There's been increasing rumblings in the industry about the soon to be completed standard, IEC 80001. While it is starting to get some discussion, the vast majority of hospitals and vendors have yet to hear about it. This post is an effort to raise awareness and spark some discussion.

The Problem

In December of 2005, the FDA hosted a study session (more here, here and here) to discuss a new and growing threat to patient safety and possible solutions. The threat is the increasing availability of computer controlled medical devices operating in enterprise network environments. Medical devices systems of this kind include patient monitors and central stations, smart infusion pump systems, and devices connected to information systems that do surveillance and alarm notification (Cardiopulmonary, LiveData, Ascom and others).

There are two levels of threat. The first is when medical device systems are used in broader environments, like enterprise networks, which were not anticipated (at all, or at least not fully) by the manufacturer. Once the regulated medical device system is installed in the customer site, how the network environment is designed, managed and changed over time can impact the safety and effectiveness of the medical device.

A different threat emerges when regulated medical devices are combined to create systems of systems that were not anticipated (at all, or at least not fully) by the manufacturer. The actors in this scenario extend beyond the governmental regulatory agency and individual medical device manufacturers, to include third party IT infrastructure vendors, other regulated medical device vendors, and health care providers. When a provider buys a variety of medical device systems and deploys then on an enterprise IT infrastructure, how that infrastructure and medical device systems are configured and interact introduces new and unanticipated risks.

Specific hazards include:

  • Loss of data
  • Inappropriate data interchange
  • Corrupted data
  • Inappropriate timing of data
  • Unexpected receipt of data
  • Unauthorized access to data

The current regulatory model regulates medical device vendors up to, and not beyond, the sale of the device to a customer. As the above risks explain, arbitrarily limiting regulatory oversight in this way is increasingly inadequate.

The Solution

Rather than extending regulatory oversight willy nilly (no one, including the regulators, wanted that), the study group settled on a voluntary industry standard as the preferred framework to address these risks. An early draft from an IEC working group can be downloaded here. Within a year, the development of IEC 80001 was started under the aegis of ISO/TC 215 Working Group 7 (medical devices) and Working Group 4 (security).

The intent of this standard is the application of risk management to enterprise networks incorporating medical devices. The standard applies risk management throughout the life cycle enterprise networks incorporating medical devices. The standard defines a process and defines responsibilities for each of the actors. You can purchase a copy of the current draft of the standard here ($20 or free if you're a member of AAMI).

What Does It All Mean?

Well first off, the standard is not yet final. The expected date for the complete standard is 2010. Major changes to the standard between now and when it is finalized are not expected, but could occur.

Since this is a "voluntary" standard, no one has to implement it, right? Those responsible for ensuring the safety and effectiveness of medical devices expect this standard to be adopted by any provider connecting a medical device to an enterprise network. This could be accomplished if certain accreditation bodies adopted the standard as a requirement. Payors like CMS could also require adopting the standard to qualify for reimbursement. The details here are a long way from resolved, but don't think for a minute that some day soon we will all be dealing with IEC 80001.

The standard will greatly impact providers, and to a lesser extent, medical device vendors. Information technology infrastructure vendors will also be somewhat impacted.

In the coming weeks, I'll be exploring in detail the potential impact this study will have for providers and vendors alike.

UPDATE: Now you can read the next installment, IEC 80001 to Impact Providers.