Published by Edward Lindsey. Modified over 9 years ago.
1
IEC-80001-1: The application of risk management to IT-networks incorporating medical devices
Specific Applications to Networked Medical Device
Nick Mankovich, Sherman Eagles, Todd Cooper, Karen Delvecchio, Rick Hampton
June 27, 2010
Act 2: Execute the Project Plan
Epilog: Sustain!
2
Cooper V1.2, AAMI, Tampa FL, June 27, 2010
Starting with IEC80001
Prolog
3
Is 80001 ever going to become a reality?
- IEC80001-1 publication is expected in Nov, 2010.
- Essential Technical Report guidance will be available in Q2, 2011: Security, wireless, step-by-step & HDO guidance documents
- Now is the time to get started with 80001 pilot projects!
4
IEC 80001
5
80001 Roles & Responsibilities
Stakeholder partnerships:
- Healthcare Provider / Responsible Organization
- Medical Device Manufacturers
- I.T. Technology Vendors
- 3rd Party Integrators
- Risk Management Experts
- …
… shared vision & mission!
6
RO – Top Management
Policies for…
- Risk Management Process
- Risk Acceptability Criteria
- Organizational Mission & Balancing between three KEY PROPERTIES
7
80001 Roles & Responsibilities
Medical-IT Network Risk Manager …
- Overall RM Process
- Reporting to Top Management
- Managing Communications – Internal & External
- Design, Maintenance & Performance of RM Process
Individual – not a Team!
8
80001-1 defines key documentation:
(graphic from IEC 80001-1 CDV)
- Supporting Documentation
- RO Policies & Procedures
- Medical-IT Network Risk Management File
- Responsibility Agreements
- Accompanying Documents / Manufacturer Residual Risk Disclosure
9
Starting with IEC80001
ACT 1: From Problem to Plan
- Scene 1: Getting the go ahead to try. Players: COO, CIO, head of Biomedical (BME)
- Scene 2: Starting to build the proposal. Players: BME, IT Security Manager (IT-SM)
- Scene 3: Proposing to the C’s. Players: COO, CIO, BME, IT-SM
- Scene 4: Now what do we do? Players: BME, IT-SM
10
How to get started with 80001 project?
1. Assemble Risk Management Policy team
   - Keep it very simple and WHAT must be done.
   - Write simple step guidance in parallel.
2. Use experience from Risk Management Policy to draft Responsibility Agreement.
3. Talk to your vendors (IT and Medical Device)
   - What risk information can/will they provide?
   - What risk discussions can they support?
   - What do they think of Responsibility agreement?
11
How to get started with 80001 project?
4. Decide on the system under analysis (start simple)
   - Choose a network or segment for 80001 risk management
   - Define clinical workflow
5. Select a multidisciplinary team with a clear leader:
   - Medical IT Network Risk Manager (clear leader)
   - Network specialist
   - Biomedical engineer
   - Clinical representative (Liaison for hospital risk management team)
12
How to get started with 80001 project?
6. Follow the basic RISK MANAGEMENT template provided with IEC80001 Technical Report
   Keep it simple, practical, and doable. (Beware: It is very easy to go too deep too early – enthusiastic teams often write “movie scripts”.)
   - Identification of Hazards
   - Analyze risk
   - Evaluate risk
   - Control risk
   - Residual risk sign-off (go-live decision)
13
Starting with IEC80001
ACT 2: Execute the Project Plan
- Scene 1: How to make a Responsibility Agreement. Players: Risk Manager, BME head, IT Vendor, Medical Device Vendor
- Scene 2: Risk managing. Players: Risk Manager, BME
14
Responsibility Agreement
- Name of responsible persons
- Scope of activities
- List of devices and IT equipment
- List of documents to be supplied
- Technical information supplied for risk analysis
- Definition of roles and responsibilities in event management
Not a static document!
16
Risk Management Process
Identify Hazards
- Loss of data
- Incorrect data
- Incorrect timing of data
- Degraded function of devices
- Unauthorized access to private data
- Etc…
Identify Causes
- Overloaded link
- Network configuration error
- Wireless dropout
- Network hardware failure
- IP Addressing conflict
- Security too aggressive
- Faulty cabling
- User/procedural error
- Etc…
Identify Risk Control Measures
- Network design, best practices
- Pre-go-live testing
- Redundancy
- IT procedures, Clinical procedures
- Etc…
17
Risk Management Process
1. Analyze Risk
   - Based on Probability and Severity
2. Evaluate Risk
   - Based on pre-defined risk acceptability criteria
   - Easily acceptable, Certainly unacceptable, or further evaluation needed
3. Control Risk
4. Determine GO / STOP
Systematic and Documented
Cross-functional team using same process and language
18
Probability Scales
- Improbable: Very unlikely that use will result in any Unintended Consequence
- Remote: Not likely to result in any Unintended Consequence
- Occasional: Somewhat likely to result in any Unintended Consequence
- Probable: Very likely to result in any Unintended Consequence
- Frequent: Unintended Consequences occur frequently or occur every time

Severity Scales (columns: Scale; Safety, Risk of Harm; Effectiveness; Security)
- Catastrophic
  Safety: Severe injury, death
  Effectiveness: Planned operation is no longer possible
  Security: May cause system extended outage or to be permanently closed, causing operations to resume in a Hot Site environment. May result in complete compromise of information or services.
- High
  Safety: Permanent impairment of body function or permanent damage of a body structure
  Effectiveness: Planned operation is disrupted or delayed
  Security: May cause considerable system outage, and/or loss of connected customers or business confidence. May result in compromise of a large amount of information or services.
- Medium
  Safety: Temporary and minor injury, medical intervention required
  Effectiveness: Inconveniencing to disrupted effect on operation
  Security: Will result in some tangible consequence, albeit negligible and perhaps only noted by a few individuals or agencies. May cause embarrassment. Will require some expenditure of resources to repair.
- Low
  Safety: Temporary discomfort, reversible without medical intervention
  Effectiveness: Very limited or inconveniencing effect on operation
  Security: Will have some minor effect on the system. It will require minimal effort to repair or reconfigure the system.
- Negligible
  Safety: Minor and short term discomfort
  Effectiveness: No or very limited impact on operation
  Security: Will have no impact if threat is realized and exploits vulnerability.
19
Unintended Consequence for Security; Effectiveness and Data and System Security
[Risk matrix graphic. Increasing Probability: Improbable, Remote, Occasional, Probable, Frequent. Increasing Severity: Negligible, Low, Medium, High, Catastrophic.]
Risk levels:
- Low: Risk is acceptable. Risk has little effect on goals, no additional control measures required.
- Moderate: Risk acceptability needs further consideration. Risk has some effect to goals but can be accepted when balanced with benefit. RO must pre-define policies in Risk Management Plan for risks in this level. Policies can include special team reviews (IT, clinical) or review boards, rationales, top management signoff, showing risk has been reduced as low as practicable, etc...
- High: Risk to goals is unacceptable, risk must be reduced before Medical IT network can be used, either by reducing likelihood or by reducing severity.
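The analyze / evaluate / control / GO-STOP sequence from the slides, worked through on a small risk register as an added example (not part of the original presentation or of IEC 80001-1). The matrix cell values, the worst-of-three-properties rule and the sign-off rule are assumptions standing in for the RO's own pre-defined acceptability policy; the register entries are constructed from hazards, causes and controls named on the slides.

```python
PROBABILITY = ["Improbable", "Remote", "Occasional", "Probable", "Frequent"]
SEVERITY = ["Negligible", "Low", "Medium", "High", "Catastrophic"]

# ASSUMPTION: constructed acceptability matrix standing in for the RO's policy.
# Rows follow SEVERITY, columns follow PROBABILITY; L/M/H = Low/Moderate/High.
MATRIX = ["LLLLM", "LLLMM", "LLMMH", "LMMHH", "MMHHH"]
LEVEL = {"L": "Low", "M": "Moderate", "H": "High"}

def risk_level(probability, severity):
    """severity maps each key property to a scale value; the worst one is used
    (an assumption, the slides do not say how the three columns combine)."""
    worst = max(SEVERITY.index(s) for s in severity.values())
    return LEVEL[MATRIX[worst][PROBABILITY.index(probability)]]

def evaluate(register, signoffs=frozenset()):
    """Return (decision, findings). STOP if any residual risk is High, or is
    Moderate without a documented sign-off (hypothetical policy rule)."""
    decision, findings = "GO", []
    for item in register:
        initial = risk_level(item["probability"], item["severity"])
        residual = risk_level(item.get("residual_probability", item["probability"]),
                              item.get("residual_severity", item["severity"]))
        blocked = residual == "High" or (
            residual == "Moderate" and item["hazard"] not in signoffs)
        if blocked:
            decision = "STOP"
        findings.append((item["hazard"], initial, residual, blocked))
    return decision, findings

# Constructed register entries built from hazards, causes and controls on the slides.
REGISTER = [
    {"hazard": "Loss of data", "cause": "Wireless dropout",
     "probability": "Probable",
     "severity": {"safety": "High", "effectiveness": "Medium", "security": "Negligible"},
     "control": "Redundancy", "residual_probability": "Remote"},
    {"hazard": "Incorrect timing of data", "cause": "Overloaded link",
     "probability": "Occasional",
     "severity": {"safety": "Medium", "effectiveness": "Medium", "security": "Negligible"},
     "control": "Network design, best practices", "residual_probability": "Improbable"},
]

if __name__ == "__main__":
    for signed in (set(), {"Loss of data"}):
        decision, findings = evaluate(REGISTER, signed)
        print(decision, findings)
```

With these constructed values the redundancy control moves "Loss of data" from High to Moderate, so the go-live decision stays at STOP until that residual risk has a recorded sign-off.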
20
Starting with IEC80001
Epilog
22
Medical IT Risk Management File
Contains full history of the project and sustaining work
- Project and network description
- Responsibility Agreement
- Risk management documentation
- Configuration documentation
- …anything else that captures the Risk Management activity
Controlled document repository
23
Event Management
- Capture and document negative events
- Evaluate events and propose changes (via change release management)
- Track all corrective and preventive actions leading to closure
- Report significant findings to Risk Manager
24
“Permits” – risk manage the mundane
- Optional – arise when system risk management is mostly complete.
- What can you risk assess and allow to change? Routine changes.
- Clearly defined constraints and conditions.
- Specifies how to document into the risk management file.
- Examples - adding or removing users, equipment etc. up to a certain level.
25
Closing thoughts
- Get started now with pilot projects … but keep it simple.
- Risk Managing the entire IT-network will take years – look for short term gains with progress toward long-term success.
- Always keep the healthcare mission in mind. An unplugged machine can be very safe & secure but not help your patients!
- Be ready for challenging conversations with team members, vendors, IT component suppliers etc. Keep it cool – we all want to do the right thing.
- Balance, balance, balance …
26
What will you get?
- Improved risk management with documentation (due diligence)
- Improved safety, effectiveness and security
- Better communication, better staff relations (CE/IT convergence)
- Risk awareness / transparency of risk / ownership of risk