As smart medical devices fill healthcare facilities, the role of the clinical engineer is evolving far beyond equipment repair. The average hospital now carries at least two such devices per bed, all storing, generating or transmitting electronic protected health information (ePHI).
But there are other machines busy collecting patient data in the facility, from CT scanners to MRI machines. Because these are unconventional machines beyond the IT department's expertise or capabilities, they may be treated with limited oversight and evaluation for HIPAA Privacy and Security Rule compliance. Additionally, these unconventional systems are typically running old operating systems and are not routinely patched or protected by traditional client-based security software (i.e., antivirus). These factors leave them extremely vulnerable to viruses, security breaches and other risks that can trigger non-compliance.
With HIPAA penalties and enforcement on the rise, it's important for everyone who comes in contact with these devices to understand how to safely maintain the patient data flowing in and through them. Given the “up close and personal” nature of a clinical engineer to medical equipment, let's examine common security threats to those devices and the clinical engineer's role.
You may be familiar with medical device security threats like malware, worms, removable storage, Trojans, bots and more. I'd like to highlight a few additional technical threats you might encounter:
- Remote controls. Sometimes original equipment manufacturers (OEMs) and independent service organizations (ISOs) put remote controls on medical devices for the purpose of easier servicing or repair. Unfortunately, these controls also enable the remote tampering of those devices and the data residing in them – and any other devices connected to the same network.
- Network issues. More than an inconvenience to some in the hospital, a slow network is a technical threat when you can't access patient data or process patient workflows.
- ePHI secure erase. When a device reaches the end of its useful life, what happens to its stored data? It's crucial that all data be erased before that equipment leaves your premises. You may also have worked with OEMs that loan out their “latest and greatest” devices to your hospital's physicians. Once the trial period has ended and they come to collect the device, be sure no data leaves with it. Clinical engineers and/or IT should be involved in any OEM loaner program to ensure patient data is properly protected and erased.
In addition to technical threats, clinical engineers face administrative threats, such as:
- Policies. Your hospital likely has many policies regarding privacy and security, and that's a good thing – if they're being used! Be aware that some hospitals take these policies too far, though, and that may conflict with a device's FDA validation or may even be too strict. Yes, you read that right: A stricter-than-necessary policy may put your organization at risk. Don't impose impossibly strict self-regulation when your privacy policies are adequate at a lower level. If a breach occurs, HIPAA officials may judge your organization based on your own policies if they're stricter than federal regulations require. If this is happening at your hospital, bring it to management and help them craft realistic policies that still protect your data.
- FDA validation. The Food and Drug Administration (FDA) requires validation on medical devices by the OEM, which decides how they will or will not modify the software running in those devices. The goal is to protect someone from modifying a medical device such that it might harm a patient or cause an adverse event. Be aware of these validations and how they may affect the devices under your care.
- Business Associate Agreements (BAAs). Let's say a contractor comes in to work on a piece of equipment and takes photos for trouble-shooting purposes. Unknowingly, the photos contain patient names. This could quickly become a data breach – and the reason why it's important for you to help your hospital put BAAs in place. This agreement should adequately require the contractor or sub-contractor to assume responsibility by attesting to their own state of HIPAA compliance.
So how are you supposed to handle your daily responsibilities and worry about data breaches? The good news is that you're not solely responsible, and factors that are completely out of your control won't weigh on your shoulders. Clinical engineers are part of a larger team that works together to prevent breaches.
Look for my next post on April 9. In that piece, I will cover some specific ways to guard against data breaches in your work with connected medical devices. You're likely doing some of them already. Until then, please feel free to contact me with any questions on this complex subject.
About the author
As chief security officer for eProtex, Derek Brost heads the development and implementation of solutions to medical device security and HIPAA compliance challenges, directing risk assessment and mitigation efforts for nearly 100 hospitals nationwide. A Certified Information Systems Security Professional (CISSP), Derek's 17-year background in IS/IT operations, architecture and information security includes various leadership roles in the healthcare arena. He can be reached at [email protected]. Learn more about eProtex at www.eprotex.com.