Inspector General releases workplan for mobile and medical devices

Feb. 7, 2014

The HHS Office of the Inspector General (OIG) released its 2014 workplan this month. The workplan includes two items of interest: one focused on portable devices that carry personal health information, and one on networked medical devices in hospitals. The second item, networked medical devices, is new for OIG as concerns about data breaches and protected health information (PHI) are on the rise.

OIG’s plans on these topics include:

– Security of portable devices containing personal health information

  • Review security controls implemented by Medicare and Medicaid contractors and hospitals to prevent loss of PHI contained on portable devices
    • Includes laptops, jump drives, backup tapes, and equipment being disposed

Rationale: “Recent breaches related to Federal computers, including one involving a CMS contractor, have heightened concerns about protecting sensitive information. We will assess and test contractors’ and hospitals’ policies and procedures for electronic health information protections, access, storage, and transport. OMB recommended that all Federal departments and agencies take action to protect sensitive information by following the National Institute of Standards and Technology’s Special Publications 800-53 and 800-53A. (OMB Memorandum M-06-16, issued June 23, 2006.) (OAS; W-00-13-41014; various reviews; expected issue date: FY 2014; work in progress)”

– Controls over networked medical devices at hospitals

  • Determine if current security controls over networked medical devices sufficiently protect PHI and ensure beneficiary safety.

Rationale: “Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with EMRs and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. To participate in the Medicare program, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device. (OAS; W-00-14-42020; various reviews; expected issue date: FY 2014; new start)”

In each case, the task is focused on the impact to Medicare and Medicaid program beneficiaries, and not the entire patient population.
