Table 2
The 49 measures to implement risk management, including the priority and complexity of each measure
| Subgroup | Measure | Priority | Complexity |
| Organisation | External laws and regulations must be taken into account* |  |  |
| The users must learn the network functions of the medical device* |  |  | |
| Information technology (IT) standards and frameworks [Control Objectives for Information and Related Technologies (COBIT), Information Technology Infrastructure Library (ITIL), etc] must be integrated* |  |  | |
| A professionally qualified risk manager must be appointed* |  |  | |
| Roles and tasks of the risk manager must be clearly defined* |  |  | |
| Roles and tasks of the manufacturers must be clarified* |  |  | |
| Roles and tasks of users must be defined* |  |  | |
| Responsible leadership must be appointed* |  |  | |
| Possible stakeholders must be identified and informed* |  |  | |
| Scopes must be defined* |  |  | |
| Risk management processes must be developed and implemented* |  |  | |
| Risk management activities must be evaluated regularly and improved if necessary |  |  | |
| Interface between medical technology and IT department must be ensured* |  |  | |
| A coordinated procurement process for medical devices must be established* |  |  | |
| Reporting to the responsible management must be implemented* |  |  | |
| A risk management file must be created* |  |  | |
| All networked medical devices/systems must be recorded and documented* |  |  | |
| A complete network description and documentation must be kept* |  |  | |
| Document guidance must be introduced* |  |  | |
| Risk identification | Ask manufacturers about possible cyber risks of their medical device* |  |  |
| Ask users what impact a medical device failure has* |  |  | |
| Ask the IT department about general IT threats |  |  | |
| Identify the purpose of the connection to the IT network and derive risk situations* |  |  | |
| Identify critical clinical areas and automatically assume critical networking there* |  |  | |
| Identify data flows completely and derive possible errors and effects |  |  | |
| Create or adapt hazard catalogue* |  |  | |
| Risk analysis | Define risk matrix* |  |  |
| Define probabilities of occurrence* |  |  | |
| Define implications for data and information security* |  |  | |
| Define impact for process effectiveness* |  |  | |
| Define implications for patient safety* |  |  | |
| Assess risks for each potential hazard* |  |  | |
| Document risk analyses and evaluations* |  |  | |
| Risk minimisation | The medical IT network must be constantly monitored* |  |  |
| Basic general IT security (eg, ISO 2700x) must be ensured* |  |  | |
| Incident and event management must be developed and implemented |  |  | |
| Implement network segmentations based on risk analysis |  |  | |
| Interface and communication standards (eg, HL7, DICOM) must always be applied* |  |  | |
| The technical infrastructure must be continuously kept at state of the art* |  |  | |
| Manual data processing procedures should be identified as possible workarounds* |  |  | |
| Risk-minimising measures must be regularly reviewed and documented |  |  | |
| Catalogue for risk-minimising measures must be created and implemented |  |  | |
| Residual risks | Residual risks must be systematically assessed and justified |  |  |
| Residual risks must be documented in an understandable manner |  |  | |
| Residual risks must always be accepted by top management* |  |  | |
| Change management | Systematic change and configuration processes must be developed |  |  |
| All changes and configurations must be approved by IT risk management* |  |  | |
| Frequent changes should be defined as standard processes (routine) |  |  | |
| Significant changes or new installations should be organised as a project* |  |  |
*Measures implemented in the case study.