Regulatory Questions and Guidance Documents


17. Where does a medical device vendor’s responsibility end and my responsibility begin for managing the wireless infrastructure, network, and wireless devices?

ANSI/AAMI/IEC 80001-1:2010, Application of risk management for IT Networks incorporating medical devices—Part 1: Roles, responsibilities and activities, provides a definition of roles for the hospital and MDM.

A wireless network infrastructure vendor is responsible for ensuring that any 802.11 wireless hardware they manufacture meets IEEE standards and FCC (or other regulatory body) requirements. They are also responsible for providing a reference architecture, configuration guides, deployment guides, and ongoing hardware and software maintenance, depending on the level of support the HDO contracts for. This includes software security patches and alignment with new standards. They are also responsible for providing a healthcare organization with a product roadmap on a routine basis.

The MDM is responsible for ensuring that the device meets all relevant IEC, FDA, FCC, and AAMI regulations and guidelines. As part of this, the MDM should also ensure the radios comply with applicable standards such as 802.11/Wi-Fi and Bluetooth. The device manufacturer must clearly communicate any network requirements for the device to function in an optimal manner. In addition, the MDM is responsible for ongoing security patching of the device and the underlying operating system, and explaining to the HDO the migration plan when updates for software created by and/or purchased by the MDM are no longer provided. MDMs may reasonably require that only a subset (sometimes referred to as “mainstream releases”) of wireless controller releases will be tested and supported, as the burden of testing every minor release is unrealistic.

The HDO should understand the vendors’ support plans for when the software the MDM purchases is updated and/or no longer supported, and should preferably negotiate support agreements with IT and the MDM prior to purchase and include these in a contract. See the interview with Dr. Kevin Fu, XP Device Support Ends: Now What? [24]

18. What is IEC 80001-1?

The inclusion of medical devices directly on the IT network introduces a level of risk that needs to be qualified, quantified, and managed. ANSI/AAMI/IEC 80001-1 is an international consensus standard that outlines how to identify, assess, and manage risks associated with medical devices. It focuses on HDOs that connect medical devices to their facility’s IT network. AAMI has published a free document, Health IT Risk Management: A Practical Tool to Help Hospitals and Medical Devices Stay Secure in a Complex World [25], that explains the 80001 standard.

19. What is risk management in the context of wireless networks and how do you perform it? What are the essential elements of it?

Risk management in the context of wireless is much the same as risk management in connecting a medical device to any network, wired or wireless, and is described in the 80001 standard. This involves retaining the three key properties of the networked medical device—patient safety, device efficacy, and system security. The essential elements include network change management, identification of life cycle support issues, and system monitoring. Consider also reading Application of IEC 80001 in Avoiding Pitfalls of Wireless LAN System Design [26].

20. How expensive is it to comply with 80001?

80001-1 defines the roles and responsibilities of the entities and personnel needed for the HDO to establish a risk management program. The associated technical reports provide detailed examples for implementation. While it is not possible to give definitive values for the costs of compliance with 80001, most of the elements required by 80001 are already familiar to HDOs, even if they are not yet in use. 80001 does not need to be implemented overnight, but can instead be implemented in crawl, walk, and run phases. The crawl phase could be creating a detailed inventory of all networked medical devices and a risk assessment framework, while the walk phase could entail establishing the medical IT–network risk manager role and mitigating the highest-risk issues. The run phase can translate to full alignment with 80001 and a mature risk assessment framework.

AAMI has published a free document, Health IT Risk Management: A Practical Tool to Help Hospitals and Medical Devices Stay Secure in a Complex World [25], that explains the business case for adopting ANSI/AAMI/IEC 80001-1.

21. What do the FDA’s guidance documents on cybersecurity, mobile devices, and use of wireless technologies mean for my organization?

The guidance documents published by the FDA can be used by HDOs to understand the variables that MDMs must consider when designing their products. This, in turn, allows the HDO to examine what must be done to ensure that the medical device operates safely and reliably in the intended environment. They also inform the HDO when altering the medical device or network equipment might cause the HDO itself to become an MDM regulated by the FDA. The HDO should be familiar with these documents to understand whether any activities within the HDO are FDA regulated and to allow the HDO to ask specific questions of the MDM. For example, “What attack surfaces were analyzed and what mitigations are in place?”