Dipl.-Ing. Oliver P. Christ CEO Prosystem AG / Prosystem USA LLC
Network Standard Session: Update on IEC 80001-1
EWICS International Workshop on safety & security of (wireless) medical sensor networks, January 21, 2014
Beim Strohhause 17, 20097 Hamburg
phone +49 (0)40 66 87 88 119, fax +49 (0)40 66 87 88 199, web www.prosystem-ag.com
PROSYSTEM AG is an international consulting company providing comprehensive services for the medical device industry. The company was established in 1999 by Prof. Dr. Jürgen Stettin and Oliver P. Christ. Our clients are manufacturers and developers of medical devices, suppliers, hospitals, drug & pharma companies, universities and Notified Bodies.
Being an active member of various standardization groups, PROSYSTEM can provide its clients with detailed background information about the origin, implementation and future development of International Standards. Business activities include analysis, training, consulting services, and the realization of projects:
• more than 200 clients in 20 countries
• > 12% growth rate per year
• all services by "One-Stop Shopping"
Member / Sponsor
MEDICA
AAMI
GABA
IEC TC 62
ISO TC 210
Patient Safety Alliance
. . .
MedConf
Clinical Services Software
Organization chart (individual names omitted): Holding / Owner; PROSYSTEM USA LLC; PROSYSTEM do Brasil Ltda.; PROSYSTEM FORUM; Healthcare.
Medical device security in the past
• Security = data privacy
• Intentional threats considered very unlikely
• Security is an operating system problem
• Security is a network IT problem
• No one is making me do it
• All of this is changing …
Wireless device concerns
Wireless communication between devices
• Point-to-point communication
• Increasing rapidly: 160 million wireless sensors expected in the health sector by 2017 (22 million used at point of care or for patient monitoring)
• Currently proprietary protocols, but standards will be needed
• Some concerns are: corruption of data, denial of service, depletion of batteries
Networked device concerns
Devices incorporated into general-purpose hospital networks
• Use common Internet protocols
• Many capabilities of the platforms are not used
• Some concerns are: viruses, loss of availability (hospitals as a source of botnets), unauthorized access to data
Seeing reality in wireless devices
• Security is not just HIPAA
• 2008: implanted defibrillator hacked
• 2011: insulin pump hacked
• 2011/2012: more instances of devices hacked
• 2012: EHR hacked for ransom
• 2012: networked device hacked, providing access to other networked devices
Going back in history for 12 years & 2 weeks … that's where the story began …
[Figure: a typical hospital network topology. Therapy, angiography and administration systems from several vendors (Philips, GE, Siemens, Agfa, Kodak, an IBM server) share one network with the archive. Who is responsible?]
Medical System PEMS "A" and Medical System PEMS "B" are data-coupled via the network and exchange medical information.
Do we have a "Hazard" for a patient if the communication between "networked PEMS" fails? Yes!
That has been the magic question …
[Figure: timeline of hazards versus date (1990, 2000, 2006) against the editions of IEC 60601-1 (Ed. 1, Ed. 2, Ed. 3).]
Evolution in safety standardization - What’s next?
[Figure: the standards around a medical device, with input from the operator and output to the patient, user and others. Usability: IEC 62366:2013 A1; safety standards: IEC 60601-1:2012 A1; IT risk management: IEC 80001-1:2010; risk management: EN ISO 14971:2012. "Focus today" marks the set.]
[Figure: V-model for medical software under IEC 62304:2006. Left arm: user needs, system validation plan, software test specification, software component test specification, down to the unit verification plan; right arm: system test specification up to the validated system.]
Requirements today: IEC 62304:2006
• Clear link to ISO 13485 & ISO 14971
• Enforces documented lifecycle processes (2 "main" and 5 "supporting")
• Structures software into software items
• Requires safety classes (A, B, C) for each software item, based on severity only, with …
• different design, testing & documentation efforts
Changes by CD1 dated Oct 31, 2012
New work on IEC 62304 has been started:
• Legacy software (new: Annex E)
• Segregation of software items
• New classification rules for safety classes A, B, C, based on severity and a probability of occurrence
• New: IEC 82304-1 Health Software
IEC 62366:2007 Usability
Requirements today: IEC 62366:2007
• specifies a PROCESS to analyze, specify, design, VERIFY and VALIDATE USABILITY as it relates to the SAFETY of a MEDICAL DEVICE
• requires an INTENDED USE of a MEDICAL DEVICE
• introduces concepts like CORRECT USE, USE ERROR and ABNORMAL USE
• USABILITY SPECIFICATION, usability testing & VALIDATION
Changes by CD1 dated Nov. 23rd, 2012 for IEC 62366-1 (2nd edition)
In the 2nd edition of IEC 62366 there will be 2 parts: (1) normative, (2) guidance
… IEC 62366-1 will contain new definitions for ABNORMAL USE, USE ERROR and others
… IEC 62366-1 will have a completely revised USABILITY ENGINEERING PROCESS
… IEC 62366-2 will provide guidance on the practical implementation / best practices
ISO 14971:2007 Risk Management
Requirements today: ISO 14971:2007
• specifies a process to identify the HAZARDS / HAZARDOUS SITUATIONS associated with a MEDICAL DEVICE
• estimate, evaluate and control RISKS
• monitor the effectiveness of risk controls
• manage the acceptability of the OVERALL RESIDUAL RISK (ORR)
Changes by the EU Commission, August 30th, 2012; plus new guidance ISO 24971:2012
New publication of EN ISO 14971:2012 in Europe!
… change of risk acceptance criteria
… new requirements for risk/benefit analysis as well as "labelling"
… the international guidance document ISO 24971 shows the link to the safety standards
Requirements today: IEC 80001-1:2010
Compliant Medical IT-Network risk management, enforced by hospital top management, balancing the "Key Properties": Safety, Effectiveness, Data & System Security
Future steps: last meeting of JWG7, May 3-4, 2013, Atlanta, USA (hosted by Kaiser Permanente)
Agenda: new Technical Reports IEC 80001-2-x: Distributed Alarm Systems (IEC 80001-2-5), Responsibility Agreement (IEC 80001-2-6)
Risk-Management Plan – Key Properties
• Definition for each Medical IT-Network (separately)
• Key Properties for risk management are:
  Safety: for patient, user/operator and third parties
  Effectiveness: for the intended workflows supported by the IT-Network; the ability to produce the intended result for the PATIENT and the RESPONSIBLE ORGANIZATION
  Data & System Security: reasonable protection from degradation of confidentiality, integrity and availability (of information assets)
The "Medical IT-Network" (protection goal of IEC 80001-1)
• Originally separate medical devices get connected via an (unsafe & unsecure) IT-Network of the Responsible Organization
• Out of this "general" IT-Network emerges a new "Medical IT-Network"
The issues are:
• Heavily regulated "safe medical devices" get connected with "off-the-shelf IT hardware"
• There are no clear responsibilities established (MT vs. IT)
• Disturbances/overload of an IT-Network could compromise the safety of medical devices
• IT-Networks are supposed to "run" 24/7
Important roles and responsibilities in IEC 80001-1
[Figure: within the Responsible Organization, Top Management assigns a Risk Manager, who reports back to Top Management; the Medical Device Manufacturer and others provide information.]
Risk-Management
• Central process of IEC 80001-1 for: identification of hazards, evaluation of the corresponding risks, control of these risks, always in conjunction with the "intended use" of a network
• The "Risk-Management" process shall be applied before putting a Medical IT-Network into service and when modifying an existing Medical IT-Network and/or its components
• Information flow and data flow in the network
Med. IT-Network – Documentation – Information flow (simplified)
[Figure: a hospital network containing a Medical IT-Network; an ultrasound unit, a switch and a router connect to the PACS system and a clinical workstation; DICOM images and patient data flow across it.]
Risk Analysis & Evaluation - Defined Terms
[Figure: the same PACS system, ultrasound equipment and clinical workstation treated as a "black box"; the defined terms Cause, Hazard and Hazardous Situation are illustrated along the chain, with amniocentesis as the clinical procedure.]
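The "magic question" of the earlier slide (is there a hazard for the patient when communication between networked PEMS fails?) can be asked mechanically over the information flow of a Medical IT-Network. The following Python is an added example and is not from the deck or from IEC 80001-1: the links, the two clinical workflows, the hazard texts and the two failure modes ("unavailable" for denial of service, overload or battery depletion; "compromised" for unauthorized access or data corruption, both from the concerns slides) are assumptions chosen to mirror the ultrasound / PACS / clinical workstation figure.

```python
"""Information-flow analysis of a constructed Medical IT-Network.

Added example, not part of the deck or of IEC 80001-1. The topology mirrors
the slide (ultrasound, switch, router, PACS, clinical workstation, hospital
network) but every link, workflow and hazard text below is an assumption made
for illustration.
"""
from collections import deque

# Physical links of the assumed network; traffic flows in both directions.
LINKS = [
    ("UltraSound", "Switch"),
    ("Switch", "Router"),
    ("Router", "PACS"),
    ("Switch", "ClinicalWorkstation"),
    ("HospitalNetwork", "Router"),
]

# INTENDED USE of the network: each clinical workflow is a chain of legs
# (asset, from, to) that must all work. Hazard texts are assumed.
WORKFLOWS = {
    "ultrasound image review before amniocentesis": {
        "legs": [("DICOM image", "UltraSound", "PACS"),
                 ("DICOM image", "PACS", "ClinicalWorkstation")],
        "hazard": "clinician proceeds with a stale or missing image",
        "safety_relevant": True,
    },
    "patient demographics to PACS": {
        "legs": [("patient data", "HospitalNetwork", "PACS")],
        "hazard": "study stored under a wrong or missing patient identity",
        "safety_relevant": True,
    },
}


def shortest_path(src, dst, failed=frozenset(), links=LINKS):
    """BFS over the links, ignoring failed nodes; returns the node list or None."""
    if src in failed or dst in failed:
        return None
    adj = {}
    for a, b in links:
        if a not in failed and b not in failed:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def analyze_failure(component, mode, workflows=WORKFLOWS):
    """Hazardous situations caused by one component failing.

    mode: "unavailable" (denial of service, overload, power loss) or
          "compromised" (unauthorized access to, or corruption of, the data
          passing through it).
    Returns one finding per affected workflow with the KEY PROPERTIES hit.
    """
    findings = []
    for name, wf in workflows.items():
        broken = []
        for asset, src, dst in wf["legs"]:
            if mode == "unavailable":
                if shortest_path(src, dst, frozenset([component])) is None:
                    broken.append(asset)
            elif mode == "compromised":
                # On this tree topology the shortest path is the only path;
                # a meshed network would need all paths enumerated.
                path = shortest_path(src, dst) or []
                if component in path:
                    broken.append(asset)
            else:
                raise ValueError(f"unknown failure mode {mode!r}")
        if not broken:
            continue
        props = {"security"} if mode == "compromised" else {"effectiveness"}
        if wf["safety_relevant"]:
            props.add("safety")  # lost or corrupted data drives a clinical decision
        findings.append({
            "workflow": name,
            "cause": f"{component} {mode}",
            "assets": sorted(set(broken)),
            "hazard": wf["hazard"],
            "key_properties": sorted(props),
        })
    return findings


if __name__ == "__main__":
    for component in ("Router", "HospitalNetwork", "ClinicalWorkstation"):
        for mode in ("unavailable", "compromised"):
            for f in analyze_failure(component, mode):
                print(f"{f['cause']:32} -> {f['workflow']}: {f['hazard']} "
                      f"[{', '.join(f['key_properties'])}]")
```

Running it shows the point of the slide: the router (off-the-shelf IT hardware nobody in MT feels responsible for) is a single point of failure for both workflows and hits safety and effectiveness at once, while the hospital network feed only breaks the demographics flow. Adding a redundant link to `LINKS` is the risk control; re-running the analysis is the check that the residual risk actually dropped.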
The structure of the IEC 80001-1 series
IEC 80001-1, Part 1: Roles, Responsibilities and Activities
IEC 80001-X: references to other IT standards / specifications: ISO/IEC 20000-1:2005, IEC 62304:2006, IEEE 11073-ff, HL7, DICOM
IEC 80001-2-Y: Technical Reports
  Y = 1: Step-by-step risk management
  Y = 2: Security (checklist)
  Y = 3: Wireless
  Y = 4: HDO guidance
  Y = 5: Distributed Alarm System
  Y = 6: Responsibility Agreement
  Y = 7: HDO self-assessment
  Y = ?: Guidance on security
21.01.2014 [email protected]
Different types of Alarm Systems according to IEC 80001-2-5
3.8 DISTRIBUTED ALARM SYSTEM (DAS): ALARM SYSTEM that involves more than one MEDICAL DEVICE intended for guaranteed delivery of ALARM CONDITIONS
3.9 DISTRIBUTED ALARM SYSTEM WITH CONFIRMATION (DASC): DISTRIBUTED ALARM SYSTEM that includes the capability to receive an OPERATOR response
3.10 DISTRIBUTED INFORMATION SYSTEM ABOUT ALARM CONDITIONS (DIS): system that involves more than one MEDICAL DEVICE that is intended to provide information about ALARM CONDITIONS but does not guarantee delivery of that information
Note: A DIS is not intended to notify OPERATORS of the existence of an ALARM CONDITION
Type of "Alarm System" and balance of Key Properties

Type of "Alarm System"                                                                    | Safety | Security | Effectiveness*)
Distributed Information System about Alarm Conditions (DIS) [3.10], not intended to notify OPERATORS |   N    |    N     |       Y
Distributed Alarm System (DAS) [3.8] acc. IEC 60601-1-8, for guaranteed delivery of Alarm Conditions |   Y    |   (N)    |      (Y)
Distributed Alarm System with Confirmation (DASC) [3.9]                                   |   Y    |    Y     |       Y
*) e.g. workflow optimization
IEC 80001-1 compliant
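What the three rows of the table mean in behaviour is easier to see in a simulation than in a definition. The Python below is an added example, not code from the deck, from IEC 80001-2-5 or from IEC 60601-1-8: the message names, the retry count, the escalation chain, the "no operator response" timeout and the lossy channel are all assumptions chosen to make the difference between information (DIS), guaranteed delivery (DAS) and delivery plus operator confirmation (DASC) visible.

```python
"""Constructed simulation of the three alarm-system types of IEC 80001-2-5.

Added example, not from the technical report, from IEC 60601-1-8 or from the
deck: the message names, the retry count, the escalation order and the lossy
channel are assumptions chosen to make the difference between DIS, DAS and
DASC visible.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    """A receiving MEDICAL DEVICE (e.g. a clinician's handheld).

    lost_attempts:     attempt numbers that the (assumed) channel drops
    operator_responds: whether the OPERATOR at this device confirms alarms
    """
    name: str
    lost_attempts: frozenset = frozenset()
    operator_responds: bool = True

    def transmit(self, alarm, attempt, log, expect_ack):
        log.append(f"{alarm} -> {self.name} (attempt {attempt})")
        if attempt in self.lost_attempts:
            if expect_ack:
                log.append(f"  no ACK from {self.name}")
            return False
        if expect_ack:
            log.append(f"  ACK from {self.name}")
        return True

    def confirm(self, alarm, log):
        if self.operator_responds:
            log.append(f"  OPERATOR at {self.name} confirms {alarm}")
            return True
        log.append(f"  no OPERATOR response from {self.name} within timeout")
        return False


def distribute(kind, alarm, endpoints, max_attempts=3):
    """Push one ALARM CONDITION through a DIS, DAS or DASC.

    endpoints is the escalation chain: primary first, then fallbacks.
    Returns what the alarm system itself can prove about the outcome.
    """
    log, attempts = [], 0
    if kind == "DIS":
        # Information only: one best-effort send, no ACK, no retry. The
        # system never learns whether the message arrived.
        endpoints[0].transmit(alarm, 1, log, expect_ack=False)
        return {"kind": kind, "attempts": 1, "delivered_to": None,
                "confirmed_by": None, "log": log}
    if kind not in ("DAS", "DASC"):
        raise ValueError(f"unknown alarm system type {kind!r}")

    for ep in endpoints:
        for attempt in range(1, max_attempts + 1):
            attempts += 1
            if ep.transmit(alarm, attempt, log, expect_ack=True):
                if kind == "DAS":
                    # Guaranteed delivery: an ACK proves the device got it.
                    return {"kind": kind, "attempts": attempts,
                            "delivered_to": ep.name, "confirmed_by": None,
                            "log": log}
                if ep.confirm(alarm, log):
                    return {"kind": kind, "attempts": attempts,
                            "delivered_to": ep.name, "confirmed_by": ep.name,
                            "log": log}
                # Delivered but nobody acted: a DASC escalates rather than
                # treating delivery as the end of its responsibility.
                log.append(f"  escalating {alarm} past {ep.name}")
                break
        else:
            log.append(f"  {ep.name} unreachable after {max_attempts} attempts, escalating")

    # Chain exhausted: a guaranteed-delivery system must surface the failure
    # instead of dropping the alarm silently (assumed fallback behaviour).
    log.append(f"  DELIVERY FAILURE: {alarm} must be annunciated at the source device")
    return {"kind": kind, "attempts": attempts, "delivered_to": None,
            "confirmed_by": None, "log": log}


if __name__ == "__main__":
    # Constructed scenario: the handheld drops the first two sends and its
    # operator never answers; the nurse station is reachable and answers.
    handheld = Endpoint("Handheld-A", lost_attempts=frozenset({1, 2}),
                        operator_responds=False)
    station = Endpoint("NurseStation")
    for kind in ("DIS", "DAS", "DASC"):
        result = distribute(kind, "SpO2 LOW", [handheld, station])
        print(f"== {kind}: delivered_to={result['delivered_to']} "
              f"confirmed_by={result['confirmed_by']} attempts={result['attempts']}")
        print("\n".join(result["log"]))
```

The same lossy channel produces three different outcomes: the DIS sends once and cannot say whether anyone saw the alarm (effectiveness only, as the table shows), the DAS retries until a device ACKs and then stops (safety through guaranteed delivery, but a device that was reached is not an operator who reacted), and the DASC keeps escalating until a person confirms, which is why it is the only row with all three key properties. The escalation and the final "DELIVERY FAILURE" path are the places where a responsibility agreement has to say which device, and which department, owns the fallback.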
Responsibility Agreement
• Provides a legal framework for collaboration
• Is needed when medical devices from more than one supplier are intended to be incorporated into one (medical) IT-Network
• Recommended also for use between internal departments of a Responsible Organization (e.g. BioMeds, IT, others)
• It is suitable as a Service Level Agreement (SLA)
Content
• Identification of all parties to be involved
• Specification of the Medical IT-Network and the project goals
• Description of roles, responsibilities and activities
• Definition of all information to be provided / exchanged
Application of risk management for IT-networks incorporating medical devices – Part 2-6: Guidance for Responsibility Agreements
This Technical Report provides guidance on implementing RESPONSIBILITY AGREEMENTS, which are described in IEC 80001‐1 as used to establish the roles and responsibilities among the stakeholders engaged in the incorporation of a MEDICAL DEVICE into an IT‐NETWORK in order to support compliance to IEC 80001‐1. Stakeholders may include RESPONSIBLE ORGANIZATIONS, IT suppliers, MEDICAL DEVICE MANUFACTURERS and others. The goal of a RESPONSIBILITY AGREEMENT is that these roles and responsibilities should cover the complete lifecycle of the resulting MEDICAL IT‐NETWORK.
The start: "Responsibility Agreement" among various parties
[Figure: within the hospital, BioMed (MT), the IT department (IT), purchasing and contract management, and the external IT provider are the parties to the agreement.]
What are the objectives of IEC 80001-1?
• "Talk to each other!" (internally, externally, RO with suppliers)
• "Balanced Key Properties" (risk policies of the RO for): Safety (for patient, user/operator and third parties); Effectiveness (for the workflows supported by the IT-Network); Data & System Security (confidentiality, integrity and availability)
• Implementation of a risk-management process for "Medical IT-Networks" (plus change, configuration, monitoring and event management)
• Integration*) of "MD" into the "IT-Network" only with risk controls (after the "RM process" or by a "Change Permit")
  *) or withdrawal
• "Conscious decisions!" (for the residual risks of Medical IT-Networks)
Which benefits does IEC 80001-1 provide?
• Ensures the ability to communicate between the "Responsible Organization" and its suppliers (MDM, IT provider, others)
• Introduces the concept of the "Medical IT-Network" and requires a distinct separation from other IT networks
• Clarifies the requirements for the safety of "Medical IT-Networks" (safety, effectiveness, security) and protects against liability issues
• Requires 5 processes to ensure that "Medical IT-Networks" can be operated safely & effectively
• Provides the ability for decision making on complex issues by systematically utilizing a risk-management approach
How will IEC 80001-1 impact the healthcare sector? (from a hospital viewpoint)
• Phase I: establish the ability to talk to each other ("IEC 80001-Readiness"). Gain knowledge about the IEC 80001-1 requirements; establish the required technical documents; open up for dialogue with the various suppliers.
• Phase II: set up a service partnership ("IEC 80001-Willingness"). Continuous collaboration with the various suppliers (MDM, IT provider); cooperation is based on "Responsibility Agreement(s)", e.g. Service Level Agreements; implementation of suitable processes; accurate monthly security patches; testing and release of security patches in a timely manner; collaboration with competing ROs and suppliers.
• Phase III: build a risk-management partnership ("IEC 80001-fulfilling best"). Hospitals (RO) benefit from external integration services from the MD manufacturer / IT provider, e.g. by utilizing external "Medical IT-Network Risk Manager" services for moderation and integration activities. They establish and maintain detailed IEC 80001-1 checklists and operate with valid security documentation; change/release management becomes a routine process on a daily basis.