
Medical Device Security At A Crossroads

Posted on April 28, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.”

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.”

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway is the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to study the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet, there are a lot of challenges when it comes to medical device security. There is definitely no antivirus, and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

How Integrating Medical Device Data Improves EMR Data’s Value

Posted on July 17, 2012 | Written By Anne Zieger

As we’ve noted here before, connecting medical device data to EMRs is no walk in the park.  Hospitals have to invest in next-gen devices with new capabilities — such as wireless connectivity — and across their entire campus too, if they want consistent results. Then there’s the labor involved in initiating, completing and managing an array of newly-capable devices.  This will create hiccups, or possibly worse, even under the best of circumstances.

But I’d guess most of us would agree that there are plenty of good reasons to go ahead and install more-connected devices. Here are five reasons to consider, laid out in a recent article by Sue Niemeier of connectivity tech vendor Capsule:

1.  EMR data becomes more accurate. Since it’s being collected automatically, the data won’t suffer from transcription errors or omissions.

2. With connected devices, measurement data is collected in virtually real-time. Otherwise, Niemeier says, it can be anywhere from two to twelve hours in her experience before the data gets into a paper chart, which might not even go with the patient if moved.

3. EMR data comes in as a steady stream rather than “batch” fashion, making it easier to check and submit as it arrives — rather than at the end of the shift.

4.  Data delivered directly by devices is concise, making it easier to track patient progress, while nursing notes may bury the data in paragraph form.

While all of this is great, we’re not likely to see a grand switchover in the near term. Right now, integration stats are very low; for example, according to a recent KLAS hospital study, less than 10 percent of respondents had adopted connected smart infusion pumps.

Still, it’s good to be reminded of where we’re (probably) heading, rather than just carping about what bogs down today. I believe Niemeier makes a lot of sense, and vendor rep or not, her points are worth considering.

EMR as Medical Devices, Facebook Organ Donor Initiative, and Innovation at Big Companies

Posted on May 6, 2012 | Written By John Lynn

There was some interesting news this week in healthcare IT and EMR. Plus, there are some ongoing conversations that are still happening.

The following 3 tweets highlight this. One of the things I love about Twitter is that you can discuss lots of interesting happenings and news along with lots of important topics. Here are just a few of them that were talked about this week.


I disagree. I think there are very few absolutes in this world, but I don’t think EMR should be considered a medical device. There is more than enough government regulation going on with the EMR industry as is. I can’t imagine what benefit would be achieved with more government regulation.


This was big news and was a great illustration of the good that can be done by large companies like Facebook when it comes to healthcare. The real problem is that developers and entrepreneurs aren’t using the Facebook platform as much because they’ve killed it for the entrepreneur. Facebook is unlikely to do much on their own in the healthcare space other than one-off initiatives like this.


The question in the #HITsm chat was which healthcare IT companies were innovating. My first answer was are there any big companies that are innovating? This was my follow up tweet about how “innovation centers.” Jennifer Dennard followed up with a question about whether hospital innovation centers counted. I can see an exception in some cases. Particularly when the hospital is squarely focused on research. Then, research can produce some innovative results and many things in healthcare cost so much money that it takes a large company to pay for the research.

GammaTech’s Durabook U12C Review – Healthcare Gadget Friday

Posted on April 13, 2012 | Written By John Lynn

As I mentioned in last week’s post about the PhoneSoap – Charge and Sanitize Your Cell Phone (UPDATE: The Kickstarter project is fully funded and PhoneSoaps are going to production.), I’m going to try and reserve Friday for what I’m calling Healthcare Gadget Friday. Today we’re going to look at the GammaTech Durabook U12C.

Here’s the official description of the GammaTech Durabook U12C:

GammaTech’s Durabook U12C is the perfect companion for mobile power users on the go. The U12C features a 12.1″ WXGA Touch Screen with Digitizer and LED backlight display that quickly converts into a Tablet PC. This lightweight convertible style Tablet PC features I/O covered ports to protect from the hazards of dirt and dust. Powered by the Intel Core i5 processor, the U12C has maximized speed and data management. In addition, the U12C comes with a hard handle making portability a snap. It offers a number of sophisticated I/O modules that can encompass everything from a RS232 port or GPS to an optional second 2M-pixel auto focus camera. An optional vehicle docking station is also available.


