New ISO/TR 80001-2-7 – IEC 80001-1 Compliance for HDOs

ISO/TR 80001-2-7, “Application of risk management for IT-networks incorporating medical devices – Application guidance – Part 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to self-assess their conformance with IEC 80001-1,” has just been released.  It is part of the 80001-2 application-guidance series (most parts are published as IEC/TR, a few as ISO/TR) and helps you manage risk within an IT network that includes medical devices.  It has been written for organizations such as hospitals, managed care facilities, surgical centers, behavioral health care facilities, and the like, and lets such facilities self-assess their conformance to IEC 80001-1, “Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities.”

Does ISO/TR 80001-2-7 add any requirements beyond those in IEC 80001-1?  No.  It is used to facilitate the application of IEC 80001-1 where that standard has been determined to apply.  It contains a set of questions you can use to assess, from a risk management perspective, how well the processes of your medical IT-network perform.  And you can tailor the approach to meet your specific needs.

For example, you can use the assessment method of Clause 4 to audit your system and determine whether it conforms to IEC 80001-1.  Or, if you already know you conform, you can still use the assessment method to judge the capability of your risk management processes.  Further, the assessment method is flexible, so it can be modified to meet the concerns of individual HDOs.

What’s to be gained by using an internal assessment approach?  You’ll be able to spot current risk management weaknesses and will have a basis for improvement.  Or you might use it as a first-pass assessment and add more stringent requirements as you move forward.

What will you find in ISO/TR 80001-2-7?  There’s guidance for HDO self-assessment against IEC 80001-1, of course.  You’ll also get a set of questions to help you set up the assessment of your medical IT-network from a risk management point of view.  It defines a PRM (Process Reference Model) derived from the process requirements of IEC 80001-1, and a PAM (Process Assessment Model) that meets the requirements of ISO/IEC 15504-2, the process assessment standard.

What are the stages of this ISO/TR 80001-2-7 assessment method?  The five required stages are:

  • 1 – Defining assessment scope
  • 2 – Stakeholder involvement
  • 3 – Information collection and evaluation
  • 4 – Generating a findings report
  • 5 – Presenting the findings report

There are also two optional stages:

  • 6 – Improvement planning
  • 7 – Follow-up assessment

Reducing risk in a patient-care setting is essential to minimizing cost and liability and to improving patient outcomes and satisfaction, all of which are critical in today’s changing healthcare environment.  So those of you responsible for quality in an HDO setting will want to review this timely technical report now.

Where can you get your authorized copy?  Try the Document Center webstore at www.document-center.com.  You can order ISO and IEC standards in paper format or as a pdf download, and they are available as part of our multi-user subscription service, Standards Online.  Contact our staff by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com) for more information.

When you use Document Center Inc. you’ll not only get copies of the standards you need, you’ll get free update notification as well as access to other services that support your need for complete and correct compliance documentation.  Make us your Standards Experts!

New IEC/TR 80001-2-5 – Alarm Systems for Networked Medical Devices

There’s a new IEC/TR 80001-2-5, “Application of risk management for IT-networks incorporating medical devices – Part 2-5: Application guidance – Guidance on distributed alarm systems.”  This new publication extends the series on safeguarding computer networks that include medical devices.  It can be purchased in paper format, as a pdf download, or as part of a multi-user online subscription service from Document Center Inc.

The IEC 80001-2 series addresses risk management for networked medical devices in general; this new part deals specifically with alarms.  To set up your networked alarm system, you’ll need to know how to identify hazards and their causes.  Then you’ll need to identify, implement, and verify your risk controls.

How will you know whether this new Technical Report applies to your situation?  The essential criterion is that your alarm system involves at least one medical device and a communication path that uses an IT (Information Technology) network.

What’s covered by IEC/TR 80001-2-5?  Of course, there are the usual scope, referenced documents and definitions clauses.  In this case, the terms and definitions clause is especially lengthy, since a common understanding of the various terms will help you with the rest of the document.

Next, Clause 4 reviews the functions that this type of alarm system provides.  Clause 5 provides the basis for determining the type of system you’ll be using.  And Clause 6 covers the issues that your risk management program for your alarm system needs to address.

There are also four Annexes.  Annex A shows the relationship of this technical report to IEC 60601-1-8.  Annex B discusses the various types of sources that might generate the alarm state.  Annex C reviews which types of systems are appropriate for various conditions.  And Annex D covers scalability.  Lastly, an 18-item bibliography and a 2-page index of terms finish off the publication.

FYI:  Six Parts of this series are currently available.  Parts 2-7 and 2-8 are in preparation at this time.

Now you’ll need to get a copy.  Go to Document Center’s webstore at www.document-center.com and order your authorized copy now.  Or contact our staff by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com).  We’ll be able to help you with this and any other standards-related requirements you may have.  Make us your Standards Experts!

