Interoperability Maturity
All Stakeholders
Health Technology Management: Framework of Policies, Processes, Tooling and Guidance
Safe: Freedom from unacceptable risk of harm / unintended consequences
Effective: Clinical & Business Functions / Essential Performance
Secure: Confidentiality, Integrity, Availability & Accountability
Medical IT network risk management
Interoperability Infrastructure Connectivity
Early Adoption
HIPAA = privacy and security
Clinical System Specialists Role
Security Patch Management
Infosec PMs
Medical Device networking properties in CMMS
Involvement with I.T. Change Management
Ad Hoc risk reviews:
Infusion pump implementation
Risk from WEP encryption
Secure disposal of devices capable of storing ePHI
Technical
Medical Device/System security not addressed before installation
Server Back-up Restore
Security Patches/Updates
Configuration/Hardening
Access control/Privileges
Physical Security
IP Addresses not documented
MDS2 not received
Not all Medical Devices/Systems tracked in CMMS
Organizational
C.I.A. related roles not documented in job descriptions
Business Associate Agreements not centralized
Those responsible for security were siloed from other functions
Implementation of ISO/IEC 80001
Introductory training
Readiness assessment
Interviews and questions for key stakeholders:
Information services
Audit and Compliance
Clinical Risk Management
Biomedical Engineering
15 action items
Build on practices already in place
(Diagram: Medical Device Manufacturer; Providers of Other IT Technology; Responsibility Agreements; Organisational Risk Management; DO / CHECK / ACT cycle)
Key Organizational Improvements
Medical I.T. Network Risk Manager Role
Developed Job Description based on Safety Officer, Risk and Project Managers
Modified several existing policies regarding:
I.T. Risk Management Program
I.T. Project Approval and Management
I.T. Change Management
Information Security Program
Information Technology Vendor Selection and Management
More Organizational Improvements
Involvement with I.T. Committees and functions:
ITRM
ISC
Policy and Standards Committee
I.T. Due Diligence (Capital Projects)
I.T. Change Management
Developed tools for operationalizing risk management processes:
Checklists
Templates
Risk Management Plans
Risk register
People - advocates for Medical IT Network risk management:
Clinical users
Clinical Risk Managers
Biomedical Engineering
IT
Lessons Learned
Telemetry Monitoring System failures due to cybersecurity vulnerability scanning
Over 200 patients on 5 systems unmonitored for 30 minutes, some over 3 hours
Loss of clinical monitoring and diagnostic data
Near miss: potentially reportable event
Potential STEMI and Trauma Bypass / community healthcare implications
Disruption of patient throughput
Clinical staff turn to back-up procedures
Patients not receiving routine care activities
Next Steps
Hire Medical IT Network Risk Manager
Risk Assessment on firewall installation for medical device with published administrative passwords
Development of responsibility agreement in consultation with key vendors
Thank you
Scot Copeland
Copeland.scot@scrippshealth.org