
By K. Richard Douglas
There was a time when medical records were paper documents stored in manila folders and often locked away in a file cabinet. It wasn’t that long ago, however, that an evolution in medical record storage led to digitizing medical records and storing them electronically. Early electronic health records (EHRs) were in limited use as far back as 1992, yet the concept goes all the way back to the 1960s. Further development of this system eventually included networked medical devices that create and store additional medical and diagnostic information that would be added to EHRs through interoperability.
This streamlined the capture and storage of an enormous cache of patient data used by care providers, nursing homes, hospices, insurance companies, departments of corrections and other stakeholders.
Platforms for sharing this data increased with the growing use of tablets, smartphones and other mobile devices. Storage came to lean heavily on the cloud, and regulations grew with the expanded use of EHRs to control the data’s availability, required procedures and standards.
By 2019, 81.2 percent of hospitals had adopted EHR, using the information for test and imaging results, provider order-entry, clinical documentation and clinical decision support. The utility of these electronic records continues to grow.
Picture Archiving and Communication Systems (PACS) were one of the early success stories within the evolution of EHRs, allowing for access, storage and the transfer of digital images.
Data inclusion grew to include genetic information, family histories, mental health records, pathology results and e-prescribing.
Concurrent with the move to electronic health records was the growing sophistication of cyber criminals. For these criminals, medical information is gold. Before this information was put online, a criminal might break into a medical records room to steal information. With the advent of electronic health records, the cyber-criminal potentially has access to millions of records. The value of medical records on the dark web is enormous.
Measures to protect EHR information include encryption, security protocols, patient consent policies and standards compliance.
The juxtaposed evolution of EHR and cybercrime has meant that there has been a concurrent need for healthcare professionals to implement networked device connections and to guard electronic Protected Health Information (ePHI) from cyber criminals. These positions are most often thought of as residing in IS/IT.
Data from ventilators, infusion pumps, various monitors and other medical devices are interfaced to the EHR. This data helps in making clinical decisions as well as feeding the “birth to death” big data used in research.
This has resulted in the development of biomed roles with HTM professionals who are knowledgeable about cybersecurity and who can harden the threat surface. It has called for a definition and rethinking of what is the biomed’s responsibility and what is the responsibility of IT/IS when medical devices are added to a healthcare network.
SEPARATE OR MERGED?
With the increased overlapping interests of the biomed and IT/IS departments, and with some biomed departments under the leadership of the CIO, there has been a realignment of roles and responsibilities in some cases.
“At Allegheny Health Network (AHN), IT and Biomed are separate departments. However, we do work closely together in many areas. We recently worked together to remediate all medical devices running Windows 7 or older. We also work with IT to integrate our devices into our EMR. Biomed is responsible for configuring the medical device while IT is responsible for the middleware that goes between the hospital network and the EMR,” says Brad Klauss, clinical engineering manager at West Penn Hospital, Allegheny Health Network.
Klauss’s description of his facility’s biomed and IT departments and their responsibilities remains the standard for most health systems.
“I believe the bridge between Biomed and IT/IS needs to be there. Everything is becoming more connected, and the collaboration between both teams is essential, especially when it comes to areas like device integration, system uptime and security,” says Uriel Vargas Jr., BSEE, A+ Certified, healthcare technology regional manager with Baylor Scott & White Health.
Jackie Boyer, MBA, director of clinical engineering at Cincinnati Children’s Hospital Medical Center, points to the increasing partnership between the departments that has grown out of necessity.
“At Cincinnati Children’s, biomed and IT teams work collaboratively. With the shift toward connected medical equipment and devices, the overlap between these departments has increased. Our biomed department focuses on medical equipment, while the IT department supports servers, applications, networking and cybersecurity,” she says.
Craig Cumbie, CBET, biomedical technician III, at Central Peninsula Hospital in Soldotna, Alaska, says that there is currently no interest in merging departments at his facility.
“In our particular case, the primary challenge would be the culture of the departments. There are challenges created by the differences in departmental culture. Our biomed department is viewed as having the best customer service and is respected by all departments. That being said, we do have a high level of IT involvement on the biomed side,” he says.
Cumbie says that biomed is in charge of maintaining various systems such as Ascom nurse call, Securitas HUGS infant security system, the Olympus OR integration suite and the Change Healthcare cath lab hemodynamics system.
“All of these systems have servers, PCs, network switches and so forth that we are responsible for maintaining,” he says.
Cumbie adds that the area where IT and biomed most work together is for cybersecurity.
“We have cracked down on vendor access using shared credentials, and medical devices that communicate to the Internet have been placed on their own separate unsecured medical Internet of Things wireless network. Wired devices are on their own VLANs and isolated from internal resources,” he says.
If two separate departments are maintained, is there overlap?
“Yes,” says Samantha Jacques, Ph.D., FACHE, AAMIF, vice president of McLaren Clinical Engineering Services (MCES) at McLaren Health Care in Michigan.
“Any devices that sit on the network require coordination. This includes cybersecurity reviews, network design, data routing (for things like imaging devices to PACS), and of course ongoing support plans,” she says.
Tedd Koh, CISSP, CRES, CBET, CCNA, A+, NET+, Security+, medical electronics tech at Olive View UCLA Medical Center, details other areas where IT and biomed cooperate.
“Integrate network configurations, DICOM protocols and security measures into medical equipment such as patient monitoring systems, standalone EKG machines, ultrasound scanners, fetal monitoring systems, and stress testing devices. These represent the primary areas of collaboration with IT,” he says.
Steve Ellithorpe, CHTM, executive director of clinical technology strategy & innovation at Providence, says he has seen significant changes in his CE program during the past four to five years.
