Medical Device Security at Philips Ultrasound

While waiting for my flight back from Las Vegas, I ran into an old
friend, Tim Gurno, by the slot machines. Tim was the Program Manager on the ultrasound
miniPACS product at ATL Ultrasound (before they were acquired by
Philips) – I was the Product Manager on the project. Since I left
Philips, Tim has become the Philips Ultrasound R&D Security Officer
for their ultrasound products.
It seems that Tim has whipped things into shape for the Ultrasound
group. Their latest flagship product runs Windows XP Embedded, and
they've cut out a major portion of the code that's not used. This
shrinks the attack surface, reducing the number of exploits that could
affect the product. They also run a firewall to harden the device. We've all heard the
vendor excuse that they can't patch their device's OS because: a) the
FDA won't let them (untrue), or b) they'll have to re-validate the
entire product/system and that will take months (poor process). Well, at
Philips Ultrasound, they've instituted a process where they do a risk
assessment on each vulnerability and Windows patch, determine whether
it's even applicable (because they've reduced the XP footprint) and the
scope of required validation. Depending on the patch, validation could
be done in as little as a few weeks – lightning speed for an FDA
regulated device. In addition to the above, Philips has completed the
HIMSS MDS2 Medical Device Disclosure Statement for medical device
security.
Philips Medical has a link right off their home page to a section on Product Security.
They have a link to MDS2 forms that detail how the product manages ePHI
(electronic protected health information), security safeguards, and
recommended security practices. Registration is required to access this
information, and the Firefox browser is not supported. The MDS2 was
created by the HIMSS Medical Device Security Workgroup to help users
quickly access basic information about ePHI related to medical devices.
Here's a blurb on MDS2 from ECRI.
The larger vendors have been pretty good about completing the forms and making them available. Here's a GE Healthcare MDS2
(pdf file) that came up in a Google search – couldn't find it on their
web site (searches on their site for “ePHI”, “HIPAA” and “MDS2” got no
hits).
Check out the HIMSS Medical Device Security web page for more.

Improved Patient Flow: A Triumph of Common Sense

Great sessions today at the Urgent Matters Perfecting Patient Flow
conference. Patient flow arose in our consciousness
through the ED. Of course the
cause for most ED patient flow problems lies beyond the ER. Most of
today's presentations dealt with the ED, with some focus on hospital-wide
patient flow. I wonder if there should be two
separate tracks, one for patient flow optimization across the hospital
(including the ED) and one to dive deep into ED operations. Some of the
sessions today were two tracked, which worked well.
Another attendee asked me what I thought of the conference; her
assessment, “it's all just common sense.” Hmmm. This is not rocket
science, but when you're inside the box we call health care, solutions
can seem impossible if not nonexistent. After all the top patient flow
problems are
identified, all the best tools utilized, the biggest factor for success
is
organizational will and execution. Our health care system needs to make
some pretty major changes. Yet when you consider the inherent
resistance to change the challenge isn't technique or science so much
as art, craft and maybe luck.
Bound by tradition and the “rules,” hospital organizations must break away and adopt meaningful
change to improve patient flow and patient safety. An example of that
was Carolyn Santora's presentation on boarding patients. Carolyn laid
out the rationale for boarding patients in their inpatient units rather
than in the ED. Radical stuff, but after a review of the facts the
resulting changes were simply
common sense. You might be surprised at the well known hospitals that
are boarding patients up on inpatient units rather than the ER. There is no rocket science here, just gut wrenching change.
In another session, we came up with the top 5 patient flow bottlenecks (in order of impact):
- Lack of beds or monitored beds
- Medical staff culture
- Access to data or information – e.g., organizational silos or “data poor” organizations
- Competition for beds – ED, surgery, direct admits and transfers
all competing for beds (this is really an artificial variability issue)
Here's an interesting technique used at one hospital where patients are given an anticipated
discharge date at admission (they even put a sign above the patient's
bed with their target discharge date). When it's discharge time, patients are moved to a discharge
lounge to free up their bed. Anecdotally, patients sent to the
discharge lounge seem more proactive in finding a ride home than
patients who wait in their rooms.
In the photo at right, Shari Welch, MD, discusses her poster on the impact dashboards have on patient flow at this evening's reception.

Urgent Matters Regional Conference on Perfecting Patient Flow

I'm in Las Vegas tonight, getting ready for the next day and a half
immersed in patient flow. The conference is at the Bellagio (pictured).
I'm staying across the street at Bally's – the rooms are like one third
the price. But, broadband Internet access is $10 and no wireless! Not
quite the amenities of a Courtyard, eh?
If the Bellagio's “enlightened” enough to provide WiFi I'll post some
updates during the conference, otherwise we'll have to wait until later…

Profile: Cincinnati Hospitals Adopting IT

Here's a story
in the Cincinnati Business Courier about how Cincinnati area hospitals
are adopting IT. The hospitals' focus is on patient safety and improved
patient care.
Over the next four years Mercy will spend $37 million on a plan it
calls “clinical informatics”: $23 million for clinical applications and
$14 million for technology infrastructure and equipment.
Among the initiatives under way or planned at Mercy [Health Partners] and other hospital systems in the area:
- Bar-coded medication administration, in which patients' wristbands must match their medication before the drug is given.
- Digitized radiology, which allows radiologists to more easily rotate
and compare images and makes them accessible throughout the hospital or
even from physicians' home computers.
- Electronic clinical documentation, in which nurses and other medical workers, such as
respiratory therapists, make notes about their patients in digital
form.
- Electronic physician orders, where doctors enter instructions for laboratory work or medications, by computer.
Mercy Health Partners has three hospitals in the Cincinnati area
totaling 444 beds. Even for a 3 hospital system, $37 million is a lot
of cash. Mercy's most recent net income (as reported here)
is 5.13, (0.86) and 0.37 percent – good performance, but not
outstanding. I wonder what they're giving up capital budget wise to
make this IT investment? I also wonder what planning they've done to
integrate medical devices into their IT plans. If they're like most
hospitals, the average age of their medical devices is 5 to 8 years,
old enough to make integration with an EMR expensive indeed (unless
they use secret techniques known only to the cabal of connectologists).
[Hat tip: iHealthBeat]

OSI Gains Cash Through Spacelabs IPO

OSI has taken all their health care holdings (Spacelabs, Blease
Medical, Dolphin Medical and Osteometer MediTech), created a new
Delaware company called Spacelabs Healthcare Inc., and listed them on
London's AIM. From the press release:
Spacelabs Healthcare were placed with institutional investors raising
approximately $27 million net of expenses. The shares will begin
trading October 31, 2005 under the ticker symbol 'SLAB'. [Perhaps not the best ticker for a health care company, eh?]
Of the proceeds raised, Spacelabs Healthcare will repay approximately
$22 million of its $57.3 million debt to OSI – leaving a balance owed
to OSI of approximately $35 million. Prior to the commencement of
trading, the market capitalization of Spacelabs Healthcare will be
approximately $150 million plus the approximate $35 million in debt.
For the past year OSI has been exploring strategic alternatives for its
Security, Healthcare and Opto-electronic business groups. The company's
Healthcare Group, now known as Spacelabs Healthcare, has grown from
approximately $11 million in annual revenues in fiscal 2003, to $195.7
million in fiscal 2005 primarily as a result of the acquisitions of
Spacelabs and Blease.

