Hospitals around the world face potentially costly and devastating risks to their patients and financial bottom line because of the vulnerabilities introduced when medical devices are connected to information technology (IT) networks.

Those risks, however, could be significantly mitigated through the application of thoughtful and comprehensive risk management practices, according to a new resource from AAMI, called Health IT Risk Management, that lays out the business case for the use of a series of standards known as 80001 (IEC 80001).

Whether it’s a software patch that takes down an entire fleet of life-critical infusion pumps or a network upgrade that winds up crashing a patient monitoring system, the threats posed by the highly technical and interconnected nature of modern healthcare are real and consequential.

“Imagine having a plan in place that would help your staff know what to do under such alarming circumstances and help prevent such disruptions from happening in the first place,” reads Health IT Risk Management. “Fortunately, a standard was developed by a distinguished committee of medical device manufacturers, IT experts, and others with a keen understanding of medical devices and IT systems—and how they must work together.”

The 80001 series of standards provides IT and healthcare technology management (HTM) professionals working in hospitals with detailed guidance on how to safely incorporate medical devices into IT networks, as well as a solid framework to manage the ever-changing risks associated with these networks.

“Whenever we present the standard to healthcare organizations, they say, ‘Yes, this is exactly what we need, this is exactly what we’ve been looking for,’” says Todd Cooper, executive director at Breakthrough Solutions Foundry and co-chair of the committee that developed the standard.

Network troubles are serious matters in modern healthcare. According to the Ponemon Institute, the average cost of a data breach in the healthcare industry is a sobering $2.2 million. Another study by Emerson Network Power estimates that unplanned data center downtime costs close to $9,000 per minute for healthcare organizations.

The 80001 series of standards defines the roles, responsibilities, and activities of healthcare delivery organizations in managing health IT risks. Several of the key benefits of the 80001 series, according to Health IT Risk Management, include:

  • Providing a framework for analyzing and controlling health IT risks related to safety, effectiveness, and data and system security
  • Helping mitigate constant cybersecurity threats with proactive control measures
  • Ensuring “ownership” for every component of systems and networks
  • Promoting shared responsibility and partnerships for the safety of health IT among healthcare systems and vendors
  • Complementing quality system implementation and improvements
  • Reducing reactive labor and disaster-mode situations
  • Helping reduce costs associated with downtime and inefficiencies

Although many healthcare delivery organizations already have risk management systems in place, most probably do not yet have a systematic approach for managing health IT risks effectively.

“You don’t realize how bad it is until we do an actual gap analysis—and everybody’s jaw is on the ground when they see the gaps. It’s mind-blowing. Once you see it, you have to do something,” says Scott Nudelman, general manager of biomedical services at GE Healthcare, in the Health IT Risk Management report.