I received a demo Durabook U12C to be able to do this review. I was quite pleased with the Durabook U12C in general, so I’ll be a little sad when I have to ship it back to Durabook. It’s a really solid offering if you’re looking for a nice Durabook.

My good experience with the GammaTech started when I opened the package and saw the really well designed packaging for the Durabook. While a box doesn’t really matter when it comes to the quality of the computer, it does say something about the company and their concern about even the smallest of details.

I won’t go into all the gory details of the specs on the machine. The Durabook U12C was running the Windows 7 operating system and so you can compare its detailed specs with any other similarly specced laptop on the market today. With that said, I used it for a few weeks and never had an issue with any of the specs in the ways I used it.

When you look at it, it seems like the 12″ screen feels a little small. However, in actual use the 12.1″ screen was never a problem for me. I know GammaTech has another model that only has a 10″ screen. I think the 10″ screen might be too small for me, but I really had no issues with the 12.1″ screen. Plus, when you add on the extra Durabook casing to protect the machine you really don’t want a screen bigger than 12.1″. If you went even to a 14″ screen the Durabook gets way too unwieldy.

I didn’t do any real specific tests as far as drop resistance, shock resistance, spill resistance, dust resistance, and battery protection since I didn’t want to break the machine if something didn’t work quite right. You can see the tough features specs on the GammaTech website. Needless to say, the machine feels very solid in every component. In fact in some cases almost to a fault.

An example of this is the latch to open the machine. The latch is pretty hard to open. Partially because it secures the lid so well and partially because the easy carry handle makes it awkward to maneuver the latch. I actually handed it to my wife and asked her to open it. A few minutes later (and a few laughs) she finally figured out how to open it. Of course, once you figure it out it’s not that bad, but it does require a kind of awkward angle to unlatch it. I’m sure the solid latch was an intentional part of the design. I know I’ve seen A LOT of broken latches on laptops in my time working in healthcare IT and with EHR software. This latch will never have that problem.

I was also a little disappointed with how responsive the track pad was to my touch. It’s a really hard touch pad that left a lot to be desired. I imagine this probably has to do with durability as well, but it was pretty disappointing to use. Good thing that it’s a tablet as well so you could always use the pen instead.

The Durabook U12C had the best fingerprint scanner placement of any laptop or Durabook that I’ve seen. Maybe there are others that have similar positioning, but I loved the fingerprint scanner’s nice placement in the middle on the right side of the screen for easy thumb scanning. It just felt right since I often hold my screen in just the right position to be able to scan when I open it up. Very well done.

I spent a fair amount of time playing with the tablet features of the Durabook U12C. Obviously many of the features are dependent on Windows 7 more than the Durabook U12C itself. On that subject, if you haven’t tried the Windows 7 tablet stuff yet, it’s quite good and so much better than its predecessor. We’ll see what Windows 8 brings. The Durabook U12C performed well and the pen storage was really convenient.

My biggest pain point with the Durabook U12C was the placement of some of the quick buttons on the screen. They weren’t an issue in laptop mode, but when I converted to a tablet and was using the stylus I kept accidentally hitting the buttons. It got really annoying when I was trying to write something on the tablet and then the screen just rotates because the palm of my hand brushed the rotate button. I tried to even rotate the screen into the notebook position, but I still hit some other buttons that were on the screen. This certainly would have deterred me from using the tablet very much.

Overall I was quite pleased with the Durabook U12C. The biggest downsides from my experience were the lackluster track pad and the poorly placed on screen buttons. However, the rest of the features were really well executed and provided a really solid Durabook. I can see a number of cases where a durabook could make sense in the healthcare IT world. This would definitely be one worth trying. It’s built to last and your IT administrator will love you since it has Windows 7 which won’t have any issues with your IT security requirements.

PhoneSoap – Charge and Sanitize Your Cell Phone – Healthcare Gadget Friday

Posted on April 6, 2012 | Written By John Lynn

Many of you know we have our regular Meaningful Use Monday series that we’ve been doing for almost a year now. Today I decided that it would be fun to create a new series I’m calling Healthcare Gadget Friday. I’m not sure I’ll do it every single Friday, but I’d like to do it most Fridays.

