HIPAA Omnibus and Medical Devices

The HIPAA Omnibus rule could play an important role in improving the security of medical devices that store patient data.

Under the new rule, companies that service medical devices and have access to the patient information they contain are now considered business associates. And the new rule clarifies that all BAs must comply with the HIPAA Security Rule.

To comply with HIPAA, medical device servicers will need to implement a "patch management program" to protect against viruses.

Some manufacturers of devices, such as insulin pumps and pacemakers, have resisted applying patches to the operating system within a device, expressing concern that modifications could affect performance, some healthcare security experts say.

"Vendors have a tendency to say the device is FDA (Food and Drug Administration) approved so you can't make any modifications to it, even though it's Windows 2000 based and not patched," says Alain Bouit, director of IT security at Adventist Health, a 19-hospital system based in Roseville, Calif. "So we've isolated our devices onto their own network, separate from a core network."

Security for wireless implanted devices is a growing concern. For example, an "ethical hacker" recently demonstrated how an implanted wireless heart defibrillator can be hacked from 50 feet away to deliver a potentially dangerous shock.

How HIPAA Omnibus Applies

In an interview at the HIMSS conference, David Holtzman, senior health information technology and privacy specialist at the HHS Office for Civil Rights, explained how the HIPAA Omnibus Rule could play a role in dealing with the issue of securing medical devices.

If the device manufacturer, or a middleman, has a service contract with the provider that gives it access to electronic protected health information (ePHI) stored within the device, then the company is considered a business associate under the broadened definition within the new rule, Holtzman says.

"Very few facilities are large enough and have enough resources to have a fully sufficient biomedical device maintenance program," he says. "They have an agreement with either the vendor or the manufacturer to service and update the product."

Many medical devices store information and contain an operating system, such as Microsoft Windows, Holtzman notes. "What has been happening is that the end-user organizations have been assessing the medical device and finding that the Microsoft Windows platform either isn't being updated by the vendor or whoever is supposed to be servicing it, or it's gone so long that the operating system is no longer supported, and therefore, there is no patch management by the end-user."

Patch Management

The HIPAA Security Rule requires covered entities to have a patch management program to protect against viruses. And now, thanks to the HIPAA Omnibus Rule, business associates, including, in some cases, device manufacturers or servicers, must also comply with that requirement.

"Business associates should be able to demonstrate compliance with the security rule, which requires having a program for securing ePHI and having a patch management program," says Holtzman. "Business associates have until the Sept. 23 HIPAA Omnibus rule compliance date to determine the steps they need to take to comply," he adds.

The new rule could play an important role in helping ensure medical devices are secure, Holtzman stresses. "But this is still one of those areas that have many layers to it," he says. "We're continuing in our dialogue with the stakeholders and our federal partners in identifying all of the issues and how we can work to provide guidance and resources to help them (device servicers) come into compliance."

Privacy and Security When Using Mobile Devices

Following are steps entities can take to protect their PHI when using mobile devices:

  • Install and enable encryption
  • Use a password or other user authentication
  • Install and activate wiping, remote disabling, or both to erase data on lost or stolen devices
  • Disable and do not install or use file-sharing applications
  • Install and enable a firewall to block unauthorized access
  • Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks
  • Keep security software up to date
  • Research mobile applications before downloading
  • Maintain physical control of mobile devices
  • Use adequate security to send or receive health information over public Wi-Fi networks
  • Delete all stored health information on mobile devices before discarding the devices