
FDA Announces Precertification Program For Digital Health Tools

Posted on October 5, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The FDA has recruited some of the world’s top technology and medical companies to help it pilot test a program under which digital health software could be marketed without going through the agency’s entire certification process.

The participants, which include Apple, Fitbit, Johnson & Johnson, Samsung and Roche, will give the agency access to the measures they’re using to develop, test and maintain their software, and also how they collect post-market data.

Once armed with this information, the FDA will leverage it to determine the key metrics and performance indicators it uses to see if digital health software meets its quality standards.

Companies that meet these new standards could become pre-certified, a status which grants them a far easier path to certification than in the past. This represents a broad shift in the FDA’s regulatory philosophy, “looking first at the software developer digital health technology developer, not the product,” according to a report previously released by the agency.

If the pilot works as planned, the FDA is considering making some significant changes to the certification process. If their processes pass muster, pre-certified companies may be allowed to submit less information to the FDA than they currently must before marketing a new digital health tool.  The agency is also considering the more radical step of allowing pre-certified companies to avoid submitting a product for premarket review in some cases. (It’s worth noting that these rules would apply to lower-risk settings.)

The prospect of pre-certifying companies does raise some concerns. In truth, the argument could be made that digital health software should be regulated more tightly, not less. In particular, the mobile healthcare world is still something of a lawless frontier, with very few apps facing privacy, security or accuracy oversight.

The fact is, it’s little wonder that physicians aren’t comfortable using mobile health app data given how loosely it can be constructed at times, not to mention the reality that it might not even measure basic vital signs reliably.

It’s not that the healthcare industry isn’t aware of these issues. About a year ago, a group of healthcare organizations including HIMSS, the American Medical Association and the American Heart Association came together to develop a framework of principles addressing app quality. Still, that’s far short of establishing a certification body.

On the other hand, the FDA does have a point when it notes that a pre-certification program could make it easier for useful digital health tools to reach the marketplace. Assuming the program is constructed well, it seems to me that this is a good idea.

True, it’s pretty unusual to see the FDA loosen up its certification process – a fairly progressive move for a stodgy agency – while the industry fails to self-regulate, but it’s a welcome change of style. I guess digital health really is changing things up.

 

Will Medical Device Makers Get Interoperability Done?

Posted on September 20, 2017 | Written By Anne Zieger

Most of the time, when I think about interoperability, I visualize communication between various database-driven applications, such as EMRs, laboratory information systems and claims records. The truth is, however, that this is a rather narrow definition of interoperability. It’s time we take medical device data into account, the FDA reminds us.

In early September, the FDA released its final guidance on how healthcare organizations can share data between medical devices and other information systems. In the guidance, the agency asserts that the time has come to foster data sharing between medical devices, as well as data exchange between devices and information systems like the ones I’ve listed above.

Specifically, the agency is offering guidelines to medical device manufacturers, recommending that they:

  • Design devices with interoperability in mind
  • Conduct appropriate verification, validation and risk management to ensure interoperability
  • Make sure users clearly understand the device’s relevant functional, performance and interface characteristics

Though these recommendations are interesting, I don’t have much context on their importance. Luckily, Bakul Patel has come to the rescue. Patel, who is associate director for digital health at the FDA’s Center for Devices and Radiological Health, offered more background on medical device interoperability in a recent blog entry.

As the article points out, the stakes here are high. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system,” Patel writes. Put another way, in non-agency-speak, incompatibilities between devices and information systems can hurt or even kill patients.

Unfortunately, device-makers seem to be doing their own thing when it comes to data sharing. While some consensus standards exist to support interoperability, specifying things like data formats and interoperability architecture design, manufacturers aren’t obligated to choose any particular standard, Patel notes.

Honestly, the idea of varied medical devices using multiple data formats sounds alarming to me. But Patel seems comfortable with the idea. He contends that if device manufacturers explain carefully how the standards work and what the interface requires, all will be well.

All told, if I’m understanding all this correctly, the FDA is fairly optimistic that the healthcare industry can network medical devices on the IoT with traditional information systems.

I’m glad that the agency believes we can work this out, but I’d argue that such optimism may be premature. Patel’s assurances raise a bunch of questions for me, including:

  • Do we really need another set of competing data exchange standards to resolve, this time for medical device interoperability?
  • If so, how do we blend the consensus medical device standards with consensus information system standards?
  • Do we need to insist that manufacturers provide more-consistent software upgrades for the devices before interoperability efforts make sense?

Hey, I’m sure medical device manufacturers want to make device-to-device and device-to-database data sharing as simple and efficient as possible. That’s what their customers want, after all.

Unfortunately, though, the industry doesn’t have a great track record even for maintaining their devices’ operating systems or patching industrial-grade security holes. Designing devices that handle interoperability skillfully may be possible, but will device-makers step up and get it done anytime soon?

A Programmatic Approach to Print Security

Posted on July 17, 2017 | Written By

The following is a guest blog post by Sean Hughes, EVP Managed Document Services at CynergisTek.

Print devices are a necessary tool to support our workflows but at the same time represent an increasing threat to the security of our environment.

Most organizations today have a variety of devices: printers, copiers, scanners, thermal printers and even fax machines that make up their “print fleet”. This complex fleet often represents a wide variety of manufacturers, makes and models of devices critical to supporting the business of healthcare.

Healthcare organizations continue to print a tremendous amount of paper as evidenced by an estimated 11% increase in print despite the introduction of the EHR and other new systems (ERPs, CRMs, etc.). More paper generally means more devices, and more devices means more risk, resulting in increased security and privacy concerns.

Look inside most healthcare organizations today and even those with a Managed Print Services program (MPS) probably have a very disjointed management responsibility of their inventory. Printers are most often the responsibility of IT, copiers run through supply chain with the manufacturer providing support, and fax machines may even be part of Telecommunications. Those organizations that have an MPS provider probably don’t have all devices managed under that program – what about devices in research or off-site locations, or what if you have an academic medical facility or are part of a university?

These devices do have a couple of things in common that are of concern – they are somehow connected to your network and they hold or process PHI.

This fact and the associated risk requires an organization to look at how these devices are being managed and whether the responsibility for security and privacy is being met. Are they part of your overall security program, does your third party manage that for you, do you even know where they all are and what risks are in your fleet today? If multiple organizations manage them, do they follow consistent security practices?

Not being able to answer these questions is a source of concern and probably means that the risk is real. So how do we resolve this?

We need to take a programmatic approach to print and print security to ensure we are addressing the whole. Let’s lay out some steps to accomplish this.

  • Know your environment – the first thing we must do is identify ALL print devices in our organization. This includes printers, scanners, copiers, thermals, and fax machines, whether they are facility owned, third-party managed, networked or local, or sitting in a storage room.
  • Assess your risk – perform a comprehensive security risk assessment of the entire fleet and develop a remediation plan. This is not a one-time event but rather needs to be part of your overall security plan.
  • Assign singular ownership of assets – either through an internal program or a third-party program, the healthcare organization should fold all print-related devices into a single program for accountability and management.
  • Workflow optimization – you probably have millions of dollars of software in your organization that is the source of the output of these devices. Even more was spent securing the environment these applications are housed in, and accessed from, to make sure the data is secure and privacy is maintained. The data in those systems is at its lowest price point, most optimal from a workflow efficiency standpoint, and most secure — yet every time we hit print we multiply the cost, decrease the operational efficiency and increase the risk to that data.
  • Decrease risk – while it is great that we identify all the devices, assess and document risk and develop a mitigation/remediation plan, the goal should be to put controls in place to stem the proliferation of devices and ultimately to begin the process of decreasing the unnecessary devices, thereby eliminating the risk associated with those devices.

The concept of trying to reduce the number of printers from a cost perspective is not new to healthcare. However, many have achieved mixed results, even those that have used an MPS partner. The reason that happens is generally because they are focused on the wrong things.

The best way to accomplish a cost-effective print program is to understand what is driving the need or want for printers, and that is volume. You don’t need a print device if you don’t need to print. I know it sounds like I am talking about the nirvana that is the paperless environment but I am not. This is simply understanding what and where is unnecessary to print and eliminating it, thereby eliminating the underlying need for the associated device, and with it the inherent security risk as well as the privacy concern of the printed page. Refocusing on volume helps us to solve many problems simultaneously.

Putting a program in place that provides this visibility, and using that data to make the decisions on device reduction can significantly reduce your current risk. Couple this with security and privacy as part of your acquisition determination, and you can make intelligent decisions that ensure you only add those devices you need, and when you do add a device it meets your security and privacy requirements. More often than not the first line of defense in IT is better management of the environment.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By Anne Zieger

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, many of these facilities don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Health IT Leaders Struggle With Mobile Device Management, Security

Posted on January 30, 2017 | Written By Anne Zieger

A new survey on healthcare mobility has concluded that IT leaders aren’t thrilled with their security arrangements, and that a significant minority don’t trust their mobile device management solution either. The study, sponsored by Apple device management vendor Jamf, reached out to 550 healthcare IT leaders in the US, UK, France, Germany and Australia working in organizations of all sizes.

Researchers found that 83% of organizations offer smartphones or tablets to their providers, and that 32% of survey respondents hope to offer mobile devices to consumers getting outpatient care over the next two years. That being said, they also had significant concerns about their ability to manage these devices, including questions about security (83%), data privacy (77%) and inappropriate employee use (49%).

The survey also dug up some tensions between their goals and their capacity to support those goals. Forty percent of respondents said staff access to confidential medical records while on the move was their key reason for their mobile device strategy. On the other hand, while 84% said that their organization was HIPAA-compliant, almost half of respondents said that they didn’t feel confident in their ability to adapt quickly to changing regulations.

To address their concerns about mobile deployments, many providers are leveraging mobile device management platforms. Of those organizations that either have or plan to put an MDM solution in place, 80% cited time savings and 79% cited enhanced employee productivity as the main benefits they hoped to realize.

Those who had rolled out an MDM solution said the benefits have included easier access to patient data (63%), faster patient turnaround (51%) and enhanced medical record security (48%). At the same time, 27% of respondents whose organizations had an MDM strategy in place said they didn’t feel especially confident about the capabilities of their solution.

In any event, it’s likely that MDM can’t solve some of the toughest mobile deployment problems faced by healthcare organizations anyway.

Health organizations that hope to leverage independently-developed apps will need to vet them carefully, as roughly one-quarter of these developers didn’t have privacy policies in place as of late last year. And the job of selecting the right apps is a gargantuan one. With the volume of health apps hitting almost 260,000 across the Google and Apple app marketplaces, it’s hard to imagine how any provider could keep up.

So yes, the more capabilities MDM systems can offer, the better. But choosing the right apps with the right pedigree strikes me as posing an even bigger challenge.

E-Patient Update: You Need Our Help

Posted on January 20, 2017 | Written By Anne Zieger

I just read the results of a survey by Black Book Research suggesting that many typical consumers don’t trust, like or understand health IT.

The survey, which reached out to 12,090 adult consumers in September 2016, found that 57% of those interacting with health IT at hospitals or medical practices were skeptical of its benefit. Worse, 87% said they weren’t willing to share all of their information.

Up to 70% of consumers reported that they distrusted patient portals, medical apps and EMRs. Meanwhile, while many respondents said they were interested in using health trackers, 94% said that their physicians weren’t willing or able to synch wearables data with their EMR.

On the surface, these stats are discouraging. At a minimum, they suggest that getting patients and doctors on the same page about health IT continues to be an uphill battle. But there’s a powerful tactic providers can use which – to my knowledge – hasn’t been tried with consumers.

Introducing the consumer health IT champion

As you probably know, many providers have recruited physician or nurse “champions” to help their peers understand and adjust to EMRs. I’m sure this tactic hasn’t worked perfectly for everyone who’s tried it, but it seems to have an impact. And why not? Most people are far more comfortable learning something new from someone who understands their work and shares their concerns.

The thing is, few if any providers are taking the same approach in rolling out consumer health IT. But they certainly could. I’d bet that there are at least a few patients in every population who like, use and understand consumer health technologies, as well as having at least a sense of why providers are adopting back-end technology like EMRs. And we know how to get Great-Aunt Mildred to consider wearing a FitBit or entering data into a portal.

So why not make us your health IT champions? After all, if you asked me to, say, hold a patient workshop explaining how I use these tools in my life, and why they matter, I’d jump at the chance. E-patients like myself are by our nature evangelists, and we’re happy to share our excitement if you give us a chance. Maybe you’d need to offer some HIT power users a stipend or a gift card, but I doubt it would take much to get one of us to share our interests.

It’s worth the effort

Of course, most people who read this will probably flinch a bit, as taking this on might seem like a big hassle. But consider the following:

  • Finding such people shouldn’t be too tough. For example, I talk about wearables, mobile health options and connected health often with my PCP, and my enthusiasm for them is a little hard to miss. I doubt I’m alone in this respect.
  • All it would take to get started is to get a few of us on board. Yes, providers may have to market such events to patients, offer them coffee and snacks when they attend, and perhaps spend time evaluating the results on the back end. But we’re not talking major investments here.
  • You can’t afford to have patients fear or reject IT categorically. As value-based care becomes the standard, you’ll need their cooperation to meet your goals, and that will almost certainly include access to patient-generated data from mobile apps and wearables. People like me can address their fears and demonstrate the benefits of these technologies without making them defensive.

I hope hospitals and medical practices take advantage of people like me soon. We’re waiting in the wings, and we truly want to see the public support health IT. Let’s work together!

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 | Written By Anne Zieger

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows earlier final guidance on the subject released in October 2014.

While the FDA’s advice is aimed at device manufacturers, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know, assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is just a small step in a very long and complicated process.

Vocera Aims For More Intelligent Hospital Interventions

Posted on November 14, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Everyday scenes that Vocera Communications would like to eliminate from hospitals:

  • A nurse responds to an urgent change in the patient’s condition. While the nurse is caring for the patient, monitors continue to go off with alerts about the situation, distracting her and increasing the stress for both herself and the patient.

  • A monitor beeps in response to a dangerous change in a patient’s condition. A nurse pages the physician in charge. The physician calls back to the nurse’s station, but the nurse is off on another task. They play telephone tag while patient needs go unmet around the floor.

  • A nurse is engaged in a delicate operation when her mobile device goes off, distracting her at a crucial moment. Neither the patient she is currently working with nor the one whose condition triggered the alert gets the attention he needs.

  • A nurse describes a change in a patient’s condition to a physician, who promises to order a new medication. The nurse then checks the medical record every few minutes in the hope of seeing when the order went through. (This is similar to a common computing problem called “polling”, where a software or hardware component wakes up regularly just to see whether data has come in for it to handle.)

Wasteful, nerve-racking situations such as these have caught the attention of Vocera over the past several years as it has rolled out communications devices and services for hospital staff, and have just been driven forward by its purchase of the software firm Extension Healthcare.

Vocera Communications’ and Extension Healthcare’s solutions blend to take pressures off clinicians in hospitals and improve their responses to patient needs. According to Brent Lang, President and CEO of Vocera Communications, the two companies partnered together on 40 customers before the acquisition. They take data from multiple sources–such as patient monitors and electronic health records–to make intelligent decisions about “when to send alarms, whom to send them to, and what information to include” so the responding nurse or doctor has the information needed to make a quick and effective intervention.

Hospitals are gradually adopting technological solutions that other parts of society got used to long ago. People are gradually moving away from setting their lights and thermostats by hand to Internet-of-Things systems that can adjust the lights and thermostats according to who is in the house. The combination of Vocera and Extension Healthcare should be able to do the same for patient care.

One simple example concerns the first scenario with which I started this article. Vocera can integrate with the hospital’s location monitoring (through devices worn by health personnel) that the system can consult to see whether the nurse is in the same room as the patient for whom the alert is generated. The system can then stop forwarding alarms about that patient to the nurse.

The nurse can also inform the system when she is busy, and alerts from other patients can be sent to a back-up nurse.

Extension Healthcare can deliver messages to a range of devices, but the Vocera badge and smartphone app work particularly well with it because they can deliver contextual information instead of just an alert. Hospitals can define protocols stating that when certain types of devices deliver certain types of alerts, they should be accompanied by particular types of data (such as relevant vital signs). Extension Healthcare can gather and deliver the data, which the Vocera badge or smartphone app can then display.

Lang hopes the integrated systems can help the professionals prioritize their interventions. Nurses are interrupt-driven, and it’s hard for them to keep the most important tasks in mind–a situation that leads to burn-out. The solutions Vocera is putting together may significantly change workflows and improve care.

Locking Down Clinician Wi-Fi Use

Posted on November 1, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now that Wi-Fi-based Internet connections are available in most public spaces where clinicians might spend time, they have many additional opportunities to address emerging care issues on the road, be they with their family in a mall or grabbing a burger at McDonald’s.

However, notes one author, there are many situations in which clinicians who share private patient data via Wi-Fi may be violating HIPAA rules, though they may not be aware of the risks they are taking. Not only can a doctor or nurse end up exposing private health information to the public, they can open a window to their EMR, which can violate countless additional patients’ privacy. Like traditional texting, standard Wi-Fi offers hackers an unencrypted data stream, and that puts the clinician’s connected mobile device at risk unless they take other precautions, such as using a VPN.

According to Paul Cerrato, who writes on cybersecurity for iMedicalApps, Wi-Fi networks are by their design open. If the physician can connect to the network, hostile actors could connect to the network and in turn their device, which would allow them to open files, view the files and even download information to their own device.

It’s not surprising that physicians are tempted to use open public networks to do clinical work. After all, it’s convenient for them to dash off an email message regarding, say, a patient medication issue while having a quick lunch at a coffee shop. Doing so is easy and feels natural, but if the email is unsecured, that physician risks exposing the practice to a large HIPAA-related fine, as well as having the practice’s network invaded by intruders. Not only that, any HIPAA problem that arises can blacken the reputation of a practice or hospital.

What’s more, if clinicians use an unsecured public wireless network, their device could also acquire a malware infection which could cause harm to both the clinician and those who communicate with their device.

Ideally, it’s probably best that physicians never use public Wi-Fi networks, given their security vulnerabilities. But if using Wi-Fi makes sense, one solution proposed by Cerrato is for physicians to access their organization’s EMR via a Citrix app, which creates a secure tunnel for information sharing.

As Cerrato points out, however, smaller practices with scant IT resources may not be able to afford to deploy a secure Citrix solution. In that case, HHS recommends that such practices use a VPN to encrypt sensitive information being sent or received across the Wi-Fi network.

But establishing a VPN isn’t the whole story. In addition, clinicians will want to have the data on their mobile devices encrypted, to make sure it’s not readable if their device does get hacked. This is particularly important given that some data on their mobile devices comes from mobile apps whose security may not have been vetted adequately.

Ideally, managing security for clinician devices will be integrated with a larger mobile device management strategy that also addresses BYOD, identity and access management issues. But for smaller organizations (notably small medical groups with no full-time IT manager on staff) beginning by making sure that the exchange of patient information by clinicians on Wi-Fi networks is secured is a good start.

A Look At Vendor IoT Security And Vulnerability Issues

Posted on October 5, 2016 | Written By


Much of the time, when we discuss the Internet of Things, we’re looking at issues from an end-user perspective.  We talk about the potential for IoT options like mobile medical applications and wearable devices, and ponder how to connect smart devices to other nodes like the above to offer next-generation care. Though we’re only just beginning to explore such networking models, the possibilities seem nearly infinite.

That being said, most of the responsibility for enabling and securing these devices still lies with the manufacturers, as healthcare networks typically don’t integrate fully with IoT devices as of yet.

So I was intrigued to find a recent article in Dark Reading which lays out some security considerations manufacturers of IoT devices should keep in mind. Not only do the suggestions give you an idea of how vendors should be thinking about vulnerabilities, they also offer some useful insights for healthcare organizations.

Security researcher Lysa Myers offers IoT device-makers several recommendations to consider, including the following:

  • Notify users of any changes to device features. In fact, it may make sense to remind them repeatedly of significant changes, or they may simply ignore them out of habit.
  • Put a protocol in place for handling vulnerability reports, and display your vulnerability disclosure policy prominently on your website. Ideally, Myers notes, makers of IoT medical devices should send vulnerability reports to the FDA.
  • When determining how to handle a vulnerability issue, let the most qualified person decide what should happen. In the case of automated medical diagnosis, for example, the right person would probably be a doctor.
  • Make it quick and easy to update IoT device software when you find an error. Also, make it simple for customers to spot fraudulent updates.
  • Create an audit log for all devices, even those that might seem too mundane to interest criminals, as even the least important of devices can assist criminals in launching a DDoS attack or spamming.
  • See to it that users can tell when the changes made to an IoT device’s software are made by the authorized user or a designated representative rather than a cybercriminal or other inappropriate person.
  • Given that many IoT devices require cloud-based services to operate, it’s important to see that end users aren’t dropped abruptly with no cloud alternative. Manufacturers should give users time to transition their service if discontinuing a device, going out of business or otherwise ending support for their own cloud-based option.
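The update-authenticity and audit-log recommendations above (spotting fraudulent updates, and being able to tell an authorized change from an attacker’s) are usually implemented together as a signed update manifest that the device verifies before installing and then records. The Go program below is an added illustration of that pattern, not code from Myers, the Dark Reading article or any vendor; the manifest layout, the `SignUpdate`/`VerifyUpdate` functions and the firmware image bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical update descriptor. The device installs an
// image only if the vendor's signature over (version, image hash) verifies.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// NewVendorKey creates the vendor's signing key pair (the private half stays
// in the release pipeline; only the public half is burned into the device).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifestBytes is the canonical byte string that is signed: big-endian
// version followed by the SHA-256 of the image, so neither can be swapped.
func manifestBytes(version uint32, hash [32]byte) []byte {
	b := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(b, hash[:]...)
}

// SignUpdate runs on the vendor side when a release is cut.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// VerifyUpdate runs on the device: it rejects unsigned or tampered updates and
// rollbacks, and returns an audit-log line describing an accepted change.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, image []byte) (string, error) {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return "", errors.New("rejected: signature does not verify (fraudulent or corrupt update)")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return "", errors.New("rejected: image does not match the signed manifest")
	}
	if m.Version <= installed {
		return "", errors.New("rejected: rollback to same or older version")
	}
	return fmt.Sprintf("update accepted: v%d -> v%d image=%s", installed, m.Version, hex.EncodeToString(m.ImageHash[:8])), nil
}
```

A real device would also check the signature before the image is written to flash and append the returned line to a tamper-evident log so an operator can later distinguish an authorized update from an unexpected one.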

If we take a high-level look at these recommendations, there are a few common themes to be considered:

Awareness:  Particularly in the case of IoT devices, it’s critical to raise awareness among both technical staffers and users of changes, both in features and security configurations.

Protection:  It’s becoming more important every day to protect IoT devices from attacks, and see to it that they are configured properly to avoid security and continuity failures. Also, see to it that these devices are protected from outages caused by vendor issues.

Monitoring:  Health IT leaders should find ways to integrate IoT devices into their monitoring routine, tracking their behavior, the state of security updates to their software and any suspicious user activity.

As the article suggests, IoT device-makers probably need to play a large role in helping healthcare organizations secure these devices. But clearly, healthcare organizations need to do their part if they hope to maintain these devices successfully as health IT models change.