I’m kicking off this series with a gadget a friend of mine emailed me about called: PhoneSoap. You can read all about PhoneSoap and pre-order one on this kickstarter page (If you haven’t seen Kickstarter before it’s a pretty amazing website). Here’s the overview of the PhoneSoap product:

PhoneSoap is a small box that simultaneously charges and sanitizes your cell phone using UV-C light. UV-C light is electromagnetic radiation that’s used in hospitals and clean rooms around the world. This short wavelength of light penetrates the cell wall of the bacteria and disrupts its DNA, effectively killing it. It is 99.9% effective in killing bacteria and viruses. Best of all it is completely safe. The UV-C light is only on for 3-5 minutes at a time and there is no heat or liquid involved so there is no risk of damaging your phone. There is a UV-C light on the top and on the bottom of the box so that the UV rays surround your phone for complete sanitization. Take a look at our before and after pictures to see how powerful PhoneSoap is:

I’ll admit that I’m no expert on UV-C light and its uses in healthcare, but I hope that some of our readers are familiar with it. I’d love to learn more about what you know about its ability to sanitize.

With that said, I think it’s a pretty creative product. I could see healthcare people putting their cell in this when they get home after a day in the hospital or even on the drive home from work. I’ve seen long discussions online about the best wipes or other awkward solutions to use to clean and sanitize devices in healthcare. I wonder if this could be a better solution…at least for cell phones. I imagine they could later make one for iPads as well.

What do people think of this idea? Could this be beneficial in healthcare? Are you guys worried about carrying around a germ infected cell phone that doesn’t ever get clean?

Considering the number of devices that have entered the healthcare environment and will continue to become part of healthcare, we’re going to need something that does a good job cleaning these devices. I’ll be interested to hear what you think of the PhoneSoap device.

How Serious Is the Security Threat to Connected Medical Devices?

Posted on June 23, 2011 | Written By

I’m in New York City this week for the second Mobile Health Expo, which wrapped up Thursday afternoon. You may have seen the story I wrote for InformationWeek based on one session related to the security of networked medical devices.

Since I just do news and not commentary for InformationWeek, I figured EMR and HIPAA—specifically, the HIPAA part— was the perfect forum to discuss a small controversy that I may have stirred up with that story.

The two presenters from Indianapolis-based security firm eProtex talked about how connected medical devices have recently been popping up all over the place. “As little as two years ago, we checked some hospitals and found that there was less than one networked clinical device per bed,” eProtex Executive Director Earl Reber said.

With network connection and exposure to the Internet came heightened threats from viruses and malware, both internal and external, Reber and eProtex Chief Security Officer Derek Brost said. Sometimes it’s because devices are so old that they still run DOS and simply weren’t built for the HIPAA era. Other times, the greater reliance on various versions of Windows makes medical devices vulnerable to attacks.

Often, Brost said, hospitals are trying to protect the wrong assets. “It’s not the actual medical device in most cases [that is at risk]. It’s the individual patient’s health information,” he said.

All this makes a lot of sense, though it is important to note that the warnings are coming from a security vendor with a real interest in selling products and services to prevent and combat insidious threats to medical equipment and other connected devices such as smartphones and tablets.

This was not lost on at least one person, “ZigZagZeke.” In a comment titled “Ignorance,” this poster said in no uncertain terms:

The speaker is using scare tactics to try to make sales of his protection software. Makers of such software are desperately trying to convince people that their Apple products need protection, because as more and more users switch to Apple, sales of anti-virus software are declining. This use of scare tactics is known by an acronym: FUD, which stands for “fear, uncertainty, and doubt.” It is the speaker’s only hope.

I suspect some of the criticism was directed at me for not differentiating between malware and viruses or between Linux/Unix/Macintosh and Windows.

Did I screw up here by not pressing the speakers on these differences, or are Apple devices and operating systems becoming just as vulnerable to data corruption as Windows? Windows became a prime target not just because of security holes, but because of its ubiquity. Now, the iPad and iPhone seem to rule at least the physician market. Wouldn’t that critical mass put Apple iOS in the crosshairs of a growing number of hackers and malware spreaders?

So what’s the real story here? As devices get connected to EMRs and hospital networks and produce more protected health information (PHI), should healthcare providers be concerned about greater HIPAA liability? If so, where should they focus prevention efforts?