MEDICAL DEVICES: Special Considerations

By Staff Reporters

***

***

INFORMATION TECHNOLOGY CONSIDERATIONS FOR MEDICAL DEVICES

In 2013, the Food and Drug Administration (FDA) issued its first cybersecurity safety communication, followed in 2014 by final guidance. It struck a reasonable balance between new regulations (almost none) and guidance (in the form of non-binding recommendations).

In 2015, the Federal Trade Commission (FTC) released a staff report entitled Internet of Things: Privacy & Security in a Connected World, in which it recommended that Internet of Things (IoT) devices, which of course include medical and clinical devices, maintain a good security posture. It’s worth noting that the FDA, FTC, and other government regulators are converging on a few key guidelines. The following recommendations come directly from the FTC report.

Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider:

  • Conducting a privacy or security risk assessment
  • Minimizing the data they collect and retain
  • Testing their security measures before launching their products
  • Companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
  • Companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers.
  • When companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels.
  • Companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.
  • Companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

According to colleague Shahid N. Shah MS, the FTC report and FDA guidelines are remarkably consistent. When thinking of cybersecurity and data privacy, engineers tend to think about authentication, authorization, and encryption. Those are the relatively easy topics. For safety-critical devices, however, things are much more difficult and need to encompass a larger surface of questions, including but not limited to:

  • Asset Inventory: Is the device discoverable, and can it associate itself with standard IT inventory systems so that revision management, software updates, and monitoring can be automated?
  • Cyber Insurance: Does the device have enough security documentation to allow it to be insured by standard cyber insurance riders?
  • Patching: How is the firmware, operating system (OS), or application going to be patched by IT staff within hospitals (or the home for remote devices)?
  • Internal Threats: Has the device been designed to circumvent insider (hospital staff, network participants, etc.) threats?
  • External Threats: Has the device been designed to lock down the device from external threats?
  • Embedded OS Security: Is the device sufficiently hardened at the operating system level, such that no extraneous software components, which increase the attack surface, are present?
  • Firmware and Hardware Security: Are the firmware and hardware components sourced from reputable suppliers and free of state-sponsored spying?
  • Application Security: Is the Microsoft Security Development Lifecycle (SDL) or similar software security assurance process integrated into the engineering process?
  • Network Security: Have all network protocols not in use by the device been turned off so that they are not broadcasting?
  • Data Privacy: What data segmentation, logging, and auditing is being done to ensure appropriate data privacy?
  • HIPAA Compliance: Have proper steps been followed to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance?
  • FISMA Compliance: If you’re selling to the federal government, have proper steps, such as use of Federal Information Processing Standard (FIPS) certified encryption, been followed to ensure Federal Information Security Management Act (FISMA) compliance?
  • Data Loss Prevention (DLP): Is there monitoring in place to ensure data leakage outside of the device doesn’t occur?
  • Vulnerabilities: Have common vulnerabilities such as the Open Web Application Security Project (OWASP) Top 10 been reviewed?
  • Data Sharing: Are proper data sharing agreements in place to allow sharing of data across devices and networks?
  • Password Management: Are passwords hardcoded into the device or made configurable?
  • Configuration Protection: Are configuration files properly check-summed and protected against malicious changes?
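The “Configuration Protection” question above hides a caveat worth making concrete: an unkeyed checksum stored beside a configuration file only catches accidental corruption, because whoever can edit the file can recompute the checksum. The following Python example is added here and is not code from the page or from any product it mentions; the device settings, the integrity key and the tampering edit are constructed for illustration. It contrasts a plain SHA-256 checksum with an HMAC-SHA256 tag whose key is held outside the writable partition, and checks the tag before the file is ever parsed.

```python
"""Config-file integrity check for an embedded device (added example, constructed data)."""
import hashlib
import hmac
import json

# Constructed sample: device settings as they might sit on the writable config partition.
SAMPLE_CONFIG_BYTES = json.dumps(
    {
        "device_id": "pump-0001",                    # placeholder identifier
        "telemetry_host": "telemetry.example.invalid",
        "max_infusion_rate_ml_h": 100,
        "remote_debug": False,
    },
    sort_keys=True,
).encode()

# Constructed sample: a per-device integrity key provisioned at manufacture and
# held in protected storage (secure element, OS keystore). It must never be
# written to the partition that holds the config file.
SAMPLE_KEY = bytes.fromhex(
    "6b2d5b2f9d3e4c1a8f7e6d5c4b3a29181716151413121110ffeeddccbbaa9988"
)


def plain_checksum(raw: bytes) -> str:
    """Unkeyed SHA-256 over the file bytes: detects accidental corruption only."""
    return hashlib.sha256(raw).hexdigest()


def checksum_is_valid(raw: bytes, checksum: str) -> bool:
    """The naive check: recompute the checksum and compare."""
    return hmac.compare_digest(plain_checksum(raw), checksum)


def seal(raw: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag; producing a valid tag requires the key."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def verify_and_load(raw: bytes, tag: str, key: bytes):
    """Verify the tag BEFORE parsing, so untrusted bytes never reach the parser.

    Returns the parsed settings, or None on any mismatch. compare_digest keeps
    the comparison constant-time.
    """
    if not hmac.compare_digest(seal(raw, key), tag):
        return None
    return json.loads(raw)


def tampered_copy(raw: bytes) -> bytes:
    """Constructed: the kind of edit someone with write access to the partition would make."""
    return raw.replace(b'"remote_debug": false', b'"remote_debug": true')


def demo() -> dict:
    """Run the four cases and return their outcomes (all four are expected to be True)."""
    original = SAMPLE_CONFIG_BYTES
    edited = tampered_copy(original)
    assert edited != original, "constructed tamper edit did not apply"
    return {
        # 1. Plain checksum: the editor simply recomputes it and the check passes.
        "checksum_passes_after_tamper": checksum_is_valid(edited, plain_checksum(edited)),
        # 2. Tag sealed at provisioning: the edited file fails verification.
        "hmac_rejects_tamper": verify_and_load(edited, seal(original, SAMPLE_KEY), SAMPLE_KEY) is None,
        # 3. Without the key, a freshly hashed value is not a valid tag either.
        "hmac_rejects_forged_tag": verify_and_load(edited, plain_checksum(edited), SAMPLE_KEY) is None,
        # 4. The untouched file still loads.
        "hmac_accepts_original": verify_and_load(original, seal(original, SAMPLE_KEY), SAMPLE_KEY) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is where the secret lives: if the key sits on the same writable partition as the file, an HMAC degrades to a plain checksum. Where the device has no protected key storage at all, a manufacturer signature verified with a public key baked into firmware gives the same tamper detection without keeping any secret on the device, and the same check should run at boot, not only when the file is edited.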

ASSESSMENT

It is vital to perform a security assessment on a healthcare practice to understand the environment, identify risks and perform risk mitigation. A one-time security assessment with risk mitigation is not sufficient in 2025. This is a continuous process that needs to be performed religiously to maintain a secure and compliant practice.

COMMENTS APPRECIATED

Refer, Like and Subscribe

***

***

ONC: Push-Back Against Health IT Blocking Dis-Incentives

By Staff Reporters

***


***

DEFINITION: The Office of the National Coordinator for Health Information Technology (ONC) is a staff division of the Office of the Secretary, within the U.S. Department of Health and Human Services. ONC leads national health IT efforts, charged as the principal federal entity to coordinate nationwide efforts to implement and use the most advanced health information technology [HIT] and the electronic exchange of health information.

CITE: https://www.r2library.com/Resource

***

***

And so, hospitals and medical groups are now pushing back on ONC’s proposed information blocking disincentives, arguing that the financial penalties are “excessive,” “unfair” and will discourage participation in value-based care programs [VBC].

VBC: https://medicalexecutivepost.com/2023/08/14/value-based-care-guidelines-and-best-practices/

COMMENTS APPRECIATED

Thank You

***

***

The Continuing Debate over Electronic Medical Records Systems


Are We There Yet? – In Healthcare Organizations

[By Richard J. Mata MD, MS]


Paper-based medical records have been in existence for centuries and their gradual replacement by computer-based records has been slowly underway for over twenty years in western healthcare systems.

Computerized information systems have not achieved the same degree of penetration in healthcare as is seen in other sectors such as finance, transportation, and the manufacturing and retail industries.

Further, deployment has varied greatly from country to country and from specialty to specialty and in many cases has revolved around local systems designed for local use.

The DHHS

A 2005 DHHS study found that national penetration of electronic health records (EHRs) may have reached over 90% in primary care practices in Norway, Sweden, and Denmark (2003), but was limited to 17% of physician office practices in the U.S. (2001-2003). By 2011, with the ACA, this number may be approaching 20-25% in the US, but adoption may actually be slowing.

The ISMS Vision

According to the Illinois State Medical Society there is a “Sweeping Vision for EHRs”:

  • EHRs will provide a comprehensive view of all patient information.
  • Quality of care will be improved.
  • Physicians will more easily be able to review the “complete” medical record.
  • An appropriately configured EHR system will provide “alerts” and “notices” to help health care providers incorporate best practices into patient treatments. Ideally clinical decision support should be built in and be evidence-based.
  • Medical errors can be reduced.
  • Treatment and administrative costs will be reduced.
  • Public health will be improved.

Defining Electronic Records Systems

The 2003 Institute of Medicine (IOM) Patient Safety Report describes an EHR as encompassing:

  • a longitudinal collection of electronic health information for and about persons;
  • [immediate] electronic access to person- and population-level information by authorized users;
  • provision of knowledge and decision-support systems [that enhance the quality, safety, and efficiency of patient care] and
  • support for efficient processes for health care delivery.

IOM Report

A 1997 IOM report, The Computer-Based Patient Record: An Essential Technology for Health Care provides a more extensive definition:

A patient record system is a type of clinical information system, which is dedicated to collecting, storing, manipulating, and making available clinical information important to the delivery of patient care. The central focus of such systems is clinical data and not financial or billing information. Such systems may be limited in their scope to a single area of clinical information (e.g., dedicated to laboratory data), or they may be comprehensive and cover virtually every facet of clinical information pertinent to patient care (e.g., computer-based patient record systems).

The EHR definitional model document developed by the Health Information and Management Systems Society (HIMSS, 2003) includes “a working definition of an EHR, attributes, key requirements to meet attributes, and measures or ‘evidence’ to assess the degree to which essential requirements have been met once EHR is implemented.”

IOM Re-Deux

Another IOM report, Key Capabilities of an Electronic Health Record System [Tang, 2003], identifies a set of eight core care delivery functions that EHR systems should be capable of performing in order to promote greater safety, quality and efficiency in health care delivery. The eight core capabilities that EHRs should possess are:

  1. Health information and data. Having immediate access to key information – such as patients’ diagnoses, allergies, lab test results, and medications – would improve caregivers’ ability to make sound clinical decisions in a timely manner.
  2. Result management. The ability for all providers participating in the care of a patient in multiple settings to quickly access new and past test results would increase patient safety and the effectiveness of care.
  3. Order management. The ability to enter and store orders for prescriptions, tests, and other services in a computer-based system should enhance legibility, reduce duplication, and improve the speed with which orders are executed.
  4. Decision support. Using reminders, prompts, and alerts, computerized decision-support systems would help improve compliance with best clinical practices, ensure regular screenings and other preventive practices, identify possible drug interactions, and facilitate diagnoses and treatments.
  5. Electronic communication and connectivity. Efficient, secure, and readily accessible communication among providers and patients would improve the continuity of care, increase the timeliness of diagnoses and treatments, and reduce the frequency of adverse events.
  6. Patient support. Tools that give patients access to their health records, provide interactive patient education, and help them carry out home monitoring and self-testing can improve control of chronic conditions, such as diabetes.
  7. Administrative processes. Computerized administrative tools, such as scheduling systems, would greatly improve hospitals’ and clinics’ efficiency and provide more timely service to patients.
  8. Reporting. Electronic data storage that employs uniform data standards will enable health care organizations to respond more quickly to federal, state, and private reporting requirements, including those that support patient safety and disease surveillance.

Assessment

After reviewing the above, are we there yet, in 2011?

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
