By Derek Brost
With today’s complex, connected medical devices, the role of the clinical/biomedical engineer goes much further than equipment repair. Connected devices, meaning any device that stores, generates, or transmits electronic protected health information (ePHI), are everywhere within a hospital—from CT scanners to MRI machines—and are extremely vulnerable to viruses, security breaches, and other issues that can result in noncompliance with the HIPAA Privacy Rule and the HIPAA Security Rule. Because HIPAA violations can cost a hospital more than $2 million in fines and other penalties, it is important for everyone who comes in contact with these devices to understand how to maintain data security. Because clinical engineers work “up close and personal” with medical equipment, let us examine the current security threats to devices, the clinical engineer’s role, and how to mitigate security risks the right way so patient information remains secure.
Current Security Threats to Connected Medical Devices
You may be familiar with the myriad of security threats that can affect connected medical devices: malware, worms, removable storage, Trojans, bots, and more. I would like to highlight a few additional technical threats you might encounter:
Remote controls. Sometimes original equipment manufacturers (OEMs) and independent service organizations (ISOs) put remote controls on medical devices for the purpose of easier servicing or repair. Unfortunately, this opens up the device to a data breach as these controls can remotely access patient and technical data.
Network issues. More than an inconvenience to some in the hospital, a slow network is a technical threat when you cannot access patient data.
ePHI secure erase. When a device reaches the end of its useful life, what happens to its stored data? It is important that all data be erased prior to the equipment leaving the premises to prevent a breach. You may also have worked with OEMs that loan out their “latest and greatest” devices to your hospital’s physicians. Once the trial period has ended and they come to collect the device, be sure no data leaves with it. Clinical engineers should be involved in any OEM loaner program to ensure patient data is properly protected and erased.
In addition to technical threats, clinical/biomedical engineers face administrative threats, such as:
Policies. Your hospital likely has many policies regarding privacy and security, and that is a good thing—if they are being used! You should be aware that some hospitals take these policies too far, though, and that may conflict with a device’s FDA validation or may even be too strict. Yes, you read that right: A stricter-than-necessary policy may put your organization at risk. Do not impose impossibly strict self-regulation when your privacy policies are adequate at a lower level. If there is a privacy breach, HIPAA officials may judge your institution based on your own policies if they are stricter than federal regulations require. If this is happening at your hospital, bring it to management and help them craft realistic policies that still protect your data.
FDA validation. The FDA requires validation on medical devices by the OEM, which decides how it will or will not modify its validated system under change management. The purpose of these validations is to prevent someone from modifying a medical device in a way that might harm a patient or cause an adverse event. Be aware of these validations and how they may affect the devices you are working with.
Business Associate Agreements (BAAs). For example, say a contractor comes in to work on a piece of equipment and takes photos for troubleshooting purposes. Unknowingly, the photos contain patient names. This could quickly become a data breach, which is why it is important for you to help your hospital put BAAs in place. A BAA protects the hospital in the case of a breach and ensures the contractor or subcontractor assumes the responsibility.
The Clinical Engineer’s Role
So how are you supposed to manage your daily equipment management responsibilities and worry about data breaches? The good news is that you are not solely responsible, and factors that are completely out of your control will not weigh on your shoulders. Clinical engineers are part of a larger team that works together to prevent breaches. That being said, here are some things to keep in mind as you consider your specific role:
Do no harm. This is the basis of the Hippocratic Oath, and though clinical engineers do not administer patient care in the way a physician does, it still applies. Consider how your tools have changed over the years. You have likely traded in your wrenches and screwdrivers for your laptop, software, and USB removable storage. It is important to make sure your tools are “clean” to protect patient data. If you have installed Internet games on your laptop, disable them. If you have added anything to your “toolbox” that could potentially compromise patient data, eliminate it. Regularly scan your computer and USB storage to make sure they do not inadvertently contain patient data. If they do, delete it immediately.
Spot and handle breaches carefully. With the pressure of being judged upon equipment uptime, in your efforts to give the best possible service and repair equipment quickly you may overlook the evidence of a data breach. If, in a rush to get a piece of equipment back up and running, you accidentally destroy evidence of a data breach, that instance could potentially be used against your hospital in a courtroom. If you have any question about what you are dealing with, it is worth slowing down and telling your client that you need to check with others before proceeding.
IS/IT partnership. Even with the shared goal of delivering good service, occasional tension between clinical engineering and the hospital’s information systems/technology (IS/IT) department can develop. The two groups can often step on each other’s toes, so it becomes vital to establish a partnership with the IS/IT department so you can work together on privacy and security policies and procedures.
Learn and excel above IS/IT at clinical networking. IS/IT departments do networking very well, but they do it to all kinds of technology within a hospital—phones, streaming video, etc. As a clinical engineer, you have an opportunity to specialize in clinical networking. In other words, learn how to build a network for clinical devices and become an expert. Carve this niche for yourself. It may mean stepping on IS/IT’s toes (see above), but in time, IS/IT will come to see it is part of the partnership you are working to forge with them.
Help train owners and operators on appropriate use (AU). Unfortunately, computer etiquette that may seem like common sense to you is not universally accepted. For example, it is not OK for MRI machine operators to view YouTube videos on the MRI machine between patients. Just because a machine is Internet-connected does not mean it should be used for social networking or gaming.
Security Mitigation
Another part of your job as a clinical engineer is vulnerability management, or the process of understanding and dealing with known vulnerabilities within a network. It means not ignoring those vulnerabilities, and instead formulating a vulnerability strategy with your team. How should you do that, exactly? Here are several items to consider when developing your strategy:
Know regulatory requirements. Be familiar with the HIPAA Privacy and Security Rules, FDA mandates, and others, and understand how these translate to patient data privacy at your hospital.
Be aware of versions, bundling, patch tables, and more. You are likely aware of the different versions of software running on different medical devices. What is problematic about software updates and various versions is that equipment manufacturers often stop supporting a certain version, which means it is now especially vulnerable to viruses, corruption, and more. Be aware: To get the support you need, the manufacturer may make you upgrade to the latest version, which can sometimes cost tens of thousands of dollars. Patch tables also fall into this category, as manufacturers support certain patches for certain versions, and none for others.
Visibility is key. It is important that you have full visibility of what is on your hospital’s network. Which machines are supposed to talk to other machines? Which are not? For devices connected to the Internet, which websites are they visiting (as we mentioned previously, it probably should not be ESPN.com!)? What connections are being made remotely? When? What assets are on the network? What software are they running? What is the baseline of activity and deviation?
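As an illustration of the visibility questions above (an added example, not part of the original article), the following Python sketch compares network flow records against a list of expected device communications and labels each deviation. The hospital network range, device names, addresses, ports, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

HOSPITAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range

# Constructed asset inventory: clinical devices known to be on the network.
INVENTORY = {"10.20.0.11": "CT scanner", "10.20.0.12": "MRI console"}

# Baseline: (source, destination, port) pairs that are supposed to occur.
EXPECTED = {
    ("10.20.0.11", "10.20.1.5", 104),   # CT  -> image archive
    ("10.20.0.12", "10.20.1.5", 104),   # MRI -> image archive
}

# Constructed flow records: (hour_of_day, source, destination, dest_port)
FLOWS = [
    (9,  "10.20.0.11", "10.20.1.5", 104),
    (10, "10.20.0.12", "10.20.1.5", 104),
    (10, "10.20.0.12", "198.51.100.7", 443),   # device visiting a website
    (2,  "203.0.113.40", "10.20.0.11", 3389),  # remote session at 02:00
    (11, "10.20.0.11", "10.20.0.12", 445),     # devices talking to each other
    (11, "10.20.0.77", "10.20.1.5", 104),      # sender missing from inventory
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in HOSPITAL_NET

def review_flows(flows, inventory, expected):
    """Return (findings, summary) for every flow outside the baseline."""
    findings = []
    for hour, src, dst, port in flows:
        if (src, dst, port) in expected:
            continue  # matches the baseline, nothing to report
        if dst in inventory and not is_internal(src):
            kind = "remote-access-from-outside"
        elif src in inventory and not is_internal(dst):
            kind = "device-to-internet"
        elif src in inventory or dst in inventory:
            kind = "unexpected-internal-peer"
        else:
            kind = "unknown-asset"
        # The hour is kept so a reviewer can see when the connection was made.
        findings.append((kind, hour, src, dst, port))
    return findings, Counter(f[0] for f in findings)

if __name__ == "__main__":
    findings, summary = review_flows(FLOWS, INVENTORY, EXPECTED)
    for finding in findings:
        print(finding)
    print(dict(summary))
```

Each finding maps to one of the questions in the paragraph: which devices reach the Internet, which connections are made remotely and when, which machines talk to peers they should not, and which assets are missing from the inventory.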
In conclusion, I acknowledge this is a lot to digest. Much of this goes above and beyond what is likely written in your job description. However, as you grow in your chosen profession as a health care technology management professional, data security is an area that may be added to that job description. Start now and differentiate yourself among your peers. Be a leader. And when needed, reach out to an independent organization that can answer questions and counsel you in areas related to protecting your patients’ private data.
24×7 Service Solutions April 2013
As chief security officer for eProtex, Indianapolis, Derek Brost heads the development and implementation of solutions for medical device security and HIPAA compliance challenges, directing risk assessment and mitigation efforts for nearly 100 hospitals nationwide. A certified information systems security professional, his 17-year background in IS/IT operations, architecture, and information security includes various leadership roles in the health care arena. For more information, contact [email protected].