The MedITNet Assessment Framework: Development and Validation of a Framework for Improving Risk Management of Medical IT Networks

Medical devices are increasingly designed for incorporation into a hospital’s IT network allowing devices to exchange critical information. However, connecting devices in this way can introduce risks potentially negating the benefits to patients. While the IEC 80001-1 standard has been developed to aid Healthcare Delivery Organisations (HDOs) in addressing these risks, HDOs often struggle to understand and implement the requirements. The MedITNet framework has been developed to allow HDOs to assess the capability of their risk management processes against the requirements of IEC 80001-1. MedITNet provides a flexible assessment framework enabling HDOs to gain a understanding of the requirements of the standard and to improve risk management processes by determining their current state and highlighting areas for improvement. This paper examines the challenges faced by HDOs in the risk management of medical IT networks and explains the components of the MedITNet framework and how the framework addresses these challenges. The use of Action Design Research (ADR) in the development and validation of MedITNet are also discussed focusing on a pilot implementation of the assessment method and expert review of the overall framework. The changes to the framework and its components as a result of the validation process are also discussed

Improving Safety in Medical Devices from Concept to Retirements

As with many domains the use of software within the healthcare industry is on the rise [1, 2] within the last 20 years

Development and Validation of the MedITNet Assessment Framework: Improving Risk Management of Medical IT Networks

The use of networked medical devices can provide a number of benefits such as improved patient safety, reduced costs of care and a reduction in adverse events. Traditionally, medical devices were placed onto a proprietary IT network provided by the manufacturer of the device. Today, medical devices are increasingly designed for incorporation into a hospital’s general IT network enabling devices to exchange critical information. However, this can introduce risks and negate the potential benefits to patients. While the IEC 80001-1 standard has been developed to aid Healthcare Delivery Organisations (HDOs) in addressing these risks, HDOs may struggle to understand and implement the requirements. The MedITNet framework has been developed to allow HDOs to assess the capability of their risk management processes against the requirements of IEC 80001-1. MedITNet provides a flexible assessment framework enabling HDOs to gain a greater understanding of the requirements of the standard and to improve risk management processes by determining their current state and highlighting areas for improvement. This paper examines the challenges faced by HDOs in the risk management of medical IT networks and briefly explains the components of the MedITNet framework and how the framework addresses these challenges. This paper also details how Action Design Research (ADR) was used in the development and validation of MedITNet

A proposed approach to the revision of IEC 80001-1 following annex SL

IEC 80001-1 was published in 2010 and is now undergoing revision. Feedback gathered on the adoption of the standard has revealed a number of barriers that have impacted its adoption. The standard provides requirements related to the roles, responsibilities and activities that need to be performed for the risk management of medical IT networks. One reported barrier is a lack of drivers to motivate Top Management to implement the standard. In addition, there is a lack of alignment between IT and biomedical engineering departments within hopitals. Finally, the IEC 80001-1 standard was considered to be too complicated and complex to implement. This paper presents the barriers identified in the feedback and presents an approach to the revision of the standard as a process based management system standard in accordance with ISO/IEC Directives Annex SL as a means to overcome these barriers

Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem

The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This multifaceted problem must be viewed from a systemic perspective if adequate protection is to be put in place and patient safety concerns addressed. This requires technical controls, governance, resilience measures, consolidated reporting, context expertise, regulation, and standards. It is evident that a coordinated, proactive approach to address this complex challenge is essential. In the interim, patient safety is under threat

Pathways, technology and the patient—connected health through the lifecycle

Connected Health solutions are ubiquitous in providing patient centered care and in responding to a new paradigm of care pathways where Health Information Technology is being introduced. This paper defines Connected Health, and, in particular, describes standards and regulations which are important to the implementation of safe, effective and secure Connected Health solutions. This paper provides: a holistic view of Connected Health; provides a standards and regulations based view of the lifecycle of the Health IT system; and identifies the relevant roles and responsibilities at the various stages of the lifecycle for both manufacturers of connected health solution and healthcare delivery organization solutions. We discuss how the implementation of standards and regulations, while implementing and using Health IT infrastructure, requires close collaboration and ongoing communication between Healthcare Delivery Organizations and Accountable Manufacturers throughout the lifecycle of the health IT system. Furthermore, bringing technology into the healthcare system requires a robust and comprehensive approach to Clinical Change Management to support the business and clinical changes that the implementation of such solutions requires. Ultimately, to implement safe, effective, and secure Connected Health solutions in the healthcare ecosystem, it requires that all those involved work together so that the main requirement—patient-centered care—is realized

Think twice before you click! : exploring the role of human factors in cybersecurity and privacy within healthcare organizations

