Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton
June 27, 2010
IEC-80001-1: The application of risk management to IT-networks incorporating medical devices
What the clinical engineer needs to know?
Act 1: Starting with 80001
Mankovich, et al. AAMI ~ Tampa Florida ~ 2010.06.27
Starting with IEC80001
Prologue: Where are we? What do we need to do?
Q: “Is there really a problem with medical devices being integrated into general I.T. networks?”
A: “Oh, yes!!!”
JWG7 to Brian Fitzgerald (FDA) 2007.01:
FDA Testimony to ONC 2010.02.25:
Nevertheless, certain HIT vendors have voluntarily registered and listed their software devices with the FDA, and some have provided submissions for premarket review. Additionally, patients, clinicians, and user facilities have voluntarily reported HIT-related adverse events. In the past two years, we have received 260 reports of HIT-related malfunctions with the potential for patient harm – including 44 reported injuries and 6 reported deaths. Because these reports are purely voluntary, they may represent only the tip of the iceberg in terms of the HIT-related problems that exist.
(Dr. Jeffrey Shuren, Director FDA/CDRH to ONC HIT Policy Committee Adoption/Certification Workgroup, 2010.02.25)
Is 80001 ever going to become a reality?
IEC80001-1 publication is expected in Nov, 2010.
Essential Technical Report guidance will be available in Q2, 2011: Security, wireless, step-by-step & HDO guidance documents.
Now is the time to get started with 80001 pilot projects!
Starting with IEC80001
ACT 1: From Problem to Plan
The first meeting – PROBLEMS!
Context: The meeting is set up by the Head of Biomedical Engineering (BME “Rick”) who notes:
• Our equipment has moved to a network-connected IT base.
• We have confusion about how we manage risk associated with that technology. Involved are: Caregiver, BME, IT, vendors.
• We have had problems – remember the 4th Floor NICU “near miss”.
• We have been struggling with IT – we can’t seem “to just get along” on this issue. They want security but seem blind to safety. We seem to them to be currying to the doctors with no concern for security.
• Vendors are not cooperating with our needs for information relating to security risk.
• We need a way forward…
The first meeting – possibility in 80001-1
There is a new standard that may help.
It is high-level enough that I think I can shape it to our needs.
If we don’t find some way to do this, someone is going to be hurt.
Application of Risk Management for IT-networks Incorporating Medical Devices
Recognizes joint responsibilities: BME, IT, vendors (really makes our bosses responsible!).
Provides a way to work together through some high level processes (IT and BME and eventually with our vendors).
Requires the vendors to provide risk-relevant information about their products (IT should like that w/r to security).
Provides a means to reach agreement on risk responsibility.
Downside: it creates new work for us in explicitly managing the risks of connecting our devices on a network. Someone will have to become the “IT-Network Risk Manager”.
The first meeting – move forward?
BME Proposal:
• I would like to work with IT to see if we can come up with a plan to try out IEC80001-1 on our new network project in 3 West. I can’t do this without the participation of IT.
• Since it focuses on the IT-network, I think we can run that simple 2-device project through the 80001 processes to see if we can use it more broadly.
• We can learn from this small application what is and is not possible.
COO: WHAT WILL IT COST?
• That is tough to answer. I think we should start with a commitment to put in 8-12 hours to come up with a first proposal to you two.
• Give me Susan (IT Security Specialist) and I think we can work over the next few weeks and get you a proposal in 1 month.
CIO: OK, BUT REMEMBER:
• I have no budget this year for this!
Building the proposal – 1st meeting
• Context: Karen (IT) is assigned and Rick (BME) has called a meeting to plan for the plan.
• Karen: What did you get me into? I have to start working on the 3-West network requirements - I have a lot to do.
• Rick: We have really been struggling with these IT safety and security issues. I think we can do better and all look like heroes.
This 80001 standard lets us work together to bring the vendors to better serve our needs.
