Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton June 27, 2010 IEC-80001-1 The application of risk management to IT-networks incorporating medical devices What the clinical engineer needs to know? Act 1: Starting with 80001


Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton

June 27, 2010

IEC-80001-1 The application of risk management to IT-networks incorporating medical devices

What the clinical engineer needs to know? Act 1: Starting with 80001


Mankovich, et al. AAMI ~ Tampa Florida ~ 2010.06.27

Starting with IEC80001

Prologue: Where are we? What do we need to do?

Q: “Is there really a problem with medical devices being integrated into general I.T. networks?”

A: “Oh, yes!!!”

JWG7 to Brian Fitzgerald (FDA) 2007.01:

FDA Testimony to ONC 2010.02.25: Nevertheless, certain HIT vendors have voluntarily registered and listed their software devices with the FDA, and some have provided submissions for premarket review. Additionally, patients, clinicians, and user facilities have voluntarily reported HIT-related adverse events. In the past two years, we have received 260 reports of HIT-related malfunctions with the potential for patient harm – including 44 reported injuries and 6 reported deaths. Because these reports are purely voluntary, they may represent only the tip of the iceberg in terms of the HIT-related problems that exist.

(Dr. Jeffrey Shuren, Director FDA/CDRH to ONC HIT Policy Committee Adoption/Certification Workgroup, 2010.02.25)


Is 80001 ever going to become a reality?

IEC80001-1 publication is expected in Nov, 2010. Essential Technical Report guidance will be available in Q2, 2011:

• Security, wireless, step-by-step & HDO guidance documents

Now is the time to get started with 80001 pilot projects!


Starting with IEC80001

ACT 1: From Problem to Plan


The first meeting – PROBLEMS!

Context: The meeting is set up by the Head of Biomedical Engineering (BME “Rick”) who notes:

• Our equipment has moved to a network-connected IT base.

• We have confusion about how we manage risk associated with that technology. Involved are: Caregiver, BME, IT, vendors.

• We have had problems – remember the 4th Floor NICU “near miss”.

• We have been struggling with IT – we can’t seem “to just get along” on this issue. They want security but seem blind to safety. We seem to them to be currying to the doctors with no concern for security.

• Vendors are not cooperating with our needs for information relating to security risk.

We need a way forward…


The first meeting – possibility in 80001-1

There is a new standard that may help. It is high-level enough that I think I can shape it to our needs. If we don’t find some way to do this, someone is going to be hurt.

Application of Risk Management for IT-networks Incorporating Medical Devices

Recognizes joint responsibilities: BME, IT, vendors (really makes our bosses responsible!).

Provides a way to work together through some high level processes (IT and BME and eventually with our vendors).

Requires the vendors to provide risk-relevant information about their products (IT should like that w/r to security).

Provides a means to reach agreement on risk responsibility.

Downside: it creates new work for us in explicitly managing the risks of connecting our devices on a network. Someone will have to become the “IT-Network Risk Manager”.


Starting with IEC80001

ACT 1: From Problem to Plan


The first meeting – move forward?

BME Proposal:

• I would like to work with IT to see if we can come up with a plan to try out IEC80001-1 on our new network project in 3 West. I can’t do this without the participation of IT.

• Since it focuses on the IT-network, I think we can run that simple 2-device project through the 80001 processes to see if we can use it more broadly.

• We can learn from this small application what is and is not possible.

COO: WHAT WILL IT COST?

• That is tough to answer. I think we should start with a commitment to put in 8-12 hours to come up with a first proposal to you two.

• Give me Susan (IT Security Specialist) and I think we can work over the next few weeks and get you a proposal in 1 month.

CIO: OK, BUT REMEMBER:

• I have no budget this year for this!


Building the proposal – 1st meeting

• Context: Karen (IT) is assigned and Rick (BME) has called a meeting to plan for the plan.

• Karen: What did you get me into? I have to start working on the 3-West network requirements - I have a lot to do.

• Rick: We have really been struggling with these IT safety and security issues. I think we can do better and all look like heroes.

This 80001 standard lets us work together to bring the vendors to better serve our needs.

