
Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton

IEC-80001-1: The application of risk management to IT-networks incorporating medical devices. Specific Applications to Networked Medical Device. Act 2: Execute the Project Plan. Epilog: Sustain! Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton. June 27, 2010.


Presentation Transcript


  1. IEC-80001-1: The application of risk management to IT-networks incorporating medical devices. Specific Applications to Networked Medical Device. Act 2: Execute the Project Plan. Epilog: Sustain! Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton. June 27, 2010

  2. Starting with IEC80001: Prolog

  3. Is 80001 ever going to become a reality? • IEC80001-1 publication is expected in Nov, 2010. • Essential Technical Report guidance will be available in Q2, 2011: • Security, wireless, step-by-step & HDO guidance documents • Now is the time to get started with 80001 pilot projects!

  4. IEC 80001

  5. 80001 Roles & Responsibilities Stakeholder partnerships: • Healthcare Provider / Responsible Organization • Medical Device Manufacturers • I.T. Technology Vendors • 3rd Party Integrators • Risk Management Experts • … … shared vision & mission!

  6. RO – Top Management Policies for… • Risk Management Process • Risk Acceptability Criteria • Organizational Mission & Balancing between three KEY PROPERTIES

  7. 80001 Roles & Responsibilities Medical-IT Network Risk Manager … • Overall RM Process • Reporting to Top Management • Managing Communications – Internal & External • Design, Maintenance & Performance of RM Process Individual – not a Team!

  8. Supporting Documentation 80001-1 defines key documentation: • RO Policies & Procedures • Medical-IT Network Risk Management File • Responsibility Agreements • Accompanying Documents / Manufacturer Residual Risk Disclosure (graphic from IEC 80001-1 CDV)

  9. Starting with IEC80001: ACT 1: From Problem to Plan

  10. How to get started with 80001 project? • Assemble Risk Management Policy team • Keep it very simple: focus on WHAT must be done. • Write simple step guidance in parallel. • Use experience from Risk Management Policy to draft Responsibility Agreement. • Talk to your vendors (IT and Medical Device) • What risk information can/will they provide? • What risk discussions can they support? • What do they think of the Responsibility Agreement?

  11. How to get started with 80001 project? • Decide on the system under analysis (start simple) • Choose a network or segment for 80001 risk management • Define clinical workflow • Select a multidisciplinary team with a clear leader: • Medical IT Network Risk Manager (clear leader) • Network specialist • Biomedical engineer • Clinical representative • (Liaison for hospital risk management team)

  12. How to get started with 80001 project? • Follow the basic RISK MANAGEMENT template provided with IEC80001 Technical Report • Keep it simple, practical, and doable. (Beware: It is very easy to go too deep too early – enthusiastic teams often write “movie scripts”. ) • Identification of Hazards • Analyze risk • Evaluate risk • Control risk • Residual risk sign-off (go-live decision)

  13. Starting with IEC80001: ACT 2: Execute the Project Plan

  14. Responsibility Agreement • Name of responsible persons • Scope of activities • List of devices and IT equipment • List of documents to be supplied • Technical information supplied for risk analysis • Definition of roles and responsibilities in event management Not a static document!

  15. Starting with IEC80001: ACT 2: Execute the Project Plan

  16. Risk Management Process • Identify Hazards • Loss of data • Incorrect data • Incorrect timing of data • Degraded function of devices • Unauthorized access to private data • Etc… • Identify Causes • Overloaded link • Network configuration error • Wireless dropout • Network hardware failure • IP Addressing conflict • Security too aggressive • Faulty cabling • User/procedural error • Etc… • Identify Risk Control Measures • Network design, best practices • Pre-go-live testing • Redundancy • IT procedures, Clinical procedures • Etc…

  17. Risk Management Process • Analyze Risk • Based on Probability and Severity • Evaluate Risk • Based on Pre-defined risk acceptability criteria • Easily acceptable, Certainly unacceptable, or further evaluation needed • Control Risk • Determine GO / STOP • Systematic and Documented • Cross-functional team using same process and language

  18. Probability Scales • Severity Scales
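The analyze / evaluate / control / GO-STOP loop of slides 16 to 18, as an added worked example that is not part of the deck: the 5-point probability and severity scales, the acceptability thresholds and the probability reduction credited to each control measure are all constructed assumptions (80001 leaves those to the Responsible Organization's policy); the hazards, causes and controls are the ones named on slide 16.

```python
from dataclasses import dataclass, field

# Assumed 5-point qualitative scales; 80001 leaves the real scales to the RO's policy.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
# Assumed acceptability thresholds (Top Management policy) on the probability x severity score.
ACCEPTABLE_MAX = 4     # <= 4: easily acceptable
UNACCEPTABLE_MIN = 15  # >= 15: certainly unacceptable; in between: further evaluation needed

@dataclass
class RiskItem:
    hazard: str
    cause: str
    probability: str
    severity: str
    # Control measures as (measure, probability steps removed); the effect sizes are assumed.
    controls: list = field(default_factory=list)
    accepted_after_review: bool = False  # documented sign-off for a "further evaluation" item

    def residual_score(self) -> int:
        # Controls lower probability, not severity; the floor is the lowest scale step.
        reduction = sum(steps for _, steps in self.controls)
        return max(1, PROBABILITY[self.probability] - reduction) * SEVERITY[self.severity]

def evaluate(score: int) -> str:
    """Map a score onto the three outcomes named on slide 17."""
    if score <= ACCEPTABLE_MAX:
        return "easily acceptable"
    if score >= UNACCEPTABLE_MIN:
        return "certainly unacceptable"
    return "further evaluation needed"

def go_live_decision(items) -> str:
    """GO only when nothing is certainly unacceptable and every further-evaluation item is signed off."""
    for item in items:
        verdict = evaluate(item.residual_score())
        if verdict == "certainly unacceptable":
            return "STOP"
        if verdict == "further evaluation needed" and not item.accepted_after_review:
            return "STOP"
    return "GO"

# Constructed sample rows built from hazards, causes and controls named on slide 16.
SAMPLE_ITEMS = [
    RiskItem("Loss of data", "Wireless dropout", "probable", "serious",
             [("Redundancy", 2)], accepted_after_review=True),
    RiskItem("Unauthorized access to private data", "Network configuration error",
             "occasional", "critical", [("Pre-go-live testing", 1), ("IT procedures", 1)]),
    RiskItem("Incorrect timing of data", "Overloaded link", "frequent", "critical",
             [("Network design, best practices", 1)]),
]
```

With these assumed scales the third row stays at 16 after its control measure, so the set as a whole is a STOP until a stronger control is added; the first two rows alone would be a GO.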

  19. Starting with IEC80001: Epilog

  20. Supporting Documentation 80001-1 defines key documentation: • RO Policies & Procedures • Medical-IT Network Risk Management File • Responsibility Agreements • Accompanying Documents / Manufacturer Residual Risk Disclosure (graphic from IEC 80001-1 CDV)

  21. Medical IT Risk Management File • Contains full history of the project and sustaining work • Project and network description • Responsibility Agreement • Risk management documentation • Configuration documentation • …anything else that captures the Risk Management activity • Controlled document repository

  22. Event Management • Capture and document negative events • Evaluate events and propose changes (via change release management) • Track all corrective and preventive actions leading to closure • Report significant findings to Risk Manager

  23. “Permits” – risk manage the mundane • Optional – arise when system risk management is mostly complete. • What can you risk assess and allow to change? • Routine changes. • Clearly defined constraints and conditions. • Specifies how to document into the risk management file. • Examples - adding or removing users, equipment etc. up to a certain level.

  24. Closing thoughts • Get started now with pilot projects … but keep it simple. • Risk Managing the entire IT-network will take years – look for short-term gains with progress toward long-term success. • Always keep the healthcare mission in mind. An unplugged machine can be very safe & secure but not help your patients! • Be ready for challenging conversations with team members, vendors, IT component suppliers etc. Keep it cool – we all want to do the right thing. • Balance, balance, balance …

  25. What will you get? • Improved risk management with documentation (due diligence) • Improved safety, effectiveness and security • Better communication, better staff relations (CE/IT convergence) • Risk awareness / transparency of risk / ownership of risk
