Reflections: IFMBE webinar on cyber security - Reflections on yesterday's webinar on Connected medical devices

13 May, 2022

Second webinar, 16.00, 12 May 2022, IFMBE Clinical Engineering Division. Collaborators: Priyanka Upendra. Fundamentals for Global Clinical Engineers, including Hospital-Based Professionals.

Priyanka discussed connected medical devices on the Internet of Things (IoT). The stakeholders were clinicians, medical device manufacturers, healthcare technology management and clinical engineers, cybersecurity risk managers, the supply chain, IT and technology, and the wider risk management environment.

Parties had different skills:

IT and cybersecurity specialists had robust knowledge of IT and cybersecurity and of the consultation process, and were process oriented. They had minimal clinical knowledge, minimal medical device knowledge, and skills diffused across teams that each managed different parts of the IT estate.

Healthcare technology managers (HTMs) and clinical engineers (CEs) had subject matter experience, understood industry standards, had established vendor chains, had good knowledge of the clinical care pathway and had established workflows.

There were historic gaps and challenges for HTMs and CEs: lack of a well-defined intake and assessment process, lack of device-specific security assessments and findings, redundant assessments, a slow purchasing process or vendors bypassing standard supply chains, and lack of blended expertise (HTM/CE, cybersecurity, IT, risk management).

Unique challenges

- Lack of medical device cybersecurity standards

- Complex systems

- Outdated and/or unsupported devices

- Largely unable to scan for risks with standard security tools

- Service keys limit the ability of HTM/CE staff to perform security updates

- Unable to load security agents

- Research and testing for security controls is time consuming (6 to 12 months)

- Vendor validation is required prior to HTM/CE action

- Risk mitigation is mostly manual and resource intensive.

Cybersecurity risk management:

- Identify risk areas

- Analyze the risk areas

- Control the risk areas

- Mitigate risks

- Document risks

Then produce a risk management plan, carry out the risk assessment, apply risk controls, evaluate all residual risks together against the medical benefits, review before the product is released for use, and then monitor post-market activities.

There is a Medical Device Coordination Group document (Europe) which is helpful https://www.bing.com/search?q=medical+device+coordination+group+document...

NIST https://www.bing.com/search?q=NIST+NCCoE+securing+telehealth+remote+pati...

The NCCoE has released a second draft of SP 1800-30, "Securing Telehealth Remote Patient Monitoring Ecosystem." The public comment period is open through June 7, 2021.

ISO 80001 (ISO/IEC 80001-1:2021) [ https://www.iso.org/standard/72026.html ] - Application of risk management for IT-networks incorporating medical devices - Part 1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software.

And AAMI, the Association for the Advancement of Medical Instrumentation® (a nonprofit organization founded in 1967), can be useful: [ https://www.aami.org/ ]

HIFA profile: Richard Fitton is a retired family doctor - GP. Professional interests: Health literacy, patient partnership of trust and implementation of healthcare with professionals, family and public involvement in the prevention of modern lifestyle diseases, patients using access to professional records to overcome confidentiality barriers to care, patients as part of the policing of the use of their patient data

Email address: richardpeterfitton7 AT gmail.com