Technology in Medicine Conference on Medical Device Security

Presentation transcript:

Technology in Medicine Conference on Medical Device Security
Overview of Medical Devices and HIPAA Security Compliance
Wednesday, March 9, 2005
Stephen L. Grimes, FACCE
Chair, Medical Device Security Workgroup, Healthcare Information and Management Systems Society (HIMSS)
Senior Consultant & Analyst, GENTECH

Medical Device Security: Is this just a HIPAA issue? NO!
Even if HIPAA were thrown out, medical device security is a necessity, not just a regulation.
Medical device security, particularly data integrity and data availability, is critical to healthcare quality, timeliness, and cost-effectiveness.
Today, a reasonable standard of care cannot be maintained without an effective Information Security Management Program in place that includes biomedical technology.

Slide 2 notes: Illustrates that what we're doing with respect to medical device security is not being done just because of HIPAA, i.e., we're not doing it just to meet a regulation; it's because it's good practice. Medical device security, particularly data integrity and availability, is critical to the quality, timeliness and cost-effectiveness of healthcare.

March 9, 2005 © HIMSS / ACCE / ECRI ~ 2

HIPAA's Security Rule: Implications for Biomedical Devices & Systems

Security Risks to Healthcare Technology
Make sure you are addressing more than the tip of the risk!
(Graphic: Risks to Healthcare IT Systems vs. Risks to Biomedical Devices & Systems.)
The inventory of biomedical devices & systems in a typical hospital is 3-4 times larger than the IT inventory.

Significant Medical Device Industry Trends
- Medical devices and systems are being designed and operated as special purpose computers: more features are being automated, and increasing amounts of medical data are being collected, analyzed and stored in these devices.
- There has been a rapidly growing integration and interconnection of disparate medical (and information) technology devices and systems, where medical data is being increasingly exchanged.

Information Technology Systems: Mission Critical
Mission Critical: Activities, processing, etc., that are deemed vital to the organization's business success or existence. If a Mission Critical application fails, crashes, or is otherwise unavailable to the organization, it will have a significant negative impact upon the business.
Examples of Mission Critical applications include accounts/billing, customer balances, ADT processes, JIT ordering, and delivery scheduling.

Biomedical Technology Systems: Life Critical
Life Critical: Devices, systems and processes that are deemed vital to the patient's health and quality of care. If a Life Critical system fails or is otherwise compromised, it will have a significant negative impact on the patient's health, quality of care or safety.
Examples of Life Critical systems include physiologic monitoring, imaging, radiation therapy, and clinical laboratory systems.

Major Differences in Risk Between IT & Biomedical Systems
- IT Systems: Mission Critical
- Medical Devices & Systems: Life Critical

HIPAA's Security Rule: Implications for Biomedical Technology
Standalone with ePHI

Slides 6 & 7 notes: Illustrate that security & ePHI are concerns for both standalone and (slide 6) networked systems.

HIPAA's Security Rule: Implications for Biomedical Technology
Both Standalone with ePHI and Networked Systems

HIPAA's Security Rule: Implications for Biomedical Technology
Why is security an issue for biomedical technology? Because a compromise in ePHI can affect:
- Integrity or Availability: can result in improper diagnosis or therapy of the patient, resulting in harm (even death) because of delayed or inappropriate treatment.
- Confidentiality: can result in loss of patient privacy and, as a consequence, may result in financial loss to the patient and/or provider organization.

Slide 8 notes: We see that, due to the function of medical devices, the implications of compromised security can be particularly devastating. For example, a compromise to data integrity or availability in medical devices can affect a patient's health by contributing to improper diagnosis or therapy, whereas a compromise to confidentiality in medical devices can lead to a loss of patient privacy.

HIPAA's Security Rule: Overview of Compliance Process

HIPAA's Security Rule: Compliance Overview
Information Security Management (ISM) Program
Risk Analysis & Management Plan (RAMP)

Slide 10 notes: This graphic illustrates how HIPAA's Security Rule requires a Security Management Process or Program, which must include within it a Risk Analysis / Risk Management program. You cannot have an effective Security Management program without an integrated Risk Management Program.

HIPAA's Security Rule: Compliance Overview
Establish an effective Info Security Management (ISM) program (increasing levels of program effectiveness):
1. Assign security official & establish information security committee
2. Develop necessary policies as per security standards
3. Develop necessary procedures, physical/technical safeguards as per implementation specifications
4. Implement policies/procedures, business associate agreements, educate workforce & install/configure security "tools"
5. Test implementation
6. Integrate security measures into organization-wide program

Slide 11 notes: There are 6 levels that must be passed in order to have an effective Security Management Program. Steps:
1. Must assign security official & should establish an information security committee
2. Develop security policies as per the HIPAA Rule's security standards
3. Develop security procedures, physical & technical safeguards as per the HIPAA Rule's implementation specifications
4. Implement policies/procedures, business associate agreements, educate workforce & install/configure security tools
5. Test implementation
6. Integrate security measures into organization-wide security program

HIPAA's Security Rule: Compliance Overview

Slide 12 notes: The Information Security Committee's role is to provide input into and to monitor the effectiveness of the organization's security management plan.
Core members (in yellow) include the information security official and representatives from information services and clinical engineering.
Other members participating (in blue), at least on an ad hoc basis, may include:
- Device users
- Clinical staff
- Administration
- Quality assurance / Risk management
- Materials management / purchasing
- In-service education
- Human resources
- Facilities engineering

HIPAA's Security Rule: Compliance Overview
Establish Risk Analysis/Management Plan (RAMP):
1. Conduct inventory (identify sources of ePHI) and survey current security practices & resources
2. Identify and assess security risks
3. Establish priorities
4. Determine security gap (i.e., need for additional safeguards) following "best practices" and the Security Rule's Standards and Implementation Specifications
5. Formulate/implement plan for risk mitigation process incorporating risk-based priorities
6. Test & measure effectiveness of risk mitigation process (improving as necessary)

Slide 13 notes: Describes the steps necessary in establishing a Risk Analysis & Risk Management Plan.
1. Conduct inventory & survey, i.e., do an inventory of biomedical devices & systems and identify those that transmit or maintain ePHI; step 1 also includes a survey of current security practices & resources.
2. Involves identifying and assessing security risks associated with the ePHI on the inventoried equipment.
3. Includes establishing priorities for addressing the identified risks based on the assessed degree of the risks.
4. Is determining the security gap (that is, the need for additional safeguards) following "best practices" and using the Security Rule's Standards and Implementation Specifications as a guideline.
5. Is to formulate and implement a plan for the risk mitigation process incorporating risk-based priorities.
6. Test & measure effectiveness of the risk mitigation process, incorporating improvements as necessary.

Compliance Overview: Risk Analysis/Management
Conduct Inventory
- Identify biomedical devices & systems that maintain and/or transmit ePHI
- For each affected device/system, determine:
  - Types of ePHI
  - Who has access & who needs access
  - Description of any connections with other devices
  - Types of security measures currently employed

Slide 14 notes: Looking at the process in a little more detail. Describes part 1 of the first step in the Risk Analysis / Risk Management Program: conduct inventory. Identify biomedical devices & systems that maintain and/or transmit ePHI. For each affected device/system, determine the types of ePHI, who has access & who needs access, any connections with other devices, and any security measures currently employed with the device.

New! Nov 8, 2004: HIMSS Manufacturers Disclosure Statement for Medical Device Security (MDS2), http://www.himss.org/asp/medicalDeviceSecurity.asp

Compliance Overview: Risk Analysis/Management
...and survey current security practices & resources to analyze existing processes:
- Policies & procedures
- Training programs
- Tools & security measures

Slide 15 notes: Describes part 2 of the first step in the Risk Analysis / Risk Management Program: survey existing security practices & resources. Identify existing policies, procedures, training programs, tools & security measures.

Component, Device, or System: where ePHI is created/input, maintained, or transmitted/received

Create/Input ePHI:
- Keyboard
- Scanning (bar code, magnetic, OCR)
- Imaging (photo, medical image)
- Biometrics
- Voice recognition

Maintain ePHI:
- Disk (hard disk)
- Tape
- Memory (e.g., RAM)
- Digital memory card
- Optical disk, CD-ROM, DVD

Transmit/Receive ePHI:
- Disk
- Tape
- Digital memory card
- Optical disk, CD-ROM, DVD
- Wired networks (private or public, leased or dial-up lines, Internet)
- Wireless networks

Slide 16 notes: Shows graphically examples of media that may be associated with maintaining or transmitting ePHI. Note that some media (e.g., tape, CD, DVD, PC cards, etc.) are considered capable of both transmitting and maintaining ePHI.
- Input ePHI: keyboard, scanning, images, biometrics, voice
- Maintain ePHI: hard disks & diskettes, memory, tape, PC cards, SD/CF cards, CD & DVD ROM
- Transmit/Receive ePHI: diskettes, networks (both wired & wireless)

Compliance Overview: Inventory of Devices/Systems
Physiologic Monitor, where ePHI may consist of patient identifying information and the following data:
- ECG waveform
- Blood pressure
- Heart rate
- Temp
- O2 saturation
- Respiration
- Alarms

Slides 17 thru 21 notes: Examples of devices & systems (physiologic monitor, infusion pump, ventilator, laboratory analyzer, CT or MRI) where patient identifying information and diagnostic or therapeutic data existing together would meet the definition of electronic Protected Health Information, or ePHI.

Compliance Overview: Inventory of Devices/Systems
Infusion pump, where ePHI may consist of patient identifying information and the following data:
- Flow rate
- Volume delivered
- Alarms

Compliance Overview: Inventory of Devices/Systems
Ventilator, where ePHI may consist of patient identifying information and the following data:
- Flow rate
- Volume delivered
- Respiration (breaths per minute)
- O2 saturation
- Alarms

Compliance Overview: Inventory of Devices/Systems
Laboratory analyzer, where ePHI may consist of patient identifying information and the following data:
- Blood related: hemoglobin, glucose, gas, pH, electrolyte
- Urine related: albumin, creatinine, bilirubin

Compliance Overview: Inventory of Devices/Systems
MRI, CT Scanner, Diagnostic Ultrasound, where ePHI may consist of patient identifying information and the following data:
- Image

Compliance Overview: Risk Analysis/Management
Assess risk with respect to confidentiality, integrity, availability:
- Criticality: categorize level of risk/vulnerability (e.g., high, medium, low) to CIA
- Probability: categorize the likelihood of risk (e.g., frequent, occasional, rare) to CIA
- Composite score for criticality/probability

Slide 22 notes: The second step in the Risk Analysis / Risk Management Program involves assessing risk with respect to confidentiality, integrity and availability (CIA). We need to assess criticality (categorize the level of risk/vulnerability, e.g., high, medium, low, to CIA) and probability (categorize the likelihood of risk, e.g., frequent, occasional, rare, to CIA), then establish a composite score for criticality/probability.

Taking into account Criticality: Assess Risk associated with compromises to Integrity of ePHI
(Diagram: Patient, Physiologic Monitor, Central Station, Clinician with Authorized Access.)

Data             Actual         Maintained/Transmitted
Patient ID       7813244        7813254
Heart Rate       60 bpm         35 bpm
Blood Pressure   120/80 mmHg    90/50 mmHg
Temp             98.6º F        89.6º F
SpO2             92%

Slides 23-25 notes: Provide a simple illustration of the types of risks that need to be considered for medical devices containing ePHI.
Slide 23 notes: Assessing Criticality - Integrity. The risk in this case is EMI interference affecting the integrity of data. If we agree that inaccurate data could result in poor, insufficient or wrong treatment or therapy, we would likely conclude the criticality of data integrity is high.

Taking into account Criticality: Assess Risk associated with compromises to Availability of ePHI
(Diagram: Patient, Physiologic Monitor, Central Station, Clinician with Authorized Access.)

Data             Actual         Maintained/Transmitted
Patient ID       7813244        XXXXX
Heart Rate       60 bpm         XX bpm
Blood Pressure   120/80 mmHg    XXX/XX mmHg
Temp             98.6º F        XX.Xº F
SpO2             92%            XX%

Slide 24 notes: Assessing Criticality - Availability. We're assessing the risk of data being destroyed or lost. If we agree that missing data might delay treatment but wouldn't likely result in wrong treatment, then we might conclude that the criticality of data availability is medium.

Taking into account Criticality: Assess Risk associated with compromises to Confidentiality of ePHI
(Diagram: Patient, Physiologic Monitor, Central Station, Clinician with Authorized Access, Unauthorized Access.)

Data             Actual (Maintained/Transmitted)
Patient ID       7813244
Heart Rate       60 bpm
Blood Pressure   120/80 mmHg
Temp             98.6º F
SpO2             92%

Slide 25 notes: Assessing Criticality - Confidentiality. Here we're assessing the risk of data being accessed by unauthorized personnel. If we agree the data might help to reveal the patient's condition, then we might conclude that the criticality of data confidentiality is also medium.

Assessing Criticality of Risk Associated with Biomedical Devices/Systems with ePHI

Impact on Patient:
- Health: potential degree to which health care would be adversely impacted by compromise of availability or integrity of ePHI
- Privacy: potential degree to which privacy would be adversely impacted by compromise of confidentiality of ePHI
Impact on Organization:
- Interests: potential degree to which interests would be adversely impacted by compromise of confidentiality, availability or integrity of ePHI
- Potential financial impact
- Potential legal penalties
- Likely corrective measures required

RISK LEVEL: High
- Patient health: serious impact to patient's health (including loss of life) due to misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment
- Patient privacy: could identify patient and their diagnosis
- Organization interests: extremely grave damage to organization's interests
- Financial impact: Major, $1,000K
- Legal penalties: imprisonment and/or large fines
- Corrective measures: Legal

RISK LEVEL: Medium
- Patient health: minor impact to patient's health due to:
- Patient privacy: could identify patient and their health information (but from which a diagnosis could not be derived)
- Organization interests: serious damage
- Financial impact: Moderate, $100K
- Legal penalties: moderate fines

RISK LEVEL: Low
- Patient health: minor impact
- Patient privacy: could identify patient
- Organization interests: minor damage
- Financial impact: Minor, $10K
- Legal penalties: none
- Corrective measures: Administrative

Slide 26 notes: Shows a table with a proposed set of criteria for ranking criticality. Note that the left side of the chart considers risk "impact on the patient" and the right side of the chart considers risk "impact on the organization". Risk levels are ranked High, Medium, and Low, where higher risks indicate either the potential for a more severe impact on patient health or on the patient's or organization's financial well-being.

Assessing Probability of Risks Associated with Biomedical Devices/Systems with ePHI
- Frequent: likely to occur (e.g., once a month)
- Occasional: probably will occur (e.g., once a year)
- Rare: possible to occur (e.g., once every 5-10 years)

Slide 27 notes: Shows a table with a proposed set of criteria for ranking probability. Here we've defined 3 levels: Frequent - likely to occur (e.g., once a month); Occasional - probably will occur (e.g., once a year); Rare - possible to occur (e.g., once every 5-10 years).

Assessing Criticality & Probability of Risks Associated with Biomedical Devices/Systems with ePHI
Determining the Criticality/Probability Composite Score

                         Probability
Criticality     Rare    Occasional    Frequent
High             3          6            9
Medium           2          4
Low              1

Slide 28 notes: Shows a proposed method for establishing a composite score for criticality & probability. Criticality is rated along the vertical axis and probability along the horizontal axis, and the composite score is taken from the point where their respective scores intersect.

Compliance Overview: Risk Analysis/Management
Establish priorities
- Use criticality/probability composite score to prioritize risk mitigation efforts
- Conduct mitigation process giving priority to devices/systems with the highest scores (i.e., devices/systems that represent the most significant risks)

Slide 29 notes: The third step in the Risk Analysis / Risk Management Program is to establish priorities: use the criticality/probability composite score to prioritize risk mitigation efforts, and conduct the mitigation process giving priority to devices/systems with the highest scores (i.e., devices/systems that represent the most significant risks).

Compliance Overview: Risk Analysis/Management
Determine security gap
- Determine what measures are necessary to safeguard data
- Compare list of necessary measures with existing measures identified during the biomedical device/system inventory process
- Prepare gap analysis for devices/systems detailing additional security measures necessary to mitigate recognized risks (addressing devices/systems according to priority)

Slide 30 notes: The fourth step in the Risk Analysis / Risk Management Program is to determine the security gap: determine the measures necessary to safeguard data, compare the list of those necessary measures with existing measures identified during the biomedical device/system inventory process, and prepare a gap analysis for devices & systems detailing additional security measures necessary to mitigate recognized risks, addressing devices/systems according to priority.

Compliance Overview: Risk Analysis/Management
Formulate & implement mitigation plan
- Formulate written mitigation plan incorporating additional security measures required (i.e., policies, procedures, technical & physical safeguards), priority assessment, and schedule for implementation
- Implement plan & document process

Slide 31 notes: The fifth step in the Risk Analysis / Risk Management Program is to formulate & implement the mitigation plan: formulate a written mitigation plan incorporating the additional security measures required (i.e., policies, procedures, technical & physical safeguards), priority assessment, and schedule for implementation; then implement the plan & document the process.

Compliance Overview: Risk Analysis/Management
Monitor process
- Establish on-going monitoring system (including a security incident reporting system) to ensure mitigation efforts are effective
- Document results of regular audits of security processes

Slide 32 notes: The sixth (and last) step in the Risk Analysis / Risk Management Program is to monitor the process: establish an on-going monitoring system (including a security incident reporting system) to ensure mitigation efforts are effective, and document the results of regular audits of security processes.

Compliance Overview: Risk Analysis/Management
Prepare a Risk Mitigation Worksheet
1. Identify ePHI
2. Identify & assess risks
3. Establish priorities
4. Determine gap
5. Formulate & implement plan
6. Test & measure effectiveness of plan

Slide 33 notes: Shows a graphic of a Risk Mitigation Worksheet. The Risk Mitigation Worksheet should be created by the security officer with clinical engineering and reviewed by the information security committee.
- Identify ePHI. Column 1: description of ePHI
- Identify & assess risks. Column 2: description of security element being considered (i.e., Integrity, Availability or Confidentiality); Column 3: description of possible sources of risk to data; Column 4: description of possible consequences if security is compromised
- Establish priorities. Column 5: criticality score; Column 6: probability score; Column 7: composite score
- Determine gap
- Formulate & implement plan. Column 8: develop mitigation plan; Column 9: assign responsibility; Column 10: set target date for completion
- Monitor process. The Risk Mitigation Worksheet should be reviewed regularly by the information security committee.
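The composite scoring of slide 28, the prioritization of slide 29 and the ten-column worksheet of slide 33, worked as an added example (this is not code from the presentation or from HIMSS). It assumes the composite is the product of the criticality and probability ratings, which matches the cells shown on slide 28, and the device entries, probability ratings and mitigations are constructed sample data.

```python
"""Criticality x probability composite scoring and a prioritized risk
mitigation worksheet for biomedical devices/systems that hold ePHI.
Added example following slides 28, 29 and 33; sample entries are constructed."""
from dataclasses import dataclass

# Slide 28 scales: criticality High/Medium/Low, probability Frequent/Occasional/Rare.
# Assumption: the composite score is the product of the two ratings (3*3 = 9 max).
CRITICALITY = {"high": 3, "medium": 2, "low": 1}
PROBABILITY = {"frequent": 3, "occasional": 2, "rare": 1}
ELEMENTS = ("integrity", "availability", "confidentiality")


def composite_score(criticality: str, probability: str) -> int:
    """Return the slide 28 composite score (1..9) for a rating pair."""
    return CRITICALITY[criticality.lower()] * PROBABILITY[probability.lower()]


@dataclass
class RiskEntry:
    """One row of the slide 33 Risk Mitigation Worksheet (columns 1 to 10)."""
    ephi: str              # col 1: description of the ePHI
    element: str           # col 2: integrity, availability or confidentiality
    source: str            # col 3: possible source of risk to the data
    consequence: str       # col 4: possible consequence if security is compromised
    criticality: str       # col 5: criticality rating
    probability: str       # col 6: probability rating
    mitigation: str = ""   # col 8: mitigation plan
    owner: str = ""        # col 9: assigned responsibility
    target_date: str = ""  # col 10: target completion date

    def __post_init__(self) -> None:
        # Reject ratings outside the slide 26/27 scales before they reach the score.
        if self.element.lower() not in ELEMENTS:
            raise ValueError(f"unknown security element: {self.element}")
        if (self.criticality.lower() not in CRITICALITY
                or self.probability.lower() not in PROBABILITY):
            raise ValueError("rating outside the criticality/probability scales")

    def composite(self) -> int:
        """Column 7: composite score."""
        return composite_score(self.criticality, self.probability)


def prioritize(entries):
    """Slide 29: address the highest composite scores first. Assumption for
    ties: higher criticality (patient impact) outranks likelihood, then the
    ePHI description keeps the order deterministic."""
    return sorted(entries, key=lambda e: (-e.composite(),
                                          -CRITICALITY[e.criticality.lower()],
                                          e.ephi))


def worksheet_rows(entries):
    """Return the ten worksheet columns per entry, in mitigation priority order."""
    return [(e.ephi, e.element, e.source, e.consequence, e.criticality,
             e.probability, e.composite(), e.mitigation, e.owner, e.target_date)
            for e in prioritize(entries)]


# Constructed sample modelled on the physiologic monitor of slides 23-25;
# the probability ratings and mitigations are assumptions, not from the slides.
MONITOR = "Physiologic monitor: patient ID + vital signs"
SAMPLE = [
    RiskEntry(MONITOR, "integrity", "EMI interference on monitor link",
              "wrong or insufficient therapy", "high", "occasional",
              "shielded cabling; verify data at central station",
              "Clinical Engineering", "2005-06-30"),
    RiskEntry(MONITOR, "availability", "central station disk failure",
              "delayed treatment", "medium", "rare",
              "redundant storage; bedside display retains data"),
    RiskEntry(MONITOR, "confidentiality", "unattended central station display",
              "loss of patient privacy", "medium", "frequent",
              "screen lock; access logging"),
]

if __name__ == "__main__":
    for row in worksheet_rows(SAMPLE):
        print(row)
```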

HIPAA's Security Rule: Overview of Compliance Process

Slide 34 notes: Overview of Compliance Process, showing the relationship between Security Management and Risk Analysis/Management. Risk Analysis and Management is part of the Security Management Plan. Document, document, document.

Questions?
Stephen L. Grimes, FACCE, slgrimes@nycap.rr.com

Slide 47 notes: Questions?
- Health Information and Management Systems Society: www.himms.org
- American College of Clinical Engineering (ACCE): www.accenet.org
- ECRI: www.ecri.org