Introduction
More and more processes in modern healthcare are digitalised. Looking at current trends (eg, telemedicine, artificial intelligence, medical apps), this level of digitalisation will continue to increase in the coming years. Digitalisation also affects medical technology. Today’s medical devices are designed to exchange data with other medical devices and clinical information systems. Incorporating medical devices into hospital IT networks is therefore essential as it contributes to the effectiveness of clinical processes and safe patient care.[1,2]
However, digitalisation and the networking of medical devices can pose new risks that could jeopardise the effectiveness of clinical processes or patient safety.[3,4] Technical failures, unauthorised actions, compromised information or functions, deliberate actions or organisational failures, among other things, are fundamental threats to be aware of when integrating medical devices into hospital IT networks. For this reason, hospitals need to establish specific IT risk management procedures for medical devices to deal with these potential IT threats.[5–7]
Numerous standards[8,9] and scientific works[10] exist for IT risk management. IEC 81001-5-1[11] defines security activities in the product life cycle for health software and health IT systems and is therefore primarily intended for developers. IEC 80001-1 and the associated technical reports represent the current state of the art for risk management to control hazards that may arise from incorporating medical devices into IT networks. The standard, which is mainly intended for operators of medical IT networks (eg, hospitals), was initially published in 2010[12] and updated with a second edition in 2021.[13] IEC 80001-1 has also been adopted as a European standard and in various national standards (eg, DIN EN 80001-1:2011 for Germany).
However, implementing IEC 80001-1 is not trivial.[5] First, risk managers face the practical problem that IEC 80001-1 is often considered too complicated and too complex to implement.[14–16] One reason for its complexity is that the standard does not describe any concrete implementation measures. Even the associated technical reports (eg, IEC/TR 80001-2-1:2012 or ISO/TR 80001-2-7:2015) and the 2021 edition of IEC 80001-1[13] do not solve this problem. Compared with the first version of IEC 80001-1 from 2010, the current version from 2021 formulates more concrete implementation recommendations. This is achieved primarily through the more detailed requirement descriptions in Annex A (IEC 80001-1 requirements mapping table) and Annex B (Guidance for accompanying document information). The complexity of the practical implementation is thereby reduced, but not completely eliminated. IEC/TR 80001-2-1 focuses on 10 steps to help in the application of risk management. Still, it does not provide a full outline or explanation of all requirements covered by IEC 80001-1 (eg, organisational aspects). IEC/TR 80001-2-7 provides guidance for hospitals to self-assess their conformance with IEC 80001-1, but it does not introduce any requirements in addition to those expressed in IEC 80001-1 (eg, priority of requirements, critical success factors). Another factor in German-speaking countries is that risk management is often based only on the translated national standards of IEC 80001-1. The national standards are still based on the first, superseded version of IEC 80001-1 (eg, DIN EN 80001-1:2011 in Germany), and most of the associated technical reports are not even available in German. Second, the standards do not define the importance and practicability of the different steps that help apply IEC 80001-1.
In addition, the specific interpretation and implementation of the requirements described in general terms in IEC 80001-1 vary depending on the region in which the hospital is located and the relevant regulatory requirements.[16] Third, the standards do not describe specific methods to evaluate whether the intended effects of IT risk management have been achieved. The intended effects on information security, the effectiveness of processes and the safety of patients are generally assumed but not systematically reviewed. Therefore, the effectiveness of IEC 80001-1 with regard to contemporary cybersecurity is unknown.[17] The lack of methods for evaluating and reviewing correctness and efficacy is often observed in health and medical informatics and is described as a general problem.[18]
Some non-scientific guidelines[19] and a few scientific papers[16] have tried to address the aforementioned difficulties in the implementation of IEC 80001-1. In comparison to these approaches, we wanted to go into further detail in order to offer hospitals a kind of ‘cookbook’ for IEC 80001-1 implementation and evaluation.
Therefore, the present work aimed to develop and verify a catalogue of measures to help hospitals implement risk management in accordance with IEC 80001-1. The catalogue should also provide indicators that allow hospitals to evaluate the impact of the implemented measures. It should also describe implementation measures and indicators in as much detail as possible, explaining the importance of each measure and indicator as well as the resources (technical, organisational, financial) that should be expected for their implementation. Finally, the catalogue should consider the abovementioned challenges of implementing IEC 80001-1 in German-speaking countries.