At the recent PHI Protection Conference in Philadelphia, one of the topics raised was the security risks health systems face connecting medical devices on their network. Although connecting them enhances patient care, there are risks involved because the devices tend to have weak security controls, speakers said.
Keith Fricke, principal consultant at tw-Security, former CISO of Mercy Health System (formerly known as Catholic Health Partners), said that the HHS Office for Civil Rights would expect covered entities to assess the security of medical devices. Some boards of directors have raised concerns about medical devices such as insulin pumps getting hacked, he added. Fricke said that unless the hacker has an axe to grind against a particular patient, it is much more likely that the hacker would compromise a medical device as a stepping stone into the network. “I am not dismissing the harm possible, but they may not be motivated to kill someone. We don’t know what would happen to a device if it gets compromised, so we have to treat the threat very seriously.”
Despite these security concerns, there is a strong push to connect medical devices to EHRs for patient safety reasons. A 2015 national survey of more than 500 nurses conducted online by Harris Poll on behalf of the Gary and Mary West Health Institute found strong support for seamlessly connecting devices.
Half of these nurses surveyed said they witnessed a medical error resulting from a lack of coordination among medical devices in a hospital setting.
Sixty percent said medical errors could be significantly reduced if medical devices were connected and shared data with each other automatically. The problem could be addressed by the widespread adoption of open communications standards that allow for the safe and secure exchange of data. Seventy-four percent of these nurses (strongly/somewhat) agreed that it is burdensome to coordinate the data collected by medical devices, and 93 percent (strongly/somewhat) agreed that medical devices (e.g., monitors, diagnostic devices) should be able to seamlessly share data with one another automatically.
Despite these concerns, the West Health Institute found in 2013 that only one-third of U.S. providers had connected medical devices to their EHRs. But as hospitals upgrade their medical devices, wireless connectivity and interfaces to the EHR are high on the wish list for clinical informatics departments and nurses. I recently had the chance to speak with Robert Gordon, director of information systems for 204-bed Halifax Regional Medical Center in Roanoke Rapids, N.C., which has been on the Meditech EHR for clinicals since 2005.
Gordon said nurses identified transferring data from medical devices such as vital sign monitors to the EHR as a major problem, especially in the intensive care unit. “They were trying to record vital signs every 15 minutes,” he said. “So basically the nurse would go in and take vital signs and write it on a piece of paper, go to the next station and do the same, then go back to a workstation and call up the patients’ records and type the information into the EHR.” That creates a potential for error, he said. “We saw some swapped digits, or a nurse hitting a wrong digit or forgetting a decimal point or a zero,” he added.
Halifax’s vital signs monitors were 10 to 15 years old, so when they started looking for replacements a few years ago, they wanted them to be wireless and to interface to the Meditech system. “We ended up choosing Welch-Allyn for vital signs,” Gordon said. “The nurses had the same requirement recently when they went out looking for new infusion pumps, but we discovered there weren’t any vendors out there that had successfully interfaced with our Meditech system. So we still got the wireless, but hopefully down the road we will get that interface. But at this time we couldn’t.”
Because medical devices and EHR systems don’t work together seamlessly out of the box, hospitals turn to middleware providers that offer gateway products that link their system to an assortment of medical devices. Halifax brought in Iatric Systems to interface with the different devices. “If we did a straight interface between the devices and Meditech, we would have to have an interface for each device vendor,” Gordon said. “This way, we have the one interface going to Iatric and they manage all the different other interfaces with the devices.”
Although Halifax doesn’t have any way to precisely measure the patient safety value of having the devices on the network, Gordon said its nurses estimate they are saving five minutes per patient per round by not entering data and they are able to spend more time talking with the patients. “Also, because the vital sign data is going into the EHR, it is there sooner for our hospitalists to see,” he added. “There is no delay as they wait for the nurse to round on their seven or eight patients.”
Gordon said the biggest factor in making the medical device integration successful is that the project was clinically driven, not an IT project. “Since the clinical informatics department was involved from the beginning, they wanted it to work. They had ownership.”