By German (John) Baron, CBET, BSBME, CSP

It’s well known that healthcare entities have been enhancing their patient services to include successful telehealth services. (Nowhere does this ring truer than in the Veterans Affairs system.) Some telehealth services require the healthcare entity’s medical devices to be installed in the patient’s home for remote monitoring. As such, the healthcare technology management team is responsible for the setup and maintenance of the equipment.

However, there is a new business model—based on the software-as-a-service (SaaS) cloud model—that is being implemented in the healthcare sector, particularly the Veterans Affairs system, which may impact the future of the healthcare industry and, especially, healthcare technology management (HTM) and biomedical engineering departments. Therefore, to devise a plan of action for their future telehealth and in-house healthcare services, HTM/CE teams must perform risk analysis and evaluate this new service model. After all, if risks are addressed and minimized, the new service model may yield cost-saving benefits for healthcare entities.

Moreover, a leading health technology company is starting this new model by partnering with healthcare organizations. The concept of this model is much like SaaS, where the healthcare entity does not have to purchase its own patient care monitoring systems. Instead, the provider supplies the systems, as well as all required ongoing system upgrades and maintenance, in addition to technical support, workflow process analysis for optimization potentials, continuing education, and asset and data management.

The vendor’s explanation? This model will enable providers to “future proof” their monitoring technologies while managing per-patient healthcare costs and boosting overall satisfaction. No doubt this new approach will bring changes to healthcare entities’ healthcare and business processes. In addition, biomedical engineering, information security, and privacy officers—along with other contracting officers and other professional services providers—will gain new responsibilities and have to make the appropriate changes brought on by this new business model.

Meanwhile, due to the need for healthcare organizations’ stringent security and privacy compliance requirements, strict stipulations will need to be addressed in the long-term strategic partnership agreements with the service providers. And healthcare entities will be committed to securing their technologies because they know that strong IT security of medical devices and their networks is directly associated with patient safety.

Regulation Considerations

The Federal Information Security Management/Modernization Act (FISMA) requires all federal agencies to assess and authorize their information systems in compliance with National Institute of Standards and Technology (NIST) healthcare guidelines. Additionally, all federal agencies’ cloud computing must comply with FedRAMP and with the Trusted Internet Connections (TIC) mandate.

So, what’s FedRAMP? In a phrase, it’s a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP complies with FISMA processes and applies the NIST standards to cloud-based information technology.

Rounding out the regulations is Office of Management and Budget Memo M-08-05, which mandates that all government agencies utilize TICs to reduce and consolidate external network connections to the federal government, including connections to the Internet. Such federal guidelines are necessary, since following them will only enhance the security of medical devices for healthcare organizations.

Further, because security compliance with FedRAMP/TIC will enhance the security of future cloud-connected medical devices, service providers must demonstrate that their cloud architecture has received FedRAMP authorization and complies with federal security requirements. If the vendor’s service cloud is not compliant, then the healthcare organization may consider using its own secure, private cloud and tightening the service as per NIST and industry security guidance. Again, risk assessments must be done before these services are considered so that each vulnerability can be addressed before the service model is implemented.

As previously mentioned, this new medical device-as-a-service model may support the healthcare organizations’ patient and telehealth services by eliminating the need to purchase the associated medical technologies. Consequently, HTM, IT, and other healthcare teams must collaborate to ensure that all systems involved are locked down according to security requirements.

A good approach? Include the entities’ security teams, HTM, and privacy protection teams when assessing the systems and their maintenance plans before accepting the service. After all, according to the U.S. FDA, medical device cybersecurity is a shared responsibility among all stakeholders including healthcare facilities, patients, providers, and manufacturers of medical devices.

Failure to maintain cybersecurity can compromise device functionality, result in loss of sensitive data’s availability or integrity, and ultimately yield patient illness, injury or death. Thus, strong collaboration between all stakeholders involved in this new telehealth model will enhance patient safety and the Veterans Health Administration’s telehealth services.

German (John) Baron, CBET, BSBME, CSP, has more than 35 years of experience in the biomedical arena, including military medical specialties and clinical experience, and 15 years in the IT security arena. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].