ISO/TR 80001-2-6 – Risk Management for Medical Device IT Networks

There’s a lot of interest these days in securing the data components of medical devices, especially those linked into a network.  Back in 2010, IEC 80001-1 gave you guidance on the roles and responsibilities inherent in such networks.  Now the new ISO/TR 80001-2-6 helps you write the responsibility agreements that define them.  Titled “Application of risk management for IT-networks incorporating medical devices – Part 2-6: Application guidance – Guidance for responsibility agreements,” this new Technical Report supports the compliance that may be required in your situation.

Why would such a document be of use to you?  For the patient, a medical device represents a partnership between the device manufacturer and the clinical setting in which it is used.  So it is essential that all parties involved in providing care with networked devices, including the medical staff at any given facility, clearly understand the dependency of the device on the network.  Examples of issues that could affect device performance include upgrades to the network, or the addition of a new piece of equipment to the network that affects software versions.  Change control procedures are essential to minimize that risk, and that means a clear understanding of who’s responsible for what!

Since the report supports IEC 80001-1, it is formatted on the basis of that earlier publication.  Its sections include the usual scope, referenced documents and definitions clauses.  Then ISO/TR 80001-2-6 dives into the key aspects of responsibility agreements, including the reasons to have them, the participants, and the types of agreements you might find useful.  Clause 5 expands on the requirements of subclause 4.3.4 of IEC 80001-1, giving you additional detail on a line-by-line basis.  And the 2 Annexes cover the development of a RACI (Responsible, Accountable, Consulted, Informed) chart, and a chart of the various types of documentation you’d expect to be provided by medical device manufacturers and IT suppliers.

Using a standard like ISO/TR 80001-2-6 can save you time and trouble in developing your plan, and give you the support you need for compliance with IEC 80001-1 if required.  You’ll need a copy and you’ll want to purchase it from an authorized dealer.  You can rely on Document Center Inc. to supply you with copies in paper format, as a pdf download, or for multi-user access as part of our Standards Online subscription service.  Order at our webstore (www.document-center.com) or contact our staff by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com).  Remember, we’re your Standards Experts!

New IEC/TR 80001-2 series provides guidance for the Application of risk management for IT-networks incorporating medical devices

IEC has just released 3 new Technical Reports on the application of risk management for IT-networks incorporating medical devices, and they’re available now from Document Center Inc. in both paper and pdf format.  The three documents support IEC 80001-1, “Application of risk management for IT-networks incorporating medical devices – Part 1: Roles, responsibilities and activities.”

IEC/TR 80001-2-1:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-1: Step by step risk management of medical IT-networks – Practical applications and examples

This document is a step-by-step guide to help in the application of risk management when creating or changing a medical IT-network. It provides easy to apply steps, examples, and information helping in the identification and control of risks. All relevant requirements in IEC 80001-1:2010 are addressed and links to other clauses and subclauses of IEC 80001-1 are addressed where appropriate (e.g. handover to release management and monitoring). This technical report focuses on practical risk management. It is not intended to provide a full outline or explanation of all requirements that are satisfactorily covered by IEC 80001-1.

This step-by-step guidance follows a 10-step process that follows subclause 4.4 of IEC 80001-1:2010, which specifically addresses risk analysis, risk evaluation and risk control. These activities are embedded within the full life cycle risk management process. They can never be the first step, as risk management follows the general process model which sets planning before any action.

IEC/TR 80001-2-2:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls

Part 2-2 creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls.

Intended use and local factors determine which exact capabilities will be useful in the dialog about risk. The capability descriptions in this report are intended to supply health delivery organizations (HDOs), medical device manufacturers (MDMs), and IT vendors with a basis for discussing risk and their respective roles and responsibilities toward its management. This discussion among the risk partners serves as the basis for one or more responsibility agreements as specified in IEC 80001-1.

IEC/TR 80001-2-3:2012, Application of risk management for IT-networks incorporating medical devices – Part 2-3: Guidance for wireless networks

This report supports the Healthcare Delivery Organizations (HDO) in the risk management of medical IT-networks that incorporate one or more wireless links. The report, as part of IEC 80001, considers the use of wirelessly networked medical devices on a medical IT-network and offers practical techniques to address the unique risk management requirements of operating wirelessly enabled medical devices in a safe, secure and effective manner. The targeted audience for this technical report is the HDO IT department, biomedical and clinical engineering departments, risk managers, and the people responsible for design and operation of the wireless IT network.

All IEC standards and other documents are available from Document Center Inc. at our webstore, www.document-center.com.  Or contact us by phone (650-591-7600), fax (650-591-7617) or email (info@document-center.com).  You can purchase any standard you need as well as get further information on any standards-related questions you may have.