Here is a summary of 80001-1…


IEC 80001


80001-1 Key Aspects

Federated Risk Management Model … All stakeholders are included:

• Care Provider Top Management & Staff

• Medical Device Manufacturers

• Other Information Technology Vendors

Responsibilities defined for each stakeholder

Detailed tasks defined for each process

Required documents defined


80001 Roles & Responsibilities

Stakeholder partnerships:

Healthcare Provider / Responsible Organization

Medical Device Manufacturers

I.T. Technology Vendors

3rd Party Integrators

Risk Management Experts

…

… shared vision & mission!


80001 Roles & Responsibilities

Responsible Organization …

Overall responsibility for Risk Management stays within the RO!

Owner of the Risk Management Process, incl.:

• Planning

• Design

• Installation

• Device Connection

• Configuration

• …


RO – Top Management

Policies for…

• Risk Management Process

• Risk Acceptability Criteria

• Organizational Mission &

Balancing between three KEY PROPERTIES


RO – Top Management

Resource Management for…

Allocation to perform processes

Qualified Personnel to perform activities

Assignment of Medical IT-Network Risk Manager & Supporting Teams

Responsibility Agreement Enforcement


RO – Top Management

Process Management to…

Establish a clear connection with other RO activities

Ensure Suitability & Effectiveness of Policies & Processes

Periodic Review of Process Results


80001 Roles & Responsibilities

Medical-IT Network Risk Manager …

• Overall RM Process

• Reporting to Top Management

• Managing Communications – Internal & External

• Design, Maintenance & Performance of RM Process

Individual – not a Team!


80001 Roles & Responsibilities

Medical Device Manufacturer …

Provide Accompanying Documents to support RO RM Process

• Intended Use of Connection

• Instructions for Safe & Effective Use

Additional information per Responsibility Agreement, incl. Residual Risk Disclosure necessary for RO RM.


80001 Roles & Responsibilities

IT Technology Providers …

Provide documentary information to RO:

• Technical Information

• Recommended Configurations

• …

Support RO RM process:

• Test strategies

• Test Acceptance Criteria

• Failure Mode Disclosure

• Reliability Statistics

• Safety Cases

• …


80001 Activities Life Cycle

Key elements …

Project Focus

Change Control / Management

Change Permits

Configuration management

Event management

… to balance the key properties


Focus on Network Change Management

Emphasis has moved from a relatively simple overlay of a risk management process onto an IT-network to a more complex change-release management process that includes risk management as its core patient-safety mechanism.

Aligned with ISO 20000 – a standard for IT service management.


Risk Management Life Cycle Process

Some definitions…


(graphic from IEC 80001-1 CDV)

Supporting Documentation

80001-1 defines key documentation:

• RO Policies & Procedures

• Medical-IT Network Risk Management File

• Responsibility Agreements

• Accompanying Documents / Manufacturer Residual Risk Disclosure


Medical IT-Network Risk Management File

For each identified hazard, traceability to:

Risk Analysis

Risk Evaluation

Risk Control Measures Implementation & Verification

Residual Risk Assessment Acceptability & Approval

Supporting Documentation


Responsibility Agreement (contract)

MDM Residual Risk Documentation

Intended Use of MD (on IT-Network)

Required Performance / Configuration

Summary of info from MDM for Responsible Org. to perform its risk management process!

Supporting Documentation


Building the proposal – 1st meeting

Karen: It sounds overly complicated – why can’t we just give the technical requirements and refuse to buy equipment that does not satisfy them?

Rick: Sigh…

Karen: OK, the boss says to do it, what do we do?

Rick: OK, so we have 1 month. Here is how we might organize:

• Each of us read 80001-1 and any guidance information we can find.

• From BME, I will focus on the HDO and Step-by-Step Guidance

• Karen will focus on the Wireless and Security Guidance

• Let’s convene in 3 days to decide on steps. Likely we should meet every other day to keep this moving.


Building the proposal – 2nd meeting

• Karen: This seems awfully complex but it does fit our service delivery framework (based on ISO 20000).

• Rick: OK. Well, we have to be clear to the C’s what we need to do. Remember, we are writing a proposal sufficient to scope the work and provide some idea of the resources required.

• Looking at 80001, here are some areas we need to hit:

• Our getting a basic understanding of the fundamentals: harm, hazard, hazardous situations, risk, risk control measures, etc.

