As patients, have we ever thought that issues with Healthcare IT systems like Electronics Health Record (EHR) and its components such as Computerized Physician Order Entry (CPOE), Electronic Medication Administration Record (e-MAR), Clinical Decision Support (CDS) system, etc. could lead to death, permanent loss of a bodily function or other serious injuries? A study commissioned by the Joint Commission revealed that, if not careful, these systems have indeed led to serious health hazards. The study obviously excluded many more close calls! Some of the results are summarized in the figure below.
Because many of such adverse events haven’t regularly been reported in the best possible way until recently, general awareness around the topic is limited. Knowledge of the adverse events, however, shouldn’t discourage us from using Health IT (HIT) systems or believing in merits of the Internet of Things (IoT) trend. In fact, some studies suggest that full potential of IoT should deliver as much as $60B value in the US from increased efficiency and improvements in quality of care. Benefits certainly ought to outweigh drawbacks! Goal here is to develop practices that minimize adverse events and maximize the value that IoT, HIT and the increased connectivity have to offer.
A recent MediTechSafe whitepaper (Need Holistic Approach to Cybersecurity of Medical Devices and Networks … Reinforcement from WannaCry Attacks!) talked about the importance of developing clinical verification & validation (V&V) practices for Medical IT network in a hospital environment during design, implementation, update and/or remediation phases. In fact, clinical V&V should be an essential component of the patch management process when the device being patched is a networked device. The paper talks about treating a network like a Class I medical device when clinical data flows bi-directionally through the network to ensure patient safety and clinical relevance. According to an ECRI Institute study, top five safety issues from HIT events are: (1) system interface issues, (2) wrong input, (3) software issues in system configuration, (4) wrong record retrievals, and (5) software functionality issues. Good V&V practices in a hospital environment should certainly help in managing many of these.
Erin Sparnon, Engineering Manager from ECRI Institute, provided following real examples of how adverse events could occur if one is not careful in HIT integration. She shared these examples via her IHE USA presentation: Ensuring Patient Safety in Your Connected Hospital. The examples clearly speak to the value of performing clinical V&V before commissioning and/or making a change to a HIT network.
1. Wrong therapy due to unsynchronized timestamps
The following example only represents one of many potential scenarios that could create patient care challenges due to network imposed latency. Hence, it is good to test for various clinical use-cases and workflows in consultation with clinicians in a safe environment before commissioning / updating / remediating a network.
2. An update/patch disrupted predetermined surgery procedure
Hospitals have many devices that have to be patched on a regular basis. The following example shows how those updates/patches should be validated in a given hospital’s network environment before implementation.
3. Update(s) to network component(s) leading to negative impact on patient interfacing device(s)
Following examples reinforce the need for system level focus. It is essential to test how a change in one component of a system would impact the performance of the overall system, especially in Healthcare settings.
4. Vulnerability scanning of a network impacting medical devices and associated patients
This is yet another example of requiring the system level focus before introducing any non-standard procedure.
Individual hospitals are going to have converged medical IT networks with the increasing trend of connected medical devices. Each hospital will likely have slightly different network configuration. Consequently, the responsibility of clinical V&V will rest on hospitals’ shoulders; this is not a muscle that most hospitals have fully developed yet. In fact, the recent Ponemon study confirms that majority of Healthcare Delivery Organizations (53%) do not test or are unsure of testing practices while performing medical device related software updates. No wonder we see increasing health hazards from HIT!
MediTechSafe has developed a proprietary solution to help hospitals manage the cybersecurity of medical devices and clinical networks related risks. If you are a healthcare provider (or a biomed services provider) interested in learning more about the solution, you could reach us at info@meditechsafe.com.