3 Cybersecurity Tips for Integrating Medical Devices with your EHR

Posted by: Suzanne Prasad

Streamline Your Small Practice With Customized Solutions

EHR Software, Practice Management, Telemedicine, Patient Engagement, Credentialing, Medical Billing Services, Denial Management, Coding Compliance and Audit


In an era of electronic health records (EHR), patient-generated data has become a buzz phrase in healthcare. This data—often collected via medical devices such as pacemakers, glucose monitors, blood pressure Cybersecurity_and_EHR.jpgmonitors, ventilators, and a whole host of others—is a treasure trove of information that helps physicians render more effective and timely clinical care. However, cybersecurity is paramount—particularly when the device links directly to a provider’s EHR.

This article provides a brief overview of cybersecurity guidance from the FDA as well as three tips that physician practices can use now to ensure compliance and protect ePHI.

FDA guidance puts cybersecurity in the spotlight

On January 15, 2016, the FDA issued draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks.

In an FDA press release, Suzanne Schwartz, MD, MBA, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, said “All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities—some we can proactively protected against, while others require vigilant monitoring and timely remediation.”

EHR/medical device integration becoming more common

Just how often are providers integrating medical devices with their EHRs?

Forty-seven percent of healthcare providers and payers said they’ve integrated consumer products (e.g., wearables) or operational technologies (e.g., automated pharmacy-dispensing systems) with their IT ecosystem, according to a September 2014 PwC report. The study doesn’t specify whether the IT ecosystem refers to EHRs specifically. But only 53% implemented security controls for these devices, the study found. In addition, only 34% have contacted device manufacturers to understand the equipment’s security capabilities and risks.

The trend toward device integration will likely continue, as it often yields significant cost savings in the long run. In early 2013, West Health Institute reported that hospitals can save more than $30 billion a year by connecting medical devices, such as vital sign monitors, smart pumps, and ventilators with their EHRs.

Cybersecurity and physician practices

Why is the FDA guidance particularly important for physician practices?

It’s important because it reminds providers that medical device cybersecurity is a shared responsibility between stakeholders. This includes facilities, patients, physicians, and manufacturers.

The FDA also highlights the gravity of cybersecurity threats to patients using medical devices: “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This, in turn, may have the potential to result in patient illness, injury or death.”

3 cybersecurity tips to consider

Although the FDA guidance isn’t directed specifically toward physician practices, there are a few tips that practices should keep in mind when integrating any type of medical device with the EHR.

1. Provide comprehensive patient education about the device.

This includes:
  • Log-in information (and how to keep that information private). User authentication is critical in terms of being able to confidently attribute the device-generated data to the patient.
  • How the device works. This includes a thorough explanation of manual data input, if applicable, and troubleshooting.
  • Software updates and cybersecurity considerations. This includes cybersecurity updates and patches.

Reiterate the fact that any Internet-connected device with an IP address has the potential to be hacked and compromised.

2. Ensure that your EHR vendor can link specific information to its source (i.e., the device).

This helps establish the integrity of the information, and it allows physicians to determine whether they want to make clinical decisions based on this information. For example, data automatically emanating from a pacemaker may be more reliable than data emanating from a device that requires patient manipulation to function properly (e.g., blood pressure cuff). If a physician sees a drop in blood pressure, he or she may first want to ensure that the patient knows how to operate the device correctly.

3. Communicate with your device manufacturer to glean more information about the device.

How the device accomplishes the following?

  • Identifies assets, threats, and vulnerabilities
  • Assesses the impact of threats and vulnerabilities on device functionality and end users
  • Rates the likelihood of exploitation of threats and vulnerabilities
  • Determines risk levels and mitigation strategies

Looking Ahead

As medical device usage and integration with EHRs continues to become more common, physician practices need to identify their own role in terms of compliance. Patient education is critical; however, it’s equally as important to open the lines of communication with your EHR vendor and device manufacturer.EMR Demo

Topics: Cybersecurity

Related Posts

EHR Implementaton: EHR Selection - Best Practices (2020) | RevenueXL

EHR Implementation Best Practices To Guide Medical Practices Successful implementation of medical EHR software can only be achieved by following a...

Read More

Benefits of EHR - Electronic Health Records | RevenueXL

Benefits of Electronic Health Records The word is out -- ambulatory practices continue to reap the benefits of adopting integrated EHR System...

Read More

MIPS | What is MIPS ? | RevenueXL

What is MIPS? Medicare reform—specifically the Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APM)—is the number one...

Read More

Ready to Transform Your Practice?