One item in the OIG 2014 Work Plan is to examine the controls over networked medical devices. That’s right. Yet another government entity, the OIG, plans to scrutinize hospital IT / Biomedical security.
The OIG indicates that biomedical equipment is “increasingly integrated with EMRs and the larger health network” and poses “a growing threat to the security and privacy of personal health information.” So, they are making this a new priority for 2014.
As mentioned in our earlier post about the Work Plan privacy and security items, we can only speculate, as we don’t know what kind of audits the OIG will conduct to measure the security of biomedical equipment. Traditionally, biomed equipment such as patient monitoring systems, diagnostic equipment and medication dispensing systems was kept separate and isolated on independent networks. However, these devices are increasingly being connected to electronic records and the Internet. As a result, they become exposed to the same threats that have affected the business and clinical systems traditionally managed by hospital IT.
Eagle Consulting Partners, Inc. recommends providers take the following steps to secure the ePHI on biomedical equipment:
- Open and strengthen lines of communication between IT management and Biomed.
- For the last couple of years, hospitals have conducted a “meaningful use risk assessment” for compliance with the meaningful use program. This requirement, which we would describe as a HIPAA Security risk assessment, should mature to include all systems that process ePHI, biomedical equipment among them.
- If resources are limited, at least create a thorough inventory of all biomedical equipment that processes ePHI.
- Work toward integrating the computer security risk assessment into an overall hospital risk management plan. Include hospital senior management in the process. Document the impacts of security failures, including risks to patient safety and malpractice liability.
While this will be a long journey, the time to get started is right now.