Hello, fellow biologists.
By now you should all have a copy of the ISO 15189 standard on your cluttered desk, and possibly even on your nightstand. If you have got as far as page 32 (2007), you will have noticed that Annex B on the Laboratory Information System (LIS) has become informative rather than normative. Some stakeholders were stirred by this, and I am pleased to reproduce below the open letter that one of them sent on this matter to the Human Health Division of COFRAC. Feedback is very welcome.
Happy reading.
GoM
(who is battling with his LIS supplier)
"Dear Sir or Madam,
I have read, via the COFRAC website, the draft manual for the accreditation of medical laboratories. I would like to respond through this open letter on the scope of requirement 4.2.4.r on Laboratory Information Systems in this document.
Within this document, Annex B of the ISO 15189 standard is in effect presented as "informative" and as containing recommendations "that the LBM can choose to apply". This position, at odds with the ambitions of the original standard, which on the contrary presents Annex B as "normative", saddens me for several reasons, which I will detail below after a brief reminder of the context.
As an experienced IT auditor, my first contact with the ISO 15189 standard dates back to last fall, during a security audit that I had the pleasure of leading on the laboratory information system of a large hospital in south-west France. On that occasion, I observed the close integration (which will only grow in the years to come) between the profession of medical biology and IT. I also noted with some satisfaction that the internal control issues addressed in Annex B constituted a first step toward ensuring the security of biological and medical information under four criteria:
* Availability: through the recommendations relating to the environment (Annex B2), data recovery and storage (B6) and system maintenance (B8), to ensure that medical and biological information about the patient is available at all times, including at critical moments of life, in order to improve the quality of care.
* Integrity: through the recommendations relating to system security (Annex B4), to ensure patient safety by ensuring that biological and medical information cannot be altered accidentally or fraudulently.
* Confidentiality: again through the recommendations relating to system security (Annex B4), to ensure that the transmission of biological and medical information respects the patient's right to privacy and dignity.
* Traceability: through the recommendations on data entry and records (Annex B5), to ensure patient safety by formally establishing the responsibility of each user in the creation, modification or deletion of biological and medical information.
This summary risk analysis therefore shows that the risks associated with an uncontrolled and unsecured health information system can, in some cases, endanger a patient's life: the case of the over-irradiated patients of Epinal has unfortunately shown us the evidence.
One objection is that Annex B is heavy (4 of 40 pages devoted to IT, versus one and a half in the GBEA), that its implementation, added to the QMS, is cumbersome and expensive, and moreover that the controls to be implemented are difficult for non-specialist auditors to evaluate.
Certainly, some of these arguments are in order: some recommendations are thus probably overly detailed (see Annex B5: data entry and records). Other provisions, which are yet the most basic common sense, are more surprisingly absent (e.g. no recommendation on equipping workstations with antivirus software to protect the laboratory from malicious attacks).
However, at a time when cybercrime is exploding worldwide, can we dismiss out of hand a set of best practices under the sole pretext that they are too complex to implement, especially in small structures? Is dumbing down an acceptable strategy when public health is directly at stake?
Despite their faults and shortcomings, we would all agree that the recommendations in Annex B challenge us on matters of substance, even strategic ones, for laboratory managers: how do I ensure the continuity of my business in the event of a disaster? How do I prevent the risk of fraud? How do I avoid errors of diagnosis? ...
For all these reasons, Annex B should regain in the COFRAC manual the normative status originally conferred on it by ISO 15189. Let us therefore rise to the stakes of the reform of French medical biology by setting ambitious targets for 2016: to do this, let us today go through each of the recommendations contained in the annex and carry out a comprehensive risk analysis based on the outline given above, in order to extract from the document only its true substance. This work, conducted as part of an ad hoc committee involving members of the different colleges, will make it possible:
* to better understand the risks associated with non-compliance,
* to assess the level of acceptability of each risk,
* for each risk, to determine the best strategy in the context of laboratory accreditation (normative or informative recommendation).
The interest of the patient, the "single purpose" required by the Ballereau report, comes at that price!
Remi BOURDOT
Consultant
Graduate of the Institut d'Etudes Politiques de Paris
Certified Information Systems Auditor (CISA), ISACA
Certified Information Systems Security Professional (CISSP), (ISC)²
Member of the French Association of IT Auditors (FAFIA)
Contact: remi@remibourdot.net"