.g., physiologic monitoring systems) on their own vendor-supplied network(s). While some vendor-supplied networks may still be appropriate in certain situations, healthcare facilities are more frequently placing medical devices on the hospital IT network. This means that an ever-increasing amount of medical data can be delivered to electronic medical records and exchanged between different information systems that reside on the hospital network.
As medical devices are added to the hospital network, numerous issues become much more challenging such as reliability and security. For example, a medical device manufacturer can predict the performance of its stand-alone network. But this becomes impractical once devices are placed on a hospital’s IT network. Consequently, the healthcare facility must share responsibility with the medical device supplier for ensuring effective and reliable operation of the medical system.
Hospitals need guidance to understand, manage, and control the risks involved with incorporating medical devices on the hospital IT network. The ANSI/AAMI/IEC 80001-1:2010 standard, commonly referred to as IEC (International Electrotechnical Commission) 80001-1, was designed as a first step toward addressing these issues. Three technical reports to supplement the standard are in development. The reports will focus on detailed risk management processes for medical IT-networks, security, and wireless networks.
Here are answers to 5 vital questions about this standard.
What is IEC 80001-1?
IEC 80001-1 is an international standard that was developed by the ISO/TC 215-IEC/SC 62A Joint Working Group (JWG) 7 and ratified in 2010. It is entitled Application of Risk Management for IT Networks Incorporating Medical Devices-Part 1: Roles, Responsibilities and Activities.
The standard focuses on the high-level actions that a healthcare facility should undertake when connecting medical devices to the hospital IT network. It aims to preserve and balance the following key properties of such an incorporated network:
ο Data and system security
IEC 80001-1 applies to wired or wireless networks that include at least one medical device; it refers to these as “medical IT-networks.”
Why is IEC 80001-1 needed?
There are many benefits to be gained from using hospital IT networks, including an increased exchange of data, less overall networking equipment, and potentially streamlined work processes. But this development also introduces new risks, such as unexpected device performance or communication failures. These risks can stem from an inherent limitation or error within any of the networked devices, interfaces, or IT-based systems. They can also result from problems related to installation, or from operational activities such as software upgrades, cybersecurity efforts, or remote servicing of medical or IT system components. Any of these can result in operational inefficiencies, unauthorized access to information, or delayed, lost, or corrupted data. They can even pose a threat to patient safety.
IEC 80001-1 is designed to provide guidance and support for hospitals trying to manage the risks that can result from combining the highly regulated medical device arena with the constantly changing and dynamic IT environment. The standard can help establish the framework upon which to base a risk management approach to medical IT-networks.
How will the standard address the hazards described above?
IEC 80001-1 stipulates that a risk management process be carried out during the entire life cycle of the medical IT-network, from implementation to discontinuation. Such a process entails identifying, evaluating, and addressing possible risks. Before a medical device is connected to the medical IT-network or any change (e.g., upgrades, modifications) is made, the hospital needs to understand and mitigate any risks at this early stage. After the appropriate risk control measures have been taken, any residual risk is evaluated for its acceptability. Once a device has been connected to the network or a modification has been implemented, ongoing monitoring is required, including a formalized event management process to address any problems experienced.
What role do medical device manufacturers and IT vendors have within the standard?
The standard requires that medical device manufacturers provide documentation to healthcare facilities that will allow them to safely place the devices onto the medical IT-network. This documentation includes information such as the intended use of the medical device and the network, required characteristics and configurations of the network, technical specifications, and security requirements.
IT suppliers, including large network providers, application software vendors, and middleware vendors, are also required to support the hospital’s risk management efforts. They need to provide documentation such as recommended configurations, known incompatibilities or constraints, operational requirementss, and cybersecurity notices. As appropriate, they should also provide information such as test criteria and protocols, known possible failure modes, system reliability statistics, and other data relevant to the performance of the network.
Is IEC 80001-1 mandatory?
IEC 80001-1 is a voluntary standard. Compliance may be a major undertaking, requiring a thorough review of internal processes. , However, it is our belief that the standard will become a healthcare norm. Hospitals should seriously consider the philosophy and recommendations of IEC 80001-1 and apply whatever policies, procedures, or practices are needed to minimize risks inherent to medical IT networks to ensure patient safety.
Patient safety depends as much on the safe and secure exchange of medical information as it does on the safe performance of medical devices. Hospitals should start now to understand the risks involved in networking medical devices, identify all medical devices connected to an IT network, and determine whether they have the resources and processes to deal with the convergence of medical and IT technologies using today’s best practices. Change to processes and culture can be difficult, but the earlier these transformations occur, the better it is for everyone-including the hospital and the patient.
This article is based on a May 2010 guidance article published in ECRI Institute’s Health Devices journal, a component of membership in Health Devices System. To learn more, visit www.ecri.org/healthdevices or call (610) 825-6000, ext. 5891.