“During this time, cybersecurity issues were escalating and attacks on healthcare organizations were increasing. Like many other healthcare organizations, the WannaCry event impacted Providence. Our response and discoveries during the event shaped a slightly different direction which ultimately brought CE, IT Field Services and the IT Help Desk to a combined organization of Clinical Technology Services (CTS),” he says.
Ellithorpe says that the new organization now also includes medical device cybersecurity, CE Help Desk, and standard enterprise CMMS and cybersecurity platforms.
“This consolidation of service teams and platforms provides greater insights into our support operations, as well as informs on our medical device fleet and cyber risk profiles, and it’s through this data we’ve found opportunity to evaluate skill sets, identify new roles, and further develop the support provided by CTS,” he adds.
Vargas says that at his facility, IT and biomed still operate as separate departments. He adds that there is a lot of natural overlap in the day-to-day work.
“Whether it’s working through network issues with connected medical equipment or ensuring cybersecurity standards are being followed, our teams are constantly coordinating. That overlap has only increased over the last few years,” he says.
THE EVOLUTION OF NEW ROLES
Cybersecurity, and more recently, AI, have prompted new laws and requirements that will mean that specialized roles and expertise will continue to be added to the biomed department.
“I do have a clinical cyber specialist that helps identify vulnerabilities affecting medical devices, coordinates the discussions with the vendors on approved remediations, and then coordinates with internal departments (end users, biomed and IT) to implement those remediations,” Jacques says.
She says that in the coming years, healthcare will start seeing medical devices enter the market that are subject to a new law that took effect on March 29, 2023 – section 3305 of the Consolidated Appropriations Act of 2023 – Ensuring Cybersecurity of Medical Devices. She points to an FDA document titled “Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)” as a reference.
“All new devices approved after this date are required to be cybersecure and have patches available to address vulnerabilities. Ideally, this would mean the number of available patches for medical devices will increase dramatically as more new equipment gets approved through the FDA. There will need to be more governance, processes, and people to review, coordinate and implement these patches to ensure continued cyber-safety of these devices,” Jacques says.
Vargas says that as technologies like AI and advanced cybersecurity tools become more common, we’ll continue to see new hybrid roles pop up.
“The focus will always be on supporting patient care, but the skill sets required to do that are shifting,” he says.

CERTIFICATIONS AND ENDORSEMENTS
The emergence of new roles in the biomed department means specialized training and knowledge. That can come, at least in part, from formal training. It can also mean specialized certifications that indicate additional knowledge of IT, networking concepts or IT security principles.
Jacques says that knowledge of networking has been important for a while now and will continue to be important in the future.
“For those interested in cyber, the normal cyber certifications – CompTIA Security+, CISSP, etcetera, help get the basic knowledge related to cyber – but they do not cover medical device cyber specifically,” she says.
Gaining more IT and network knowledge is likely to be hardwired into biomed training as the need for these skills only increases with technology.
“While we don’t require network or programming certifications, we encourage students to take network and computer-related classes while pursuing their biomed degree. The future of the biomed field is likely to become more intertwined with IT, potentially adopting a hybrid approach for medical devices. The trend towards more connected devices and remote monitoring will necessitate IT skills in the biomed toolbox, moving rapidly together to advance technology in healthcare,” Boyer says.
Uriel says that there is still a place for on-the-job training.
“As a manager, I’ve started looking for technicians who have a mix of skills in both areas, even just a little bit of familiarity with IT or networking can go a long way. The rest can usually be taught with training and support. What’s more important is a willingness to learn and adapt because the field keeps evolving quickly,” he says.
Ellithorpe says that his system provides internal training that includes this area.
“We’re also intentional regarding growing and investing in our teams. Providence supports technical/professional certification such as CBET in the HTM space and seeks opportunity for technical service training for staff. Internally, we’ve provided both ‘network bootcamps’ and ‘project management bootcamps.’ The network bootcamp for our technical teams provided infrastructure device and architecture knowledge to enhance field level support. The project management bootcamp for several of our supervisors and managers was designed to introduce additional process, action, and communication tools,” he says.
AI – A NEW ERA
Billions of dollars have been invested into AI with applications across the spectrum. The evolution towards quantum computing will only increase AI’s uses and saturation within healthcare and in every facet of the average person’s daily life.
Koh says that physicians are increasingly adopting AI to streamline their busy routines.
“Additionally, AI can be utilized in applications like RTLS and CMMS. Therefore, it’s essential for our HTM community to train staff and equip them to meet these emerging requirements,” he says.
Jacques says that, with regard to AI, medical devices have had AI embedded into them for quite a while now. She points out that it has just often been referenced by other terms like “machine learning” or “clinical decision support.” She references an earlier FDA list that includes many devices that incorporate machine learning or artificial intelligence.
“The FDA has again reviewed these products before allowing them to be marketed in the U.S.,” Jacques says.
She does think leaders in biomed need to be educated on AI/ML and the risks around it as organizations have begun building and implementing governance models to thoughtfully review and discuss what types of AI/ML organizations want to implement to ensure patient safety.
“However, at this early stage, I’m not sure we need bench level technicians to be able to work with or manipulate AI models. We just aren’t there yet,” Jacques adds.
Klauss says that he sees a role for AI at his health system.
“The network is always looking for ways to implement it into our workflow. I see it as a powerful tool which will be able to identify vulnerabilities, assess risk levels and devise remediations,” he says.
Ellithorpe says that AI can have a role in providing an opportunity for greater service history and service data analytics.
“Enhancing service methodologies, driving greater efficiencies, predictive analysis, and device lifecycle insights are areas for innovation and program improvement,” he says.
AI and an increased focus on cybersecurity will require an expanded role for the biomed. The sophistication of medical devices and healthcare system informatics is never in retreat. More specialized knowledge and an understanding of new advances in these areas will serve every HTM professional well in their career progression.
