NCS3 - Informations- och styrsystem inom hälso- och sjukvård. En kartläggning av produkter och incidenter

Authors:

  • Hannes Holm
  • Erik Westring

Publish date: 2015-06-17

Report number: FOI-R--4088--SE

Pages: 79

Written in: Swedish

Keywords:

  • Healthcare
  • medical devices
  • IT failure
  • incidents
  • IT security
  • cyber
  • security

Abstract

The Swedish healthcare system is a critical infrastructure service that has undergone comprehensive technological modernization in a short timespan. The rationale behind this modernization is to decrease the administrative and operative burden and to help yield more precise analyses and treatments. However, it has also enabled ordinary IT-related issues such as software bugs to have a real effect on human life. This report presents a study of which information and control systems are used within healthcare and which incidents have occurred due to computer-related problems with these systems. The analysis is based on scientific literature, incident databases in Sweden and the USA, interviews and a questionnaire. The results show that more than 20 000 different kinds of medical devices are in use and that everything from laser printers to infusion pumps is viewed as a medical device. The interviews show, however, that products that are closer to administration (e.g., patient journal systems, routers and network cables) are viewed as IT, while products that are closer to patients (e.g., infusion pumps and pacemakers) are viewed as "true" operative medical devices. Analysis of the incident database REIDAR, which registers Swedish medical-device-related incidents, shows that approximately 30% of all such incidents within Swedish healthcare are computer related, and that the number of computer-related incidents increases at about the same pace as the number of non-computer-related incidents decreases. Deaths are caused by 1.7% of all computer-related incidents, primarily by lung ventilators, dialysis devices and defibrillators. Most incidents, however, involve infusion pumps. The respondents view this incident database as critical for sound national cooperation - what happens at one hospital is likely to eventually occur for others - but the reporting frequency to it has been lower than expected since its creation. One means of increasing it would be to modernize the web application that exposes it, in particular regarding search and analysis functionality. The results also show that better internal communication is required between IT and medical technicians/healthcare. This can be achieved by greater physical collaboration, education or merging the departments concerning IT and medical devices (which has been done at some locations in Sweden). Finally, relatively few significant IT-security-related incidents, such as computer worms, have been observed in Sweden. However, the IT security vulnerability is large and the risk of future IT attacks should be viewed with concern.