Making the change from manufacturing standalone devices to networked devices has presented challenges to medical device makers, Gee says. “It affects not just how they design their products, but their entire business delivery system, from regulatory issues to purchasing to manufacturing, installation, service and support, and even how they sell their products,” he emphasizes. He says he has seen a renewed commitment on the part of medical device manufacturers to better understand provider requirements for integrated systems, and to develop products that meet those requirements.
Gee notes that progress is being made on device interoperability, pointing to PACS and clinical laboratory systems as examples. “Those areas have industry standards, and they are almost plug-and-play, although not quite,” he says. That's not the case when it comes to point-of-care systems, which are highly variable. “It's a much more challenging environment from a workflow standpoint,” he says. Coordinating the activities of various departments, such as nursing, IT, and biomedical engineering, is a governance challenge for many hospitals today, he adds.
Dale Nordenberg, M.D., is a founder of the Medical Device Innovation, Safety and Security Consortium, which he describes as a provider-driven group that is focused on mitigating security and safety risks associated with connected medical devices. As medical devices have become increasingly digitally enabled, computerized, and networked, there is a lack of clarity over whether these devices should be treated as medical devices, as computers, or as both, he says. Consequently, the group or person responsible for purchasing, implementing or operating the device often has shared, or even unclear, lines of responsibility within the provider organization, he says.
“If you are connecting medical devices to an IT network, you are responsible for the safety, efficacy, and security of that environment.” - Yadin David
In Nordenberg's view, most healthcare organizations have not matured to the point where they can seamlessly manage medical devices across different departments such as biomedical engineering and IT. “As devices are becoming increasingly network-enabled and networked, we are increasing the risks around security and safety,” he says.
Those issues are compounded by the fact that, because these devices are regulated by the U.S. Food and Drug Administration (FDA), “there is a good deal of concern about modifying the hardware and software associated with a digitally enabled, network-enabled medical device,” he adds. In his view, this is especially a problem with multigenerational medical devices that are running on older operating systems. “An administrative computer is more likely to be patched in a timely manner than a regulated medical device, because there is anxiety over changing its function by updating its operating system,” he says. That area of concern is being addressed by manufacturers, providers, and regulators, he says.
SHARED RESPONSIBILITY SEEN
The question of who bears responsibility for modifying FDA-approved devices in a provider environment has been addressed in the last few months by industry standards and, on the regulatory side, by the FDA.
Rick Hampton, corporate manager for wireless communications at Partners HealthCare, uses the example of wireless cardiac telemetry systems to illustrate a point about shared responsibility. As a standalone system, the device manufacturer took full responsibility that every device it sold was safe and effective, as defined by the FDA. “They were required to verify that the system worked and validate that it worked as it was designed. They owned all of that responsibility,” he says. But when that same device is put on the hospital network, the scope of responsibility should expand to encompass everyone involved.
Last September saw the ratification of a new standard by the International Electrotechnical Commission, IEC 80001, “Application of Risk Management for IT Networks Incorporating Medical Devices,” which is focused on exactly that question. “It basically says that the person who put the system together to connect the medical device to the IT network is the responsible organization,” says Hampton, who worked on the standard. In his example, the provider must work as a team with the device vendor and the networking vendor to make sure that all of the components that comprise the system they are putting together are sufficient to support the medical device so it can continue to be safe and effective.
“The biggest driver in healthcare is informatics, and the fact that we are going to computerize everything,” Hampton says. “And the fundamental question is, if we automate everything, is it still safe and effective?”
Yadin David is principal at Biomedical Engineering Consultants LLC and was previously director of the Biomedical Engineering Department at Texas Children's Hospital, both of which are in Houston; he is also a senior member of the Institute of Electrical and Electronics Engineers. He has co-authored a handbook on the new standard. He calls IEC 80001 a “major breakthrough in trying to clarify the question of who is responsible and why we need to look at the question of responsibility.” He says the standard is the first one to look at medical device risk management issues from a systems perspective.