Here is a summary of 80001-1…
IEC 80001
80001-1 Key Aspects
Federated Risk Management Model … All stakeholders are included:
• Care Provider Top Management & Staff
• Medical Device Manufacturers
• Other Information Technology Vendors
Responsibilities defined for each stakeholder
Detailed tasks defined for each process
Required documents defined
80001 Roles & Responsibilities
Stakeholder partnerships:
Healthcare Provider / Responsible Organization
Medical Device Manufacturers
I.T. Technology Vendors
3rd Party Integrators
Risk Management Experts
…
… shared vision & mission!
80001 Roles & Responsibilities
Responsible Organization …
Overall responsibility for Risk Management stays within the RO!
Owner of the Risk Management Process, incl.:
• Planning
• Design
• Installation
• Device Connection
• Configuration
• …
RO – Top Management
Policies for…
Risk Management Process
Risk Acceptability Criteria
Organizational Mission &
Balancing between three KEY PROPERTIES
RO – Top Management
Resource Management for…
Allocation to perform processes
Qualified Personnel to perform activities
Assignment of Medical IT-Network Risk Manager & Supporting Teams
Responsibility Agreement Enforcement
RO – Top Management
Process Management to…
Establish a clear connection with other RO activities
Ensure Suitability & Effectiveness of Policies & Processes
Periodic Review of Process Results
80001 Roles & Responsibilities
Medical-IT Network Risk Manager …
Overall RM Process
Reporting to Top Management
Managing Communications – Internal & External
Design, Maintenance & Performance of RM Process
Individual – not a Team!
80001 Roles & Responsibilities
Medical Device Manufacturer …
Provide Accompanying Documents to support RO RM Process
• Intended Use of Connection
• Instructions for Safe & Effective Use
Additional information per Responsibility Agreement, incl. Residual Risk Disclosure necessary for RO RM.
80001 Roles & Responsibilities
IT Technology Providers …
Provide documentary information to RO:
• Technical Information
• Recommended Configurations
• …
Support RO RM process:
• Test strategies
• Test Acceptance Criteria
• Failure Mode Disclosure
• Reliability Statistics
• Safety Cases
• …
80001 Activities Life Cycle
Key elements …
Project Focus
Change Control / Management
Change Permits
Configuration management
Event management
…
… to balance the key properties
Focus on Network Change Management
Emphasis has moved from a relatively simple overlay of a risk management process onto an IT-network to a more complex change-release management process that includes risk management as its core patient-safety mechanism.
Aligned with ISO 20000 – a standard for IT service management.
Risk Management Life Cycle Process
Some definitions…
(graphic from IEC 80001-1 CDV)
Supporting Documentation
80001-1 defines key documentation:
RO Policies & Procedures
Medical-IT Network Risk Management File
Responsibility Agreements
Accompanying Documents / Manufacturer Residual Risk Disclosure
Supporting Documentation
Medical IT-Network Risk Management File
For each identified hazard, traceability to:
Risk Analysis
Risk Evaluation
Risk Control Measures Implementation & Verification
Residual Risk Assessment Acceptability & Approval
…
Supporting Documentation
Responsibility Agreement (contract)
MDM Residual Risk Documentation
Intended Use of MD (on IT-Network)
Required Performance / Configuration
…
Summary of info from MDM for Responsible Org. to perform its risk management process!
Building the proposal – 1st meeting
Karen: It sounds overly complicated – why can’t we just give the technical requirements and refuse to buy equipment that does not satisfy them?
Rick: Sigh…
Karen: OK, the boss says to do it, what do we do?
Rick: OK, so we have 1 month. Here is how we might organize:
• Each of us read 80001-1 and any guidance information we can find.
• From BME, I will focus on the HDO and Step-by-Step Guidance
• Karen will focus on the Wireless and Security Guidance
• Let’s convene in 3 days to decide on steps. Likely we should meet every other day to keep this moving.
Building the proposal – 2nd meeting
• Karen: This seems awfully complex but it does fit our service delivery framework (based on ISO 20000).
• Rick: OK. Well, we have to be clear to the C’s what we need to do. Remember, we are writing a proposal sufficient to scope the work and provide some idea of the resources required.
• Looking at 80001, here are some areas we need to hit:
• Our getting a basic understanding of the fundamentals: harm, hazard, hazardous situations, risk, risk control measures, etc.
