Network worms are a class of malicious software (a.k.a. malware) which self-replicate across a network among computer systems. In a theoretical sense I find them to be amazing and incredibly interesting, but in a practical sense they can be extremely difficult to deal with effectively. Typically IT/IS security teams have methods to detect, investigate, remediate and prevent infection on the desktops, laptops and servers they manage; however, clinical engineers have a much greater challenge in that the same methods often cannot be used with medical devices, for many reasons. Like any other piece of malware, there must be an infection vector...
Rushing to the Rescue (In a Vacuum)
Clinical engineers are frequently called to work on time-sensitive and costly technology repair situations, many of which directly affect patient care workflows. CEs also have brothers-in-arms for those same circumstances in the IT staff that respond to incidents across technology platforms. Taking into account the previous topics I’ve written on (CE/IT introductions, change management, security and networking), I will present a (not so) hypothetical situation for which these groups should begin to coordinate before an incident occurs. As with any technology incident management work, the aim is to reduce downtime, reduce expenses, and contain a failure mode from affecting others....
As Americans discovered during the banking crisis and subsequent bailouts in 2008, fraud and abuse regulation and policy are only as good as the weakest investigation and enforcement activities. As you know, in health care there are numerous regulations, and in health care facilities there are numerous policies as well. However, I’d like to turn your attention to a large upcoming change in regulatory enforcement that will likely hit a facility you may know of or work with this calendar year. The U.S. Department of Health and Human Services (HHS) has numerous operating and staff divisions, many of which you...
IT Buzzword Busting: The Cloud
If there’s one thing IT marketing and publishing groups are great at, it’s coining, reinforcing and misusing technology buzzwords. I don’t aim to be cynical, so I will make an effort to separate the wheat from the chaff on the topic of cloud computing. This buzzword has become mainstream and actually does refer to important trending changes in the computing industry, but much like an actual cloud in the sky, the term also indistinctly refers to ideas that are hazy; vapor devoid of much substance. One of the most important trends that The Cloud refers to is the concept of...
Securely limiting medical device internet and remote access
Last month’s IT Update addressed how a few key network infrastructure systems facilitate data communication between devices. Building on that, it’s good to be aware of what is being transmitted to and from medical equipment and how that may affect operations and/or patient care. I believe two key starting points on this topic are Internet access and remote access. Thinking through the inventory of network connected medical devices you manage, how many have direct Internet access? Of these, how many require Internet access for the proper operation or support of that device? If there is a big difference in your...
Antivirus software on medical devices
Especially for Windows-based devices, antivirus (AV) software can provide security benefits in the form of detecting (and possibly protecting against) threats from malicious software. Common malicious software attacks on modern medical devices in the clinical setting are self-replicating worms within the hospital network, infected removable media introduced by clinical staff with physical access to the device, and myriad web-based trojans and drive-by downloads accessible on devices with Internet access and browser software. While AV software may be able to detect and prevent such threats, its presence can also introduce operational complications. The process of designating, approving, installing, operating, updating,...
Implementing data destruction policies to secure patient data
Many departments in a health care facility have overlapping duties and responsibilities for HIPAA privacy and security compliance. However, there is a standard on device and media controls which can rest squarely on clinical engineering throughout their work, and I think it’s important for technicians to be aware of the issues. Even more important is for the CE department to standardize on how the workforce will handle systems with electronic protected health information (ePHI) consistently. The HIPAA Security Physical Safeguard standards include § 164.310(d)(1), which requires covered entities (health care providers) to “implement policies and procedures that govern the receipt...
Introductions between CE & IT
This article is about introductions, so in the words of Austin Powers, allow myself to introduce… myself. I wrote last month about security and medical devices, a topic that I work in every day as Chief Security Officer of eProtex. While my background is primarily in IT security, infrastructure, and operations, I have spent much of that time doing so within a clinical engineering company. This has given me the opportunity to have a foot in IT and possibly a few toes in clinical engineering. From that, I’ve experienced many opportunities first-hand about the varied issues resulting from a gap...
Identifying The Most Vulnerable Devices to HIPAA Compliance
Since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 2003, the Department of Health and Human Services Office of Civil Rights has investigated and resolved more than 11,000 HIPAA violations, as reported by the Deloitte Center for Health Solutions. And since 2009, more than 7 million patients have been affected by data breaches. As the health care industry moves toward a fully automated system featuring electronic protected health information (ePHI) and clinical data warehousing, even more data is at risk and breaches are imminent. Despite the hefty fines and potential risks a breach can cause to...