The urgent need to protect sensitive patient data and preserve the integrity of healthcare services has propelled the exploration of cybersecurity and privacy within healthcare organizations [1]. Recognizing that advanced technology and robust security measures alone are insufficient [2], our research focuses on the often-overlooked human element that significantly influences the efficacy of these safeguards. Our motivation stems from the realization that individual behaviors, decision-making processes, and organizational culture can be both the weakest link and the most potent tool in achieving a secure environment. Understanding these human dimensions is paramount as even the most sophisticated protocols can be undone by a single lapse in judgment. This research explores the impact of human behavior on cybersecurity and privacy within healthcare organizations and presents a new methodological approach for measuring and raising awareness among healthcare employees. Understanding the human influence in cybersecurity and privacy is critical for mitigating risks and strengthening overall security posture. Moreover, the thesis aims to place emphasis on the human aspects focusing more on the often-overlooked factors that can shape the effectiveness of cybersecurity and privacy measures within healthcare organizations. We have highlighted factors such as employee awareness, knowledge, and behavior that play a pivotal role in preventing security incidents and data breaches [1]. By focusing on how social engineering attacks exploit human vulnerabilities, we underline the necessity to address these human influenced aspects. The existing literature highlights the crucial role that human factors and awareness training play in strengthening cyber resilience, especially within the healthcare sector [1]. Developing well-customized training programs, along with fostering a robust organizational culture, is vital for encouraging a secure and protected digital healthcare setting [3]. Building on the recognized significance of human influence in cybersecurity within healthcare organizations, a systematic literature review became indispensable. The existing body of research might not have fully captured all ways in which human factors, such as psychology, behavior, and organizational culture, intertwined with technological aspects. A systematic literature review served as a robust foundation to collate, analyze, and synthesize existing knowledge, and to identify gaps where further research was needed. In complement to our systematic literature review and investigation of human factors, our research introduced a new methodological approach through a concept study based on an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and psychology in the context of cybersecurity, we designed this survey to probe the multifaceted dimensions of cybersecurity awareness. The exploratory nature of the survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing information that is often overlooked in conventional analyses. By employing this tailored survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures

Challenges and Opportunities for Conducting Dynamic Risk Assessments in Medical IoT

Modern medical devices connected to public and private networks require additional layers of communication and management to effectively and securely treat remote patients. Wearable medical devices, for example, can detect position, movement, and vital signs; such data help improve the quality of care for patients, even when they are not close to a medical doctor or caregiver. In healthcare environments, these devices are called Medical Internet-of-Things (MIoT), which have security as a critical requirement. To protect users, traditional risk assessment (RA) methods can be periodically carried out to identify potential security risks. However, such methods are not suitable to manage sophisticated cyber-attacks happening in near real-time. That is the reason why dynamic RA (DRA) approaches are emerging to tackle the inherent risks to patients employing MIoT as wearable devices. This paper presents a systematic literature review of RA in MIoT that analyses the current trends and existing approaches in this field. From our review, we first observe the significant ways to mitigate the impact of unauthorised intrusions and protect end-users from the leakage of personal data and ensure uninterrupted device usage. Second, we identify the important research directions for DRA that must address the challenges posed by dynamic infrastructures and uncertain attack surfaces in order to better protect users and thwart cyber-attacks before they harm personal (e.g., patients’ home) and institutional (e.g., hospital or health clinic) networks

The Future of Medical Device Regulation and Standards: Dealing with Critical Challenges for Connected, Intelligent Medical Devices

The paper reviews the main trends in the existing standards and regulatory landscape applicable to connected, intelligent medical devices (CIMDs) and captures critical challenges and potential gaps in this area. Based on interviews and a roundtable with key experts and practitioners in the field, the White Paper identifies several critical challenges that should inform the future development of standards and guidelines applicable to CIMDs, with a specific focus on artificial intelligence, cybersecurity, and data governance issue

Model-based specification of safety compliance needs for critical systems : A holistic generic metamodel

Abstract Context: Many critical systems must comply with safety standards as a way of providing assurance that they do not pose undue risks to people, property, or the environment. Safety compliance is a very demanding activity, as the standards can consist of hundreds of pages and practitioners typically have to show the fulfilment of thousands of safety-related criteria. Furthermore, the text of the standards can be ambiguous, inconsistent, and hard to understand, making it difficult to determine how to effectively structure and manage safety compliance information. These issues become even more challenging when a system is intended to be reused in another application domain with different applicable standards. Objective: This paper aims to resolve these issues by providing a metamodel for the specification of safety compliance needs for critical systems. Method: The metamodel is holistic and generic, and abstracts common concepts for demonstrating safety compliance from different standards and application domains. Its application results in the specification of “reference assurance frameworks” for safety-critical systems, which correspond to a model of the safety criteria of a given standard. For validating the metamodel with safety standards, parts of several standards have been modelled by both academic and industry personnel, and other standards have been analysed. We further augment this with feedback from practitioners, including feedback during a workshop. Results: The results from the validation show that the metamodel can be used to specify safety compliance needs for aerospace, automotive, avionics, defence, healthcare, machinery, maritime, oil and gas, process industry, railway, and robotics. Practitioners consider that the metamodel can meet their needs and find benefits in its use. Conclusion: The metamodel supports the specification of safety compliance needs for most critical computer-based and software-intensive systems. The resulting models can provide an effective means of structuring and managing safety compliance information