The U.S. Department of Health & Human Services, or HHS, has uploaded some security and IT risk assessment guidance and pledges to release more; but that guidance speaks only in general terms about
Health care leaders looking for a clearer roadmap for risk management can turn to the International Electrotechnical Commission's IEC 80001-1 standard, which outlines in detail the health IT risk assessment process for implementing software, devices and new infrastructure.
The standard covers which entities should conduct risk assessments, whom they should involve and which skill sets they should possess. It also includes ways entities can uncover and classify not only potential security issues that could lead to a health care data breach, but also problems that could affect patient safety and overall network performance.
IEC 80001-1also recommends how to document the whole process -- a critical step in the light of HIPAA enforcement rules that require covered entities to "conduct or review a security risk analysis and implement security updates as necessary." The Food and Drug Administration also could weigh in soon on health IT safety issues; it has the option to mandate that hospitals conduct medical device safety risk assessments. Some experts say the entire hospital network could be defined by regulation as a "medical device."
Those regulations loom large over hospital network administrators, but market forces are pushing networks open further. Sharing patient data through health information exchange and personal health records, creating wireless services for clinicians and patients to use, and plugging in smartphone and wireless monitoring devices are all growing trends. Furthermore, they all increase risk.
Shared hospital wireless networks a big risk culprit
Hospital networks used to be closed off, with one network to each device. In some facilities, they still are. But that is changing.
"For lots of good reasons, there's a move toward shared networks and using the actual hospital enterprise infrastructure for hosting medical devices," said Karen Delvecchio, lead systems designer for GE Healthcare and an engineer who helps manage device and systems compatibility on health care networks.
Those "good reasons" include more efficient clinical workflows, the greatest possible interactivity among medical tools and, with fewer networks running in a hospital environment, reduced IT complexity. "Basically, it moved this way [in order to get] the right care to the right patient at the right time," Delvecchio said. "But with all that complexity comes more risk."
Delvecchio sat on the IEC technical committee that drafted the IT risk assessment standard and published it last November after three years of debate and revision. The committee now is creating supplemental technical reports, including a step-by-step tutorial for conducting health IT risk assessments. She and fellow committee member Rick Hampton, wireless communications manager for Boston-based Partners Healthcare System Inc., spoke to SearchHealthIT.com, giving advice to health care IT professionals seeking an effective risk assessment process.
There's a multitude of other individuals you must consult. Risk management can't be done by yourself.
Rick Hampton, wireless communications manager, Partners Healthcare System Inc.
Health IT risk assessments should cover all kinds of networks, including wired and wireless. This means Bluetooth, Wi-Fi, cellular and other networks, said Hampton, who oversees the wireless networks for Massachusetts General Hospital, Brigham and Women's Hospital and Dana-Farber/Partners CancerCare.
A hospital's wireless network poses the greatest security and safety risks, Hampton and Delvecchio acknowledge. Fellow IEC technical committee member Todd Cooper went so far as to say it was "messy" wireless convergence among health IT vendors that forced the creation of the standard in the first place, even though its scope eventually covered much more than those networks. It then falls to health care providers to run their own health IT risk assessments, because every network is different.
"Some of the IT vendors come in, and they don't really understand the role they play in ensuring these systems are compatible with one another," Hampton said. IT vendors come from a culture that's different from that of hospitals' clinical engineers, who are charged with ensuring the continued safe operation of medical devices. Therefore, they view risk differently.
"The culture of safety that exists in the clinical engineering world says, 'We need to prove that these things are safe and effective and secure before we put them together and find out otherwise,'" Hampton said.
Formalizing the risk assessment process
Conducting a health IT risk assessment doesn't have to be a complicated process at the start, GE Healthcare's Delvecchio said. She and Hampton offered several recommendations to health care providers:
- Bone up on risk management itself. That can be as simple as starting with an Internet search and reading about the process. (Risk management, by the way, is a structured method in which risk is analyzed, evaluated and controlled.)
- Read the IEC standard. After all, it represents the consensus of an international panel of experts, who harmonized it with other IT standards that came before it. When the follow-up reports come out later this year, read them for still more instructional advice.
- Define your risk assessment process. Set up a way to categorize levels of severity and likelihood of risks.
- Get help. Assemble a group of experts within your facility. The group might include clinicians who can speak to the severity of risks to patient safety, biomedical staff who know medical devices, and risk managers who understand the sometimes complex process of modeling and mitigating risks. And you, who knows the IT infrastructure of the facility like the back of your hand.
- Start small. Limit the scope of your first pilot project, whether it's one wing, one department, "one IT closet, or even one switch," Delvecchio said.
- Don't panic. The process can be overwhelming at first, Hampton said. IT leaders will suffer the most culture shock coming to grips with their responsibility for patient safety. Latch on to clinical engineers and biomedical staff, who are accustomed to thinking in these terms.
- Understand your mission. Risk management is not easy to learn, but understand it is the right thing to do. This sense of mission can be a strong motivator to keep learning.
"When folks first look at [risk management], it looks extremely onerous, it looks like it can never be done, and it looks like it's going to stop all IT innovation dead in its tracks and it will cost millions," Hampton said. "It can be done. It's not as bad as people think."
Health IT risk assessment: In theory, always
Risks are the likelihood of things that could go wrong, combined with their severity. They are hard to define, or even imagine. Assessing risk is a theoretical exercise, because such assessments are designed to prevent adverse events before they happen. How do you know when you've done a good assessment that mitigates the right risks, or a complete one that covers the most realistic possibilities and doesn't waste time with far-fetched scenarios?
It's impossible to know for sure, Hampton said. Veteran risk managers develop an instinct to the point where they are comfortable knowing they've covered the bases. They also involve other stakeholders in the hospital environment to help them puzzle out the IT risk assessment.
"There's a multitude of other individuals you must consult," Hampton said. "Risk management can't be done by yourself. Never believe that you, by yourself, have done a good job. You have a team of people looking at a variety of things. When the group decides as a collective that they've done everything they can, chances are you've done everything you can."
Let us know what you think about the story; email Don Fluckinger, Features Writer.
This was first published in January 2011