Clinical engineering's evolving impact on medical device security and compliance
By Derek Brost, April 9, 2013
All about spotting breaches, partnering with IT, managing vulnerabilities and preparing for potential changes to your job description.
In my last post, we discussed the many technical and administrative threats that clinical engineers face that could trigger patient data breaches. The thought of tackling data-breach risks on top of your daily equipment management responsibilities may seem overwhelming. The good news is that medical device security doesn't rest entirely on your shoulders, and factors outside your control shouldn't weigh on you. Rather, clinical engineers are part of a larger team that must work together to prevent breaches. That said, here are important elements to consider regarding your role:
- Do no harm. This is the basis of the Hippocratic Oath, and although clinical engineers don't administer patient care in the way a physician does, it still applies. Consider how your tools have changed over the years: you've likely come to rely less on wrenches and screwdrivers and more on your laptop, software and USB removable storage. It's important to make sure your tools are "clean" to protect patient data. If you've installed Internet games on your professional laptop, remove them. If you've added anything to your "software toolbox" that could potentially compromise patient data, especially unsupported software (e.g., remote-control tools), eliminate it. Regularly scan your computer and USB storage devices to make sure they don't inadvertently contain patient data or known threats. If you find known threats, I recommend no longer trusting that device. Wipe it, start over and retrace the systems you've touched with it.
- Spot and handle breaches carefully. I understand that you're judged on equipment uptime, so in your efforts to deliver quick and quality equipment service and repair, you may overlook the evidence of a data breach. If, in a rush to get a piece of equipment back up and running, you accidentally destroy evidence of a data breach, consider that this could be used against your hospital in a legal proceeding. If you have any question about what you're dealing with, it's worth slowing down and telling your client that you need to check with others before proceeding. Establish relationships and procedures in advance with the security and compliance managers who will assist.
- IS/IT partnership. You're no stranger to the occasional tension between clinical engineering and your hospital's information systems/technology (IS/IT) department. The two groups can often step on each other's toes, even with the shared goal of delivering good service. It's vital to establish a partnership with the IS/IT department so you can work together on privacy and security policies and procedures. Additionally, extend the partnership your department already has with risk management on patient safety to cover patient privacy and security requirements as well.
- Learn clinical networking, and excel at it beyond IS/IT. IS/IT departments do networking very well, but they typically do it for "mainstream" kinds of technology within a hospital, such as datacenter backbones, LAN/WAN, WiFi, phones, streaming video, etc. As a clinical engineer, you have an opportunity to specialize in clinical networking. In other words, learn how to build a network for clinical devices, and become an expert. Carve this niche for yourself, even if it means stepping on IS/IT's toes (see above). In time, they'll come to see it's part of the value you bring and the partnership you're working to forge with them. If this is too much for your department's resources, at least keep on top of OEMs that provide clinical networking bundled into device installation and repair services.
- Help train owners and operators on appropriate use (AU). Unfortunately, computer etiquette that may seem like common sense to you isn't universally accepted. For example, it's not okay for device operators to be viewing YouTube videos on the MRI machine between patients. Just because a machine is Internet-connected and/or running the same operating system as a $300 laptop doesn’t mean it should be used for social networking or gaming. Leverage your clinical leadership relationships to discuss AU for all clinicians on sensitive equipment.
Another part of your job as a clinical engineer is vulnerability management, or the process of understanding and dealing with known vulnerabilities within a network of clinical devices. Think of this the way you already think of recalls and alerts: it means not ignoring known vulnerabilities and formulating a management strategy with your team. How should you do that, exactly? Here are several items to consider when developing your strategy:
- Know the regulatory requirements. Be familiar with the HIPAA Privacy and Security Rules, FDA mandates and others, and understand how these translate to patient data privacy at your hospital.
- Be aware of versions, bundling, patch tables and more. You're likely aware of the different versions of software running on different medical devices. What's problematic about software updates and various versions is that equipment manufacturers often stop supporting a certain version, which leaves devices on that version especially vulnerable to viruses, corruption and more. Be aware that to get the support you need, the manufacturer may require an upgrade to the latest version, which can sometimes cost tens of thousands of dollars. Patch tables also fall into this category, as manufacturers support certain patches for certain versions and none for others. Advise the device owners and clinical directors as best you can on these items, and have a strategy for implementation.
- Visibility is key. It's important that you have full visibility into what is on your hospital's network. Which machines are supposed to talk to other machines? Which aren't? For devices connected to the Internet, which websites are they visiting (as we mentioned previously, it probably shouldn't be ESPN.com!)? What connections are being made remotely? When? What assets are on the network? What software are they running? What's the baseline of normal activity, and what deviates from it? Again, you can be the clinical network expert. Even if you're not performing all the analytics for the above questions, you can provide expertise to network operators to find useful answers.
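As an added illustration of the last two items (tracking device software versions against the manufacturer's patch table, and checking observed network traffic against the expected device-to-device baseline), here is a small Python script. It is example code written for this page, not code from the author or from eProtex. Every device name, asset ID, IP address, version number, the support table, the "expected flows" baseline and the flow-log lines are constructed sample data, and the one-line-per-flow log format is an assumption; a real program would read the inventory from the CMMS and the flows from the hospital's switches or flow collector.

```python
"""Clinical device inventory and network-visibility checks (constructed example).

Two checks a clinical engineer can run against an inventory of networked devices:
  1. Which devices run a software version the manufacturer no longer patches?
  2. Which observed connections from a clinical device fall outside the
     expected communication baseline (device -> central station, PACS, etc.)?
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    software_version: str
    ip: str


# Constructed vendor patch table: model -> versions still receiving patches.
SUPPORT_TABLE: Dict[str, Set[str]] = {
    "InfusionPump-X": {"3.2", "3.3"},
    "MRI-Console-Q": {"7.1"},
    "PatientMonitor-Z": {"2.0", "2.1", "2.2"},
}

# Constructed inventory (what the CMMS would normally supply).
INVENTORY: List[Device] = [
    Device("CE-0001", "InfusionPump-X", "3.3", "10.20.1.11"),
    Device("CE-0002", "InfusionPump-X", "2.9", "10.20.1.12"),    # version no longer patched
    Device("CE-0003", "MRI-Console-Q", "7.1", "10.20.2.5"),
    Device("CE-0004", "PatientMonitor-Z", "1.8", "10.20.3.40"),  # version no longer patched
]

# Constructed baseline of expected (source ip, destination ip, destination port)
# triples: the "which machines are supposed to talk to which" answer.
EXPECTED_FLOWS: Set[Tuple[str, str, int]] = {
    ("10.20.3.40", "10.20.9.10", 2575),  # monitor -> central station (HL7 over MLLP)
    ("10.20.1.11", "10.20.9.20", 443),   # pump -> drug-library server
    ("10.20.1.12", "10.20.9.20", 443),
    ("10.20.2.5", "10.20.9.30", 104),    # MRI console -> PACS (DICOM)
}

# Constructed flow log, one "timestamp src dst dport" record per line (assumed format).
FLOW_LOG = """\
2013-04-09T08:00:01 10.20.3.40 10.20.9.10 2575
2013-04-09T08:00:05 10.20.1.11 10.20.9.20 443
2013-04-09T08:01:10 10.20.2.5 10.20.9.30 104
2013-04-09T08:02:30 10.20.2.5 203.0.113.7 443
2013-04-09T08:03:00 10.20.1.12 10.20.9.20 443
2013-04-09T08:03:45 10.20.1.12 10.20.3.40 22
"""


def unsupported_devices(inventory: List[Device], support_table: Dict[str, Set[str]]) -> List[Device]:
    """Devices whose software version is absent from the vendor's patch table.

    A model missing from the table entirely is treated as unsupported, since no
    patches can be expected for it.
    """
    return [d for d in inventory if d.software_version not in support_table.get(d.model, set())]


def parse_flow_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Parse the assumed 'timestamp src dst dport' format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def unexpected_flows(flows, expected: Set[Tuple[str, str, int]], inventory: List[Device]):
    """Flows originating from an inventoried clinical device that are not in the baseline.

    Only device-sourced traffic is judged; anything else on the network is out of scope here.
    """
    device_ips = {d.ip for d in inventory}
    return [f for f in flows if f[1] in device_ips and (f[1], f[2], f[3]) not in expected]


def findings() -> Dict[str, list]:
    """Run both checks and return asset IDs / flows that need follow-up."""
    ip_to_asset = {d.ip: d.asset_id for d in INVENTORY}
    deviations = unexpected_flows(parse_flow_log(FLOW_LOG), EXPECTED_FLOWS, INVENTORY)
    return {
        "unsupported": [d.asset_id for d in unsupported_devices(INVENTORY, SUPPORT_TABLE)],
        "unexpected_flows": [(ip_to_asset[src], dst, port) for _, src, dst, port in deviations],
    }


if __name__ == "__main__":
    for category, items in findings().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

On the constructed data the version check flags CE-0002 and CE-0004, and the baseline check flags the MRI console reaching an Internet address on 443 and one pump opening port 22 to a monitor, which is exactly the "which machines are supposed to talk to other machines?" deviation the text asks you to be able to spot and hand to the network operators.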
Let me acknowledge that this is a lot to digest. Much of this goes above and beyond what is likely written in your job description. But as you grow in your chosen profession as a clinical engineer, data security is an area that may be added to that job description. Start now and differentiate yourself among your peers. Be a leader. And when needed, reach out to an independent organization that can answer questions and counsel you in areas related to protecting your patients' private data.
About the author
As chief security officer for eProtex, Derek Brost heads the development and implementation of solutions to medical device security and HIPAA compliance challenges, directing risk assessment and mitigation efforts for nearly 100 hospitals nationwide. A Certified Information Systems Security Professional (CISSP), Derek's 17-year background in IS/IT operations, architecture and information security includes various leadership roles in the healthcare arena. He can be reached at email@example.com. Learn more about eProtex at www.eprotex.com.