Medical devices today are designed to share data with other devices and clinical information systems, making their integration into hospital IT networks crucial for effective clinical processes and patient safety. This digitalisation, however, introduces new risks such as technical failures, unauthorised access, compromised information, or deliberate attacks, any of which can threaten clinical effectiveness and patient safety. To address these threats, hospitals must establish specific IT risk management procedures for medical devices. Two standards provide guidance here: IEC 81001-5-1 addresses the security activities a manufacturer performs across the product lifecycle of health software, while IEC 80001-1 addresses the risk management a hospital, as the responsible organisation, applies to an IT network that incorporates medical devices. The latter standard, initially published in 2010 and updated in 2021, has also been adopted as a European standard and in various national standards. A recent study published in BMJ Health & Care Informatics focused on the development, verification and practicality of a catalogue of 49 measures and 18 indicators to help hospitals implement and evaluate risk management following IEC 80001-1.


Perceived complexity and lack of concrete measures for IEC 80001-1 implementation

Implementing IEC 80001-1 poses challenges due to its perceived complexity and lack of concrete implementation measures. While the 2021 version offers more detailed recommendations, practical implementation remains challenging. National standards often lag behind, and there's a lack of guidance on prioritizing requirements and evaluating outcomes. To address these issues, efforts have been made to provide clearer guidelines for implementation and evaluation. This study aims to develop a comprehensive catalogue of measures to aid hospitals in implementing and evaluating risk management according to IEC 80001-1, considering the specific challenges faced in German-speaking countries.


Three-step Delphi study, closed by a case study, to reach expert consensus

IT risk management draws from technical sciences, information sciences, and economics, utilizing both quantitative and qualitative research methods. To identify essential measures and indicators for implementing and evaluating risk management per IEC 80001-1, expert insights are crucial. A Delphi study, combining qualitative and quantitative methods, was chosen as a suitable approach. The study comprised three steps: initial interviews to develop a catalogue, further interviews to establish consensus, and a case study to assess practicability. Conducted in an Austrian hospital with 17 integrated medical devices, the case study aimed to validate the catalogue over three months. Health IT staff implemented measures and indicators based on the catalogue's recommendations, assessing effectiveness, complexity, and satisfaction using written usability testing surveys inspired by ISO 9241-11.


Implementation measures satisfactory and of low complexity in pilot hospital

Qualitative content analysis of expert interviews yielded 51 measures and 19 indicators, refined through abstraction and elimination of duplicates. Experts confirmed these results in subsequent research steps, resulting in 49 measures and 18 indicators. These were categorized into subgroups, providing detailed implementation information. Relationships between measures and indicators were identified, indicating positive effects when more measures were implemented. Validation in an Austrian hospital showed successful implementation of 78% of measures and 100% of indicators selected for evaluation. Satisfaction with catalogue instructions was high, and implementation complexity was mostly described as low.


The developed catalogue simplifies the implementation of IT risk management according to IEC 80001-1 by providing specific measures and detailed guidance, akin to a cookbook. This reduces the need to interpret the standard's abstract specifications and to purchase the technical reports that accompany it. The measures are derived from the practical experience of the interviewed experts. Additionally, the catalogue suggests concrete indicators for assessing the effectiveness of implemented measures and of the risk management process as a whole, and maps which indicators relate to which measures. However, it is important to note that these indicators and relationships rest on expert opinion; the study does not establish a definitive causal relationship between implementing a measure and the outcome an indicator reports. As of today, the full catalogue of measures with their associated indicators is available only in German.


Source: BMJ Health & Care Informatics
