Medical Devices: New Security HelpHow HIPAA Omnibus Rule Could Play a Role
The HIPAA Omnibus Rule could play an important role in improving the security of medical devices that store patient data, says an official with the agency that enforces HIPAA.
See Also: HIPAA Audits: A Revised Game Plan
Under the new rule, companies that service medical devices and have access to the patient information they contain are now considered business associates. And the new rule clarifies that all BAs must comply with the HIPAA Security Rule, says David Holtzman, senior health information technology and privacy specialist at the HHS Office for Civil Rights.
So to comply with HIPAA, medical device servicers will need to implement a patch management program to protect against viruses, Holtzman points out.
Some manufacturers of devices, such as insulin pumps and pacemakers, have resisted applying patches to the operating system within a device, expressing concern that modifications could affect performance, some healthcare security experts say.
"Vendors have a tendency to say the device is FDA [Food and Drug Administration] approved so you can't make any modifications to it, even though it's Windows 2000 based and not patched," says Alain Bouit, director of IT security at Adventist Health, a 19-hospital system based in Roseville, Calif. "So we've isolated our devices onto their own network, separate from a core network."
Bouit made his comments during his presentation at the 2013 HIMSS Conference in New Orleans.
Security for wireless implanted devices is a growing concern. For example, an "ethical hacker" recently demonstrated how an implanted wireless heart defibrillator can be hacked from 50 feet away to deliver a potentially dangerous shock (see: How to Minimize Medical Device Risks).
But so far, there's no clear-cut evidence that hackers have ever caused harm to a patient with a wireless medical device, according to a recent Government Accountability Organization report that urged the Food Drug Administration to develop a plan to improve tracking of device security and safety issues (see: GAO Spotlights Medical Device Security).
How HIPAA Omnibus Applies
In an interview at the HIMSS conference, Holtzman explained how the HIPAA Omnibus Rule could play a role in dealing with the issue of securing medical devices.
If the device manufacturer, or a middleman, has a service contract with the provider that gives it access to electronic protected health information stored within the device, then the company is considered a business associate under the broadened definition within the new rule, Holtzman says.
"Very few facilities are large enough and have enough resources to have a fully sufficient biomedical device maintenance program," he says. "They have an agreement with either the vendor or the manufacturer to service and update the product."
Many medical devices store information and contain an operating system, such as Microsoft Windows, Holtzman notes. "What has been happening is that the end-user organizations have been assessing the medical device and finding that the Microsoft Windows platform either isn't being updated by the vendor or whoever is supposed to be servicing it, or it's gone so long that the operating system is no longer supported, and therefore, there is no patch management by the end user."
The HIPAA Security Rule requires covered entities to have a patch management program to protect against viruses. And now, thanks to the HIPAA Omnibus Rule, business associates, including, in some cases, device manufacturers or servicers, must also comply with that requirement.
"Business associates ... should be able to demonstrate compliance with the security rule, which requires having a program for securing ePHI and having a patch management program," Holtzman says. They have until the Sept. 23 HIPAA Omnibus rule compliance date to determine the steps they need to take to comply, he adds.
The new rule could play an important role in helping ensure medical devices are secure, Holtzman stresses. "But this is still one of those areas that has many layers to it," he says. "We're continuing in our dialogue with the stakeholders and our federal partners in identifying all of the issues and how we can work ... to provide guidance and resources to help them [device servicers] come into compliance."
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.