Risk management for medical IT networks

from Wikipedia, the free encyclopedia
Standard: DIN EN 80001-1
Area: Healthcare
Title: Application of risk management for IT networks containing medical devices - Part 1: Tasks, responsibilities and activities (IEC 80001-1:2010)
Latest edition: 2011-11

The standard "Application of risk management for IT networks that contain medical devices" (EN 80001-1:2011) is aimed primarily at the operators of medical IT networks (hospitals, nursing homes, medical practices, etc.). Like all other standards, it is not mandatory and serves only as a recommendation. Its recommendations should nevertheless be implemented in order to counter possible liability claims against the operator of the medical IT network (hospital operator, practice operator). Neither the implementation nor its documentation follows a prescribed form. Independent auditing is recommended.

There is currently no legal obligation in Germany to apply this risk management. Since the standard was published in 2011, no new regulation has become law. The General Data Protection Regulation (GDPR) changes nothing in this regard: it deals only with data protection and therefore covers data security and risk management only indirectly.

The standard is published in Germany as DIN standard DIN EN 80001-1. The international standard is IEC 80001-1:2010 "Application of risk management for IT networks incorporating medical devices".

Definitions

  • Risk management comprises all measures for the systematic identification, analysis, assessment, monitoring and control of risks.
  • Medical IT networks are IT networks in which at least one medical device is integrated. Medical devices are defined in the Medical Devices Act (MPG).
  • Medical devices are all instruments, apparatus, appliances, software, substances and preparations of substances or other articles, used alone or in combination, including the software intended by the manufacturer specifically for diagnostic or therapeutic purposes and necessary for the proper functioning of the medical device, which are intended by the manufacturer to be used on human beings, by means of their functions, for the purpose of
  1. the detection, prevention, monitoring, treatment or alleviation of diseases,
  2. the detection, monitoring, treatment, alleviation or compensation of injuries or disabilities,
  3. the investigation, replacement or modification of the anatomical structure or of a physiological process, or
  4. the control of conception,

and whose principal intended action in or on the human body is achieved neither by pharmacologically or immunologically acting agents nor by metabolism, but whose mode of action may be supported by such agents.

Internationally, the term medical device is defined in Directive 93/42/EEC on medical devices.

Need

IT networks are gradually becoming more and more important in hospitals, for example for the documentation of various treatments, for the storage and transmission of images and medical data. The use of such networks can improve the quality of treatment and increase patient safety.

Due to the diversity of medical devices, there are also different standards, norms and configurations for operating them. This can lead to disruptions and impairments of the medical IT network if, for example, new medical devices to be integrated have not been checked in advance for their suitability for that network.

In order to operate medical IT networks as free of failures as possible, a risk management system is required that detects possible network failures early and, when a fault occurs, determines how it can be eliminated as quickly as possible.

Recent IT incidents (2016: Locky, 2017: WannaCry), in which data in clinical IT networks was damaged to such an extent that important functions and networked medical devices were no longer sufficiently available, have made the importance of IT risk management clearer.

Responsibilities

Within the hospital, the IT department (information technology), medical technology, building services, the purchasing department and/or the risk manager are responsible for risk management. External partners are the medical device manufacturers and any service providers. This cooperation is regulated by a responsibility agreement (see DIN EN 80001-1:2011).

Overall responsibility for risk management lies with the hospital operator as the “responsible organization” named in the standard.

Protection goals according to standard EN 80001-1:2011

Protection goals are:

  • Safety: the safety of patients, users and third parties
  • Data and system security: the security of data and of data processing systems
  • Effectiveness: the effectiveness of various processes, for example a treatment measure or an information transfer

This is intended to minimize or completely exclude possible hazards.

The protection goal of safety is analyzed for situations that are hazardous for a medical device with regard to patient safety; for example, defective hardware or software of the medical device.

The protection goal of data and system security is analyzed for situations in which the security of data is at stake, such as the availability and confidentiality of that data. For example, this could concern patient data from the hospital information system (HIS), or damage caused by manipulation of the data, as can be caused by attackers.

The protection goal of effectiveness analyzes the results achieved with regard to the implementation of, for example, a health measure or clinical processes.

Measures for introducing risk management

According to the standard, the following measures in particular are essential for the introduction of risk management:

  • Definition of responsibilities
  • Appointment of a risk manager
  • Introduction of a risk management process

The risk management process must be carried out for all three of the above-mentioned protection goals.

Supplementary standards for risk management (IEC/TR 80001-2-1 to 80001-2-9)

  • Technical Report IEC/TR 80001-2-1:2012 - Step-by-step risk management of medical IT networks; practical applications and examples
  • Technical Report IEC/TR 80001-2-2:2012 - Guidance for the communication of medical device security needs, risks and controls
  • Technical Report IEC/TR 80001-2-3:2012 - Guidance for wireless networks
  • Technical Report IEC/TR 80001-2-4:2012 - General implementation guidance for healthcare delivery organizations
  • Technical Report IEC/TR 80001-2-5:2014 - Guidance for distributed alarm systems
  • Technical Report ISO/TR 80001-2-6:2014 - Guidance for responsibility agreements
  • Technical Report ISO/TR 80001-2-7:2015 - Guidance for healthcare delivery organizations (HDOs) on how to self-assess their conformance with IEC 80001-1
  • Technical Report IEC/TR 80001-2-8:2016 - Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2
  • Technical Report IEC/TR 80001-2-9:2017 - Guidance for use of security assurance cases to demonstrate confidence in Part 2-2 security capabilities

Important laws and accompanying standards

10-point plan

The risk analysis is carried out on the basis of the Technical Report TR 719 "Step by Step Risk Management of Medical IT Networks". This takes the form of a 10-point plan, which is divided into 5 sections:

  1. Capture risks
  2. Qualitative risk analysis
  3. Quantitative risk analysis
  4. Plan risk responses
  5. Monitor and control risks

Before starting the "10-point plan", it makes sense to carry out an as-is analysis of all networks and of all medical devices that can be connected to such a network. The DKG brochure recommends drawing up an inventory and a network plan of the networks. This inventory is an important tool for the risk manager and is stored in the risk management file.

Risk management file

The results of all analyses, together with the necessary documents, records, files, etc., are stored and managed in the risk management file. This is done by the risk manager, who is also obliged to report to the responsible management on all processes and changes.
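As an added illustration of the five sections of the 10-point plan and of what ends up in the risk management file, the following Python script maintains a small risk register for a medical IT network: it captures risks against the inventory, scores them qualitatively per protection goal, attaches a quantitative loss estimate, derives a planned response, and emits the register as it would be stored. This is example code written for this page, not the procedure of IEC 80001-1, TR 719 or the DKG brochure; the ordinal scales, the level thresholds, the response wording, the field names and the three sample devices with their figures are all assumptions constructed for the demonstration.

```python
# Added example: a minimal risk register for a medical IT network that walks
# through the five sections of the 10-point plan (capture, qualitative analysis,
# quantitative analysis, response planning, monitoring) and produces the content
# of a risk management file. Scales, thresholds, sample devices and figures are
# constructed for illustration; they are not taken from IEC 80001-1 or the DKG brochure.
from __future__ import annotations
from dataclasses import dataclass, asdict
import json

# The three protection goals of EN 80001-1:2011.
PROTECTION_GOALS = ("safety", "data_and_system_security", "effectiveness")

# Assumed five-step ordinal scales for the qualitative analysis.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}


@dataclass
class Risk:
    risk_id: str
    asset: str                     # networked device or IT component from the inventory
    goal: str                      # affected protection goal
    hazard: str                    # what can go wrong
    likelihood: str                # key of LIKELIHOOD
    severity: str                  # key of SEVERITY
    events_per_year: float = 0.0   # quantitative step: expected occurrences per year (assumed)
    loss_per_event: float = 0.0    # quantitative step: estimated loss per occurrence (assumed)
    control: str = ""              # planned risk response
    status: str = "open"           # monitoring: open / mitigated / accepted

    def __post_init__(self):
        # Section 1 (capture): reject entries that could not be analysed later.
        if self.goal not in PROTECTION_GOALS:
            raise ValueError(f"unknown protection goal: {self.goal}")
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"unknown likelihood/severity for {self.risk_id}")


def qualitative_score(risk: Risk) -> int:
    """Section 2: likelihood x severity on the ordinal scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * SEVERITY[risk.severity]


def qualitative_level(score: int) -> str:
    """Map a score to a level; the thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def annual_loss_expectancy(risk: Risk) -> float:
    """Section 3: expected loss per year = events per year x loss per event."""
    return risk.events_per_year * risk.loss_per_event


def plan_response(risk: Risk) -> str:
    """Section 4: choose a response class from the qualitative level."""
    level = qualitative_level(qualitative_score(risk))
    if level == "high":
        return "treat before go-live and escalate to the responsible organization"
    if level == "medium":
        return "treat with a scheduled control and re-assess"
    return "accept and monitor"


def build_risk_management_file(risks: list[Risk]) -> dict:
    """Sections 1-5 combined: the register as it would be stored in the risk management file."""
    entries = []
    for r in sorted(risks, key=qualitative_score, reverse=True):
        entry = asdict(r)
        entry["score"] = qualitative_score(r)
        entry["level"] = qualitative_level(entry["score"])
        entry["annual_loss_expectancy"] = annual_loss_expectancy(r)
        entry["response"] = plan_response(r)
        entries.append(entry)
    # Section 5 (monitor): the items the risk manager must report on to management.
    open_high = [e["risk_id"] for e in entries if e["level"] == "high" and e["status"] == "open"]
    return {"standard": "EN 80001-1:2011", "risks": entries, "open_high_risks": open_high}


# Constructed sample inventory entries; not real devices, incidents or figures.
SAMPLE_RISKS = [
    Risk("R-001", "hospital information system (HIS)", "data_and_system_security",
         "ransomware encrypts patient records on the file server", "likely", "critical",
         events_per_year=0.5, loss_per_event=200_000.0, control="offline backups, segmented network"),
    Risk("R-002", "infusion pump on ward VLAN", "safety",
         "switch failure drops alarm forwarding to the nurse station", "unlikely", "catastrophic",
         events_per_year=0.1, loss_per_event=50_000.0, control="redundant uplink, local audible alarm"),
    Risk("R-003", "PACS image transfer", "effectiveness",
         "congested link delays image delivery to the operating room", "possible", "minor",
         events_per_year=12.0, loss_per_event=500.0, control="QoS class for DICOM traffic"),
]

if __name__ == "__main__":
    print(json.dumps(build_risk_management_file(SAMPLE_RISKS), indent=2))
```

Running the script prints the register sorted by score, with the HIS ransomware entry classified as high and listed under open high risks; replacing the ordinal scales or thresholds with the ones an organization actually agrees in its responsibility agreement is the only change needed to adapt it.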

Legal regulation

According to a resolution of the Federal Joint Committee dated January 23, 2014, clinical risk management will soon become mandatory for hospitals. The resolution is based on Section 137 (1) Clause 3 No. 1 SGB V on the basic requirements for in-house quality management in hospitals approved under Section 108 SGB V, in the version dated June 21, 2005 (BAnz No. 242, p. 16 896).

Literature

DKG brochure: Application of risk management for IT networks that contain medical devices (DIN EN 80001-1:2011). 1st edition. Deutsche Krankenhaus Verlagsgesellschaft mbH, Düsseldorf 2011, ISBN 978-3-942734-19-6, p. 81.

References

  1. http://www.dkgev.de/dkg.php/cat/129/aid/8953/start/10/title/DKG-Broschuere_%E2%80%9EAnendung_des_Risikomanagements_fuer_IT_Netzwerke__die_Medizinprodukte_beinhalten_(DIN_EN_80001-1%E3A2011%) 9C .
  2. http://www.dkgev.de/dkg.php/cat/129/aid/8953/start/10/title/DKG-Broschuere_%E2%80%9EAnendung_des_Risikomanagements_fuer_IT-Netzwerke__die_Medizinprodukte_beinhalten_(DIN_EN_80001-1%E2A%9E) 80% 9C .
  3. http://www.dkgev.de/dkg.php/cat/129/aid/8953/start/10/title/DKG-Broschuere_%E2%80%9EAnendung_des_Risikomanagements_fuer_IT-Netzwerke__die_Medizinprodukte_beinhalten_(DIN_EN_80001-1%E2A%9E) 80% 9C .
  4. http://www.g-ba.de/downloads/39-261-1919/2014-01-23_KQM-RL_137-1d.pdf - PDF file of the Federal Joint Committee, accessed on March 25, 2014.
  5. https://www.g-ba.de - Website of the Federal Joint Committee, accessed on February 25, 2014.
  6. http://www.johner-institut.de/wissen/2014/gesundheitwesen/risikomanagement-in-krankenhaeusern