Inspector General releases workplan for mobile and medical devices

Feb. 7, 2014

The HHS Office of the Inspector General (OIG) released its 2014 workplan this month. The workplan includes two items of interest: one on portable devices that carry personal health information, and one on networked medical devices in hospitals. The second item, networked medical devices, is new for OIG as concerns about data breaches and protected health information (PHI) are on the rise.

OIG’s plans on these topics include:

– Security of portable devices containing personal health information

  • Review security controls implemented by Medicare and Medicaid contractors and hospitals to prevent loss of PHI contained on portable devices
    • Includes laptops, jump drives, backup tapes, and equipment being disposed

Rationale: “Recent breaches related to Federal computers, including one involving a CMS contractor, have heightened concerns about protecting sensitive information. We will assess and test contractors’ and hospitals’ policies and procedures for electronic health information protections, access, storage, and transport. OMB recommended that all Federal departments and agencies take action to protect sensitive information by following the National Institute of Standards and Technology’s Special Publications 800-53 and 800-53A. (OMB Memorandum M-06-16, issued June 23, 2006.) (OAS; W-00-13-41014; various reviews; expected issue date: FY 2014; work in progress)”

– Controls over networked medical devices at hospitals

  • Determine if current security controls over networked medical devices sufficiently protect PHI and ensure beneficiary safety.

Rationale: “Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with EMRs and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. To participate in the Medicare program, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device. (OAS; W-00-14-42020; various reviews; expected issue date: FY 2014; new start)”

In each case, the task is focused on the impact to Medicare and Medicaid program beneficiaries, and not the entire patient population.
