information accompanying or marked on a health IT product or accessory for the user or those accountable for the installation, use, processing, maintenance, decommissioning and disposal of the medical device or accessory, particularly regarding safe use

role responsible for the ongoing operation of the implemented health IT system and ensuring it is safeguarded and maintained on an ongoing basis

physical or digital entity that has value to an individual, an organization or a government

reasoned, auditable artefact created that supports the contention that its top-level claim (or set of claims), is satisfied, including systematic argumentation and its underlying evidence and explicit assumptions that support the claim(s)

process for recording, coordination, approval and monitoring of all changes

process that ensures that all changes to the health IT infrastructure (and its components) are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked, leading to release of the change in a controlled manner with appropriate input and output with configuration management

strategic and systematic approach that supports people and their organizations in the successful transition and adoption of electronic health solutions, with a focus on outcomes including solution adoption by users and the realization of benefits

paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand

one or more capabilities offered via cloud computing invoked using a defined interface

collection of system resources that (a) forms a physical or logical part of the system, (b) has specified functions and interfaces, and (c) is treated (e.g., by policies or specifications) as existing independently of other parts of the system.

person or organization that could or does receive a product or a service that is intended for or required by this person or organization

role responsible for execution of the design and development phase (from concept to release and maintenance) of a health software or health IT system

ability to produce the intended result

occurrence or change of a particular set of circumstances

defined way to breach the security of information systems through vulnerability

extent to which an organization and/or stakeholder is subject to an event

injury or damage to the health of people, or damage to property or the environment

potential source of harm

circumstance in which people, property or the environment is/are exposed to one or more hazards

documented and intended application of information technology that is intended to be applied for the collection, storage, processing, retrieval, and communication of information relevant to health, patient care, and well-being

combined set of IT assets available to the individual or organization for developing, configuring, integrating, maintaining, and using IT services and supporting health, patient care and other organizational objectives

combination of interacting health IT elements that is configured and implemented to support and enable an individual or organization’s specific health objectives

software intended to be used specifically for managing, maintaining, or improving health of individual persons, or the delivery of care, or which has been developed for the purpose of being incorporated into a medical device

facility or enterprise such as a clinic or hospital that provides healthcare services

life cycle phase at the end of which the hardware, software and procedures of the system considered become operational

role responsible for the clinical installation, workflow optimization, and training of health software and health IT systems in the clinical setting

role responsible for the incorporation of components into the health IT infrastructure used by the healthcare delivery organization, including technical installation, configuration, and data migration

use for which a product, process or service is intended according to the specifications, instructions and information provided by the manufacturer

ability of two or more systems or components to exchange information and to use the information that has been exchanged

a system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes

three risk management characteristics of safety, effectiveness, and security

series of all phases in the life of a product or system, from the initial conception to final decommissioning and disposal

organization with responsibility for design or manufacture of a product

instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings, for one of more of the specific medical purpose(s) of

— diagnosis, prevention, monitoring, treatment or alleviation of disease,

— diagnosis, monitoring, treatment, alleviation of or compensation for an injury,

— investigation, replacement, modification, or support of the anatomy or of a physiological process, — supporting or sustaining life,

— control of conception,

— cleaning, disinfection, or sterilization of medical devices,

— providing information by means of in vitro examination of specimens derived from the human body,

and which does not achieve its primary intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives

information about an identifiable person that relates to the physical or mental health of the individual

freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual

set of interrelated or interacting activities that use inputs to deliver an intended result

output of an organization that can be produced without any transaction taking place between the organization and the customer

degree to which all the properties and characteristics of a product, process, or service satisfy the requirements which ensue from the purpose for which that product, process, or service is to be used

use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour

risk remaining after risk control measures have been implemented

document that fully defines the responsibilities of all relevant stakeholders

combination of the probability of occurrence of harm and the severity of that harm

systematic use of available information to identify hazards and to estimate the risk

overall process comprising a risk analysis and a risk evaluation

process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels

process used to assign values to the probability of occurrence of harm and the severity of that harm

process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk

systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk

set of records and other documents that are produced by risk management

organization's or stakeholder's readiness to bear the risk after risk control in order to achieve its objectives

function or position

set of conditions or actions that occur at the beginning of a sequence of events that result in the initiation of a failure mode

freedom from unacceptable risk

state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the lifecycle

broad category of technical, administrative or organizational controls to manage risks to confidentiality, integrity, availability and accountability of data and systems

measure of the possible consequences of a hazard

complex ‘ecosystem’ or ‘sociotechnical system’ environment where the software is tightly integrated with other systems, technologies, infrastructure, and domains (people, organizations and external environments) and where it is configured to support local clinical and business processes

person who seeks to receive, is receiving, or has received healthcare

combination of interacting elements organized to achieve one or more stated purposes

senior executive accountable for ensuring the health IT system being acquired and implemented will meet their organization’s healthcare delivery services needs for its intended use

potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm

Group of people who direct and control an organization and have overall accountability in an organization.

characteristic of the user interface that facilitates use and thereby establishes effectiveness, efficiency and user satisfaction in the intended use environment

person using the system for a health-related purpose

confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy

kind of deficiency.