• Get top management to understand and accept responsibilities
• Create policy/procedure for Risk Management that includes definition of probability and severity of Harm, risk acceptability scales, etc.
• Start with the basic WHAT and find some HOW examples (80001 Technical Reports).
• Creation of a basic Responsibility Agreement.
• Identifying the goal and players/roles in our pilot project.
Proposing – elements
1. Team to write IT-Network Risk Management process – 1 month, 3 people. Focus on the “What” of IT-network Risk Management.
a) Make practical by reviewing Step-by-step and Guide to HDO Technical Reports*
b) Approval by CIO/COO and Executive Management
2. Engagement with vendors – 1 month, BME/IT
a) Legal to take first pass at Responsibility Agreement
b) Vendor briefing – what can they offer?
3. Alignment with IT processes - 2 weeks, IT
a) Cross-reference from 80001 into existing processes
b) Where IT is missing processes, create new ones or insert as possible into overall new IT-Network Risk Management process
* IEC80001 Technical Report: Step-by-step with Examples and Technical Report: HDO Implementation Guidance currently in draft, not yet available.
Proposing – elements (cont’d)
4. Description of startup – Document all done.
a) Appoint IT Risk Manager for this Network.
b) Form Project Risk Team (BME, IT, Caregiver,…)
c) Brief Team based on step-by-step and that this is a “learning initiative”
d) Brief the vendors (MDM and IT) on their roles
e) Following step-by-step – 10 steps
f) If we are missing elements, grow them over time. First project can proceed w initial Risk Assessment and first mitigations.
5. Document and present residual risks to Management (CIO/COO).
6. Go-live - connect the devices, test, operate.
7. Review process and improve.
8. Decide go/no go on future use of 80001.
9. Fill in missing policy and procedural elements to keep this IT-network compliant.
Proposing – C’s respond
COO: So, this looks like it will require > ½ man-year. Why are we doing this again?
Standard points of resistance:
• We don’t know how to do this kind of risk management.
• We don’t have time or staff.
• How will we pay for this?
• This seems only an attempt to shift risk from device/IT vendors to us.
• This just does not fit our existing organizational structure.
Why bother?
• Permits planning before acting
• Encourages communication and transparency of risk
• Produces evidence of due diligence
• “First do no harm…”
Proposing – getting the “go ahead”
COO and CIO: You can do it on this one project.
Prepare a presentation for the Top Management
• Verify they support policies, resources, risk management
Finalize your project plan
• Identify resources required
• Meet w department heads and review plan
• Work out a status reporting structure
Start the project!
How to get started with 80001 project?
1. Assemble Risk Management Policy team
• Keep it very simple and WHAT must be done.
• Write simple step guidance in parallel.
2. Use experience from Risk Management Policy to draft Responsibility Agreement.
3. Talk to your vendors (IT and Medical Device)
• What risk information can/will they provide?
• What risk discussions can they support?
• What do they think of Responsibility agreement?
How to get started with 80001 project?
4. Decide on the system under analysis (start simple)
• Choose a network or segment for 80001 risk management
• Define clinical workflow
5. Select a multidisciplinary team with a clear leader:
• Medical IT Network Risk Manager (clear leader)
• Network specialist
• Biomedical engineer
• Clinical representative (Liaison for hospital risk management team)
How to get started with 80001 project?
6. Follow the basic RISK MANAGEMENT template provided with IEC80001 Technical Report
Keep it simple, practical, and doable. (Beware: It is very easy to go too deep too early – enthusiastic teams often write “movie scripts”.)
• Identification of Hazards
• Analyze risk
• Evaluate risk
• Control risk
• Residual risk sign-off (go-live decision)
Closing thoughts
• Get started now with pilot projects … but keep it simple.
• Risk Managing the entire IT-network will take years – look for short term gains with progress toward long-term success.
• Always keep the healthcare mission in mind. An unplugged machine can be very safe & secure but not help your patients!
• Be ready for challenging conversations with team members, vendors, IT component suppliers etc. Keep it cool – we all want to do the right thing.
• Balance, balance, balance …