This book includes a plain text version that is designed for high accessibility. To use this version please follow this link.
Security


Transferring data securely from medical devices to EMRs


Cardiac clinic moves closer to going paperless. By Luis F. Perez


dministrators in the cardiac electrophysiology clinic at the George E. Wahlen Department of Veterans Affairs Medical Center in Salt Lake City, Utah, struggled to keep up with the stacks of paper produced by medical devices used to monitor pa- tients’ hearts. They would spend hours upon hours scanning sheets of paper so that the results could be transferred to the hospital’s electronic medical records (EMR) system. Kimberly A. Selzman, M.D., director of arrhythmia/ cardiac electrophysiology at the Salt Lake V.A. medical center, wanted to fi nd a way to electronically transfer those records.


A


For more on LOK-IT: www.rsleads.com/202ht-225


She knew that there had to be a better way to handle all the data. The medical devices produce a telemetry strip similar to electrocardiogram (EKG) and details on how the device is functioning and the battery status. “It’s important, and we want to keep that information,” Selzman says, in particular if a patient has a future problem so that doctors can pinpoint, for example, when an abnormal heart rhythm may have started. The medical devices that Selzman and other cardiologists use to monitor patients’ pacemakers and implant- able cardioverter defi bril-


lators print out reports on scrolls of paper fi ve-inches wide. That format is not conducive to medical record keeping. In addition, the thin paper wears easily, making the records illegible over time. To solve that problem, clinic offi cials hooked up the medi- cal devices, called programmers, to printers. Heart patients routinely come into the clinic to have their pacemakers or defi brillators checked. With each patient visit, the program- mer generates reports up to 15 pages long – and each day the clinic runs, 25 patients come through. The mounds of paper quickly begin to rise. Dr. Selzman turned to the manufacturer of one of the medical devices that spit out the reams of reports: St. Jude Medical Inc. That’s when she found out the programmer came equipped with a USB port. But that was only a start. The U.S. Department of Veterans Affairs rules for encrypted


12 February 2012


medical records precluded the medical center from using a standard USB fl ash drive. “We needed something that could be seen by the program- mer and met all the privacy concerns of the V.A.,” Selzman says. “They have a lot of requirements. You couldn’t just use any old USB drive.” Standard USB fl ash drives do not protect the data stored on them, so encryption is needed in order to satisfy the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These laws state that if organiza- tions have a data breach where personal health information stored on a portable device is lost or stolen and it was not encrypted with a U.S. National Institute of Standards and Technology-approved algorithm, then they must follow data breach notifi cation procedures and are subject to federal penalties up to $1.5 million per occurrence. The issue became further complicated because most en-


crypted fl ash drives require software for the user to enter a password. This process of software authentication requires a keyboard and/or mouse, a monitor and the use of commonly supported operating systems. The medical devices had none of these. They only had USB ports embedded within the devices. For typical encrypted flash drives to work, it would have required the medical device company to rewrite the software on the programmers so that it could interact with those drives. That process would have taken months and a substantial budget. After going through several drives, the search by the V.A. and St. Jude led them to the LOK-IT Secure Flash Drive made by Systematic Development Group, which is based in Deerfi eld Beach, Fla. The LOK-IT drives are the only Federal Information Pro- cessing Standards (FIPS) 140-2 Level 3-certifi ed fl ash drives that utilize hardware user authentication with an onboard PIN pad. So, much like an ATM, users punch a pin code into a 10-key PIN pad on the device to unlock the drive and access data stored on it. The use of the PIN pad eliminates reliance


HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44