There have been increasing rumblings in the industry about the soon-to-be-completed standard, IEC 80001. While it is starting to get some discussion, the vast majority of hospitals and vendors have yet to hear about it. This post is an effort to raise awareness and spark some discussion.
The Problem
In December of 2005, the FDA hosted a study session (more here, here and here) to discuss a new and growing threat to patient safety and possible solutions. The threat is the increasing availability of computer-controlled medical devices operating in enterprise network environments. Medical device systems of this kind include patient monitors and central stations, smart infusion pump systems, and devices connected to information systems that do surveillance and alarm notification (Cardiopulmonary, LiveData, Ascom and others).
There are two levels of threat. The first is when medical device systems are used in broader environments, like enterprise networks, which were not anticipated (at all, or at least not fully) by the manufacturer. Once the regulated medical device system is installed in the customer site, how the network environment is designed, managed and changed over time can impact the safety and effectiveness of the medical device.
A different threat emerges when regulated medical devices are combined to create systems of systems that were not anticipated (at all, or at least not fully) by the manufacturer. The actors in this scenario extend beyond the governmental regulatory agency and individual medical device manufacturers to include third-party IT infrastructure vendors, other regulated medical device vendors, and health care providers. When a provider buys a variety of medical device systems and deploys them on an enterprise IT infrastructure, how that infrastructure and those medical device systems are configured and interact introduces new and unanticipated risks.
Specific hazards include:
- Loss of data
- Inappropriate data interchange
- Corrupted data
- Inappropriate timing of data
- Unexpected receipt of data
- Unauthorized access to data
The current regulatory model regulates medical device vendors up to, and not beyond, the sale of the device to a customer. As the hazards above show, arbitrarily limiting regulatory oversight at that point is increasingly inadequate.
The Solution
Rather than extending regulatory oversight willy-nilly (no one, including the regulators, wanted that), the study group settled on a voluntary industry standard as the preferred framework to address these risks. An early draft from an IEC working group can be downloaded here. Within a year, the development of IEC 80001 was started under the aegis of ISO/TC 215 Working Group 7 (medical devices) and Working Group 4 (security).
The intent of this standard is to apply risk management to enterprise networks incorporating medical devices, and to do so throughout the life cycle of those networks. The standard defines a process and assigns responsibilities to each of the actors. You can purchase a copy of the current draft of the standard here ($20, or free if you're a member of AAMI).
What Does It All Mean?
Well, first off, the standard is not yet final. The expected date for the complete standard is 2010. Major changes to the standard between now and when it is finalized are not expected, but could occur.
Since this is a "voluntary" standard, no one has to implement it, right? Those responsible for ensuring the safety and effectiveness of medical devices expect this standard to be adopted by any provider connecting a medical device to an enterprise network. This could be accomplished if certain accreditation bodies adopted the standard as a requirement. Payors like CMS could also require adoption of the standard to qualify for reimbursement. The details here are a long way from resolved, but don't doubt for a minute that some day soon we will all be dealing with IEC 80001.
The standard will greatly impact providers, and to a lesser extent, medical device vendors. Information technology infrastructure vendors will also be somewhat impacted.
In the coming weeks, I'll be exploring in detail the potential impact this standard will have for providers and vendors alike.
UPDATE: Now you can read the next installment, IEC 80001 to Impact Providers.
Hi,
I just wanted to know whether this standard applies to digital video broadcasting networks as well.
My concern is the application of this standard in integrated operating room scenarios when we are routing video signals within the room or to the outside.
Thanks a lot
Great question; the answer is maybe.
If the video is part of the regulated medical device, and it is distributed over an IP network (rather than coax cable and video switchers), then the system would trigger the 80001 standard.
Such a system could also qualify as an MDDS under the FDA’s recent proposed rule on medical device data systems.
Excellent initiative, that IEC 80001! But we all see the difference between the standards organizations and the vendor world. So, for example, for wireless, which is my business today, may I hope that the IEC 80001 people work with the Wi-Fi Alliance, so that the end result would be an additional stamp from the Wi-Fi organization, WMG, for "Wi-Fi Medical Grade"?
We, in one of the top university hospitals of France, succeeded in running Draeger monitoring devices on exactly the same Wi-Fi architecture as for data usage. They would appreciate being backed by the vendors!