Healthcare Providers’ Readiness to Address Medical Device Cybersecurity within the Irish Healthcare System

Medical devices that diagnose and treat critically ill patients have become sophisticated and complex. Device manufacturers have developed these systems to meet market requirements as technology evolves. Combining medical devices and ICT into a distributed medical device IT system is one way to provide continuous monitoring from the patient bedside together with interoperability with a clinical information system. These technology innovations aim to manage patient data and configure medical devices into networked systems that provide functionality and safety. Implementing a medical device network solution allows a healthcare provider to manage the flow of information to improve clinical work practices and to implement a system that is interoperable with other clinical information systems. International Electrotechnical Commission (IEC) 80001-1 was developed to assist healthcare providers in identifying and managing the risks that arise when medical devices share an IT network with other systems and software. The standard defines roles, responsibilities, and activities for managing risk with medical devices on an IT network. This study aims to determine whether IEC 80001-1 is being implemented by Irish healthcare providers and to determine their familiarity with the regulations, standards, and guidance appropriate to an effective medical device security risk-management program. A literature review highlighted the restrictions healthcare providers face in adopting and implementing IEC 80001-1 and the security threats and risks present when integrating medical devices and IT networks. The research was conducted with clinical engineering members of the Biomedical and Clinical Engineering Association of Ireland (BEAI).
The survey targeted BEAI members because of their experience, knowledge, and skill in supporting complex medical device systems. An anonymous online survey was created to determine knowledge, awareness, and familiarity with IEC 80001-1 and other medical device security risk-management guidelines. The results revealed low knowledge, awareness, and familiarity among participants with IEC 80001-1 and with guidelines on medical device security risk management. These results are consistent with the literature review finding that collaboration between stakeholders and a multidisciplinary approach to compliance are key to successful adoption of the standard.


INTRODUCTION
Physiological monitoring technology has advanced in the last few years, enabling these devices to be incorporated into healthcare providers' networks. Such a system provides real-time centralized management of patient monitors, with patients' vital signs supervised by clinicians, who can recognize and react immediately to clinical conditions through alarm notifications [1]. This clinical information system can be integrated with other hospital information systems, including a laboratory information system (LIS), patient administration system (PAS), and radiology information system (RIS). Greater automation of a provider's information systems has been associated with reductions in patient mortality, complications, and costs [2]. The International Electrotechnical Commission (IEC) developed and released a standard to address the risks associated with medical devices that share an IT network with other peripheral devices and software applications. IEC 80001-1, "Application of risk management for IT networks incorporating medical devices - Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software", defines the roles, responsibilities, and activities necessary for risk management before, during, and after connecting medical devices to IT infrastructure [3]. The objective of the standard is to prevent adverse incidents and patient harm in three areas, safety, effectiveness, and security, and it requires that a comprehensive risk management program be implemented.

Study Aims
This research study aimed to determine knowledge and awareness of the following within Irish healthcare:
• The IEC 80001-1 standard, "Application of risk management for IT networks incorporating medical devices", which defines roles, responsibilities, and activities.
• The restrictions prohibiting the adoption of the IEC 80001-1 standard and of a medical device security risk-management program.
• National Institute of Standards and Technology (NIST) guidelines to secure network-connected medical devices.
• Association for the Advancement of Medical Instrumentation (AAMI) guidance for effectively implementing a medical device security risk-management program.
• A medical device security risk-management program.
• Responsibility for implementing and managing a risk-management program relating to medical devices incorporated into medical IT networks.
• The National Early Warning Score (NEWS) and the criteria included in calculating the score.
• A digital initiative called Vital Signs Automation (VSA) that captures physiological parameters and automatically calculates the NEWS.

Literature Review
Medical devices have developed over time into sophisticated and complex systems that can be incorporated into medical IT networks. This digital transformation can benefit a healthcare provider but also exposes it to cybersecurity threats that can compromise patient safety [4]. In the European Union, medical devices are strictly regulated by safety protocols; however, when a medical device is integrated into an IT network, the result is a medical IT network [5]. IEC 80001-1 was developed in 2010 to identify and address the inherent risks of such networks and to assist with managing them. It has been revised several times to reduce its complexity and to enable healthcare providers to engage with implementation. The most recent release, IEC 80001-1:2021, includes significant technical changes to the application of risk management.

Search Strategy
A literature review was undertaken to inform the subject matter of this thesis and to provide a substantive review of it. The search criteria are outlined in Table 1.

Physiological Monitor
The World Health Organisation (WHO) defines a medical device as "any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination for a medical purpose" [6], covering prevention and screening, diagnosing illness, monitoring treatment, assisting disabled people, and intervening in and treating illness, both acute and chronic.
The European Medicines Agency (EMA) defines medical devices as "products or equipment intended for a medical purpose. In the European Union (EU) they must undergo a conformity assessment to demonstrate they meet legal requirements to ensure they are safe and perform as intended." [7] Two new EU laws were enacted in April 2017, the Medical Device Regulation (MDR) 2017/745 and the In Vitro Diagnostic Medical Devices Regulation (IVDR) 2017/746, replacing the previous medical device directives. These regulations aim to address the weaknesses of the previous directives and provide a secure, consistent regulatory framework across all medical devices on the EU market. Clearly defined requirements and specific obligations on stakeholders throughout the supply chain are the main points that stand out in the new regulations [8]. Patient physiological data from a bedside monitor can be routed to a central station monitor for display, printing, and alarm monitoring. The importance of this workstation cannot be overstated: it allows clinicians to respond to adverse patient events, review alarm history, and analyze trend data for research [9]. The increasing complexity of medical devices, particularly physiological monitors, brings the ability to monitor multiple vital-sign parameters simultaneously, each with its own alarms, and complex software that can include sub-screens from which the clinician navigates to other devices [10] and systems such as a RIS and LIS.
Clinicians can perform tasks such as admitting, transferring, and discharging patients, changing alarm limits, storing and retrieving parameter values and trends, and monitoring remote patients [11]. These systems are interoperable with modern electronic health records, enabling patient data to be transferred and populated in real time.

IEC 80001-1 Standard
IEC 80001-1:2021, "Application of risk management for IT networks incorporating medical devices - Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software", defines the roles, responsibilities, and activities necessary for risk management before, during, and after connecting medical devices to IT infrastructure [3]. The standard applies to responsible organizations, medical device manufacturers, and information technology providers. First published in 2010, the standard was considered too complex and complicated to implement; the latest revision, released in 2021, was recast as a process-based approach to overcome reported barriers such as a lack of alignment between IT and clinical engineering departments within hospitals and a lack of motivation from management to implement the standard [12]. The parts of ISO/IEC/TR 80001, published under the general title "Application of Risk Management for IT Networks Incorporating Medical Devices", are outlined in Table 2.
The role of clinical engineering (CE) / health technology management (HTM) departments will have to evolve to meet the risks and needs of healthcare technology, in line with organizational objectives and policies. Alwi et al. found that one of the key elements for successfully implementing this standard was collaboration between CE / HTM and IT departments [13].

Table 1. Electronic search criteria
Criteria: English language
Databases: UCD Library OneSearch, PubMed, ScienceDirect, Google, and Google Scholar
The risk management process has three main phases (Table 3).
Implementing this standard's risk management framework relies on IT best practices and on increasing convergence of the CE / HTM and IT departments. This collaboration is key to ensuring the safe management of medical device IT networks for the benefit of staff and patients [13]. In 2015, ISO published a technical report, ISO/TR 80001-2-7:2015, giving healthcare providers guidance on self-assessing conformance to the standard. It includes a Process Reference Model (PRM) and a Process Assessment Model (PAM) with assessment questions to help identify strengths and weaknesses in the risk management process [14]. In 2016, a further technical report, IEC TR 80001-2-8:2016, was developed to guide healthcare providers and medical device manufacturers in identifying security controls and addressing each security capability within the risk management process [15].

Standards and Risk Management
NIST developed the Cybersecurity Framework (CSF) to enable organizations to protect themselves and to continue business operations during an attack. The CSF allows organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices [16]. As seen in Table 4, the CSF is organized into five core functions.
The NIST CSF guides healthcare organizations in managing assets, identifying their vulnerabilities, and fending off a growing number of malicious attacks as new digital transformation projects are incorporated [17]. In 2016, AAMI published Technical Information Report 57 (TIR57) to assist medical device engineers in integrating cybersecurity risk management into device development so that potential threats can be identified and mitigated before the device is placed on the market. TIR57 focuses on cyber risks and provides steps for identifying and evaluating threats and vulnerabilities, selecting security risk controls, and monitoring the usability of those controls. The FDA has recognized this report as a consensus standard, reflecting the need to protect medical devices during the transition to digital healthcare.

Table 2. ISO/IEC/TR 80001 parts (extract)
Part 2-7: Guidance for healthcare delivery organisations (HDOs) on how to self-assess their conformance with IEC 80001-1.
Part 2-8: Application guidance on standards for establishing the security capabilities identified in IEC 80001-2-2.

Table 3. IEC 80001-1 risk management phases
Phase 1: Risk assessment to identify application hazards and assess the risk of each.
Phase 2: Risk evaluation and control to mitigate identified risks, re-evaluate, and develop a report.
Phase 3: Post-project and operation, to continuously monitor and reassess risk.

Table 4. NIST CSF core functions
1. Identify: identify physical assets and information to establish a risk management strategy tailored to the organization's business function.
2. Protect: protect the assets and data from malicious attacks or unintentional compromise.
3. Detect: monitor the environment for security incidents and events.
4. Respond: respond to attempted or successful attacks.
5. Recover: recover from the attack and adjust security policies in retrospect.
In 2016, the EU enacted cybersecurity legislation in the form of the Network and Information Systems (NIS) Directive, Directive (EU) 2016/1148, to enhance cybersecurity across member states. As shown in Table 5, the NIS Directive has three parts.
The European Network and Information Security Agency (ENISA) supports implementation of the NIS Directive by helping member states identify good practices, supporting the EU-wide cybersecurity incident reporting process, providing guidance on common approaches and procedures, and assisting member states in addressing common cybersecurity issues [19]. ENISA has developed good-practice guidelines for managing cybersecurity threats to medical devices.
The National Electrical Manufacturers Association (NEMA) developed a voluntary standard in 2008, the Manufacturer Disclosure Statement for Medical Device Security (MDS2), to assist responsible persons in assessing security risks when managing medical device security issues. The form allows a medical device manufacturer to answer a series of questions covering the relevant security capabilities of a device, and it is shared with the healthcare provider [20]. ISO/IEC 27001:2022 was developed for information security management systems (ISMS) and provides a systematic and comprehensive approach to managing and protecting sensitive information. The standard sets out several requirements that organizations must meet, including developing security policies, performing risk assessments, defining information security roles, managing and maintaining an inventory of assets, training staff to be security aware, developing a business continuity plan, ensuring compliance with applicable legislation such as GDPR, developing an incident response plan, monitoring the performance of the ISMS, and restricting access to information to authorized personnel only [21]. The EU Medical Device Coordination Group published guidance on cybersecurity for medical devices in 2019 to help manufacturers fulfil the cybersecurity-related requirements of Annex I of MDR 2017/745 and IVDR 2017/746. Manufacturers must develop products that take risk-management and information security principles into account, and the guidance sets out minimum requirements for IT security measures, including protection against unauthorized access [22].
Argaw et al. found that building and improving the cyber resilience of a healthcare provider is vital and a shared responsibility. Clinicians and administrative staff should be trained and practise digital hygiene, decision-makers should enforce policies that include cybersecurity in purchasing decisions, and hospital information security teams should maintain security tools to safeguard the provider and its patients [23].

Method
The purpose of this project was to determine whether the standard IEC 80001-1, "Application of risk management for IT networks incorporating medical devices", is being implemented by Irish healthcare providers and to determine their familiarity with regulations and with the standards and guidance appropriate to an effective medical device security risk-management program. The online questionnaire was hosted on Qualtrics, which generated a report of the responses to each question posed.

Question 1, Position
Participants were asked to outline their current position within clinical engineering, whether working in a hospital setting or for a private enterprise.


Question 1 responses
Response | Count | Percentage
Working within a healthcare provider | 31 | 79
Working for a private company | 8 | 21
Total | 39 | 100

Question 2, Experience
Participants were asked if they had any prior experience integrating medical devices with medical IT networks.

Question 3, Support
This question asked participants whether they support medical devices integrated with medical IT networks.

Question 4, Clinical Engineers
Clinical engineers' skills, abilities, and knowledge have expanded to support medical systems that have become more complex with hardware and software technology.

Question 5, Responsibility
Who maintains and supports your organization's medical device systems and IT networks?

Question 6, Standards
The importance of standards cannot be overstated, particularly as they relate to healthcare and patient safety.

Question 7, IEC 80001-1
Participants were asked to indicate knowledge and awareness of IEC 80001-1 standard -"Application of risk management for IT networks incorporating medical devices, defining roles, responsibilities and activities."

Question 8, NIST Guidelines
Participants were asked to indicate familiarity with NIST guidelines to secure network-connected medical devices.

Question 8 responses (partial)
Response | Count | Percentage
Not at all aware | 7 | 19

Question 9, AAMI Guidelines
Participants were asked to indicate their level of knowledge and awareness of the AAMI guidance for implementing an effective medical device security risk-management program.

Question 10, Security
Participants were asked whether a medical device security risk-management program for a medical IT network had been implemented within their organization.

Question 11, Implementation
Participants were asked whether the IEC 80001-1 standard, "Application of risk management for IT networks incorporating medical devices", had been implemented within their organization.

Question 12, Responsibility
Participants were asked who is responsible for implementing and managing a risk management program for medical devices incorporated into medical IT networks.

Question 13, Restrictions
Participants were asked what they felt were the restrictions prohibiting the adoption of the IEC 80001-1 standard and of a medical device security risk-management program. The three response options were the main barriers and restrictions to adopting this standard identified in the literature review.

Question 14, NEWS
Participants were asked to indicate their level of knowledge and awareness of the NEWS and the criteria included to calculate the score.

Question 15, Digital NEWS & VSA
Participants were asked to indicate knowledge and awareness of a digital initiative called VSA, which captures physiological parameters such as oxygen saturation, blood pressure, pulse rate, heart rate, and temperature and automatically calculates the NEWS, which is used to track whether a patient's condition is deteriorating.
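Question 15 concerns a VSA system that captures vital signs and computes the NEWS automatically, and the study aims and Question 14 refer to the criteria behind that score. The following Python example is added here as an illustration; it is not part of the original study and is not code from any HSE or VSA product. It shows what the aggregation looks like in code and adds the input plausibility check a practitioner would want before readings arriving from a networked device are scored. The scoring bands and clinical-risk thresholds are an assumption taken from the published NEWS2 chart (Royal College of Physicians, 2017); the Irish NEWS chart in local use may differ, and the sample observations are constructed.

```python
"""Aggregate NEWS from one set of vital-sign observations, with input plausibility checks."""
from dataclasses import dataclass

# Scoring bands are the published NEWS2 (Royal College of Physicians, 2017) scale-1
# bands, ASSUMED here for illustration; the Irish NEWS chart in local use must be
# checked against the current HSE / NCEC guideline before any clinical use.
# Each band list is (upper_inclusive_limit, points), ascending; None = no upper limit.
RESP_BANDS = [(8, 3), (11, 1), (20, 0), (24, 2), (None, 3)]
SPO2_BANDS = [(91, 3), (93, 2), (95, 1), (None, 0)]
SBP_BANDS = [(90, 3), (100, 2), (110, 1), (219, 0), (None, 3)]
PULSE_BANDS = [(40, 3), (50, 1), (90, 0), (110, 1), (130, 2), (None, 3)]
TEMP_BANDS = [(35.0, 3), (36.0, 1), (38.0, 0), (39.0, 1), (None, 2)]

# Plausibility limits (assumed, not from the page): readings outside these ranges
# are more likely a faulty, misconfigured or tampered device than a real patient.
PLAUSIBLE = {
    "resp_rate": (0, 80),
    "spo2": (0, 100),
    "systolic_bp": (0, 300),
    "pulse": (0, 300),
    "temperature": (25.0, 45.0),
}


@dataclass(frozen=True)
class Observation:
    """One observation set as a VSA device or nurse would record it."""
    resp_rate: int        # breaths per minute
    spo2: int             # oxygen saturation, %
    on_oxygen: bool       # supplemental oxygen in use
    systolic_bp: int      # mmHg
    pulse: int            # beats per minute
    alert: bool           # True = Alert on ACVPU; False = new confusion, V, P or U
    temperature: float    # degrees Celsius


def band_points(value, bands):
    """Return the points for the first band whose upper limit the value does not exceed."""
    for upper, points in bands:
        if upper is None or value <= upper:
            return points
    raise ValueError("band table has no open-ended final band")


def implausible_fields(obs):
    """Names of fields whose values fall outside the plausibility limits."""
    return [name for name, (lo, hi) in PLAUSIBLE.items()
            if not lo <= getattr(obs, name) <= hi]


def component_scores(obs):
    """Per-parameter NEWS points for a validated observation."""
    return {
        "resp_rate": band_points(obs.resp_rate, RESP_BANDS),
        "spo2": band_points(obs.spo2, SPO2_BANDS),
        "oxygen": 2 if obs.on_oxygen else 0,
        "systolic_bp": band_points(obs.systolic_bp, SBP_BANDS),
        "pulse": band_points(obs.pulse, PULSE_BANDS),
        "consciousness": 0 if obs.alert else 3,
        "temperature": band_points(obs.temperature, TEMP_BANDS),
    }


def news_score(obs):
    """Return (aggregate score, clinical risk band, per-parameter points).

    Raises ValueError rather than scoring when any reading is implausible, so a
    corrupted or spoofed value cannot silently lower or raise the score.
    """
    bad = implausible_fields(obs)
    if bad:
        raise ValueError(f"implausible reading(s): {', '.join(bad)}")
    parts = component_scores(obs)
    total = sum(parts.values())
    # NEWS2 clinical-risk bands: 7+ high; 5-6 medium; any single parameter
    # scoring 3 low-medium; otherwise low.
    if total >= 7:
        risk = "high"
    elif total >= 5:
        risk = "medium"
    elif 3 in parts.values():
        risk = "low-medium"
    else:
        risk = "low"
    return total, risk, parts


if __name__ == "__main__":
    # Constructed sample observations (not real patient data).
    stable = Observation(16, 97, False, 120, 70, True, 36.8)
    deteriorating = Observation(22, 93, True, 95, 115, True, 38.5)
    for obs in (stable, deteriorating):
        total, risk, parts = news_score(obs)
        print(f"NEWS {total} ({risk}): {parts}")
    try:
        news_score(Observation(16, 250, False, 120, 70, True, 36.8))
    except ValueError as err:
        print("rejected:", err)
```

Rejecting implausible readings outright, rather than clamping them into the nearest band, is the deliberate design choice: a saturation of 250% or a pulse of 0 from a device on a shared network is a data-integrity event that should be surfaced to the clinician and the IT / CE teams, not quietly folded into a score that drives escalation decisions.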

CONCLUSION
Strengths
A benefit of the survey is that it generated greater awareness among participants that standards are available for cybersecurity risk management of medical devices and that a national initiative, digital NEWS (VSA), is being implemented across acute hospital settings. The barriers to adopting IEC 80001-1 reported in the literature correlated with the study results.

Implications of the Research Study
The research findings highlighted the barriers to implementing this standard: participants agreed that a lack of management support to provide resources and a lack of alignment between the clinical engineering and IT departments were the main restrictions to adoption. The literature review highlighted the inherent cybersecurity threats when integrating a medical device into a medical IT network. Healthcare providers and the appropriate stakeholders must adopt and implement a cybersecurity risk management program, principally IEC 80001-1, and ensure compliance in order to minimize adverse events and incidents.

Recommendations and Future Research
The research study results highlight the lack of knowledge, awareness, and adoption of the standard IEC 80001-1, "Application of risk management for IT networks incorporating medical devices", and a low level of familiarity with regulations and with the standards and guidance appropriate to an effective medical device security risk-management program among Irish healthcare providers. The following recommendations are required at the local healthcare provider, regional hospital group, and national level for adoption and implementation to be successful:
• Education of the appropriate internal and external stakeholders on the importance of standards and their adoption, focusing on IEC 80001-1. This involves developing a training resource and engaging the Health Service Executive (HSE) and healthcare provider management to provide resources for developing expertise and to coordinate the availability of personnel to deliver education.
• Making the adoption and implementation of IEC 80001-1 easier by removing the historical barriers to adoption. HSE management should provide guidance and governance to healthcare providers, enabling a simple pathway to compliance. Increased and close collaboration between all stakeholders is essential for successful adoption and implementation of the standard.

Conclusion
Medical devices integrated into healthcare providers' IT networks have become more prevalent over the last few years, specifically physiological monitoring. This integration and convergence of medical systems with traditional IT networks has transformed the IT architecture and introduced additional risks that bear on the safety and security of the medical IT network. This was highlighted recently within the Health Service Executive (HSE) by the WannaCry ransomware attack in May 2017 and by the major ransomware attack of May 2021, which caused all of the HSE's IT systems nationwide to be shut down.
The IEC 80001-1 standard was developed to assist healthcare providers in applying risk management and system security to minimize threats to patient safety and infrastructure by defining roles, responsibilities, and activities. NIST provides guidelines to secure network-connected medical devices. AAMI guides healthcare providers in implementing an effective medical device security risk-management program. This study highlights the barriers to adoption of IEC 80001-1 and makes recommendations to ensure compliance with the implementation of this standard, particularly given the increasing number of digital transformation projects being realized across acute hospital settings in Ireland [18].
