Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Opening Presentation

advertisement 
Oct. 2nd 2012, San Francisco
Opening the discussion …
• Why is it so important to manage Risk in health IT solutions?
• How can we optimally protect the privacy and integrity of patients' records?
• How can hospitals and medical device manufacturers benefit
from latest safety standards?
Dipl.-Ing. Oliver P. Christ
CEO Prosystem AG / Prosystem USA LLC
Beim Strohhause 27
20097 Hamburg
phone
+49 (0)40 47 10 36 13
14
fax
+49 (0)40 47 10 36 20
web
www.prosystem-ag.com
oliver.christ@prosystem-ag.com
oliver.christ@prosystem-ag.com
The Company
PROSYSTEM AG is an international consulting company providing
comprehensive services for the medical device industry.
The company was established in 1999 by Prof. Dr. Jürgen Stettin and his
partner Oliver P. Christ. Together with its subsidiary PROSYSTEM USA LLC,
located in San Diego, CA/USA, PROSYSTEM AG services clients in more
than 25 countries.
info@prosystem-ag.com
2
The Company
Our clients are manufacturers and developers of medical devices, suppliers,
operators, the pharmaceutical industry, universities, and Notified Bodies.
Being an active member of different standardization groups, PROSYSTEM
can provide its clients with detailed background information about the
origin, implementation and future development of respective applicable
standards.
Business activities include analysis, training, consulting services, and the
realization of projects:
• more than 150 clients in 25 countries
• app. 30% of the annual turnover outside Europe (North America / Asia)
• all services from one source
info@prosystem-ag.com
3
The Company
PROSYSTEM FORUM
On-Site Trainings and
Workshops , Seminars
in the US
Software Development,
Verification, and
Validation
info@prosystem-ag.com
On-Site Trainings and
Workshops , Seminars
4
Demanding needs of General Hospitals for a Safe & Effective Use of Medical
Devices and Health Software
Ventilator
Clinician
Care Unit 1
Secure
Remote
Access
Monitoring Network
Patient Room
Router
OEM
Gateway
PC
ADT
Applications:
Admissions,
Bed Management,
Interface Engines...
Enterprise Network
Care Unit 2...
Bed X-Ref
Table
Patient
monitor
Internet
Internet
OEM
Employee
OEM Vendor
Source: Julian Goldman
EMR
Application and
Interfaces and other
Interface
components:
Servers (virtual)
Medical Equipment,
eMAR, Allergies,
Labs, Problem List...
Requirements from accreditors?
IOM Report a “Game Changer”?
American Institute of Medicine (IOM) Report, Published late 2011, 220 pages
Key findings:
 Health IT may lead to safer care and/or introduce new
safety risks
 Safety is a characteristic of a sociotechnical system
that includes people, process, environment, organization
and technology
 System-level failures occur almost always because of
unforeseen combinations of component failures
Recommendations:
 Health care accrediting organizations should adopt
criteria relating to EHR safety.
 All health IT vendors should be required to publicly
register and list their products
 Health IT vendors should be required to adopt quality
and risk management processes
 Reporting of health IT– related adverse events should
be mandatory for vendors and voluntary and confidential
for users.
Industry is using Risk Management for Medical Devices
8
Focus on Patient Safety
How does Risk Management focus on Patients?
The Intended Use of a medical device can be depicted using an idealized functional
input/output diagram:
Functional
Inputs
Functional
Outputs
Medical
Device
User (Operator)
Medical Benefit
Time
Patient
Patient
Industry is using Safety Standards for Medical Devices
info@prosystem-ag.com
10
Electrical Safety: IEC 60601-1 (3rd edition)
In an environment of 1,5 m
around an (accommodated)
Patient …
… increased requirements for Medical
Electrical Equipment do apply including
their connection to (medical) IT networks.
oliver.christ@prosystem-ag.com
11
PEMS = Programmable Electrical Medical Systems
IEC 60601-1/A1 - FDIS (verteilt als 62A/805/FDIS; vom 27.4.2012)
14.13. PEMS intended to be connected to an IT-Network
If the PEMS is intended to be incorporated into an IT-NETWORK that is not validated by
the PEMS MANUFACTURER, the MANUFACTURER shall make available instructions for
implementing such connection including the following:
a) the purpose of the PEMS’s connection to an IT-NETWORK;
b) the required characteristics of the IT-NETWORK incorporating the PEMS;
c) the required configuration of the IT-NETWORK incorporating the PEMS;
d) the technical specifications of the network connection of the PEMS including
security specifications;
•
e) the intended information flow between the PEMS the IT-NETWORK and other devices
on the IT-NETWORK, and the intended routing through the IT-NETWORK; and
NOTE 1 This can include aspects of effectiveness and data and system security as related to BASIC SAFETY
and ESSENTIAL PERFORMANCE (see also Clause H.6 and IEC 80001-1:2010).
f) a list of the HAZARDOUS SITUATIONS resulting from a failure of the IT-NETWORK to provide
the characteristics required to meet the purpose of the PEMS connection to the IT-NETWORK.
