Transferring data securely from medical devices to EMRs
By Luis F. Perez, February 2012
Cardiac clinic moves closer to going paperless.
Administrators in the cardiac electrophysiology clinic at the George E. Wahlen Department of Veterans Affairs Medical Center in Salt Lake City, Utah, struggled to keep up with the stacks of paper produced by medical devices used to monitor patients’ hearts. They would spend hours upon hours scanning sheets of paper so that the results could be transferred to the hospital’s electronic medical records (EMR) system.
Kimberly A. Selzman, M.D., director of arrhythmia/cardiac electrophysiology at the Salt Lake V.A. medical center, wanted to find a way to electronically transfer those records.
She knew that there had to be a better way to handle all the data. The medical devices produce a telemetry strip similar to an electrocardiogram (EKG), along with details on how the device is functioning and its battery status. “It’s important, and we want to keep that information,” Selzman says, in particular if a patient has a future problem so that doctors can pinpoint, for example, when an abnormal heart rhythm may have started.
The medical devices that Selzman and other cardiologists use to monitor patients’ pacemakers and implantable cardioverter defibrillators print out reports on scrolls of paper five inches wide. That format is not conducive to medical record keeping. In addition, the thin paper wears easily, making the records illegible over time.
To solve that problem, clinic officials hooked up the medical devices, called programmers, to printers. Heart patients routinely come into the clinic to have their pacemakers or defibrillators checked. With each patient visit, the programmer generates reports up to 15 pages long – and each day the clinic runs, 25 patients come through. The mounds of paper quickly begin to rise.
Dr. Selzman turned to the manufacturer of one of the medical devices that spit out the reams of reports: St. Jude Medical Inc. That’s when she found out the programmer came equipped with a USB port. But that was only a start. The U.S. Department of Veterans Affairs rules for encrypted medical records precluded the medical center from using a standard USB flash drive.
“We needed something that could be seen by the programmer and met all the privacy concerns of the V.A.,” Selzman says. “They have a lot of requirements. You couldn’t just use any old USB drive.”
Standard USB flash drives do not protect the data stored on them, so encryption is needed in order to satisfy the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These laws state that if organizations have a data breach where personal health information stored on a portable device is lost or stolen and it was not encrypted with a U.S. National Institute of Standards and Technology-approved algorithm, then they must follow data breach notification procedures and are subject to federal penalties up to $1.5 million per occurrence.
The issue became further complicated because most encrypted flash drives require software for the user to enter a password. This process of software authentication requires a keyboard and/or mouse, a monitor and the use of commonly supported operating systems. The medical devices had none of these. They only had USB ports embedded within the devices.
For typical encrypted flash drives to work, the medical device company would have had to rewrite the software on the programmers so that it could interact with those drives. That process would have taken months and a substantial budget.
After going through several drives, the search by the V.A. and St. Jude led them to the LOK-IT Secure Flash Drive made by Systematic Development Group, which is based in Deerfield Beach, Fla.
The LOK-IT drives are the only Federal Information Processing Standards (FIPS) 140-2 Level 3-certified flash drives that utilize hardware user authentication with an onboard PIN pad. So, much like an ATM, users punch a PIN code into a 10-key PIN pad on the device to unlock the drive and access data stored on it. The use of the PIN pad eliminates reliance on a keyboard and computer to unlock and use the drive. That makes it platform independent. The operating system used by the medical device didn’t matter. The software didn’t need to be rewritten to access the encrypted drive, and the medical devices could see the drives.
Finding a flash drive that worked with the medical devices was only a partial victory. The V.A., like many federal agencies and major corporations, does not allow the use of thumb drives for data security reasons.
LOK-IT’s FIPS 140-2 Level 3 rating was critical to the cardiac clinic getting permission to use the drive. The rating was developed by the federal government, and the 140 series refers to computer security standards that specify requirements for cryptographic modules. The U.S. National Institute of Standards and Technology sets the criteria; a Level 3 validation requires that a component is tamper resistant, encrypts data and allows identity-based authentication.
LOK-IT has an internal epoxy potting that prevents unauthorized access to the internal components. If someone tries to remove the epoxy potting, it causes irreversible damage to the components and renders the drive unusable. To encrypt data, LOK-IT drives use on-the-fly, full-disk, 256-bit AES hardware encryption. All data stored on the drive is automatically encrypted by LOK-IT’s encryption controller. And its onboard PIN pad allows for a seven- to 15-digit pass code.
It took months, but in the end the V.A. information technology department gave the cardiac clinic permission to use the flash drive. IT authorized access to the locked USB ports on the clinic’s desktop computers so that clinic staff could upload the data from LOK-IT.
Implementing the drive was simple. Basically, it’s a plug-and-play device, so there’s little training to be done. There were “no glitches … no hesitation,” Selzman says.
The clinic found an added benefit for patients who have home monitoring devices that transmit their cardiac reports using a landline. The reports are uploaded by the patient at home to the medical device companies’ websites. There are various devices, so there are several different sites where the patient reports end up. LOK-IT helps those patients who don’t have a landline by allowing the data from the medical device at home to be transferred to the hospital’s electronic medical records.
The clinic uses other medical devices besides St. Jude’s product, including Medtronic devices. Selzman says the LOK-IT drives they purchased also work with the Medtronic devices.
For the clinic’s two physicians, two nurses and administrator, LOK-IT has made filing patients’ medical records much easier. What once took hours can now be done at the end of a clinic day in 30 minutes. The stacks of paper are gone.
“It’s easier to find patient data,” Selzman says.
Instead of looking through piles of paper, doctors now can search electronically. And the cardiac clinic has moved closer to the V.A.’s goal of going paperless.