A need exists for healthcare technology management (HTM) services to embrace a new risk management paradigm, in order to identify, analyze, and control risks related to the growing and increasingly complex array of healthcare technology making its way into healthcare delivery organizations (HDOs).

These risks generally involve potential compromises to patient/staff safety, operations, and/or finances that can occur when a medical device or system does not operate or is not operated “as intended.” For example, a perfectly functioning device/system could be associated with a hazard if it is used by untrained operators.

In the parlance of risk management, a medical device/system that does not operate (or is not operated) as intended is considered a hazard.1,2 Exposing people (e.g., patients, staff) or assets (e.g., physical, financial) to a medical device/system that does not operate or is not operated as intended is considered a hazardous situation.1,2 Actual harm1 occurs when people are injured, patient care is compromised, or assets are lost or damaged as a result of exposure to a hazardous situation. Risk1,2 is defined as a combination of the probability of occurrence of harm and the severity of that harm. In turn, risk management1,2 is defined as the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risks.

To effectively manage a spectrum of healthcare technology risks, HTM professionals need to establish a risk management paradigm that is both relatively simple and demonstrably effective. Complexity discourages implementation; therefore, the paradigm should be simple. It also should be demonstrably effective because any paradigm or tool that fails to yield actionable and beneficial results is an unnecessary diversion and a waste of resources.

After risks have been identified and prioritized using an established paradigm, priority first should be given to managing the highest risks, as well as the most easily controlled risks (i.e., the “low-hanging fruit”).

Developing the Paradigm

Prioritizing efforts requires a means of ranking or scoring risks. Because risk generally is defined as a combination of (or function of) the severity of harm and the probability of harm (i.e., risk = function [severity, probability]), evaluating relative severity and relative probability can help establish relative risks and facilitate prioritizing the management of those risks.

A scale (Figure 1) showing increasing probability on the y-axis and increasing severity on the x-axis is useful in comparing various risks. This scale illustrates how an increase in either the severity or probability of harm increases risk. Therefore, the position of risk 2 in Figure 1 represents a higher risk than risk 1 because, although their probability levels are comparable, the severity of risk 2 is measurably higher than risk 1. Risk 3 is the highest risk of the three because it is associated with both a higher probability and a higher severity than either risk 1 or 2.

Figure 1.

Scale showing that various risks can be compared based on increasing probability and severity

Actually determining the relative risks associated with various medical technologies requires a progressive scale for indicating the degree of severity and the degree of probability associated with technology-associated harm. Although no universally used scales exist for severity or probability, a fairly common four-level scale (i.e., resulting in a 4 × 4 matrix) has been chosen for the purpose of the current work. Although the illustrated model uses a 4 × 4 matrix with these criteria for severity and probability, other applications and industries (e.g., aviation, energy) may use 3 × 4, 5 × 5, or another matrix with variation of these criteria based on application to the given situation.

Figure 2 juxtaposes the risks and scale shown in Figure 1 with a 4 × 4 matrix using the defined levels for severity and probability (from Tables 1 and 2). The defined levels of severity and probability are useful for placing risks within a risk matrix, thereby illustrating their relative risk levels.

Figure 2.

Risk matrix with defined levels of severity and probability

Table 1.

Risk severity levels

Table 2.

Risk probability levels

A Brief History of Medical Equipment Risk Algorithms

In 1989, Fennigkoh and Smith3 published an algorithm for scoring medical equipment based on its function, physical risk, and maintenance requirements. The resulting score was intended to serve as a guide for hospitals that were looking for a rationale and method of selecting the most appropriate equipment for inclusion in the medical equipment management program. Subsequent variations of this algorithm often included a scoring element for equipment service history (in addition to the original function, risk, and maintenance requirement elements). This algorithm and its derivatives have since widely (but inaccurately) become characterized as a “risk-based” approach to maintaining a medical equipment inventory.

The initial appearance of the algorithm in a publication by The Joint Commission resulted in its quick and widespread adoption. In fact, this 25-year-old algorithm, or some variation thereof, remains in use today. Unfortunately, for the vast majority of hospitals, the recent change in regulations from the Centers for Medicare & Medicaid Services removes any flexibility they once had in selecting medical equipment for inclusion in their inventories, thereby eliminating the original rationale for the algorithm of Fennigkoh and Smith. As a result, the risk elements of the algorithm are no longer able to meet the risk management needs of an effective current-day medical equipment management program.

Although risk = function (severity, probability) is not a pure mathematical relationship, the level number given to severity and probability can be used to establish a risk level number by multiplying the severity level number by the probability level number. Figure 3 shows the result of incorporating this view of risk level number and definitions into the risk matrix.

Figure 3.

Risk matrix

In addition, establishing a classification for risk levels enables us to describe risks in a manner that facilitates prioritizing and escalating our response in controlling risks. As with severity and probability levels, no standard risk levels exist and it remains for industries and organizations to select the most appropriate number of levels and definitions. For purposes of illustration, Table 3 uses a three-level risk classification scheme.

Table 3.

Risk levels

Applying the Risk Matrix to Medical Devices/Systems

When first evaluating medical technology risks (particularly for large numbers of devices), assessing risks at the device category level usually is most advantageous. The severity and probability of harm that can be caused when a medical device does not operate (or is not operated) as intended varies according to the type of device (e.g., pacemaker versus ophthalmoscope) and can vary among models of similar categories or even among the same device model used in different environments. As time and experience permit, taking a more granular view of risk beyond the device category level will prove useful. However, assessing risk while taking into account all devices (regardless of manufacturer, model, or environment) in a particular category is a practical starting point.

Using the criteria in Table 1, a team that, at minimum, includes clinicians and HTM professionals (and may include administration and finance) should first assess the severity of harm that can be caused by a device that fails to operate (or be operated) as intended for each medical device category used within the organization. When focusing on patient care and safety (i.e., clinical) issues, clinicians' input generally should be weighed most heavily in this assessment because they are most aware of the implications for patients when a medical device fails to operate or is not operated as intended.

Using the criteria in Table 2, HTM professionals (who typically are responsible for maintaining medical device histories) should assess the probability of a device failing to operate or not being operated as intended for each medical device category using available incident (e.g., service) histories. HTM professionals should focus on the incident/service histories that represent “major” device issues (i.e., where devices were nonoperational or had a safety deficit) and should filter out minor issues (e.g., cosmetic issues or where the device remains operational and otherwise remains safe).

A modified Ishikawa (or fishbone) diagram can be a helpful visual tool in the risk assessment process. The diagram can be useful for illustrating the relationship between possible hazards (and their underlying root causes) and the possible hazardous situations and harm that can result as a consequence of exposing patients, staff, or assets to those hazards.

After creating a diagram of possible hazards and hazardous situations and harm, a probability score can be assigned to the listed hazards and root causes and a severity score can be assigned to the possible hazardous situations and harm. The Ishikawa diagram shown in Figure 4 illustrates examples of possible hazards or “root causes” of a medical device failing to operate or not being operated as intended. Each of these root causes can be assigned a probability level. Figure 4 also illustrates examples of hazardous situations, each of which can be assigned a severity level. Associating a probability level with each root cause is important, not only because of how probability helps determine the overall risk but also because different root causes require different approaches to control and mitigation (e.g., maintenance, education, updated procedures, physical safeguards). The root causes representing the highest probabilities require the most appropriate mitigation and control.

Figure 4.

Ishikawa diagram illustrating examples of hazards (root causes) scored for probability and hazardous situations scored for severity

If an organization's incident/service histories do not provide sufficient detail to identify the probability of individual root causes (e.g., P1, P2, P3, P4, Px), then the probability of all possible root causes (P1,2,3,4, ... x) should be used and broad mitigation or controls applied. An organization's incident/service histories generally are preferable as a data source for determining probabilities. However, in the absence of sufficient organization data, data from other credible sources can be used (e.g., AAMI, ECRI Institute, independent service organizations, other comparable healthcare provider systems).

Going forward, organizations that do not already track the most common root causes in their incident/service histories should begin doing so in order to optimize the efficiency of risk analysis and control. Examples of common root cause categories include:

  • P3: spontaneous failure (i.e., component failure that reasonably could not have been anticipated or prevented by maintenance)

  • P5: mishandling, misuse

  • P11: unqualified operator

  • P12: inadequate/inappropriate instructions/procedures/process

  • P4: maintenance-related failures (i.e., “wear and tear”)

  • P2: sabotage, vandalism, malware, hacking

  • P1: theft (including theft of electronic protected health information)

The probability associated with these potential root causes can be mapped in a risk matrix (Figure 5). In this example, the worst case consequences (i.e., the maximum severity S1,2,3,4, ... x) are considered to be critical, while the probability of various root causes (P3, P5, P11, P12, P4, P2, P1) range from probable to improbable.

Figure 5.

Risk matrix with root cause probabilities mapped

When first defining and categorizing root causes against which probability levels will be assigned, consider using root cause categories that suggest corresponding controls or mitigation that are actionable (i.e., root causes that can be associated with identifiable counter-measures). A list of appropriate controls and mitigation, along with common root causes, is provided in Table 4.

Table 4.

Root causes and corresponding controls/mitigation

The risk mitigation worksheet (Figure 6) is a useful tool for HTM professionals who manage medical device/system risks. The worksheet typically would include descriptions of major devices/systems along with “identifying” information such as manufacturer, model, age, quantity (for “group” equipment like infusion pumps), and location. For each device/system under consideration, the worksheet also would list the following:

  • Potential root causes of harm

  • Type of vulnerability under consideration (e.g., clinical, financial, operational)

  • Severity level or score as determined by a knowledgeable group of stakeholders

  • Current probability level or score determined by an analysis of incident/service histories for root cause

  • Overall risk = function (severity, probability)

Figure 6.

Risk mitigation worksheet. Abbreviation used: AEM, alternate equipment maintenance.

A mitigation plan generally would be added to the worksheet for root causes with a risk level deemed to be unacceptable (generally any designation other than a low risk). Specifically, the mitigation plan would include the following:

  • Description of mitigation plan elements (e.g., scheduled maintenance, training, backup systems, security measures)

  • Designation of party/parties responsible for various elements of the mitigation plan (e.g., owner/operator, HTM services, clinical education, information technology)

  • Target date(s) for completion of various elements of the mitigation plan

  • Probability level or score for root cause leading to a hazardous situation after control/mitigation

  • Overall risk, where risk = function (severity, probability after mitigation)

  • Appropriate signoff (by organization leadership or department manager if remaining risk generally exceeds acceptable level after mitigation)

The overall HTM risk management process should be iterative (Figure 7). The process and its results should be regularly audited to determine whether the desired results are being adequately achieved. As the HTM risk management team gains experience and evaluates audit results, their practices can be refined and the most critical risks can be identified, prioritized, and controlled effectively.

Figure 7.

The iterative healthcare technology risk management process

Addressing New Requirements

The risk management process described here can help considerably in meeting the new requirements of the Centers for Medicare & Medicaid Services (CMS), The Joint Commission (TJC), and DNV GL.

Healthcare providers now are required to identify all equipment in their inventory whose failure could result in loss of life or serious injury to a patient or staff member (classified as “critical” by CMS and DNV GL and “high risk” by TJC). In the risk management process described here, any device category whose severity (consequence of failure) has been identified as either critical or catastrophic would be included in the critical/high-risk category of CMS, TJC, and DNV GL.

Healthcare providers are allowed to consider an alternate equipment maintenance (AEM) program (i.e., not required to strictly adhere to manufacturer recommendations regarding maintenance procedures and frequencies) for certain medical devices if the provider can produce device incident/service histories demonstrating that there is no increase in risk to patient or staff safety when deviating from manufacturer recommendations.

If risk of maintenance-related failure (= severity of failure × probability of maintenance-related failure) is low, a medical device (except for lasers, imaging, and radiologic devices that CMS has elected to exclude from consideration) can be placed in the AEM program and kept in the program as long as the risk to patients or staff does not increase.

Figure 8 shows a partial list of medical device categories that have been given a severity designation by a review team and have had their probability levels calculated based on their corrective maintenance histories (i.e., annual “harm” rates or mean time between harm). Equipment categories that have been given a severity level of either catastrophic or critical have been flagged as critical/high risk in Figure 8. Equipment categories that are not flagged as “AEM ineligible” (as per CMS) and that have a calculated risk level of “low” (severity × probability) are flagged as “AEM included” in the figure.

Figure 8.

Risk levels by device category. Abbreviation used: AEM, alternate equipment maintenance.

Incident/service histories that are flagged to indicate which medical device failures are due to insufficient or improper maintenance (activities or frequencies) are critical to an effective maintenance management process. Only by collecting and analyzing incident/service histories with this information can organizations hope to focus their limited resources on real patient safety issues while still meeting the new requirements of CMS, TJC, and DNV GL.
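
The flagging logic described for Figure 8, worked through in Python as an added example (it is not code or data from the article). The level names other than critical, catastrophic, probable and improbable, the 1-4 level numbers, the rate thresholds, the three risk bands, the device "type" field and the sample service history are all assumptions constructed for illustration, since the article's tables are not reproduced here.

```python
from dataclasses import dataclass

# "critical", "catastrophic", "probable" and "improbable" are level names used in
# the article; the other names and every numeric threshold below are assumptions.
SEVERITY = {"negligible": 1, "marginal": 2, "critical": 3, "catastrophic": 4}
PROBABILITY = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable"}
RATE_BOUNDS = [0.01, 0.10, 0.50]   # assumed max major events per device-year, levels 1-3
RISK_BANDS = [(4, "low"), (9, "medium"), (16, "high")]   # assumed three-level scheme
AEM_INELIGIBLE = {"laser", "imaging", "radiologic"}      # types the article says CMS excludes
MAINTENANCE = "P4"                                       # article's maintenance-related root cause

@dataclass(frozen=True)
class ServiceEvent:
    category: str
    major: bool       # True if the device was nonoperational or had a safety deficit
    root_cause: str   # root cause code such as "P3", "P4", "P5"

def probability_level(events, category, root_cause, devices, years):
    """Level 1-4 from the annual rate of major events with one root cause."""
    hits = sum(1 for e in events
               if e.category == category and e.major and e.root_cause == root_cause)
    rate = hits / (devices * years)
    for level, bound in enumerate(RATE_BOUNDS, start=1):
        if rate <= bound:
            return level
    return 4

def risk_level(score):
    """Map a severity x probability score (1-16) to a named risk level."""
    return next(name for bound, name in RISK_BANDS if score <= bound)

def assess(category, device_type, severity, devices, years, events):
    """Score one device category and derive the two flags described for Figure 8."""
    prob = probability_level(events, category, MAINTENANCE, devices, years)
    score = SEVERITY[severity] * prob
    level = risk_level(score)
    return {
        "category": category,
        "probability": PROBABILITY[prob],
        "score": score,
        "risk_level": level,
        "critical_high_risk": severity in ("critical", "catastrophic"),
        "aem_included": device_type not in AEM_INELIGIBLE and level == "low",
    }

# Constructed service history covering two years (not data from the article).
EVENTS = (
    [ServiceEvent("infusion pump", True, "P4")] * 2
    + [ServiceEvent("infusion pump", True, "P5")] * 9     # misuse: not maintenance-related
    + [ServiceEvent("infusion pump", False, "P4")] * 30   # minor issues are filtered out
    + [ServiceEvent("defibrillator", True, "P4")] * 6
)
# Constructed inventory: (category, device type, severity, device count)
INVENTORY = [
    ("infusion pump", "general", "critical", 200),
    ("defibrillator", "general", "catastrophic", 20),
    ("CT scanner", "imaging", "marginal", 2),
]

def assess_inventory(years=2):
    return [assess(c, t, s, n, years, EVENTS) for c, t, s, n in INVENTORY]

if __name__ == "__main__":
    for row in assess_inventory():
        print(row)
```

Under these assumed thresholds the infusion pump category is flagged critical/high risk and is still AEM included, because only major events with a maintenance-related root cause count toward its probability level.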

Using severity, probability, and risk scores and criteria given in the examples above, Table 5 illustrates how a medical equipment inventory with a fairly representative mix of more than 100,000 items breaks down according to risk score and risk level.

Table 5.

Example of a breakdown by risk score/level of a representative inventory of medical equipment

Conclusion

The rapidly growing influx of increasingly complex and sophisticated healthcare technologies poses many challenges for healthcare delivery organizations and their HTM services. Among those challenges are the growing numbers of vulnerabilities associated with these new medical devices and systems as well as a new series of requirements from CMS, TJC, and DNV GL that affect how organizations maintain those devices/systems.

A workable and effective HTM risk management program is the best way to address these vulnerabilities and the new compliance requirements. HTM professionals, clinicians, risk management experts, and other key stakeholders should be working together to ensure that a risk management process exists for identifying, analyzing, and controlling risks associated with technology vulnerabilities. To that end, the concepts and methods illustrated here can serve as a template for an effective healthcare technology risk management process that can evolve according to the needs of individual organizations and the industry as a whole.

References

1. Association for the Advancement of Medical Instrumentation. ANSI/AAMI/ISO 14971:2007: Medical devices—Application of risk management to medical devices. Arlington, VA: Association for the Advancement of Medical Instrumentation; 2007.

2. Association for the Advancement of Medical Instrumentation. ANSI/AAMI/ISO TIR80001-2-1: 2012: Application of risk management for IT-networks incorporating medical devices—Part 2-1: Step by step risk management of medical IT-networks; Practical applications and examples. Arlington, VA: Association for the Advancement of Medical Instrumentation; 2012.

3. Fennigkoh L, Smith B. Clinical equipment management. JCAHO PTSM Series. 1989;2:5-14.

About the Author

Stephen L. Grimes, FACCE, FHIMSS, FAIMBE, is chief technology officer in the Clinical Engineering & Healthcare Technology Management Division at ABM Healthcare Support Services in Holliston, MA. E-mail: stephen.grimes@abm.com