Inspector General releases workplan for mobile and medical devices

Feb. 7, 2014

The HHS Office of the Inspector General (OIG) released its 2014 workplan this month. The workplan includes two items of interest: one on portable devices that carry personal health information, and one on networked medical devices in hospitals. The second item, networked medical devices, is new for OIG as concerns about data breaches and protected health information (PHI) are on the rise.

OIG’s plans on these topics include:

– Security of portable devices containing personal health information

  • Review security controls implemented by Medicare and Medicaid contractors and hospitals to prevent loss of PHI contained on portable devices
    • Includes laptops, jump drives, backup tapes, and equipment being disposed of

Rationale: “Recent breaches related to Federal computers, including one involving a CMS contractor, have heightened concerns about protecting sensitive information. We will assess and test contractors’ and hospitals’ policies and procedures for electronic health information protections, access, storage, and transport. OMB recommended that all Federal departments and agencies take action to protect sensitive information by following the National Institute of Standards and Technology’s Special Publications 800-53 and 800-53A. (OMB Memorandum M-06-16, issued June 23, 2006.) (OAS; W-00-13-41014; various reviews; expected issue date: FY 2014; work in progress)”

– Controls over networked medical devices at hospitals

  • Determine if current security controls over networked medical devices sufficiently protect PHI and ensure beneficiary safety.

Rationale: “Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with EMRs and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. To participate in the Medicare program, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device. (OAS; W-00-14-42020; various reviews; expected issue date: FY 2014; new start)”

In each case, the task is focused on the impact to Medicare and Medicaid program beneficiaries, and not the entire patient population.
