The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services has released a report (pdf) outlining its 2015 work plan. Among a host of subjects is “Information Technology Security, Protected Health Information, and Data Accuracy” with the subsection “Controls over networked medical devices at hospitals”. The focus here is on the security of patient electronic health information, which is to be protected under law. Other risks associated with device networking are not addressed.
The relevant subsection (page 22) is relatively brief:
We will examine whether CMS oversight of hospitals’ security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety. Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications. To participate in Medicare, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.
Note that this is the OIG’s intention to examine what CMS is doing, not directly what hospitals are doing. However, it might be expected that CMS would endeavor to assure its performance in order to pass muster under OIG review.
The reference to MDS2 in this subsection should be noted. MDS2 is intended as a format for medical device manufacturers to provide a standard set of security/risk information to hospitals to be used in the hospital’s network risk management plan. MDS2 was developed by HIMSS and ACCE, and then further standardized through cooperation with other organizations. The use of MDS2 by manufacturers remains voluntary, and is driven by customer demand for this information in the MDS2 format. Some manufacturers have made their MDS2 forms openly available on the web which is certainly a good thing. Others have provided web availability to registered users which is a marginally good thing. And of course some manufacturers have not made them web available (assuming they have them) which is a bad thing.
But what does the sentence in the subsection about MDS2 mean? I ask this question in the personal context of having recently been attentive to the use of should, shall, may and must in requirements documents, as well as the advice of some to avoid all of these words. (This is a subject for a separate post.) The latter approach of not using such words appears to be the path that HHS has taken in crafting this sentence. As written, is it a statement that this is what all manufacturers are doing? Or is it an instruction to manufacturers, a demand on manufacturers, or an instruction/demand on hospitals? If the latter, does it mean that CMS during an inspection would expect the hospital to have and be able to produce its MDS2’s for all networked devices? The reference to MDS2 here can be contrasted with the FDA’s recent Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (pdf) which makes no mention of MDS2.
Whether or not having MDS2’s is mandatory, hospitals requiring such forms from manufacturers and then actually using them is a good idea. As a consumer-driven resource, the more that hospitals ask for (demand) the MDS2, the more likely the forms are to be readily available. This might remind us that the reason to do things is not limited to the government or other authority having jurisdiction (AHJ) forcing us to, and the absence of anyone forcing us is not in turn a reason not to do things. In an ideal world (in which we do not live) that which we were mandated to do would be the same as that which was otherwise the right thing to do.
For reference, 42 CFR § 482.24(b) is part of the Medicare Conditions of Participation-Medical Record Services (i.e., these are hospital requirements). Part (b) is best understood in the context of the full 482 section, but here I only include the general statement and point 3 of part (b):
The hospital must have a medical record service that has administrative responsibility for medical records. A medical record must be maintained for every individual evaluated or treated in the hospital.
(b) Standard: Form and retention of record. The hospital must maintain a medical record for each inpatient and outpatient. Medical records must be accurately written, promptly completed, properly filed and retained, and accessible. The hospital must use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.
(b) (3) The hospital must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas.
It is interesting here that the second and third sentences of (b) seem to speak to the deliberate release of records. The first sentence might just mean that also, but in the network context it is apparently being given a much broader interpretation. The emphasis here on procedure is also noteworthy. The requirement is not simply that the hospital has maintained confidentiality (i.e., no breaches) but that it has a methodology in place to prevent breaches.
In summary, the OIG intends to audit how CMS is assuring that the requirements for patient data security are being met by hospitals, here in the specific context of networked systems. This may mean that CMS will pay particular attention to this subject. This in turn means that hospitals probably need to do the same.