IEC 80001 – An Introduction

There have been increasing rumblings in the industry about the soon-to-be-completed standard, IEC 80001. While it is starting to get some discussion, the vast majority of hospitals and vendors have yet to hear about it. This post is an effort to raise awareness and spark some discussion.

The Problem

In December of 2005, the FDA hosted a study session (more here, here and here) to discuss a new and growing threat to patient safety and possible solutions. The threat is the increasing availability of computer-controlled medical devices operating in enterprise network environments. Medical device systems of this kind include patient monitors and central stations, smart infusion pump systems, and devices connected to information systems that do surveillance and alarm notification (Cardiopulmonary, LiveData, Ascom and others).

There are two levels of threat. The first is when medical device systems are used in broader environments, like enterprise networks, which were not anticipated (at all, or at least not fully) by the manufacturer. Once the regulated medical device system is installed in the customer site, how the network environment is designed, managed and changed over time can impact the safety and effectiveness of the medical device.

A different threat emerges when regulated medical devices are combined to create systems of systems that were not anticipated (at all, or at least not fully) by the manufacturer. The actors in this scenario extend beyond the governmental regulatory agency and individual medical device manufacturers, to include third-party IT infrastructure vendors, other regulated medical device vendors, and health care providers. When a provider buys a variety of medical device systems and deploys them on an enterprise IT infrastructure, how that infrastructure and those medical device systems are configured and interact introduces new and unanticipated risks.

Specific hazards include:

  • Loss of data
  • Inappropriate data interchange
  • Corrupted data
  • Inappropriate timing of data
  • Unexpected receipt of data
  • Unauthorized access to data

The current regulatory model regulates medical device vendors up to, and not beyond, the sale of the device to a customer. As the above risks show, arbitrarily limiting regulatory oversight in this way is increasingly inadequate.

The Solution

Rather than extending regulatory oversight willy-nilly (no one, including the regulators, wanted that), the study group settled on a voluntary industry standard as the preferred framework to address these risks. An early draft from an IEC working group can be downloaded here. Within a year, the development of IEC 80001 was started under the aegis of ISO/TC 215 Working Group 7 (medical devices) and Working Group 4 (security).

The intent of this standard is the application of risk management to enterprise networks incorporating medical devices. The standard applies risk management throughout the life cycle of enterprise networks incorporating medical devices. It defines a process and the responsibilities of each of the actors. You can purchase a copy of the current draft of the standard here ($20 or free if you’re a member of AAMI).

What Does It All Mean?

Well, first off, the standard is not yet final. The expected date for the complete standard is 2010. Major changes to the standard between now and when it is finalized are not expected, but could occur.

Since this is a “voluntary” standard, no one has to implement it, right? Those responsible for ensuring the safety and effectiveness of medical devices expect this standard to be adopted by any provider connecting a medical device to an enterprise network. This could be accomplished if certain accreditation bodies adopted the standard as a requirement. Payors like CMS could also require adopting the standard to qualify for reimbursement. The details here are a long way from resolved, but don’t think for a minute that we won’t all be dealing with IEC 80001 some day soon.

The standard will greatly impact providers, and to a lesser extent, medical device vendors. Information technology infrastructure vendors will also be somewhat impacted.

In the coming weeks, I’ll be exploring in detail the potential impact this study will have for providers and vendors alike.

UPDATE: Now you can read the next installment, IEC 80001 to Impact Providers.


3 comments

  1. Hi,

    I just wanted to know if this standard applies to digital video broadcasting networks as well or not?

    My concern is the application of this standard in Integrated Operating Room scenarios when we are routing Video signals in the room or to the outside.

    Thanks a lot

  2. Great question, the answer is maybe.

    If the video is part of the regulated medical device, and it is distributed over an IP network (rather than coax cable and video switchers) then the system would trigger the 80001 standard.

    Such a system could also qualify as an MDDS under the FDA’s recent proposed rule on medical device data systems.

  3. Excellent initiative, that IEC 80001! But we all see the difference between the standards organizations and the vendor world. So, for example, for wireless, which is my business today, may I hope that the IEC 80001 guys work with the Wi-Fi Alliance, so that the end result would be an additional stamp of the Wi-Fi organization as WMG, for “Wi-Fi Medical Grade”?
    We, in one of the top university hospitals of France, succeeded in running Draeger monitoring devices on exactly the same WiFi architecture as for the data usage. They would appreciate being backed by the vendors!
