IT risk management for medical devices in hospital IT networks: a catalogue of measures and indicators

OBJECTIVES: Connecting medical devices to hospital IT networks can create threats that must be covered by IT risk management. In practice, implementing such risk management is not trivial because the IEC 80001-1, as the existing state-of-the-art, do not describe sufficiently concrete implementation measures or evaluation indicators. The aim of the present work was to develop and evaluate a catalogue of measures and indicators to help hospitals implement and evaluate risk management in accordance with IEC 80001-1. METHODS: We conducted a Delphi study with 22 experts. In the first round, we performed interviews to identify implementation measures and evaluation indicators using qualitative content analysis. In the second round, a quantitative experts’ survey confirmed the results of the first survey round and identified relationships between the measures and indicators. Based on these results, we then developed a catalogue containing the identified measures and indicators. Finally, we performed a case study to verify the practicability of this catalogue. RESULTS: We developed and verified a catalogue of 49 measures and 18 indicators to help hospitals implement and evaluate risk management following IEC 80001-1. The case study confirmed the practicability of the catalogue. DISCUSSION: Compared with IEC 80001-1, our catalogue goes into further detail to offer hospitals a stepwise implementation and evaluation approach. However, the catalogue must be tested in further case studies and evaluated in terms of generalisation. CONCLUSIONS: The catalogue will enable hospitals to overcome recent difficulties in implementing and evaluating IT risk management for medical devices according to IEC 80001-1.