Table 3
The 18 indicators to evaluate risk management, including the priority and complexity of each indicator
| Subgroup | Indicator | Priority | Complexity |
| Performance of connected medical devices | No of residual risks identified |  |  |
| No of risk control measures* |  |  | |
| No of probable risks identified |  |  | |
| No of potential risks identified |  |  | |
| Effectiveness of connected medical devices | No of incidents in which data was lost |  |  |
| No of incidents in which the required information technology (IT) service was not available |  |  | |
| No of emergency operations caused by the connection to the IT network* |  |  | |
| No of incidents in which patient data were not available |  |  | |
| No of errors in patient data caused by the connection to the IT network |  |  | |
| Technical infrastructure | Average age of medical devices which are connected to IT network |  |  |
| No of malfunctions of medical devices which are connected to IT network |  |  | |
| No of failures of the medical IT network* |  |  | |
| No of deliberate acts | No of data thefts and data protection incidents* |  |  |
| No of blackmail attempts |  |  | |
| No of hacker attacks |  |  | |
| No of unauthorised or undetected connections |  |  | |
| No of malware activities (Trojans, worms, viruses, etc) |  |  | |
| No of unauthorised data changes and accesses |  |  |
*Indicators evaluated in the case study.