The passage of the American Recovery and Reinvestment Act of 2009 incents hospitals and other providers that implement and demonstrate meaningful use of healthcare IT. As a result, more and more hospitals are implementing electronic medical records and other solutions in their respective organizations. Part of this trend includes the movement toward incorporating medical devices into the hospital's network, which can pose more safety and security risks because of the increase in size and complexity of the overall system. In order to prevent any risks associated with maintaining a medical network, hospitals must implement sound and effective risk management programs. Karen Delvecchio, lead systems designer at GE Healthcare and member of the IEC committee responsible for developing medical IT-network risk management standards, shares four ways hospital's can make their health IT risk management programs more robust.
1. Establish a set of acceptability guidelines. Defining and analyzing risk is not a process that can be done on the fly. Rather, Ms. Delvecchio says hospitals should have an already established risk policy and procedure and a set of acceptability guidelines for risk. That is, there should already be a scale by which to measure risk within a hospital that has medical devices incorporated into the network. For example, if your hospital is assessing risk in a single area, such as the ICU or ER, it will want to systematically consider all the possible mishaps and adverse events that could take place in that area, including those that are network-related. The next step in the process would be to evaluate the risk level of the situations that those mishaps could trigger. As risk is a function of both likelihood and severity of harm, this evaluation requires input from several disciplines and departments.
"So if your hospital is doing that kind of analysis under a pre-determined policy and procedure and acceptability levels, you can determine the risk level of all identified potential situations," Ms. Delvecchio says. "At a high risk, the hospital can't go-live with the medical network. At a low risk, the hospital could safely proceed."
2. Involve your hospital's stakeholders. The key component to an effective risk management program is assessing where the risks are, when a medical network failure could happen, what the potential damages from those failures could be and so on. In order to properly analyze these various factors, hospitals need to bring other stakeholders, such as clinicians, the IT department and medical devices department, on board.
"Hospitals will need to maintain, within the organization itself, some collaboration among all the departments involved in the life cycle of the risk management process," Ms. Delvecchio says. "These departments are critical in helping the overall hospital assess the impact of network failures. Because risk management of medical IT networks involves analysis of technical detail, system design, potential failure modes and possible clinical impact, it is very important to have involvement from all departments that may have information on any of these aspects, including IT, biomedical engineering and the clinical users of the overall system."
3. Read through the IEC 80001-1:2010. The IEC 80001-1:2010 standard, which was published in October 2010, addresses the need for healthcare organizations to have a risk management process. The standard defines the roles, responsibilities and activities that are needed for safe and effective risk management of medical devices incorporated into hospital IT networks. To view the standard, hospitals and healthcare providers may click here. There are also several follow up technical reports in development that will aid the industry in application of the 80001 standard and are scheduled for publication late this year.
The standard defines the philosophies, processes and responsibilities for risk management. Ms. Delvecchio says hospitals should determine how to map these roles and responsibilities into their organization.
"The goal of the standard is to control risk in medical IT networks and to establish a common method and language for analyzing this risk," she says. "To achieve this, it details not only the roles and responsibilities but also the particular steps involved as well as how to apply risk management across the entire life cycle of the medical IT network."
4. Manage risk through a three-party collaboration. Ms. Delvecchio says in order to strengthen their risk management programs, they must proactively engage with two other parties, the medical device manufacturer and the non-medical device manufacturer, such as server manufacturers and manufacturers/installers of the network infrastructure. These three parties are all involved in creating the overall system, and all components are important in delivering patient care or achieving the mission of the organization. Ms. Delvecchio says establishing lines of communication and exchanging relevant information at project startup is required for thorough risk management.
"The healthcare organization should develop and maintain a risk management process that applies to the medical network all the way through the life cycle of the medical network," she says. "When a hospital incorporates medical devices into the hospital IT network, the ownership of the overall risk management process belongs to the healthcare organization because they have the most visibility into the overall system, including the context — patient acuity, clinical workflows and so on — in which the medical IT network will be used."
Learn more about GE Healthcare.
1. Establish a set of acceptability guidelines. Defining and analyzing risk is not a process that can be done on the fly. Rather, Ms. Delvecchio says hospitals should have an already established risk policy and procedure and a set of acceptability guidelines for risk. That is, there should already be a scale by which to measure risk within a hospital that has medical devices incorporated into the network. For example, if your hospital is assessing risk in a single area, such as the ICU or ER, it will want to systematically consider all the possible mishaps and adverse events that could take place in that area, including those that are network-related. The next step in the process would be to evaluate the risk level of the situations that those mishaps could trigger. As risk is a function of both likelihood and severity of harm, this evaluation requires input from several disciplines and departments.
"So if your hospital is doing that kind of analysis under a pre-determined policy and procedure and acceptability levels, you can determine the risk level of all identified potential situations," Ms. Delvecchio says. "At a high risk, the hospital can't go-live with the medical network. At a low risk, the hospital could safely proceed."
2. Involve your hospital's stakeholders. The key component to an effective risk management program is assessing where the risks are, when a medical network failure could happen, what the potential damages from those failures could be and so on. In order to properly analyze these various factors, hospitals need to bring other stakeholders, such as clinicians, the IT department and medical devices department, on board.
"Hospitals will need to maintain, within the organization itself, some collaboration among all the departments involved in the life cycle of the risk management process," Ms. Delvecchio says. "These departments are critical in helping the overall hospital assess the impact of network failures. Because risk management of medical IT networks involves analysis of technical detail, system design, potential failure modes and possible clinical impact, it is very important to have involvement from all departments that may have information on any of these aspects, including IT, biomedical engineering and the clinical users of the overall system."
3. Read through the IEC 80001-1:2010. The IEC 80001-1:2010 standard, which was published in October 2010, addresses the need for healthcare organizations to have a risk management process. The standard defines the roles, responsibilities and activities that are needed for safe and effective risk management of medical devices incorporated into hospital IT networks. To view the standard, hospitals and healthcare providers may click here. There are also several follow up technical reports in development that will aid the industry in application of the 80001 standard and are scheduled for publication late this year.
The standard defines the philosophies, processes and responsibilities for risk management. Ms. Delvecchio says hospitals should determine how to map these roles and responsibilities into their organization.
"The goal of the standard is to control risk in medical IT networks and to establish a common method and language for analyzing this risk," she says. "To achieve this, it details not only the roles and responsibilities but also the particular steps involved as well as how to apply risk management across the entire life cycle of the medical IT network."
4. Manage risk through a three-party collaboration. Ms. Delvecchio says in order to strengthen their risk management programs, they must proactively engage with two other parties, the medical device manufacturer and the non-medical device manufacturer, such as server manufacturers and manufacturers/installers of the network infrastructure. These three parties are all involved in creating the overall system, and all components are important in delivering patient care or achieving the mission of the organization. Ms. Delvecchio says establishing lines of communication and exchanging relevant information at project startup is required for thorough risk management.
"The healthcare organization should develop and maintain a risk management process that applies to the medical network all the way through the life cycle of the medical network," she says. "When a hospital incorporates medical devices into the hospital IT network, the ownership of the overall risk management process belongs to the healthcare organization because they have the most visibility into the overall system, including the context — patient acuity, clinical workflows and so on — in which the medical IT network will be used."
Learn more about GE Healthcare.