Application of risk management for IT-networks incorporating medical devices – Part 2-4: Application guidance – General implementation guidance for healthcare delivery organizations (Edition 1.0)
Purpose

This technical report helps a RESPONSIBLE ORGANIZATION through the key decisions and steps required to establish a RISK MANAGEMENT framework, before the organization embarks on a detailed RISK ASSESSMENT of an individual instance of a MEDICAL IT-NETWORK. The steps are supported by a series of decision points to steer the RESPONSIBLE ORGANIZATION through the PROCESS of understanding the MEDICAL IT-NETWORK context and identifying any organizational changes required to execute the responsibilities of TOP MANAGEMENT as defined in Figure 1 of IEC 80001-1:2010.

HEALTHCARE DELIVERY ORGANIZATION

This technical report is addressed to all HEALTHCARE DELIVERY ORGANIZATIONS. A HEALTHCARE DELIVERY ORGANIZATION includes hospitals, doctors' offices, community care homes and clinics. In the provision of a MEDICAL IT-NETWORK containing a MEDICAL DEVICE within a HEALTHCARE DELIVERY ORGANIZATION there can be a number of RESPONSIBLE ORGANIZATIONS. For the purpose of this document the focus is the HEALTHCARE DELIVERY ORGANIZATION and its obligations with respect to IEC 80001-1. It is important for the HEALTHCARE DELIVERY ORGANIZATION to identify the RESPONSIBLE ORGANIZATION(S) responsible for any aspect of the network which is subject to IEC 80001-1. This allows a clear assignment of the roles and responsibilities of that standard.

Field of application

This technical report details the steps to be undertaken by the RESPONSIBLE ORGANIZATION in implementing the requirements of 3.1 to 3.3 and 4.1 to 4.6 of IEC 80001-1:2010.

NOTE It is assumed that the RESPONSIBLE ORGANIZATION will consider IEC/TR 80001-2-1 [1] for detailed advice in satisfying 4.4 of IEC 80001-1:2010.

Prerequisites

The International Standard IEC 80001-1:2010 is prerequisite to this technical report.
The guidance in this technical report is intended to help a RESPONSIBLE ORGANIZATION establish a RISK MANAGEMENT framework to satisfy the underlying requirements of IEC 80001-1, ensuring:
- RISK MANAGEMENT policy and PROCESSES are in place;
- probability, severity, and RISK acceptability scales are specified; and
- MEDICAL IT-NETWORKS are well defined.