Compliance is checked by inspection of the instructions.
oliver.christ@prosystem-ag.com
12
IEC 60601-1/A1 - FDIS (verteilt als 62A/805/FDIS; vom 27.4.2012)
(continue)
In the ACCOMPANYING DOCUMENTS the MANUFACTURER shall instruct the RESPONSIBLE
ORGANISATION that:
– connection of the PEMS to an IT-NETWORK that includes other equipment could
result in previously unidentified RISKS to PATIENT, OPERATORS or third parties;
– the RESPONSIBLE ORGANISATION should identify, analyze, evaluate and control
these RISKS;
– subsequent changes to the IT-NETWORK could introduce new RISKS and require
additional analysis; and
– changes to the IT-NETWORK include:
• changes in the IT-network configuration;
NOTE 3: IEC 80001-1
• connection of additional items to the IT-NETWORK;
provides guidance for
• disconnecting items from the IT-NETWORK;
the RESPONSIBLE
• update of equipment connected to the IT-NETWORK;
ORGANIZATION to
• upgrade of equipment connected to the IT-NETWORK. address these RISKS.
Compliance is checked by inspection of the ACCOMPANYING DOCUMENTS.
oliver.christ@prosystem-ag.com
13
oliver.christ@prosystem-ag.com
14
Scope and Key Properties of IEC 80001-1: 2010
“ This standard defines roles,
responsibilities and activities
that are necessary for RISK
MANAGEMENT of IT-NETWORKS
incorporating MEDICAL DEVICES
to address
 SAFETY,
 EFFECTIVENESS
 DATA & SYSTEM SECURITY
(the KEY PROPERTIES), …
oliver.christ@prosystem-ag.com
15
The „Medical IT-Network“ (protection goal of IEC 80001-1)
• Originally separate Medical Devices get connected via an
(unsafe & unsecure) IT-Network of the Responsible Organization
• Out of this „general“ IT-Network emerge a new
„Medical IT-Network“
The Issues are
• Heavily regulated „safe Medical Devices“ get connected with
„off-the-shelf IT-Hardware“
• There is no clear Responsibilities established (MT vs. IT)
• Disturbances/Overload at an IT-Network could compromise
the safety of Medical Devices
• IT-Networks are supposed to „run“ 24/7
info@prosystem-ag.com
16
Risk-Management Planning for each Key Propery
• Definition for each Medical IT-Network (separately)
• Key Properties for Risk-Management are:
Safety
 for Patient, User/Operator und Third Parties
Effectiveness
 for intended workflows supported by the IT-Network
ability to produce the intended result for the PATIENT and the RESPONSIBLE ORGANIZATION
Data- & System Security
 reasonable protection from degradation of confidentiality,
integrity and availability (of information assets)
oliver.christ@prosystem-ag.com
17
Requirements to:
oliver.christ@prosystem-ag.com
18
Important roles and responsibilities in IEC 80001-1
Responsible Organization
Top Management
Risk-Manager
reports
assigns
provide Information
Others
Medical Devices Manufacturer
oliver.christ@prosystem-ag.com
19
The structure of the IEC 80001-1 series
IEC 80001-1
Part 1: Roles,
Responsibilities and
Activities
IEC 80001-X
References to other
IT Standards / Spec
IEC 80001-2-Y
Technical
Reports
ISO/IEC 20000-1:2005
IEC 62304:2006
IEEE 11073-ff
HL7, DICOM
Y = 1: Step-by Step RM
Y = 2: Security
Y = 3: Wireless
Y = 4: HDO Guidance
oliver.christ@prosystem-ag.com
20
Up-date on IEC 80001-1 activities
On July 19, 2012 three new Technical Reports has been published:
IEC 80001-2-1 TR Ed.1.0 - Application of risk management for IT-networks
incorporating medical devices - Part 2-1: Step by step risk management of
medical IT-networks - Practical applications and examples
IEC 80001-2-2 TR Ed.1.0 - Application of risk management for IT-networks
incorporating medical devices - Part 2-2: Guidance for the disclosure and
communication of medical device security needs, risks and controls
IEC 80001-2-3 TR Ed.1.0 - Application of risk management for IT-networks
incorporating medical devices - Part 2-3: Guidance for wireless networks
info@prosystem-ag.com
21
Related documents
AMA-61850-FiT4HANA
AMA-61850-FiT4HANA
Device Networking Access
Device Networking Access
UCAIug Booth Slides RTDS
UCAIug Booth Slides RTDS
Resource Assessment Standards & Best Practices
Resource Assessment Standards & Best Practices
Relationship tips 30JUNE12 - Withcott Church of Christ
Relationship tips 30JUNE12 - Withcott Church of Christ
Christian Action Calls for a Plan
Christian Action Calls for a Plan
PAP 7_Agenda_Grid Interop 2010
PAP 7_Agenda_Grid Interop 2010
智慧電網國立中正大學電力品質實驗室
智慧電網國立中正大學電力品質實驗室
Tax Application Export/Import Guide ProSystem fx
Tax Application Export/Import Guide ProSystem fx
Download
advertisement