By Scot Copeland

Photo of Scot Copeland

Scot Copeland

When I was a young biomed back in the last century, I enjoyed fighting the scourge of medical equipment problems with my cape flowing in the wind. One call and I would exit the Biomed Cave with flames emanating from my tool cart. I was happy with myself and life was good. I thought I could do this forever.

A Milestone in Maturity

I received a call one day from the ICU to the effect of “monitor doesn’t work—STAT.” When I entered the ICU room, the family members and the nurse at the bedside all looked at me with hope, as if I were the one to relieve their anxiety and fear about the patient. The patient was on an intra-aortic balloon pump and apparently had just been revived from a serious situation. The nurse told me that the hemo calcs on the physiological monitor were not correct, and she needed them so that she could evaluate the effectiveness of the balloon therapy.

It hit me like a ton of bricks: These people were afraid the patient was going to die…right now! Knowing next to nothing about balloon pumps, and seeing the gravity of the situation through their eyes, I realized that I would have no excuse if I couldn’t help.

As it turned out, the problem was an incorrect unit of measurement programmed into the monitor, causing erroneous hemodynamic results. Though I had solved the problem, I left the room not heroic, but inadequate. I immediately began to learn more about the balloon pump, what it was doing in that clinical situation, what the monitor’s role was in the therapy, and what I could do in the ICU room with the balloon pump, even though the service was contracted to the manufacturer. I searched out resources for support.

The bottom line for me now was that if I were called into a situation for clinical equipment matters, I needed to have an answer for problems with all the clinical equipment, not just the equipment I knew best or liked working on. I had not been called on for excuses or blame-shifting or buck-passing, but to solve a problem on which a life depended. This moment was my head-on collision with a milestone in maturity.

Taking Ownership of Data Security

Now that I’m older and embarrassed to wear the cape, I manage the Medical Equipment Management Plan for one of the hospitals in our group. I try to instill the principle of ownership I learned on that day to our techs and to those we partner with to provide these services. We aren’t just a repair shop. We are healthcare technology managers. Our mission is to manage the safety and effectiveness of clinical equipment used in front-line healthcare delivery.

A key element of that mission nowadays is medical device information security. Many of our first experiences with the issue took place long ago, and we avoided it for a time by making all our networks isolated or proprietary. But now, just about any medical device you encounter creates, stores, or transmits electronic protected health information, and that device will likely be integrated to other systems on the network if it isn’t already.

Now here we are. We are called and have this mission already laid out for us. No one is in a better position or better suited to handle medical device information security than HTM.

Many hospitals are now implementing a key standard for medical device security: ANSI/AAMI/IEC 80001-1:2010 Application of Risk Management for IT Networks Incorporating Medical Devices. So how are we to go about “owning” this implementation? All too often, we show our unwillingness to do so with comments like the following:

  • “Well, it looks like that risk manager is going to have to put down the needlestick charts and learn computer networking.”
  • “The IT department runs cool intruder detection agents on our network so I don’t have to worry about security. They have it covered.”
  • “The MDS2 says I can’t put anti-virus on it, so there’s nothing I can do, right?” (I’ve actually heard that one.)

Where to Start

Instead of backing away from the challenge, you should aim to take charge of the information security components of your hospital medical device systems. Own the entire issue, just as you would any other new technology or system that you implement in the patient-care environment. Gather the necessary tools, make partners, and learn about managing information security of your medical devices so that you are confident that you have done all you can reasonably do to provide safe, effective healthcare data and systems to the caregivers.

This is not so much a technology challenge as a management challenge. Here are a few things you can do to get started meeting this challenge, even if you don’t yet know how you are going to get there:

  • Begin gathering networking data on your networked medical devices (IP address, MAC address, TCP/UDP port numbers and protocols, network names and VLANs, etc). If you need help, you may contact a manufacturer or a helpful IT tech at your hospital. Most CMMS programs have networking modules and allow for management of this type of data.

We have developed a simple tool for information gathering for our CMMS that I will gladly share with you.

  • Gather information about operating system brands, versions, and patch levels. (Microsoft Windows 7 SP1, Sun Solaris 10, etc). Some devices have embedded OS versions that may not be apparent. A quick call to tech support can fix that.
  • Record and track information on medical device application versions and patch levels.
  • Approach your IT department and ask for their network security standards and policies.
  • Become involved in local and national groups that are addressing the same issues you are. Get educated.

As with anything else, getting started is the biggest obstacle. Once we overcome the things holding us back, we will likely take this issue where we take all our duties in our industry—to excellence.

Scot Copeland is a clinical systems specialist for Scripps/Mercy Hospital in Chula Vista, Calif. For more information, contact editorial director John Bethune at [email protected].