We use cookies to understand how this site is used and to improve the site to make use easier. We also share details with Google for analytic purposes. For more information, and to understand the limited use we have for your data, see our privacy page.

If you do not want us to handle your data in this way you can eitherstop using this site or set your browser to request that we do not track you. Continued use of this site without setting do not track explicitly provides your authority to make limited use your data.


accompanying document
see accompanying information
accompanying documentation
see accompanying information
accompanying information

information accompanying or marked on a health IT product or accessory for the user or those accountable for the installation, use, processing, maintenance, decommissioning and disposal of the medical device or accessory, particularly regarding safe use


role responsible for the ongoing operation of the implemented health IT system and ensuring it is safeguarded and maintained on an ongoing basis


physical or digital entity that has value to an individual, an organization or a government

assurance case

reasoned, auditable artefact created that supports the contention that its top-level claim (or set of claims), is satisfied, including systematic argumentation and its underlying evidence and explicit assumptions that support the claim(s)


change management

process for recording, coordination, approval and monitoring of all changes

change-release management

process that ensures that all changes to the health IT infrastructure (and its components) are assessed, approved, implemented and reviewed in a controlled manner and that changes are delivered, distributed, and tracked, leading to release of the change in a controlled manner with appropriate input and output with configuration management

see subject of care
clinical change management

strategic and systematic approach that supports people and their organizations in the successful transition and adoption of electronic health solutions, with a focus on outcomes including solution adoption by users and the realization of benefits

cloud computing

paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand

cloud service

one or more capabilities offered via cloud computing invoked using a defined interface


collection of system resources that (a) forms a physical or logical part of the system, (b) has specified functions and interfaces, and (c) is treated (e.g., by policies or specifications) as existing independently of other parts of the system.


person or organization that could or does receive a product or a service that is intended for or required by this person or organization

see security



role responsible for execution of the design and development phase (from concept to release and maintenance) of a health software or health IT system



ability to produce the intended result


occurrence or change of a particular set of circumstances


defined way to breach the security of information systems through vulnerability


extent to which an organization and/or stakeholder is subject to an event



injury or damage to the health of people, or damage to property or the environment


potential source of harm

hazardous situation

circumstance in which people, property or the environment is/are exposed to one or more hazards

see healthcare delivery organization
health information technology

documented and intended application of information technology that is intended to be applied for the collection, storage, processing, retrieval, and communication of information relevant to health, patient care, and well-being

health IT
see health information technology
health IT infrastructure

combined set of IT assets available to the individual or organization for developing, configuring, integrating, maintaining, and using IT services and supporting health, patient care and other organizational objectives

health IT system

combination of interacting health IT elements that is configured and implemented to support and enable an individual or organization’s specific health objectives

health software

software intended to be used specifically for managing, maintaining, or improving health of individual persons, or the delivery of care, or which has been developed for the purpose of being incorporated into a medical device

health software product

healthcare delivery organization

facility or enterprise such as a clinic or hospital that provides healthcare services



life cycle phase at the end of which the hardware, software and procedures of the system considered become operational


role responsible for the clinical installation, workflow optimization, and training of health software and health IT systems in the clinical setting


role responsible for the incorporation of components into the health IT infrastructure used by the healthcare delivery organization, including technical installation, configuration, and data migration

intended purpose
see intended use
intended use

use for which a product, process or service is intended according to the specifications, instructions and information provided by the manufacturer


ability of two or more systems or components to exchange information and to use the information that has been exchanged


a system or systems composed of communicating nodes and transmission links to provide physically linked or wireless transmission between two or more specified communication nodes


key properties

three risk management characteristics of safety, effectiveness, and security


life cycle

series of all phases in the life of a product or system, from the initial conception to final decommissioning and disposal



organization with responsibility for design or manufacture of a product

medical device

instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for human beings, for one of more of the specific medical purpose(s) of

— diagnosis, prevention, monitoring, treatment or alleviation of disease,

— diagnosis, monitoring, treatment, alleviation of or compensation for an injury,

— investigation, replacement, modification, or support of the anatomy or of a physiological process, — supporting or sustaining life,

— control of conception,

— cleaning, disinfection, or sterilization of medical devices,

— providing information by means of in vitro examination of specimens derived from the human body,

and which does not achieve its primary intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means



person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives


see subject of care
personal health information

information about an identifiable person that relates to the physical or mental health of the individual


freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual


set of interrelated or interacting activities that use inputs to deliver an intended result


output of an organization that can be produced without any transaction taking place between the organization and the customer



degree to which all the properties and characteristics of a product, process, or service satisfy the requirements which ensue from the purpose for which that product, process, or service is to be used


reasonably foreseeable misuse

use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour

residual risk

risk remaining after risk control measures have been implemented

responsibility agreement

document that fully defines the responsibilities of all relevant stakeholders


combination of the probability of occurrence of harm and the severity of that harm

risk analysis

systematic use of available information to identify hazards and to estimate the risk

risk assessment

overall process comprising a risk analysis and a risk evaluation

risk control

process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels

risk estimation

process used to assign values to the probability of occurrence of harm and the severity of that harm

risk evaluation

process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk

risk management

systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk

risk management file

set of records and other documents that are produced by risk management

risk tolerance

organization's or stakeholder's readiness to bear the risk after risk control in order to achieve its objectives


function or position

root cause

set of conditions or actions that occur at the beginning of a sequence of events that result in the initiation of a failure mode



freedom from unacceptable risk


state where information and systems are protected from unauthorized activities, such as access, use, disclosure, disruption, modification, or destruction to a degree that the related risks to confidentiality, integrity, and availability are maintained at an acceptable level throughout the lifecycle

security capability

broad category of technical, administrative or organizational controls to manage risks to confidentiality, integrity, availability and accountability of data and systems

service user
see subject of care

measure of the possible consequences of a hazard

sociotechnical ecosystem

complex ‘ecosystem’ or ‘sociotechnical system’ environment where the software is tightly integrated with other systems, technologies, infrastructure, and domains (people, organizations and external environments) and where it is configured to support local clinical and business processes

subject of care

person who seeks to receive, is receiving, or has received healthcare

subject of healthcare
see subject of care

combination of interacting elements organized to achieve one or more stated purposes

system owner

senior executive accountable for ensuring the health IT system being acquired and implemented will meet their organization’s healthcare delivery services needs for its intended use



potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm

top management

Group of people who direct and control an organization and have overall accountability in an organization.



characteristic of the user interface that facilitates use and thereby establishes effectiveness, efficiency and user satisfaction in the intended use environment


person using the system for a health-related purpose



confirmation, through the provision of objective evidence, that specified requirements have been fulfilled


flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy



kind of deficiency.