In May 2018, the U.S. Department of Veterans Affairs (VA) National Healthcare Technology Management (HTM) Program Office (Bedford, MA) was named a finalist for ECRI Institute's 12th Health Devices Achievement Award for the organization's development of a centralized database of medical devices that connect to the VA network.

The Health Devices Achievement Award recognizes innovative and effective initiatives undertaken by member healthcare institutions to improve patient safety, reduce costs, or otherwise facilitate better strategic management of health technology. For details about the winning submission and other finalists, see The Health Devices Achievement Award: Recognizing Exceptional Health Technology Management.

ECRI Institute congratulates the VA project team members. In particular, the VA National HTM Program Office singled out two individuals for their efforts on this project:

1. Andrew Kusters, a biomedical engineer at the Milwaukee VA Medical Center, developed what has become known as the Networked Medical Device Database (NMDD).

2. Megan Friel, Associate Director of the VA HTM Program Office, led the design team and the deployment effort for the national roll-out of the NMDD.
 

The Challenge

To develop, implement, and sustain a centralized database of the network-connected medical devices that are in use at VA medical centers in support of the organization's cybersecurity efforts. The database would be the authoritative method for documenting technical attributes for all medical devices that connect to the VA network.
 

The Landscape

1. Ready access to accurate and up-to-date information about the technical attributes of networked medical devices in a healthcare facility's inventory is a key component of a medical device cybersecurity program.

a) ECRI Institute has addressed the importance of this information in several editions of its annual list of the Top 10 Health Technology Hazards.

b) See, for example, the cybersecurity-related topics covered in the 2018, 2017, and 2015 editions.

2. Before 2015, each VA medical center's biomedical engineering department had its own approach for maintaining inventory listings and technical attributes for network-connected medical devices.

a) VA's computerized maintenance management system (CMMS) lacked the functionality to support medical device security.

b) Thus, the organization did not have a standardized or centralized means for recording and retrieving the relevant information.

3. To address that shortcoming, the VA National HTM Program Office developed and deployed its own application.

a) It had been determined that no commercially available application met VA's unique needs.

b) In response, VA biomedical engineers set about developing a solution using only existing resources.

4. The project was led by a biomedical engineer at the Milwaukee VA Medical Center and one in the VA Central HTM Office.
 

The Process

1. Seeing the need for a centralized tool that all VA medical centers could use to document technical attributes for networked medical devices, a team of VA biomedical engineers developed what has become known as the Networked Medical Device Database.

a) The database was developed in ASP.NET using Microsoft Visual Studio. The only direct cost for the project was that for the engineers' time.

b) During 2015, the NMDD was piloted in six Veteran Integrated Service Networks (VISN), it was improved through the incorporation of field feedback, and then it was deployed nationally to more than 150 VA medical centers.

2. A companion tool developed with the NMDD uses basic Windows commands to provide an automated inventory of operating systems and software on Windows-based devices (Windows 7 and above). The data from this tool can be merged with the NMDD to provide biomedical engineering departments with an accurate inventory to address cybersecurity concerns and device vulnerabilities.

3. Additionally, individual biomedical engineering departments and the HTM Program Office can pull a variety of reports, which are updated nightly, from the system.
 

The Results

1. The HTM Program Office notes that central access to data about networked medical devices across the VA offers several benefits:

a) It allows the HTM Program Office to monitor several key performance indicators (KPIs) nationally to verify that the inventory data is complete and accurate.

b) It enhances medical device security (e.g., vulnerability management, access-control list remediation) across all VA medical centers. For instance, the NMDD database was instrumental in the organization's response to the WannaCry attack, providing a listing of networked medical devices that could potentially be affected based on operating system data.

2. Biomedical engineering staff at VA medical centers have praised the tool, noting that it fulfilled a need and has helped them do their jobs more effectively.
 

Key Takeaways

ECRI Institute has long recommended that healthcare organizations document and track details about the IT-based and networked medical devices and systems in their inventories. The utility of such information in responding to cybersecurity threats—a concern that is only likely to grow in the coming years—illustrates the timeliness and value of VA's effort.