Recognizing that medical devices are incorporated into IT-networks to achieve desirable benefits (for example, interoperability), this international standard defines the roles, responsibilities and activities that are necessary for risk management of IT-networks incorporating medical devices to address safety, effectiveness and data and system security (the key properties). This international standard does not specify acceptable risk levels.
BS EN 80001-1 is the standard that applies after a medical device has been acquired by a responsible organization and is a candidate for incorporation into an IT-network. BS EN 80001-1 does not cover pre-market risk management. It applies throughout the life cycle of IT-networks incorporating medical devices.
This standard applies where there is no single medical device manufacturer assuming responsibility for addressing the key properties of the IT-network incorporating a medical device. It applies to responsible organizations, medical device manufacturers and providers of other information technology for the purpose of risk management of an IT-network incorporating medical devices as specified by the responsible organization.
BS EN 80001-1 does not apply to personal use applications where the patient, operator and responsible organization are one and the same person. It does not address regulatory or legal requirements.
An increasing number of medical devices are designed to exchange information electronically with other equipment in the user environment, including other medical devices. Such information is frequently exchanged through an information technology network (IT-network) that also transfers data of a more general nature.
At the same time, IT-networks are becoming increasingly vital to the clinical environment and are now required to carry increasingly diverse traffic, ranging from life-critical patient data requiring immediate delivery and response, to general corporate operations data and to email containing potentially malicious content (e.g. viruses).
For many jurisdictions, design and production of medical devices is subject to regulation, and to standards recognized by the regulators. Traditionally, regulators direct their attention to medical device manufacturers, by requiring design features and by requiring a documented process for design and manufacturing. Medical devices cannot be placed on the market in these jurisdictions without evidence that those requirements have been met.
The use of the medical devices by clinical staff is also subject to regulation. Members of clinical staff have to be appropriately trained and qualified, and are increasingly subject to defined processes designed to protect patients from unacceptable risk.
In contrast, the incorporation of medical devices into IT-networks in the clinical environment is a less regulated area. IEC 60601-1:2005 requires medical device manufacturers to include some information in accompanying documents if the medical device is intended to be connected to an IT-network. Standards are also in place covering common information technology activities including planning, design and maintenance of IT-networks, for instance ISO 20000-1:2005.
However, until the publication of this standard, no standard addressed how medical devices can be connected to IT-networks, including general purpose IT-networks, to achieve interoperability without compromising the organization and delivery of health care in terms of safety, effectiveness, and data and system security.
BS EN 80001-1 is addressed to responsible organizations, to manufacturers of medical devices, and to providers of other information technology.
EN 80001-1:2011
IEC 80001-1:2010