By K. Richard Douglas
Standards are a form of published or codified guidance. As such, they can be voluntary or based on enforceable regulations. Objective advice, solidly based on historical data or experience and evidence, is the best source for guidance. A standard then provides a goal, baseline or minimal acceptable level for proceeding.
You cannot have a standard until you set a standard. You cannot set a standard until you have evidence that provides guidance for that standard. The standard can be set unilaterally by a government agency, accreditation authority or standards-setting organization. The standard can also be developed with input from those in the field who are pledged to its precepts, when implemented.
This collaboration to develop standards draws on the expertise of professionals and non-professionals in every field of work. This collaborative effort, which is a frequent source of standards, seeks consensus from those with expertise in the field.
A perfect example of a source of standards is the International Organization for Standardization (ISO), which relies on “groups of experts that represent every sector imaginable from soaps to spacecraft, MP3 to coffee,” according to the group’s website. ISO depends on experts who work in the field and have first-hand experience, on a daily basis, in the sector in which they work. ISO also depends on consumers for feedback.
Risk-based standards, like ISO 9001, provide a quality management system with an eye on continual improvements. Underwriters Laboratories Inc. (UL) is another example of a developer of standards that come through consensus.
There is also a difference between standards and regulations. Regulations have the force of law behind them. Standards alone are voluntary. Regulations take precedence when considering both.
Health care requires its own standards and depends on several professional organizations and government agencies for those standards. To acquire and maintain accreditation, health care facilities have to meet, or exceed, certain standards. The Joint Commission (TJC) and Det Norske Veritas Germanischer Lloyd (DNV GL) are two examples of accrediting organizations. Health care facilities, which depend on government reimbursements for much of the care they provide, must maintain compliance with the Centers for Medicare and Medicaid Services (CMS) to continue to receive reimbursements.
In addition to TJC and DNV GL, there are approximately 15 other organizations that can accredit hospitals, many with “deeming” power for Medicare and Medicaid. The Joint Commission accredits more than 4,000 hospitals.
Also, the medical devices used to diagnose and treat patients are monitored by the FDA. The FDA regulates device manufacturers. At some point, there are standards that must be met and maintained around every corner.
Another source of guidance for health care facilities is the National Fire Protection Association’s NFPA 99, which is going through a revision process, with more than 200 revisions made to the code. The next edition will be available in 2021. The public-input stage ended in May.
For any imaging service professional or company that services medical imaging equipment, there is the NEMA/MITA 2 standard. MITA says that it developed this standard because “Until now, there have not been any QMS Standards developed specifically for servicing of medical imaging devices. MITA saw this as a critical gap that needed to be filled in order to protect patient safety and device integrity.”
In the health care environment, standards provide guidance for the safety and security of patients, staff and visitors.
FDA Standards Update
The FDA regulates more than 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide.
The FDA is considering whether further regulations are necessary as they apply to the servicing of medical devices, and in particular whether or not there is a compelling distinction between servicing by the OEM and servicing by a third party, along with any impact the results would have on the public.
There are several stakeholders who have provided the agency input into this exploratory discussion, with interested parties expressing their analysis and data to bolster their position on the matter. In its resulting response, the FDA has drawn the distinction between servicing and remanufacturing, to address data on clinical adverse events and deaths that have been reported pursuant to the discussion.
The agency has recognized that regulations can become over-burdensome when there is not a clear public safety hazard and when both OEM and third-party service providers appear to provide an effective outcome.
The agency also recognized the important role of third-party service providers to the efficacy of the U.S. health care system.
The January 2018 issue of TechNation states that the FDA “has the role of regulating the companies that design, manufacture, repackage, relabel and import medical devices through its Center for Devices and Radiological Health (CDRH).”
The FDA also is one of the watchdogs over the cybersecurity of medical devices along with the Department of Homeland Security (DHS), OEMs, end users and security experts.
“Since our May 2018 report to Congress, FDA Report on the Quality, Safety, and Effectiveness of Servicing of Medical Devices, the FDA issued the Medical Device Servicing Remanufacturing – White Paper, opened a Docket for public comments on it, and held the December 10-11, 2018 Public Workshop – Medical Device Servicing and Remanufacturing Activities,” says Deborah Kotz, press officer in the Office of Media Affairs/Office of External Affairs at the U.S. Food and Drug Administration.
“We also plan on issuing a servicer versus remanufacturer draft guidance sometime this year. It’s on CDRH’s A-list for issuance,” Kotz says (https://www.fda.gov/medical-devices/guidance-documents-medical-devices-and-radiation-emitting-products/cdrh-fiscal-year-2019-fy-2019-proposed-guidance-development).
For the agency’s latest efforts regarding cybersecurity, Alison Hunt, MPH, press officer in the Office of Media Affairs at the FDA, suggests these resources: October 2018 Commissioner Statement: Statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients.
The FDA provides guidance to medical device manufacturers and health care delivery organizations to help mitigate cybersecurity risks.
“Our cybersecurity page includes updates such as safety communications, final and draft guidances, Memorandums of Understanding, meetings/workshops, and other news: https://www.fda.gov/medical-devices/digital-health/cybersecurity,” Hunt says.