• Get top management to understand and accept responsibilities

• Create policy/procedure for Risk Management that includes definition of probability and severity of Harm, risk acceptability scales, etc.

• Start with the basic WHAT and find some HOW examples (80001 Technical Reports).

• Creation of a basic Responsibility Agreement.

• Identifying the goal and players/roles in our pilot project.


Starting with IEC80001

ACT 1: From Problem to Plan


Proposing – elements

1. Team to write IT-Network Risk Management process – 1 month, 3 people. Focus on the “What” of IT-network Risk Management.

a) Make practical by reviewing Step-by-step and Guide to HDO Technical Reports*

b) Approval by CIO/COO and Executive Management

2. Engagement with vendors – 1 month, BME/IT

a) Legal to take first pass at Responsibility Agreement

b) Vendor briefing – what can they offer?

3. Alignment with IT processes - 2 weeks, IT

a) Cross-reference from 80001 into existing processes

b) Where IT is missing processes, create new ones or insert as possible into overall new IT-Network Risk Management process

* IEC80001 Technical Report: Step-by-step with Examples and Technical Report: HDO Implementation Guidance currently in draft, not yet available.


Proposing – elements (cont’d)

4. Description of startup – Document all done.

a) Appoint IT Risk Manager for this Network.

b) Form Project Risk Team (BME, IT, Caregiver,…)

c) Brief Team based on step-by-step and that this is a “learning initiative”

d) Brief the vendors (MDM and IT) on their roles

e) Following step-by-step – 10 steps

f) If we are missing elements, grow them over time. First project can proceed w initial Risk Assessment and first mitigations.

5. Document and present residual risks to Management (CIO/COO).

6. Go-live - connect the devices, test, operate.

7. Review process and improve.

8. Decide go/no go on future use of 80001.

9. Fill in missing policy and procedural elements to keep this IT-network compliant.


Proposing – C’s respond

COO: So, this looks like it will require > ½ man-year. Why are we doing this again?

Standard points of resistance:

• We don’t know how to do this kind of risk management.

• We don’t have time or staff.

• How will we pay for this?

• This seems only an attempt to shift risk from device/IT vendors to us.

• This just does not fit our existing organizational structure.

Why bother?

• Permits planning before acting

• Encourages communication and transparency of risk

• Produces evidence of due diligence

• “First do no harm…”


Proposing – getting the “go ahead”

COO and CIO: You can do it on this one project.

• Prepare a presentation for the Top Management

• Verify they support policies, resources, risk management

• Finalize your project plan

• Identify resources required

• Meet w department heads and review plan

• Work out a status reporting structure

Start the project!


Starting with IEC80001

ACT 1: From Problem to Plan


How to get started with 80001 project?

1. Assemble Risk Management Policy team

• Keep it very simple and WHAT must be done.

• Write simple step guidance in parallel.

2. Use experience from Risk Management Policy to draft Responsibility Agreement.

3. Talk to your vendors (IT and Medical Device)

• What risk information can/will they provide?

• What risk discussions can they support?

• What do they think of Responsibility agreement?


How to get started with 80001 project?

4. Decide on the system under analysis (start simple)

• Choose a network or segment for 80001 risk management

• Define clinical workflow

5. Select a multidisciplinary team with a clear leader:

• Medical IT Network Risk Manager (clear leader)

• Network specialist

• Biomedical engineer

• Clinical representative (Liaison for hospital risk management team)



How to get started with 80001 project?

6. Follow the basic RISK MANAGEMENT template provided with IEC80001 Technical Report

Keep it simple, practical, and doable. (Beware: It is very easy to go too deep too early – enthusiastic teams often write “movie scripts”.)

• Identification of Hazards

• Analyze risk

• Evaluate risk

• Control risk

• Residual risk sign-off (go-live decision)


Closing thoughts

• Get started now with pilot projects … but keep it simple.

• Risk Managing the entire IT-network will take years – look for short term gains with progress toward long-term success.

• Always keep the healthcare mission in mind. An unplugged machine can be very safe & secure but not help your patients!

• Be ready for challenging conversations with team members, vendors, IT component suppliers etc. Keep it cool – we all want to do the right thing.

• Balance, balance, balance …
