Healthcare Providers’ Readiness to Address Medical Device Cybersecurity within the Irish Healthcare System
Keywords
Vital Signs, Physiological Monitor, Medical Device, NEWS, Vital Signs Automation, Medical IT Network, Patient Safety, Cybersecurity Risks, IEC 80001:1 Standard, NIST, AAMI TIR57, NIS Directive, ENISA
Abstract
Medical devices that diagnose and treat critically ill patients have become sophisticated and complex, and manufacturers continue to develop these systems to meet market requirements as technology evolves. Combining medical devices and ICT into a distributed medical device IT system is one way to extend continuous monitoring from the patient bedside into interoperability with a clinical information system. These technology innovations aim to manage patient data and configure medical devices into networked systems that provide both functionality and safety. Implementing a medical device network solution allows a healthcare provider to manage the flow of information to improve clinical work practices and to deploy a system that can interoperate with other clinical information systems.
International Electrotechnical Commission (IEC) 80001-1 was developed to assist healthcare providers in identifying and managing the risks associated with medical devices sharing the same IT network with other systems and software. This standard defines roles, responsibilities, and activities in relation to the management of risk with medical devices on an IT network.
This study aims to determine whether International Electrotechnical Commission (IEC) 80001-1 is being implemented by Irish healthcare providers, and how familiar those providers are with the regulations, standards, and guidance needed for an effective medical device security risk-management program.
A literature review highlighted the restrictions healthcare providers face in adopting and implementing IEC 80001-1, and the security threats and risks present when integrating medical devices and IT networks. The research was conducted with clinical engineering members of the Biomedical and Clinical Engineering Association of Ireland (BEAI). The survey targeted BEAI members because of their experience, knowledge, and skill in supporting complex medical device systems. An anonymous online survey was created to determine knowledge, awareness, and familiarity with IEC 80001-1 and other medical device security risk-management guidelines.
The survey results revealed low knowledge, awareness, and familiarity among participants with IEC 80001-1 and with guidelines on medical device security risk management. These results were consistent with the literature review, which found that a key to successful standard adoption is collaboration between stakeholders and a multidisciplinary approach to compliance.