Executive Summary

In a project that won the 2013 Health Devices Achievement Award, Methodist Hospital of Southern California (Arcadia, CA) overhauled its equipment management policies to accommodate networked medical devices. The project centered on identifying system vulnerabilities—particularly those related to the availability and integrity of medical data and the security of a patient's protected health information (PHI)—and implementing a program to manage them.

With this project, incoming inspections now include a security assessment form that asks 57 questions to help gauge the risks associated with a particular device. It focuses on the information systems used to integrate the medical devices, along with the controls, policies, and procedures that affect the confidentiality, integrity, and availability of PHI that is stored within or transmitted by these devices or systems.

Preventive maintenance procedures at Methodist likewise have been reinvented to address cybersecurity. Activities include verifying virus protection, applying vendor-approved patches, and implementing data security measures.

The project also established a system that provides continuous monitoring and updating of medical devices and systems. In addition, medical device software agreements are being reviewed (e.g., to clarify the organization's responsibilities with respect to cybersecurity). And a system administrator has been appointed as a liaison between biomedical engineering and IT and is involved in capital acquisition purchases to ensure that the devices purchased are network compatible, have well-documented security features, and can be safely configured on the network.


Methodist Hospital of Southern California. (Image courtesy of Methodist)

As medical devices change, the processes used to manage them should likewise change. That’s the driving concept behind an impressive project undertaken by Methodist Hospital of Southern California (Arcadia, CA), winner of this year's Health Devices Achievement Award.

In hospitals everywhere, traditional stand-alone medical devices are giving way to networked, software-driven devices and systems. The biomedical engineering team at Methodist Hospital recognized that along with exciting new benefits, these IT-based devices bring a new generation of risks. Thus, the team set out to proactively manage these risks by reinventing the facility’s medical device inspection and preventive maintenance processes.

Networked devices—devices that can store and process patient information electronically, can integrate into the hospital network, and can be accessed remotely—have different vulnerabilities than stand-alone devices. Thus, effective management of such devices, the team reasoned, would require identifying those vulnerabilities—particularly those related to the availability and integrity of medical data and the security of a patient’s protected health information (PHI)—and implementing a program to manage them.

To achieve this, the team implemented the Integrated Systems Management (ISM) program developed by Renovo Solutions LLC. (Renovo Solutions is the organization contracted to provide Methodist Hospital’s biomedical engineering services.) The ISM program, which is a component of a biomedical engineering management system called RenovoLive, involves new processes and procedures both for incoming medical device inspections and for the ongoing management of the device throughout its useful life.

With the ISM program, in addition to verifying the operation and safety of the device, incoming inspections now include an assessment of how the device handles data. This is done by completing a Security Assessment form. The form includes 57 questions to help assess the risks associated with a particular device. It focuses on the information systems used to integrate the medical devices, along with the controls, policies, and procedures that affect the confidentiality, integrity, and availability of PHI that is stored within or transmitted by these devices or systems. Thus, it addresses the factors that could affect compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (The HIPAA Security Rule outlines provisions for ensuring the confidentiality, integrity, and availability of PHI that is transferred or held in electronic form—referred to as ePHI.) This Security Assessment helps the team identify risks and take corrective actions or steps to mitigate the risks as appropriate.

Preventive maintenance procedures at Methodist likewise have been reinvented to address cybersecurity and incorporate activities associated with the ISM program. Activities include:

  • Verifying virus protection
  • Applying vendor-approved patches
  • Managing hardware (e.g., servers, workstations)
  • Facilitating disaster recovery (e.g., backups, hard drive ghosting)
  • Implementing data security measures
  • Enforcing policies and procedures

The RenovoLive software is interfaced to the Methodist Hospital Network through a Client Services Module (CSM). The CSM is a set of Windows services that runs on the hospital’s network and is used to capture information on a regular basis, as well as on request. Notably, this configuration allows for continuous monitoring and updating of medical devices and systems. For example, a polling feature remotely captures status and configuration settings of networked medical devices. Information captured includes hardware devices present, the software version and service packs on those devices, antivirus software information, and the number of errors within the last 24 hours.
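As an added illustration (not RenovoLive's code or its actual record schema), the following Python triage runs over constructed polling records of the kind described above and flags devices with no antivirus or stale definitions, software or service packs that differ from a vendor-approved baseline, or an error spike in the last 24 hours. The record layout, the baseline, the field names and the thresholds are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class DeviceStatus:
    """One polled record; the fields follow what the article says polling captures."""
    device_id: str
    model: str
    sw_version: str
    service_pack: str
    av_installed: bool
    av_definitions_age_days: int  # assumed: age of the AV signature set in days
    errors_last_24h: int
    hardware: List[str] = field(default_factory=list)

# Constructed vendor-approved version/service pack per model (an assumption, not a real list).
BASELINE: Dict[str, Dict[str, str]] = {
    "infusion-pump-X": {"sw_version": "4.2.1", "service_pack": "SP3"},
    "monitor-Y": {"sw_version": "7.0.0", "service_pack": "SP1"},
}

def triage(rec: DeviceStatus, baseline=BASELINE, max_errors=10, max_av_age=7) -> List[str]:
    """Return findings for one device; an empty list means nothing to follow up."""
    findings = []
    if not rec.av_installed:
        findings.append("antivirus missing")
    elif rec.av_definitions_age_days > max_av_age:
        findings.append(f"antivirus definitions {rec.av_definitions_age_days} days old")
    expected = baseline.get(rec.model)
    if expected is None:
        findings.append("model not in approved baseline")
    else:
        if rec.sw_version != expected["sw_version"]:
            findings.append(f"software {rec.sw_version} != approved {expected['sw_version']}")
        if rec.service_pack != expected["service_pack"]:
            findings.append(f"service pack {rec.service_pack} != approved {expected['service_pack']}")
    if rec.errors_last_24h > max_errors:
        findings.append(f"{rec.errors_last_24h} errors in last 24h")
    return findings

def report(records, baseline=BASELINE) -> Dict[str, List[str]]:
    """Map device_id -> findings for devices that need follow-up (clean devices omitted)."""
    return {d: f for d, f in ((r.device_id, triage(r, baseline)) for r in records) if f}

# Constructed sample poll of three devices; not real hospital data.
POLLED = [
    DeviceStatus("pump-01", "infusion-pump-X", "4.2.1", "SP3", True, 2, 1, ["pump-module"]),
    DeviceStatus("pump-02", "infusion-pump-X", "4.1.0", "SP2", True, 30, 0),
    DeviceStatus("mon-07", "monitor-Y", "7.0.0", "SP1", False, 0, 25),
]
```

Calling `report(POLLED)` lists only `pump-02` and `mon-07`; `pump-01` matches the baseline and raises no finding.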

Other components of the ISM program include the review of medical device software agreements (e.g., to clarify the organization’s responsibilities with respect to cybersecurity) and the appointment of a system administrator. This person acts as a liaison between the biomedical engineering and IT departments and is involved in capital acquisition purchases to ensure that the devices purchased are network compatible, have well-documented security features, and can be safely configured on the network.

Best Practices

Methodist Hospital’s ISM program establishes a well-rounded approach to cybersecurity, proactively and continually addressing the risks related to the availability and integrity of medical data and the security of private patient information on networked and software-driven medical devices and systems. “This is the future,” notes Anthony Coronado, biomedical engineering manager at Methodist Hospital. “Technology has changed; and in our role, we have to adopt new practices to meet that change.”

In ECRI Institute’s estimation, many facilities have not yet made substantive progress in cybersecurity. Thus, the Methodist Hospital program provides a good example for hospitals to follow. Our October 2013 webinar, Tackling Medical Device Cybersecurity, included additional discussion about cybersecurity considerations as well as a presentation by Mr. Coronado describing the Methodist Hospital program in more detail.

Congratulations and thanks to Anthony Coronado for submitting Methodist’s application for the Health Devices Achievement Award.

Topics and Metadata

Topics

Quality Assurance/Risk Management; Technology Management

Caresetting

Hospital Inpatient

Roles

Biomedical/Clinical Engineer; Materials Manager/Procurement Manager

Information Type

Guidance
