In an era of electronic health records (EHR), patient-generated data has become a buzz phrase in healthcare. This data—often collected via medical devices such as pacemakers, glucose monitors, blood pressure monitors, ventilators, and a whole host of others—is a treasure trove of information that helps physicians render more effective and timely clinical care. However, cybersecurity is paramount—particularly when the device links directly to a provider’s EHR.
This article provides a brief overview of cybersecurity guidance from the FDA as well as three tips that physician practices can use now to ensure compliance and protect ePHI.
FDA guidance puts cybersecurity in the spotlight
On January 15, 2016, the FDA issued draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks.
In an FDA press release, Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, said “All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protected against, while others require vigilant monitoring and timely remediation.”
EHR/medical device integration becoming more common
Just how often are providers integrating medical devices with their EHRs?
Forty-seven percent of healthcare providers and payers said they’ve integrated consumer products (e.g., wearables) or operational technologies (e.g., automated pharmacy-dispensing systems) with their IT ecosystem, according to a September 2014 PwC report. The study doesn’t specify whether the IT ecosystem refers to EHRs specifically. But only 53% implemented security controls for these devices, the study found. In addition, only 34% have contacted device manufacturers to understand the equipment’s security capabilities and risks.
The trend toward device integration will likely continue, as it often yields significant cost savings in the long run. In early 2013, West Health Institute reported that hospitals can save more than $30 billion a year by connecting medical devices, such as vital sign monitors, smart pumps, and ventilators with their EHRs.
Cybersecurity and physician practices
Why is the FDA guidance particularly important for physician practices?
It’s important because it reminds providers that medical device cybersecurity is a shared responsibility between stakeholders. This includes facilities, patients, physicians, and manufacturers.
The FDA also highlights the gravity of cybersecurity threats to patients using medical devices: “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This, in turn, may have the potential to result in patient illness, injury or death.”
3 cybersecurity tips to consider
Although the FDA guidance isn’t directed specifically toward physician practices, there are a few tips that practices should keep in mind when integrating any type of medical device with the EHR.
1. Provide comprehensive patient education about the device.This includes:
- Log-in information (and how to keep that information private). User authentication is critical in terms of being able to confidently attribute the device-generated data to the patient.
- How the device works. This includes a thorough explanation of manual data input, if applicable, and troubleshooting.
- Software updates and cybersecurity considerations. This includes cybersecurity updates and patches.
Reiterate the fact that any Internet-connected device with an IP address has the potential to be hacked and compromised.
2. Ensure that your EHR vendor can link specific information to its source (i.e., the device).
This helps establish the integrity of the information, and it allows physicians to determine whether they want to make clinical decisions based on this information. For example, data automatically emanating from a pacemaker may be more reliable than data emanating from a device that requires patient manipulation to function properly (e.g., blood pressure cuff). If a physician sees a drop in blood pressure, he or she may first want to ensure that the patient knows how to operate the device correctly.
3. Communicate with your device manufacturer to glean more information about the device.
How the device accomplishes the following?
- Identifies assets, threats, and vulnerabilities
- Assesses the impact of threats and vulnerabilities on device functionality and end users
- Rates the likelihood of exploitation of threats and vulnerabilities
- Determines risk levels and mitigation strategies
As medical device usage and integration with EHRs continues to become more common, physician practices need to identify their own role in terms of compliance. Patient education is critical; however, it’s equally as important to open the lines of communication with your EHR vendor and device manufacturer.