The statement, from FDA Commissioner Scott Gottlieb, M.D., last fall, outlines the agency’s steps to work with all stakeholders in a proactive approach to mitigating the cybersecurity threat in health care.
An excerpt from that statement shows the agency’s approach to dealing with the threat to medical devices.
“Our efforts have yielded tools to advance cybersecurity awareness and readiness. For example, we’ve supported the development of a tool to help health care delivery organizations (HDOs), such as hospitals, better respond to medical device cybersecurity incidents. Following recent cybersecurity attacks, the FDA recognized a need to close a gap in HDO readiness and response tactics to incidents or exploits affecting medical devices. Today, I’m pleased to announce that the MITRE Corporation, with support from the FDA, released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.”
The Joint Commission
The Joint Commission offers the publication: “2019 Environment of Care Essentials for Health Care” as an “easy-to-use compendium of environment of care (EC), emergency management (EM), and life safety (LS) standards and elements of performance for all health care settings” and a guide that can help prepare for a survey.
Today, The Joint Commission is looking at suicide prevention, sterilization and preventing needle sticks, along with evaluating the frequency and completeness of preventative maintenance programs or AEMs. Hospitals with deficiencies have been on the rise in recent years.
AAMI Update
AAMI offers a number of publications that cover the topic of standards. One of those standards is EQ56.
EQ56 has been around for a long time, but is in the midst of updates. The benchmarking guidelines for medical equipment management have set the standard for HTM departments for 20 years.
According to AAMI’s Patrick Bernat, director of HTM standards, the information below is from the approved New Work Item Proposal (NWIP) outlining anticipated updates to EQ56. Bernat says he expects the revision to be completed by year-end, although it’s difficult to say with certainty because it has to go through balloting, public comment, etcetera.
“The scope of the previous EQ56 did not include quality management principles or processes. Recently, the FDA report on device servicing recommended that service providers adopt quality management principles and systems. This NWIP is proposing to include these principles in the new standard’s scope, including an effort to align with concepts in ISO 20000,” Bernat says.
“Additionally, the EQ Committee conducted a gap analysis to identify other gaps that need to be addressed in an EQ56 revision. As a result of that exercise, the EQ Committee is also proposing to address the items below in a revision,” he says.
Bernat says there were six critical gaps in the existing EQ56 document that were identified as needing to be addressed. There are currently no requirements in EQ56 addressing these six items:
- Quality Management: Standardized quality management principles across the patient care continuum will allow for analysis and consistent delivery of quality services. Quality management includes service measurement, trending and reporting. Service measurement identifies, quantifies and collects information on how healthcare technology services are contributing to client requirements as well as measuring any trends and indicators of service risks, issues, and improvement opportunities. Service reporting documents strategic, performance and operational results including any developments related to achieving targets related to service level agreements (SLAs), availability, capacity, finance, etc. made to stakeholders and decision makers in a manner that facilitates action. The current EQ56 is silent on CAPA and a continuous improvement loop (e.g., Plan, Do, Check, Act).
- Service level management: Existing gaps include operational agreements developed to satisfy SLAs, and associated costs of services.
- Capacity Management: Identifying, planning and managing the resources required to meet client’s healthcare technology related requirements at agreed upon service levels. This includes capacity forecasting, planning, monitoring and performance analysis.
- Information security management: Identifying sensitive information (data) created by, transmitted and/or stored in healthcare technology and establishing policies, procedures and processes necessary to safeguard that information from compromises to data availability, integrity or confidentiality. This was identified by FDA and in public comments as being a gap in the current EQ56.
- Service Continuity and Availability Management: Identifying and managing risks that could adversely impact the ability to deliver a healthcare technology service over a period of time. The risk assessment process includes severity and probability of adverse impact.
- Change (Including Release and Deployment) Management: The current EQ56 does not include a change management process. The change management process prioritizes and documents all planned and requested changes (including to assets, policies, infrastructure, etcetera) and obtains approval from those clients/users — and others as appropriate — that may be affected before implementing any change. It is also a process used for controlled distribution of updates/changes to healthcare technology assets across the organization’s infrastructure in a manner that maintains agreed upon service levels.
Secondary Gaps
Bernat also points out that there are Secondary Gaps. “The following five issues are partially addressed in the existing EQ56. They have been identified as needing additional attention in the next version,” he says.
- Budgeting and accounting for services: Enhancement of the budgeting section is needed.
- Relationship management: The current document is limited to communications between HTM and service providers. It is recommended that the revision include clinical input in the discussions about the HTM program.
- Incident and service request management: The gap analysis identified a lack of management process for prioritizing service requests and reporting key performance indicators (KPIs) corresponding to the agreed upon service levels to the client and management.
- Problem management: The existing EQ56 does not include a process addressing the identification and resolution of the root cause of one or more healthcare technology related incidents.
- Configuration management: Although the current EQ56 addresses inventory, that section does not include a process to identify and define healthcare technology asset version, the relationships between different assets and services, configuration, connectivity and current status.
Bernat says that, in conclusion, the EQ Committee proposes incorporating the above items into a revision of EQ56.
Continued vigilance in maintaining and reviewing standards, and revisions to these standards, allows the biomed shop to operate in a safe and secure environment, while protecting patients, staff and visitors.